Potential Linux Hack Tool Launched

Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/09/22"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as
well.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Hack Tool Launched"
risk_score = 47
rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in~ (
  // exploitation frameworks
  "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
  // network scanners (nmap left out to reduce noise)
  "zenmap", "nuclei", "netdiscover", "legion",
  // web enumeration
  "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness",
  // web vulnerability scanning
  "wpscan", "joomscan", "droopescan", "nikto",
  // exploitation tools
  "sqlmap", "commix", "yersinia",
  // cracking and brute forcing
  "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack",
  // host and network
  "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm",
  "linux-exploit-suggester-2.pl", "linux-exploit-suggester.sh", "panix.sh"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Linux Hack Tool Launched

Linux environments often utilize various tools for system administration and security testing. While these tools serve legitimate purposes, adversaries can exploit them for malicious activities, such as unauthorized access or data exfiltration. The detection rule identifies suspicious process executions linked to known hacking tools, flagging potential misuse by monitoring specific process names and actions indicative of exploitation attempts.

### Possible investigation steps

- Review the process name that triggered the alert to determine if it matches any known hacking tools listed in the query, such as "crackmapexec" or "sqlmap".
- Check the user account associated with the process execution to assess if it is a legitimate user or potentially compromised.
- Investigate the source and destination IP addresses involved in the process execution to identify any unusual or unauthorized network activity.
- Examine the command line arguments used during the process execution to understand the intent and scope of the activity.
- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities.
- Verify if the process execution aligns with any scheduled tasks or known administrative activities to rule out false positives.

### False positive analysis

- System administrators and security teams often use tools like "john", "hashcat", and "hydra" for legitimate security testing and password recovery. To reduce false positives, create exceptions for these tools when used by authorized personnel or during scheduled security assessments.
- Blue team exercises may involve the use of exploitation frameworks such as "msfconsole" and "msfvenom". Implement a process to whitelist these activities when they are part of a sanctioned security drill.
- Network scanning tools like "zenmap" and "nuclei" are frequently used for network mapping and vulnerability assessments. Establish a baseline of normal usage patterns and exclude these from alerts when they match expected behavior.
- Web enumeration tools such as "gobuster" and "dirbuster" might be used by web developers for testing purposes. Coordinate with development teams to identify legitimate use cases and exclude these from triggering alerts.
- Regularly review and update the list of excluded processes to ensure that only non-threatening activities are exempted, maintaining a balance between security and operational efficiency.

### Response and remediation

- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified by the alert, such as those listed in the detection query, to halt potential malicious activities.
- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or lateral movement attempts.
- Restore the affected system from a known good backup if any unauthorized changes or data exfiltration are confirmed.
- Update and patch all software and applications on the affected host to mitigate vulnerabilities that could be exploited by the identified tools.
- Implement stricter access controls and monitoring on the affected host to prevent unauthorized execution of potentially malicious tools in the future.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
...
```
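To make the rule's EQL semantics concrete, here is an added Python example (not Elastic's code) that re-implements the `process where ...` clause over constructed ECS-style events, including the case-insensitive `in~` name match, and layers on a hypothetical authorized-user allowlist of the kind the false positive analysis recommends for sanctioned assessments.

```python
# Added example: mirror of the rule's EQL match logic plus a triage allowlist.
# The tool and action lists are copied from the rule query above.
ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
HACK_TOOLS = {name.lower() for name in (
    "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
    "zenmap", "nuclei", "netdiscover", "legion",
    "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness",
    "wpscan", "joomscan", "droopescan", "nikto", "sqlmap", "commix", "yersinia",
    "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack",
    "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk",
    "evil-winrm", "linux-exploit-suggester-2.pl", "linux-exploit-suggester.sh", "panix.sh",
)}

def rule_matches(event: dict) -> bool:
    """Equivalent of the EQL clause over a flat ECS-style dict.
    `in~` is case-insensitive, so process.name is lower-cased; event.action uses
    plain `in`, so it stays case-sensitive (as "ProcessRollup2" shows)."""
    return (event.get("event.category") == "process"
            and event.get("host.os.type") == "linux"
            and event.get("event.type") == "start"
            and event.get("event.action") in ACTIONS
            and str(event.get("process.name", "")).lower() in HACK_TOOLS)

def triage(events, authorized_users=frozenset()):
    """Split matches into (alerts, suppressed). `authorized_users` is a hypothetical
    allowlist for personnel running a sanctioned assessment; everything else alerts."""
    alerts, suppressed = [], []
    for ev in events:
        if rule_matches(ev):
            (suppressed if ev.get("user.name") in authorized_users else alerts).append(ev)
    return alerts, suppressed

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "host.os.type": "linux", "event.type": "start",
     "event.action": "exec", "process.name": "HashCat", "user.name": "www-data"},   # alert
    {"event.category": "process", "host.os.type": "linux", "event.type": "start",
     "event.action": "ProcessRollup2", "process.name": "sqlmap", "user.name": "pentest"},
    {"event.category": "process", "host.os.type": "linux", "event.type": "end",
     "event.action": "end", "process.name": "nikto", "user.name": "root"},          # not a start
    {"event.category": "process", "host.os.type": "windows", "event.type": "start",
     "event.action": "start", "process.name": "msfconsole", "user.name": "bob"},    # wrong OS
    {"event.category": "process", "host.os.type": "linux", "event.type": "start",
     "event.action": "exec", "process.name": "nmap", "user.name": "ops"},           # excluded by rule
]

if __name__ == "__main__":
    hits, quiet = triage(SAMPLE_EVENTS, authorized_users={"pentest"})
    for ev in hits:
        print(f"ALERT      {ev['process.name']} run by {ev['user.name']}")
    for ev in quiet:
        print(f"SUPPRESSED {ev['process.name']} run by {ev['user.name']} (sanctioned assessment)")
```

Running it alerts on the `HashCat` execution by `www-data`, suppresses the `sqlmap` run by the allowlisted `pentest` user, and ignores the non-start, non-Linux and `nmap` events exactly as the rule would.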