Potential Execution via XZBackdoor
This rule identifies potentially malicious shell executions spawned by a remote SSH session and detects cases where the per-connection sshd process terminates abnormally immediately afterwards — behavior consistent with the XZ Utils backdoor (CVE-2024-3094).
[metadata]
# Dates are kept as "YYYY/MM/DD" strings rather than TOML datetimes.
creation_date = "2024/04/01"
# The rule depends on the Elastic Defend ("endpoint") integration: the query below
# reads logs-endpoint.events.*, so hosts without Elastic Defend produce no matches.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/10/17"

[rule]
author = ["Elastic"]
description = """
It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly
terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.
"""
# Look-back window for each scheduled run (see timestamp_override below).
from = "now-9m"
# Only Elastic Defend endpoint telemetry is queried.
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Execution via XZBackdoor"
# xzbot is a reproduction/honeypot of the backdoor's trigger; the Security Labs post
# describes the detection approach this sequence is modelled on.
references = [
 "https://github.com/amlweems/xzbot",
 "https://access.redhat.com/security/cve/CVE-2024-3094",
 "https://www.elastic.co/security-labs/500ms-to-midnight",
]
risk_score = 73
rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248"
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Tactic: Persistence",
 "Tactic: Lateral Movement",
 "Data Source: Elastic Defend",
]
# Evaluate the look-back window against ingestion time rather than the event's own
# timestamp, so endpoint events that arrive late are still considered.
timestamp_override = "event.ingested"
type = "eql"

# Four-stage EQL sequence. All stages are keyed on the same host.id and user.id and
# must occur within one second of each other:
#   1. A per-connection sshd process is exec'd with both "-D" and "-R" in its argument
#      list (EQL equality on an array field is true if ANY element matches, so this is
#      "args contains -D and args contains -R").
#   2. That same sshd (joined via process.parent.pid / process.parent.entity_id) execs
#      a child whose executable/arguments are not on the benign allow-list
#      (sshd re-exec, unix_chkpwd, google_authorized_keys, fipscheck, rsync, systemctl,
#      aad_certhandler, and the "sh -c /usr/bin/env -i PATH=..." helper).
#   3. The same sshd ends with a non-zero exit code.
#   4. The same sshd records a disconnect_received network event.
#
# NOTE(review): the stage-2 allow-list is partly prefix-based (process.args like
# "rsync*" / "systemctl*"), and `like` on an array field is satisfied by ANY argument.
# A payload that carries an argument beginning with one of those prefixes would be
# suppressed; where the false positive is attributable to a fixed binary, prefer
# matching on process.executable instead of process.args.
# NOTE(review): every stage filters on process.name == "sshd" (stage 2 on
# process.parent.name == "sshd"). OpenSSH builds that run the per-connection process
# under a different binary name (e.g. sshd-session, introduced in OpenSSH 9.8) would
# not satisfy stages 1, 3 and 4 — confirm against the OpenSSH version deployed on
# monitored hosts and extend the name checks if needed.
# NOTE(review): maxspan=1s and process.exit_code != 0 are tuned to the reference
# xzbot behaviour (command executed during the handshake, then sshd aborts). A payload
# that is slower, or that lets sshd exit cleanly, falls outside this sequence.
query = '''
sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
 process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and
 process.executable != null and not (
 process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") or
 process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
 process.command_line like "sh -c /usr/bin/env -i PATH=*"
 )] by process.parent.pid, process.parent.entity_id
 [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
'''

# ATT&CK mapping 1 of 3 — matches the "Tactic: Persistence" tag on the rule.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# ATT&CK mapping 2 of 3 — matches the "Tactic: Credential Access" tag on the rule.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# ATT&CK mapping 3 of 3 — matches the "Tactic: Lateral Movement" tag on the rule.
# Each [[rule.threat.technique.subtechnique]] entry attaches to the
# [[rule.threat.technique]] immediately above it, so ordering here is significant.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"

[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"

[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
Related rules
- SSH Key Generated via ssh-keygen
- Creation or Modification of Pluggable Authentication Module or Configuration
- Potential OpenSSH Backdoor Logging Activity
- Modification of Standard Authentication Module or Configuration
- SSH Authorized Keys File Modification