Unix Socket Connection

  1[metadata]
  2creation_date = "2023/09/04"
  3integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local
 11Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate
 12privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to
 13evade detection.
 14"""
 15from = "now-9m"
 16index = [
 17    "auditbeat-*",
 18    "endgame-*",
 19    "logs-auditd_manager.auditd-*",
 20    "logs-crowdstrike.fdr*",
 21    "logs-endpoint.events.process*",
 22    "logs-sentinel_one_cloud_funnel.*",
 23]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Unix Socket Connection"
 27note = """## Triage and analysis
 28
 29> **Disclaimer**:
 30> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 31
 32### Investigating Unix Socket Connection
 33
 34Unix sockets facilitate efficient inter-process communication (IPC) on the same host, crucial for system operations. However, adversaries can exploit them to probe applications, identify weaknesses, or establish covert channels. The detection rule identifies suspicious use of tools like netcat and socat with specific arguments, signaling potential misuse of Unix sockets for unauthorized communication or privilege escalation attempts.
 35
 36### Possible investigation steps
 37
 38- Review the process details to confirm the execution of netcat or socat with the specified arguments, focusing on the process name and arguments fields to verify the suspicious activity.
 39- Investigate the source and destination of the Unix socket connection by examining the process.args field to determine if the connection is legitimate or potentially malicious.
 40- Check the user context under which the process was executed to assess if there is any indication of privilege escalation attempts.
 41- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities that might indicate a broader attack.
 42- Examine the process lineage to understand the parent process and any child processes spawned, which might provide insights into how the suspicious process was initiated.
 43- Verify if the process is part of any known legitimate application or service by cross-referencing with system documentation or application inventories.
 44
 45### False positive analysis
 46
 47- Legitimate administrative tasks using netcat or socat for system maintenance or monitoring can trigger alerts. To manage this, identify and whitelist specific scripts or commands used regularly by system administrators.
 48- Automated backup or monitoring tools that use Unix sockets for communication may be flagged. Review these tools and add them to an exception list if they are verified as safe and necessary for operations.
 49- Certain applications may use Unix sockets for legitimate inter-process communication, such as database services or web servers. Monitor these applications and exclude their typical behavior from the rule to prevent unnecessary alerts.
 50- Development environments where developers frequently use netcat or socat for testing purposes can generate false positives. Establish a policy to differentiate between development and production environments and apply exceptions accordingly.
 51- System services like libvirt, which are known to use Unix sockets, should be excluded from the rule as indicated by the exception for /var/run/libvirt/libvirt-sock. Regularly update this list to include other known benign services.
 52
 53### Response and remediation
 54
 55- Immediately isolate the affected host from the network to prevent potential lateral movement or data exfiltration.
 56- Terminate any suspicious processes identified by the detection rule, specifically those involving netcat or socat with the flagged arguments.
 57- Conduct a thorough review of the affected system's logs to identify any unauthorized access or data manipulation that may have occurred.
 58- Reset credentials and review permissions for any accounts that may have been compromised or used in the attack.
 59- Apply patches or configuration changes to address any vulnerabilities or misconfigurations identified during the investigation.
 60- Monitor the affected system and network for any signs of recurring suspicious activity, focusing on Unix socket connections.
 61- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected."""
 62risk_score = 21
 63rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2"
 64severity = "low"
 65tags = [
 66    "Domain: Endpoint",
 67    "OS: Linux",
 68    "Use Case: Threat Detection",
 69    "Tactic: Execution",
 70    "Data Source: Elastic Defend",
 71    "Data Source: Elastic Endgame",
 72    "Data Source: Auditd Manager",
 73    "Data Source: Crowdstrike",
 74    "Data Source: SentinelOne",
 75    "Resources: Investigation Guide",
 76]
 77timestamp_override = "event.ingested"
 78type = "eql"
 79
 80query = '''
 81process where host.os.type == "linux" and event.type == "start" and
 82 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 83 (
 84  (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and
 85   process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or
 86  (process.name == "socat" and
 87   process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*")) or
 88  (process.name == "curl" and process.args : ("--unix-socket", "--abstract-unix-socket"))
 89) and
 90not (
 91  process.args == "/var/run/libvirt/libvirt-sock" or
 92  process.parent.name in ("bundle", "ruby", "haproxystatus.sh")
 93)
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1559"
101name = "Inter-Process Communication"
102reference = "https://attack.mitre.org/techniques/T1559/"
103
104
105[rule.threat.tactic]
106id = "TA0002"
107name = "Execution"
108reference = "https://attack.mitre.org/tactics/TA0002/"