Suspicious which Enumeration
This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/30"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may
11leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a
12system to escalate privileges or move latteraly across the network.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Suspicious which Enumeration"
19risk_score = 21
20rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
21severity = "low"
22tags = [
23 "Domain: Endpoint",
24 "OS: Linux",
25 "Use Case: Threat Detection",
26 "Tactic: Discovery",
27 "Data Source: Elastic Defend",
28 "Data Source: Elastic Endgame",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
35process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and
36not process.args == "--tty-only"
37
38/* potential tuning if rule would turn out to be noisy
39and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
40process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
41*/
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1082"
49name = "System Information Discovery"
50reference = "https://attack.mitre.org/techniques/T1082/"
51
52
53[rule.threat.tactic]
54id = "TA0007"
55name = "Discovery"
56reference = "https://attack.mitre.org/tactics/TA0007/"
Related rules
- ESXI Discovery via Find
- ESXI Discovery via Grep
- Enumeration of Kernel Modules
- Hping Process Activity
- Nping Process Activity