Network Connection via Recently Compiled Executable

This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/28"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/08/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network 
13connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. 
14Attackers may spawn reverse shells to establish persistence onto a target system.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Network Connection via Recently Compiled Executable"
21risk_score = 47
22rule_id = "64cfca9e-0f6f-4048-8251-9ec56a055e9e"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
25type = "eql"
26query = '''
27sequence by host.id with maxspan=1m
28  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
29   process.name in ("gcc", "g++", "cc")] by process.args
30  [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
31  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name
32  [network where host.os.type == "linux" and event.action == "connection_attempted"] by process.name
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37
38[rule.threat.tactic]
39name = "Execution"
40id = "TA0002"
41reference = "https://attack.mitre.org/tactics/TA0002/"
42
43[[rule.threat.technique]]
44id = "T1059"
45name = "Command and Scripting Interpreter"
46reference = "https://attack.mitre.org/techniques/T1059/"
47
48[[rule.threat.technique.subtechnique]]
49id = "T1059.004"
50name = "Unix Shell"
51reference = "https://attack.mitre.org/techniques/T1059/004/"
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55
56[rule.threat.tactic]
57name = "Command and Control"
58id = "TA0011"
59reference = "https://attack.mitre.org/tactics/TA0011/"
60
61[[rule.threat.technique]]
62name = "Application Layer Protocol"
63id = "T1071"
64reference = "https://attack.mitre.org/techniques/T1071/"

Related rules

to-top