Connection to Internal Network via Telnet

Telnet provides a command-line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly-routable IP addresses.


# Packaging metadata for the detection-rules tooling; the detection logic itself
# lives under [rule].
[metadata]
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Minimum Elastic Stack version this rule is published for.
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet
network connections to non-publicly routable IP addresses.
"""
false_positives = [
    """
    Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions,
    so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent
    years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be
    suspicious.
    """,
]
# Start of the query window relative to each rule execution (9 minutes back).
from = "now-9m"
# Either Auditbeat or Elastic Defend (logs-endpoint.events.*) can supply the
# process and network events the sequence below joins.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Internal Network via Telnet"
# Source of the special-purpose IPv4 ranges matched by cidrmatch() in the query.
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
type = "eql"

# Sequence joined on process.entity_id: a Linux process named "telnet" starts,
# then the same process emits a network event whose destination.ip falls in one
# of the listed private, loopback, link-local, multicast, reserved or
# documentation ranges. Several entries overlap (192.0.0.0/24 already contains
# the 192.0.0.0/29 and 192.0.0.x/32 entries); cidrmatch() tolerates that, but
# keep it in mind when editing the list.
# NOTE(review): 0.0.0.0/8 and 255.255.255.255/32 from the referenced IANA
# registry are not in the list — confirm whether that omission is intentional.
query = '''
sequence by process.entity_id
  [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
  [network where host.os.type == "linux" and process.name == "telnet" and
    cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
                              "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
                              "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
                              "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
                              "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
                              "FE80::/10", "FF00::/8")]
'''


# ATT&CK mapping: Telnet to an internal host is treated as use of a remote
# service for lateral movement.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
