Network Connection via Recently Compiled Executable

  1[metadata]
  2creation_date = "2023/08/28"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/02/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
 11connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
 12Attackers may spawn reverse shells to establish persistence onto a target system.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.file*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Network Connection via Recently Compiled Executable"
 19risk_score = 47
 20rule_id = "64cfca9e-0f6f-4048-8251-9ec56a055e9e"
 21setup = """## Setup
 22
 23This rule requires data coming in from Elastic Defend.
 24
 25### Elastic Defend Integration Setup
 26Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 27
 28#### Prerequisite Requirements:
 29- Fleet is required for Elastic Defend.
 30- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 31
 32#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 33- Go to the Kibana home page and click "Add integrations".
 34- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 35- Click "Add Elastic Defend".
 36- Configure the integration name and optionally add a description.
 37- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 38- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 39- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 40- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 41For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 42- Click "Save and Continue".
 43- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 44For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 45"""
 46severity = "medium"
 47tags = [
 48    "Domain: Endpoint",
 49    "OS: Linux",
 50    "Use Case: Threat Detection",
 51    "Tactic: Execution",
 52    "Data Source: Elastic Defend",
 53    "Resources: Investigation Guide",
 54]
 55type = "eql"
 56query = '''
 57sequence by host.id with maxspan=1m
 58  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 59   process.name in ("gcc", "g++", "cc")] by process.args
 60  [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
 61  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name
 62  [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and not (
 63     cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or
 64     process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui", "npreal2d", "ruby", "source", "ssh")
 65   )] by process.name
 66'''
 67note = """## Triage and analysis
 68
 69> **Disclaimer**:
 70> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 71
 72### Investigating Network Connection via Recently Compiled Executable
 73
 74In Linux environments, compiling and executing programs is routine for development. However, adversaries exploit this by compiling malicious code to establish reverse shells, enabling remote control. The detection rule identifies this threat by monitoring sequences of compilation, execution, and network activity, flagging unusual connections that deviate from typical patterns, thus indicating potential compromise.
 75
 76### Possible investigation steps
 77
 78- Review the process execution details to identify the compiler used (e.g., gcc, g++, cc) and examine the arguments passed during the compilation to understand the nature of the compiled code.
 79- Investigate the file creation event associated with the linker (ld) to determine the output executable file and its location on the system.
 80- Analyze the subsequent process execution to identify the newly compiled executable and verify its legitimacy by checking its hash against known malware databases.
 81- Examine the network connection attempt details, focusing on the destination IP address, to determine if it is associated with known malicious activity or command-and-control servers.
 82- Check the process name involved in the network connection attempt to ensure it is not a commonly used legitimate process, as specified in the query exclusions (e.g., simpleX, conftest, ssh, python, ispnull, pvtui).
 83- Correlate the timing of the compilation, execution, and network connection events to assess if they align with typical user behavior or indicate suspicious activity.
 84
 85### False positive analysis
 86
 87- Development activities involving frequent compilation and execution of new code can trigger false positives. To manage this, exclude specific user accounts or directories commonly used for legitimate development work.
 88- Automated build systems or continuous integration pipelines may compile and execute code regularly. Identify and exclude these processes or IP addresses from monitoring to prevent false alerts.
 89- Legitimate software updates or installations that involve compiling source code can be mistaken for malicious activity. Exclude known update processes or package managers from the rule.
 90- Network connections to internal or trusted IP addresses that are not part of the typical exclusion list might be flagged. Update the exclusion list to include these trusted IP ranges.
 91- Certain legitimate applications that compile and execute code as part of their normal operation, such as IDEs or scripting environments, should be identified and excluded from the rule to reduce noise.
 92
 93### Response and remediation
 94
 95- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration.
 96- Terminate any suspicious processes identified in the alert, especially those related to the recently compiled executable and any associated network connections.
 97- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized user accounts or scheduled tasks.
 98- Remove any malicious executables or scripts identified during the investigation from the system to prevent re-execution.
 99- Reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges.
100- Update and patch the affected system to close any vulnerabilities that may have been exploited by the attacker.
101- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105
106[[rule.threat.technique]]
107id = "T1059"
108name = "Command and Scripting Interpreter"
109reference = "https://attack.mitre.org/techniques/T1059/"
110
111[[rule.threat.technique.subtechnique]]
112id = "T1059.004"
113name = "Unix Shell"
114reference = "https://attack.mitre.org/techniques/T1059/004/"
115
116[rule.threat.tactic]
117id = "TA0002"
118name = "Execution"
119reference = "https://attack.mitre.org/tactics/TA0002/"
120
121[[rule.threat]]
122framework = "MITRE ATT&CK"
123
124[[rule.threat.technique]]
125id = "T1071"
126name = "Application Layer Protocol"
127reference = "https://attack.mitre.org/techniques/T1071/"
128
129[rule.threat.tactic]
130id = "TA0011"
131name = "Command and Control"
132reference = "https://attack.mitre.org/tactics/TA0011/"