-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Rule Tuning] Potential Shell via Web Server #2585
Conversation
Will change this to draft untill issue #1730 is resolved. |
rules/linux/persistence_linux_shell_activity_by_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_by_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_by_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_by_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_by_web_server.toml
Outdated
Show resolved
Hide resolved
@shashank-elastic I reverted my commits, and deprecated the old rule, created the new one with type eql. @brokensound77 I applied your formatting fix and your suggestion to add process.parent.executables instead of names. This will indeed minimize false positives, thanks for the good suggestion. @imays11 I added the "*sh" to process.name to catch all shells ending with "sh", is a useful wildcard query to make the query easier to read and more effective at the same time, so your suggestion is also included in the new rule. @DefSecSentinel I looked into the Kraken web shell, but the only info we can currently capture (as far as I could find) are TCP connection events initiated by the host that is exploiting the web server, thus with our current capabilities it is difficult to detect. Will require further investigation to see how we can improve on this. Currently setting up an IIS environment to see whether we can capture more data in Windows environments (this PR however is focused on Linux). @everyone thanks for the help. |
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This PR is using the new OSQuery investigation guide layout. Will have to wait until #2602 is merged before unit testing will no longer fail. In the meanwhile - investigation guide feedback is always welcome. |
rules/linux/persistence_linux_shell_activity_via_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_via_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_via_web_server.toml
Outdated
Show resolved
Hide resolved
rules/linux/persistence_linux_shell_activity_via_web_server.toml
Outdated
Show resolved
Hide resolved
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 09719dd)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 09719dd)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 09719dd)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 09719dd)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 09719dd)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 09719dd)
Summary
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
The previous rule was written in KQL, and missed several web shells initiated by process.name such as "sh". Converted to rule to EQL and added several extra processes to detect.
Detection Logic