Potential Shell via Wildcard Injection Detected
This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/28"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/07/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection,
13with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security
14vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended
15operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Potential Shell via Wildcard Injection Detected"
22references = ["https://www.exploit-db.com/papers/33930"]
23risk_score = 47
24rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"]
27type = "eql"
28query = '''
29sequence by host.id with maxspan=1s
30 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
31 (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or
32 (process.name == "rsync" and process.args : "-e*") or
33 (process.name == "zip" and process.args == "--unzip-command") )] by process.entity_id
34 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
35 process.parent.name : ("tar", "rsync", "zip") and
36 process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id
37'''
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41
42[[rule.threat.technique]]
43id = "T1068"
44name = "Exploitation for Privilege Escalation"
45reference = "https://attack.mitre.org/techniques/T1068/"
46
47[rule.threat.tactic]
48id = "TA0004"
49name = "Privilege Escalation"
50reference = "https://attack.mitre.org/tactics/TA0004/"
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54
55[[rule.threat.technique]]
56id = "T1059"
57name = "Command and Scripting Interpreter"
58reference = "https://attack.mitre.org/techniques/T1059/"
59
60[rule.threat.tactic]
61id = "TA0002"
62name = "Execution"
63reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Cron Job Created or Changed by Previously Unknown Process
- Apple Scripting Execution with Administrator Privileges
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable