Potential Execution via XZBackdoor

This rule identifies potentially malicious shell executions through remote SSH and detects cases where the sshd service terminates abruptly soon after a successful execution, behavior resembling the XZ backdoor.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule (EQL sequence) for the Linux endpoint
# integration. [metadata] is repository bookkeeping, [rule] is the content
# Kibana loads, and each [[rule.threat]] element maps the rule to MITRE ATT&CK.
[metadata]
creation_date = "2024/04/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly
terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.
"""
# Start of the search window relative to each run; the 9 minute lookback is
# wider than the run interval so late-arriving events are not missed.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Execution via XZBackdoor"
references = [
    "https://github.com/amlweems/xzbot",
    "https://access.redhat.com/security/cve/CVE-2024-3094",
    "https://www.elastic.co/security-labs/500ms-to-midnight",
]
# 73 is the fixed risk_score Elastic pairs with severity = "high"; keep the
# two in sync if either is changed.
risk_score = 73
rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
]
# Evaluate against ingest time rather than @timestamp so the `from` window
# matches when the endpoint data actually reached the cluster.
timestamp_override = "event.ingested"
type = "eql"

# Four-step EQL sequence, joined per host.id and user.id, that must complete
# within maxspan=1s:
#   1. an sshd process starts with args -D and -R (the listener's
#      per-connection re-exec -- confirm against the deployed OpenSSH build),
#      keyed by its own pid/entity_id;
#   2. that sshd spawns a child whose executable is not one of the listed
#      expected helpers and whose command line is not the update-motd
#      run-parts invocation, keyed by process.parent.pid/entity_id so it
#      joins to step 1;
#   3. the same sshd ends with a non-zero exit code;
#   4. the same sshd reports a received disconnect on the network stream.
# The query is a TOML literal string: only EQL belongs between the quotes, so
# any commentary has to live out here. Trailing whitespace inside the string
# is harmless to EQL but is preserved verbatim.
query = '''
sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
    process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and 
  process.executable != null and 
  not process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") and 
  process.command_line != "sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"] by process.parent.pid, process.parent.entity_id
 [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
'''


# One [[rule.threat]] element per ATT&CK tactic. In TOML the [rule.threat.tactic]
# header that follows an element's techniques still attaches to the most recent
# [[rule.threat]], and [[rule.threat.technique.subtechnique]] attaches to the most
# recent [[rule.threat.technique]], so the pairing is: Persistence/T1543,
# Credential Access/T1556, Lateral Movement/T1021.004 and T1563.001. These
# tactics match the "Tactic:" tags above.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"


[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules
