Potential Linux Hack Tool Launched
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.
Elastic rule
[metadata]
creation_date = "2023/09/22"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as
well.
"""
from = "now-9m"
index = [
  "auditbeat-*",
  "endgame-*",
  "logs-auditd_manager.auditd-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process*",
  "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Hack Tool Launched"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Linux Hack Tool Launched

Linux environments often utilize various tools for system administration and security testing. While these tools serve legitimate purposes, adversaries can exploit them for malicious activities, such as unauthorized access or data exfiltration. The detection rule identifies suspicious process executions linked to known hacking tools, flagging potential misuse by monitoring specific process names and actions indicative of exploitation attempts.

### Possible investigation steps

- Review the process name that triggered the alert to determine if it matches any known hacking tools listed in the query, such as "crackmapexec" or "sqlmap".
- Check the user account associated with the process execution to assess if it is a legitimate user or potentially compromised.
- Investigate the source and destination IP addresses involved in the process execution to identify any unusual or unauthorized network activity.
- Examine the command line arguments used during the process execution to understand the intent and scope of the activity.
- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities.
- Verify if the process execution aligns with any scheduled tasks or known administrative activities to rule out false positives.

### False positive analysis

- System administrators and security teams often use tools like "john", "hashcat", and "hydra" for legitimate security testing and password recovery. To reduce false positives, create exceptions for these tools when used by authorized personnel or during scheduled security assessments.
- Blue team exercises may involve the use of exploitation frameworks such as "msfconsole" and "msfvenom". Implement a process to whitelist these activities when they are part of a sanctioned security drill.
- Network scanning tools like "zenmap" and "nuclei" are frequently used for network mapping and vulnerability assessments. Establish a baseline of normal usage patterns and exclude these from alerts when they match expected behavior.
- Web enumeration tools such as "gobuster" and "dirbuster" might be used by web developers for testing purposes. Coordinate with development teams to identify legitimate use cases and exclude these from triggering alerts.
- Regularly review and update the list of excluded processes to ensure that only non-threatening activities are exempted, maintaining a balance between security and operational efficiency.

### Response and remediation

- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified by the alert, such as those listed in the detection query, to halt potential malicious activities.
- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or lateral movement attempts.
- Restore the affected system from a known good backup if any unauthorized changes or data exfiltration are confirmed.
- Update and patch all software and applications on the affected host to mitigate vulnerabilities that could be exploited by the identified tools.
- Implement stricter access controls and monitoring on the affected host to prevent unauthorized execution of potentially malicious tools in the future.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected."""
risk_score = 47
rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Auditd Manager",
  "Data Source: Crowdstrike",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in~ (
  // exploitation frameworks
  "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
  // network scanners (nmap left out to reduce noise)
  "zenmap", "nuclei", "netdiscover", "legion",
  // web enumeration
  "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness",
  // web vulnerability scanning
  "wpscan", "joomscan", "droopescan", "nikto",
  // exploitation tools
  "sqlmap", "commix", "yersinia",
  // cracking and brute forcing
  "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack",
  // host and network
  "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm",
  "linux-exploit-suggester-2.pl", "linux-exploit-suggester.sh", "panix.sh"
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
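The following Python is an added example and is not code from Elastic's rule or the detection-rules repository. It re-implements the query's predicate (Linux host, process start, one of the listed event.action values, case-insensitive process.name match via `in~`) in plain Python, runs it over constructed ECS-style process events, and then applies scoped exceptions of the kind the false positive analysis recommends (tool plus authorized user and host rather than tool alone). The field names host.os.type, event.type, event.action and process.name come from the rule; user.name and host.name are standard ECS fields assumed to be present, and the exception entries and sample events are hypothetical values constructed for this example.

```python
"""Added example (not Elastic's code): the rule's EQL predicate in Python,
plus scoped exceptions modelled on the rule's false-positive guidance.
user.name / host.name, the exception entries and the sample events are
assumptions constructed for illustration."""

# Process names copied from the rule's query. EQL `in~` is case-insensitive,
# so both sides are lowercased before comparison.
HACK_TOOL_NAMES = frozenset({
    # exploitation frameworks
    "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
    # network scanners (nmap is deliberately absent, as in the rule)
    "zenmap", "nuclei", "netdiscover", "legion",
    # web enumeration
    "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness",
    # web vulnerability scanning
    "wpscan", "joomscan", "droopescan", "nikto",
    # exploitation tools
    "sqlmap", "commix", "yersinia",
    # cracking and brute forcing
    "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack",
    # host and network
    "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm",
    "linux-exploit-suggester-2.pl", "linux-exploit-suggester.sh", "panix.sh",
})

# event.action values from the query; plain EQL `in` is case-sensitive.
START_ACTIONS = frozenset({"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"})


def _values(field):
    """ECS fields such as event.type may be arrays; EQL `==`/`in` match if any
    element does. A missing field never matches."""
    if field is None:
        return []
    return list(field) if isinstance(field, (list, tuple, set)) else [field]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's `process where ...` predicate."""
    return (
        event.get("host.os.type") == "linux"
        and "start" in _values(event.get("event.type"))
        and any(a in START_ACTIONS for a in _values(event.get("event.action")))
        and any(str(n).lower() in HACK_TOOL_NAMES for n in _values(event.get("process.name")))
    )


# Hypothetical tuning entries: each exception is scoped to a process name plus
# the user and/or host authorised to run it, so the same tool launched under
# another account or on another host still alerts.
EXCEPTIONS = (
    {"process.name": "hashcat", "user.name": "pentest-svc", "host.name": "redteam-box"},
    {"process.name": "john", "user.name": "pentest-svc", "host.name": "redteam-box"},
    {"process.name": "nuclei", "host.name": "vuln-scanner-01"},  # any user on the scanner host
)


def is_excepted(event: dict, exceptions=EXCEPTIONS) -> bool:
    """True when every field of some exception matches the event
    (process.name case-insensitively, other fields exactly)."""
    def field_matches(key, wanted):
        got = event.get(key)
        if key == "process.name":
            return got is not None and str(got).lower() == wanted.lower()
        return got == wanted
    return any(all(field_matches(k, v) for k, v in exc.items()) for exc in exceptions)


def triage(events, exceptions=EXCEPTIONS):
    """Split events into (alerts, suppressed) lists of event ids: rule matches
    not covered by an exception, and rule matches that are."""
    alerts, suppressed = [], []
    for ev in events:
        if matches_rule(ev):
            (suppressed if is_excepted(ev, exceptions) else alerts).append(ev["id"])
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # authorised cracking rig: matches the rule, covered by an exception
    {"id": "e1", "host.os.type": "linux", "host.name": "redteam-box", "event.type": ["start"],
     "event.action": "exec", "process.name": "hashcat", "user.name": "pentest-svc"},
    # same tool and host, unexpected user, mixed-case name: alerts
    {"id": "e2", "host.os.type": "linux", "host.name": "redteam-box", "event.type": ["start"],
     "event.action": "exec", "process.name": "HashCat", "user.name": "bob"},
    # sqlmap under a web service account: alerts
    {"id": "e3", "host.os.type": "linux", "host.name": "web01", "event.type": ["start"],
     "event.action": "executed", "process.name": "sqlmap", "user.name": "www-data"},
    # nmap is intentionally not in the rule's list: no match
    {"id": "e4", "host.os.type": "linux", "host.name": "web01", "event.type": ["start"],
     "event.action": "exec", "process.name": "nmap", "user.name": "root"},
    # process end, not a start: no match
    {"id": "e5", "host.os.type": "linux", "host.name": "web01", "event.type": ["end"],
     "event.action": "end", "process.name": "gobuster", "user.name": "root"},
    # non-Linux host: no match
    {"id": "e6", "host.os.type": "windows", "host.name": "ws01", "event.type": ["start"],
     "event.action": "start", "process.name": "sqlmap", "user.name": "alice"},
    # scheduled scanner host: matches, suppressed regardless of user
    {"id": "e7", "host.os.type": "linux", "host.name": "vuln-scanner-01", "event.type": ["start"],
     "event.action": "process_started", "process.name": "nuclei", "user.name": "scanner"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print("alerts:", alerts, "suppressed:", suppressed)
```

Running the block reports e2 and e3 as alerts and e1 and e7 as suppressed. The point of the exception shape is visible in e1 versus e2: an exception keyed on the tool name alone would have silenced both, whereas scoping it to the authorized user and host keeps the unexpected account on the same machine in view, which is the balance the false positive analysis asks for.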
Related rules
- Unix Socket Connection
- Access Control List Modification via setfacl
- Attempt to Clear Kernel Ring Buffer
- Base16 or Base32 Encoding/Decoding Activity
- Boot File Copy