Potential Reverse Shell via Background Process

  1[metadata]
  2creation_date = "2023/09/20"
  3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_version = "8.13.0"
  6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  7updated_date = "2025/01/15"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
 13channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Potential Reverse Shell via Background Process"
 20risk_score = 47
 21rule_id = "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39"
 22setup = """## Setup
 23
 24This rule requires data coming in from Elastic Defend.
 25
 26### Elastic Defend Integration Setup
 27Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 28
 29#### Prerequisite Requirements:
 30- Fleet is required for Elastic Defend.
 31- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 32
 33#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 34- Go to the Kibana home page and click "Add integrations".
 35- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 36- Click "Add Elastic Defend".
 37- Configure the integration name and optionally add a description.
 38- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 39- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 40- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 41- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 42For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 43- Click "Save and Continue".
 44- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 45For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 46"""
 47severity = "medium"
 48tags = [
 49    "Domain: Endpoint",
 50    "OS: Linux",
 51    "Use Case: Threat Detection",
 52    "Tactic: Execution",
 53    "Data Source: Elastic Defend",
 54    "Data Source: Elastic Endgame",
 55    "Data Source: Crowdstrike",
 56    "Data Source: SentinelOne",
 57    "Resources: Investigation Guide",
 58]
 59timestamp_override = "event.ingested"
 60type = "eql"
 61
 62query = '''
 63process where host.os.type == "linux" and event.type == "start" and
 64  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
 65  process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and
 66  process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 67'''
 68note = """## Triage and analysis
 69
 70> **Disclaimer**:
 71> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 72
 73### Investigating Potential Reverse Shell via Background Process
 74
 75In Linux environments, background processes can be manipulated to establish reverse shells, allowing adversaries to gain remote access. By exploiting shell commands to open network sockets, attackers can create backdoor connections. The detection rule identifies suspicious executions of background processes, like 'setsid' or 'nohup', with arguments indicating socket activity in '/dev/tcp', often initiated by common shell interpreters. This helps in flagging potential reverse shell activities for further investigation.
 76
 77### Possible investigation steps
 78
 79- Review the process details to confirm the presence of suspicious arguments, specifically looking for '/dev/tcp' in the process.args field, which indicates an attempt to open a network socket.
 80- Identify the parent process by examining the process.parent.name field to determine if it is one of the common shell interpreters like 'bash', 'dash', 'sh', etc., which could suggest a script-based execution.
 81- Check the user context under which the process was executed to assess if it aligns with expected user behavior or if it indicates potential compromise of a user account.
 82- Investigate the network activity associated with the host to identify any unusual outbound connections that could correlate with the reverse shell attempt.
 83- Correlate the event with other security alerts or logs from the same host to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern.
 84- Review historical data for similar process executions on the host to determine if this is an isolated incident or part of a recurring pattern.
 85
 86### False positive analysis
 87
 88- Legitimate administrative scripts may use background processes with network socket activity for maintenance tasks. Review the script's purpose and source to determine if it is authorized.
 89- Automated monitoring tools might execute commands that match the rule's criteria. Identify these tools and consider excluding their specific process names or paths from the rule.
 90- Development environments often run test scripts that open network connections. Verify the development context and exclude known development-related processes to reduce noise.
 91- Backup or synchronization software may use similar techniques to transfer data. Confirm the software's legitimacy and add exceptions for its processes if necessary.
 92- System updates or package management tools might trigger alerts when installing or updating software. Monitor these activities and whitelist trusted update processes.
 93
 94### Response and remediation
 95
 96- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration.
 97- Terminate any suspicious background processes identified by the alert, specifically those involving 'setsid' or 'nohup' with '/dev/tcp' in their arguments.
 98- Conduct a thorough review of the affected system's process and network activity logs to identify any additional indicators of compromise or lateral movement.
 99- Reset credentials for any accounts that were active on the affected system to prevent unauthorized access using potentially compromised credentials.
100- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
101- Implement network segmentation to limit the ability of compromised systems to communicate with critical infrastructure or sensitive data repositories.
102- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
103
104
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107[[rule.threat.technique]]
108id = "T1059"
109name = "Command and Scripting Interpreter"
110reference = "https://attack.mitre.org/techniques/T1059/"
111[[rule.threat.technique.subtechnique]]
112id = "T1059.004"
113name = "Unix Shell"
114reference = "https://attack.mitre.org/techniques/T1059/004/"
115
116
117
118[rule.threat.tactic]
119id = "TA0002"
120name = "Execution"
121reference = "https://attack.mitre.org/tactics/TA0002/"
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124[[rule.threat.technique]]
125id = "T1071"
126name = "Application Layer Protocol"
127reference = "https://attack.mitre.org/techniques/T1071/"
128
129
130[rule.threat.tactic]
131id = "TA0011"
132name = "Command and Control"
133reference = "https://attack.mitre.org/tactics/TA0011/"