Potential Execution via XZBackdoor

calendar Apr 2, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Credential Access Tactic: Persistence Tactic: Lateral Movement Data Source: Elastic Defend  ·
Share on: linkedin copy

It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/04/01"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/01"
 8
 9
10[rule]
11author = ["Elastic"]
12description = """
13It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly
14terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Execution via XZBackdoor"
21references =["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]
22risk_score = 73
23rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248"
24severity = "high"
25tags = [
26        "Domain: Endpoint",
27        "OS: Linux",
28        "Use Case: Threat Detection",
29        "Tactic: Credential Access",
30        "Tactic: Persistence",
31        "Tactic: Lateral Movement",
32        "Data Source: Elastic Defend"
33        ]
34timestamp_override = "event.ingested"
35type = "eql"
36query = '''
37sequence by host.id, user.id with maxspan=1s
38 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
39    process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
40 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and 
41  process.executable != "/usr/sbin/sshd"] by process.parent.pid, process.parent.entity_id
42 [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
43 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
44'''
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48
49[[rule.threat.technique]]
50id = "T1543"
51name = "Create or Modify System Process"
52reference = "https://attack.mitre.org/techniques/T1543/"
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61
62[[rule.threat.technique]]
63id = "T1556"
64name = "Modify Authentication Process"
65reference = "https://attack.mitre.org/techniques/T1556/"
66
67[rule.threat.tactic]
68id = "TA0006"
69name = "Credential Access"
70reference = "https://attack.mitre.org/tactics/TA0006/"
71
72[[rule.threat]]
73framework = "MITRE ATT&CK"
74
75[[rule.threat.technique]]
76id = "T1021"
77name = "Remote Services"
78reference = "https://attack.mitre.org/techniques/T1021/"
79
80[[rule.threat.technique.subtechnique]]
81id = "T1021.004"
82name = "SSH"
83reference = "https://attack.mitre.org/techniques/T1021/004/"
84
85[[rule.threat.technique]]
86id = "T1563"
87name = "Remote Service Session Hijacking"
88reference = "https://attack.mitre.org/techniques/T1563/"
89
90[[rule.threat.technique.subtechnique]]
91id = "T1563.001"
92name = "SSH Hijacking"
93reference = "https://attack.mitre.org/techniques/T1563/001/"
94
95[rule.threat.tactic]
96id = "TA0008"
97name = "Lateral Movement"
98reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top