Potential Code Execution via Postgresql

This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/06/20"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/07/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within 
13a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
14public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
15attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
16for unauthorized access and malicious actions.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*", "endgame-*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Code Execution via Postgresql"
23risk_score = 47
24rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27type = "eql"
28
29query = '''
30process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
31event.type == "start" and user.name == "postgres" and (
32  (process.parent.args : "*sh" and process.parent.args : "echo*") or 
33  (process.args : "*sh" and process.args : "echo*")
34) and not process.parent.name : "puppet"
35'''
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40[[rule.threat.technique]]
41id = "T1059"
42name = "Command and Scripting Interpreter"
43reference = "https://attack.mitre.org/techniques/T1059/"
44
45[[rule.threat.technique.subtechnique]]
46id = "T1059.004"
47name = "Unix Shell"
48reference = "https://attack.mitre.org/techniques/T1059/004/"
49
50[rule.threat.tactic]
51id = "TA0002"
52name = "Execution"
53reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top