Potential Execution via XZBackdoor

This rule identifies potentially malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after a successful execution, suggesting suspicious behavior similar to the XZ backdoor.

Elastic rule (TOML source):

[metadata]
creation_date = "2024/04/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/17"

[rule]
author = ["Elastic"]
description = """
It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly
terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.
"""
from = "now-9m"
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Execution via XZBackdoor"
references = [
    "https://github.com/amlweems/xzbot",
    "https://access.redhat.com/security/cve/CVE-2024-3094",
    "https://www.elastic.co/security-labs/500ms-to-midnight",
]
risk_score = 73
rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by host.id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0 and
   process.command_line == "/usr/sbin/sshd -D -R" and process.parent.command_line == "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"] by process.entity_id
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.parent.name == "sshd" and process.parent.command_line == "/usr/sbin/sshd -D -R" and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
   not process.executable in ("/usr/sbin/sshd", "/sbin/unix_chkpwd") and
   not (
     process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*",
                        "bash -c bash -s", "/usr/lib/ssh/sftp-server", "stat /etc/is_upgrade_install > /dev/null 2>&1",
                        "stat /opt/qradar/ha/.*", "/usr/bin/env -i PATH=*", "/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key*",
                        "test -e /*", "md5sum*", "check_mk_agent") or
     process.command_line like ("sh -c /usr/bin/env -i PATH=*", "sh -c -- /usr/bin/env -i PATH=*", "*/root/.ansible/tmp/ansible-tmp*")
   )] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Execution via XZBackdoor

The XZBackdoor leverages SSH, a secure protocol for remote access, to execute malicious commands stealthily. Adversaries exploit SSH by initiating sessions that mimic legitimate activity, then abruptly terminate them post-execution to evade detection. The detection rule identifies anomalies by tracking SSH processes that start and end unexpectedly, especially when non-standard executables are invoked, signaling potential backdoor activity.

### Possible investigation steps

- Review the SSH session logs on the affected host to identify any unusual or unauthorized access attempts, focusing on sessions that match the process.pid and process.entity_id from the alert.
- Examine the command history and executed commands for the user associated with the user.id in the alert to identify any suspicious or unexpected activities.
- Investigate the non-standard executables invoked by the SSH session by checking the process.executable field to determine if they are legitimate or potentially malicious.
- Analyze the network activity associated with the SSH session, particularly any disconnect_received events, to identify any unusual patterns or connections to suspicious IP addresses.
- Check the exit codes of the SSH processes, especially those with a non-zero process.exit_code, to understand the reason for the abrupt termination and whether it aligns with typical error codes or indicates malicious activity.

### False positive analysis

- Legitimate administrative SSH sessions may trigger the rule if they involve non-standard executables. To manage this, create exceptions for known administrative scripts or tools that are frequently used in your environment.
- Automated processes or scripts that use SSH for routine tasks might mimic the behavior of the XZBackdoor. Identify these processes and exclude them by specifying their executable paths or command-line patterns in the rule exceptions.
- Security tools or monitoring solutions that perform SSH-based checks could be mistaken for malicious activity. Review these tools and add their signatures to the exclusion list to prevent false alerts.
- Custom applications that use SSH for communication might be flagged. Document these applications and adjust the rule to recognize their specific execution patterns as non-threatening.
- Temporary network issues causing abrupt SSH session terminations could be misinterpreted as suspicious behavior. Monitor network stability and consider excluding known transient disconnections from triggering alerts.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious SSH sessions identified by the detection rule to stop ongoing malicious activity.
- Conduct a thorough review of the affected host's SSH configuration and logs to identify unauthorized changes or access patterns.
- Reset credentials for any user accounts involved in the suspicious SSH activity to prevent further unauthorized access.
- Restore the affected system from a known good backup if any unauthorized changes or malware are detected.
- Implement network segmentation to limit SSH access to critical systems and reduce the attack surface.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"

[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"

[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Execution via XZBackdoor

The XZBackdoor leverages SSH, a secure protocol for remote access, to execute malicious commands stealthily. Adversaries exploit SSH by initiating sessions that mimic legitimate activity, then abruptly terminate them post-execution to evade detection. The detection rule identifies anomalies by tracking SSH processes that start and end unexpectedly, especially when non-standard executables are invoked, signaling potential backdoor activity.

Possible investigation steps

  • Review the SSH session logs on the affected host to identify any unusual or unauthorized access attempts, focusing on sessions that match the process.pid and process.entity_id from the alert.
  • Examine the command history and executed commands for the user associated with the user.id in the alert to identify any suspicious or unexpected activities.
  • Investigate the non-standard executables invoked by the SSH session by checking the process.executable field to determine if they are legitimate or potentially malicious.
  • Analyze the network activity associated with the SSH session, particularly any disconnect_received events, to identify any unusual patterns or connections to suspicious IP addresses.
  • Check the exit codes of the SSH processes, especially those with a non-zero process.exit_code, to understand the reason for the abrupt termination and whether it aligns with typical error codes or indicates malicious activity.

False positive analysis

  • Legitimate administrative SSH sessions may trigger the rule if they involve non-standard executables. To manage this, create exceptions for known administrative scripts or tools that are frequently used in your environment.
  • Automated processes or scripts that use SSH for routine tasks might mimic the behavior of the XZBackdoor. Identify these processes and exclude them by specifying their executable paths or command-line patterns in the rule exceptions.
  • Security tools or monitoring solutions that perform SSH-based checks could be mistaken for malicious activity. Review these tools and add their signatures to the exclusion list to prevent false alerts.
  • Custom applications that use SSH for communication might be flagged. Document these applications and adjust the rule to recognize their specific execution patterns as non-threatening.
  • Temporary network issues causing abrupt SSH session terminations could be misinterpreted as suspicious behavior. Monitor network stability and consider excluding known transient disconnections from triggering alerts.

Response and remediation

  • Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.
  • Terminate any suspicious SSH sessions identified by the detection rule to stop ongoing malicious activity.
  • Conduct a thorough review of the affected host's SSH configuration and logs to identify unauthorized changes or access patterns.
  • Reset credentials for any user accounts involved in the suspicious SSH activity to prevent further unauthorized access.
  • Restore the affected system from a known good backup if any unauthorized changes or malware are detected.
  • Implement network segmentation to limit SSH access to critical systems and reduce the attack surface.
  • Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised.
