Connection to Internal Network via Telnet
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.
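# Elastic prebuilt detection rule: Connection to Internal Network via Telnet.
# Rendered line-number gutters have been stripped so the listing parses as TOML.
[metadata]
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet
network connections to non-publicly routable IP addresses.
"""
false_positives = [
    """
 Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions,
 so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent
 years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be
 suspicious.
 """,
]
# Query start relative to each execution (look-back window).
from = "now-9m"
# Event sources: Auditbeat and Elastic Defend endpoint event streams.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Internal Network via Telnet"
# The CIDR list in the query below mirrors the IANA special-purpose address registry linked here.
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
type = "eql"

# A telnet process start followed (same process.entity_id) by a network event whose destination is a
# private, loopback, link-local, reserved, or multicast range. The 192.0.0.0/29 and 192.0.0.x/32 entries
# are already covered by 192.0.0.0/24; they are kept for fidelity to the IANA registry and are harmless.
# NOTE(review): IPv6 unique-local addresses (fc00::/7) are not listed, so telnet to ULA destinations is
# not matched by this rule — confirm whether that is intended.
query = '''
sequence by process.entity_id
 [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
 [network where host.os.type == "linux" and process.name == "telnet" and
 cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
 "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
 "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
 "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
 "FE80::/10", "FF00::/8")]
'''

# MITRE ATT&CK mapping: Remote Services (T1021) under Lateral Movement (TA0008).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"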