Potentially Suspicious Process Started via tmux or screen
This rule monitors for the execution of suspicious commands via screen and tmux. When a command is launched in a session that is detached immediately, it keeps running in the background as a child of the screen or tmux process, which is why the rule keys on the parent process name. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
to execute commands while attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potentially Suspicious Process Started via tmux or screen"
risk_score = 21
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.parent.name in ("screen", "tmux") and process.name : (
  "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
  "lua*", "openssl", "telnet", "awk", "wget", "curl", "id"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
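To see which events the query above would match, here is an added Python re-implementation of its filter logic run over constructed ECS-style process events. It is not part of the Elastic rule or its tooling; the sample events, PIDs and the helper names are assumptions made for the example.

```python
import fnmatch

# Process-name patterns copied from the rule's query. EQL's ':' operator is a
# case-insensitive wildcard match, so names are lowercased and '*' globs are
# resolved with fnmatchcase (the literal '.' in "nc.openbsd" stays literal).
SUSPICIOUS_PROCESS_PATTERNS = [
    "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping",
    "java", "python*", "php*", "perl", "ruby", "lua*", "openssl", "telnet",
    "awk", "wget", "curl", "id",
]
MULTIPLEXER_PARENTS = ("screen", "tmux")

def matches_rule(event: dict) -> bool:
    """Return True when one ECS-style process event satisfies the rule's query."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ("exec", "exec_event"):
        return False
    # 'in' on the parent name is an exact, case-sensitive comparison in EQL.
    if event.get("process.parent.name") not in MULTIPLEXER_PARENTS:
        return False
    name = event.get("process.name", "").lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in SUSPICIOUS_PROCESS_PATTERNS)

def alerting_pids(events) -> list:
    """Evaluate each event on its own (the rule has no sequence) and return PIDs that alert."""
    return [e["process.pid"] for e in events if matches_rule(e)]

# Constructed sample events, not real telemetry; field names follow ECS.
SAMPLE_EVENTS = [
    # python3 spawned under tmux: matches through the "python*" glob
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.parent.name": "tmux", "process.name": "python3", "process.pid": 4101},
    # curl spawned under screen, reported with the alternate "exec_event" action
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec_event",
     "process.parent.name": "screen", "process.name": "curl", "process.pid": 4102},
    # same binary, but the parent is an interactive shell, not a multiplexer
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.parent.name": "bash", "process.name": "curl", "process.pid": 4103},
    # a process under tmux whose name is not on the list
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.parent.name": "tmux", "process.name": "vim", "process.pid": 4104},
]

if __name__ == "__main__":
    print("alerting PIDs:", alerting_pids(SAMPLE_EVENTS))  # [4101, 4102]
```

Because the query is a single `process where` filter rather than a `sequence`, each event is judged in isolation; the only context it uses is the parent process name carried on the event itself.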
Related rules
- Attempt to Clear Kernel Ring Buffer
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Base16 or Base32 Encoding/Decoding Activity
- Creation of Hidden Shared Object File