Potential Code Execution via Postgresql
This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/06/20"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/07/31"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within
13a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
14public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
15attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
16for unauthorized access and malicious actions.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*", "endgame-*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Code Execution via Postgresql"
23risk_score = 47
24rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27type = "eql"
28
29query = '''
30process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and
31event.type == "start" and user.name == "postgres" and (
32 (process.parent.args : "*sh" and process.parent.args : "echo*") or
33 (process.args : "*sh" and process.args : "echo*")
34) and not process.parent.name : "puppet"
35'''
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40[[rule.threat.technique]]
41id = "T1059"
42name = "Command and Scripting Interpreter"
43reference = "https://attack.mitre.org/techniques/T1059/"
44
45[[rule.threat.technique.subtechnique]]
46id = "T1059.004"
47name = "Unix Shell"
48reference = "https://attack.mitre.org/techniques/T1059/004/"
49
50[rule.threat.tactic]
51id = "TA0002"
52name = "Execution"
53reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Cron Job Created or Changed by Previously Unknown Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python