From 28bda94b846cbb4ae1a084e707db2b6df458a7ca Mon Sep 17 00:00:00 2001 From: Aegrah Date: Tue, 21 Feb 2023 16:38:43 +0100 Subject: [PATCH 01/22] tuned web shell logic, and converted to EQL --- ...ersistence_shell_activity_by_web_server.toml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 873ff4b3537..e13bdec8286 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/20" +updated_date = "2023/02/21" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Potential Shell via Web Server" note = """## Triage and analysis 
@@ -67,16 +67,19 @@ references = [ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 47 -rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" +rule_id = "0bb0296f-0e9f-44e5-b709-bd61e0577fd5" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and event.type:(start or process_started) and -process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and -process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data") +process where event.type == "start" and +process.args:("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") and +process.name : ("bash", "sh", "ash", "dash", "zsh", "rbash", "csh", "ksh", "tmux", "python*", "perl*", "php*") and +process.parent.name : ("apache", "apache2", "nginx", "httpd", "php*", "www", "www-data", "lighttpd", "caddy") and +not process.executable : "/var/lib/docker/*" and +not process.args : ("/var/www/MISP/*", "/data/www/hg/hgweb.cgi", "/usr/lib/mailman/scripts/driver") ''' From e994b62ecb838f73fa56d145e529169ebd2f5133 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Wed, 22 Feb 2023 09:48:05 +0100 Subject: [PATCH 02/22] Removed old, created new rule to bypass "type" bug --- ...> persistence_linux_shell_activity_by_web_server.toml} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename rules/linux/{persistence_shell_activity_by_web_server.toml => persistence_linux_shell_activity_by_web_server.toml} (96%) 
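Review bot: Swapping `rule_id` from `231876e7-4d1f-4d63-a47c-47dd1acdc1cb` to `0bb0296f-0e9f-44e5-b709-bd61e0577fd5` inside an existing rule file, together with `type = "eql"`, leaves installed copies of the old rule neither updated nor retired: the registry sees a brand-new rule and the old id silently stops being maintained. A query-language change on a live rule should go through the deprecation path the repository already has (a copy under `rules/_deprecated` carrying `maturity = "deprecated"` and a `deprecation_date`, plus a fresh file for the EQL rule) rather than an in-place id swap. As a style point, the new `process.args:(` clause omits the spaces used around `:` on the following lines; `process.args : (` would match the rest of the query.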
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_linux_shell_activity_by_web_server.toml similarity index 96% rename from rules/linux/persistence_shell_activity_by_web_server.toml rename to rules/linux/persistence_linux_shell_activity_by_web_server.toml index e13bdec8286..b3424552cf6 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_by_web_server.toml @@ -1,10 +1,10 @@ [metadata] -creation_date = "2020/02/18" +creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/21" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" -name = "Potential Shell via Web Server" +name = "Potential Remote Code Execution via Web Server" note = """## Triage and analysis ### Investigating Potential Shell via Web Server @@ -67,7 +67,7 @@ references = [ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 47 -rule_id = "0bb0296f-0e9f-44e5-b709-bd61e0577fd5" +rule_id = "b7b2c320-d4db-4f8e-8f92-83f9d0c3e6a4" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" From 4169e0a1882b5e1d871c7a134ecbd9f6b9f70730 Mon Sep 17 00:00:00 2001 
From: Aegrah Date: Sat, 4 Mar 2023 12:27:44 +0100 Subject: [PATCH 03/22] Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133. --- ...toml => persistence_shell_activity_by_web_server.toml} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename rules/linux/{persistence_linux_shell_activity_by_web_server.toml => persistence_shell_activity_by_web_server.toml} (96%) diff --git a/rules/linux/persistence_linux_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml similarity index 96% rename from rules/linux/persistence_linux_shell_activity_by_web_server.toml rename to rules/linux/persistence_shell_activity_by_web_server.toml index b3424552cf6..e13bdec8286 100644 --- a/rules/linux/persistence_linux_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -1,10 +1,10 @@ [metadata] -creation_date = "2023/02/22" +creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/02/21" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" -name = "Potential Remote Code Execution via Web Server" +name = "Potential Shell via Web Server" note = """## Triage and analysis ### Investigating Potential Shell via Web Server 
@@ -67,7 +67,7 @@ references = [ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 47 -rule_id = "b7b2c320-d4db-4f8e-8f92-83f9d0c3e6a4" +rule_id = "0bb0296f-0e9f-44e5-b709-bd61e0577fd5" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" From 94b28a80729968da1e503a74f24adb1708216233 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Sat, 4 Mar 2023 12:31:27 +0100 Subject: [PATCH 04/22] Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca. --- ...ersistence_shell_activity_by_web_server.toml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index e13bdec8286..873ff4b3537 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/21" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Potential Shell via Web Server" note = """## Triage and analysis 
@@ -67,19 +67,16 @@ references = [ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 47 -rule_id = "0bb0296f-0e9f-44e5-b709-bd61e0577fd5" +rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" -type = "eql" +type = "query" query = ''' -process where event.type == "start" and -process.args:("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") and -process.name : ("bash", "sh", "ash", "dash", "zsh", "rbash", "csh", "ksh", "tmux", "python*", "perl*", "php*") and -process.parent.name : ("apache", "apache2", "nginx", "httpd", "php*", "www", "www-data", "lighttpd", "caddy") and -not process.executable : "/var/lib/docker/*" and -not process.args : ("/var/www/MISP/*", "/data/www/hg/hgweb.cgi", "/usr/lib/mailman/scripts/driver") +event.category:process and event.type:(start or process_started) and +process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and +process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data") ''' From cefe391d3ee6b49e100c5b057df84ab39b85053d Mon Sep 17 00:00:00 2001 From: Aegrah Date: Sat, 4 Mar 2023 12:34:46 +0100 Subject: [PATCH 05/22] Deprecated old rule, added new --- ...sistence_shell_activity_by_web_server.toml | 101 ++++++++++++++++++ ...sistence_shell_activity_by_web_server.toml | 29 +++-- 2 files changed, 121 insertions(+), 9 deletions(-) create mode 100644 rules/_deprecated/persistence_shell_activity_by_web_server.toml diff --git a/rules/_deprecated/persistence_shell_activity_by_web_server.toml b/rules/_deprecated/persistence_shell_activity_by_web_server.toml new file mode 100644 index 00000000000..1c3aeac09cd --- /dev/null +++ b/rules/_deprecated/persistence_shell_activity_by_web_server.toml 
@@ -0,0 +1,101 @@ +[metadata] +creation_date = "2020/02/18" +deprecation_date = "2023/03/04" +integration = ["endpoint"] +maturity = "deprecated" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/03/04" + +[rule] +author = ["Elastic"] +description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access." +false_positives = [ + """ + Network monitoring or management products may have a web server component that runs shell commands as part of normal + behavior. + """, +] +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Shell via Web Server" +note = """## Triage and analysis + +### Investigating Potential Shell via Web Server + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command line interface on the system that hosts the web server. + +This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell. + +#### Possible investigation steps + +- Investigate abnormal behaviors observed by the subject process such as network connections, file modifications, and +any other spawned child processes. +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. 
+ - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+""" +references = [ + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", +] +risk_score = 47 +rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.category:process and event.type:(start or process_started) and +process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and +process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 873ff4b3537..84ac93c5c51 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -1,10 +1,10 @@ [metadata] -creation_date = "2020/02/18" +creation_date = "2023/03/04" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/20" +updated_date = "2023/03/04" [rule] author = ["Elastic"] 
@@ -17,9 +17,9 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" -name = "Potential Shell via Web Server" +name = "Potential Remote Code Execution via Web Server" note = """## Triage and analysis ### Investigating Potential Shell via Web Server @@ -67,16 +67,27 @@ references = [ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 47 -rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" +rule_id = "c895e1f6-376c-466c-b86a-9846da002919" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and event.type:(start or process_started) and -process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and -process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data") +process where event.type == "start" and +process.parent.executable : ( + "/usr/sbin/nginx", "/usr/local/sbin/nginx", + "/usr/sbin/apache", "/usr/local/sbin/apache", + "/usr/sbin/apache2", "/usr/local/sbin/apache2", + "/usr/sbin/php*", "/usr/local/sbin/php*", + "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd", + "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha", + "/usr/local/bin/caddy", + "/usr/local/lsws/bin/lswsctrl", + "*/bin/catalina.sh" +) and +process.name : ("*sh", "python*", "perl", "php*", "tmux") and +process.args:("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") ''' From 65647ac438ebed80bb54d1b7a35c5e95eebba5cf Mon Sep 17 00:00:00 2001 From: Aegrah Date: Sat, 4 Mar 2023 12:38:18 +0100 Subject: [PATCH 06/22] formatting fix --- rules/linux/persistence_shell_activity_by_web_server.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
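Review bot: The `"*/bin/catalina.sh"` entry in the `process.parent.executable` list is unlikely to ever match, because the executable field records the parent's binary image path; a Tomcat start script run by the shell would be recorded as the interpreter (e.g. `/bin/sh`) with the script path in `process.parent.args`, so the entry probably wants `process.parent.args : "*/bin/catalina.sh"` or the Java executable instead. This is inferred from ECS field semantics rather than from data visible in the diff, so it should be confirmed against a sample Endpoint event. The `process.name : "*sh"` pattern also covers `ssh`, which is acceptable for this rule but worth a line in `false_positives` if it turns out to be noisy.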
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 84ac93c5c51..7b01ccead4b 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -87,7 +87,7 @@ process.parent.executable : ( "*/bin/catalina.sh" ) and process.name : ("*sh", "python*", "perl", "php*", "tmux") and -process.args:("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") +process.args : ("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") ''' From 5fea265e2de218e4cf82e23259b6358d838f8e83 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Sat, 4 Mar 2023 12:45:29 +0100 Subject: [PATCH 07/22] removed endgame index --- rules/linux/persistence_shell_activity_by_web_server.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 7b01ccead4b..3e55732f7d2 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" From b7befb05cde500cafdbe4cecbce333663608e87c Mon Sep 17 00:00:00 2001 From: Aegrah Date: Sat, 4 Mar 2023 12:51:01 +0100 Subject: [PATCH 08/22] Fixed changes captured as edited, not created --- ...er.toml => persistence_shell_activity_through_web_server.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{persistence_shell_activity_by_web_server.toml => persistence_shell_activity_through_web_server.toml} (100%) 
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_through_web_server.toml similarity index 100% rename from rules/linux/persistence_shell_activity_by_web_server.toml rename to rules/linux/persistence_shell_activity_through_web_server.toml From 25acafd5237f3c1c5710ba698cff49a170f5e4cd Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 6 Mar 2023 21:36:10 +0100 Subject: [PATCH 09/22] Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- rules/linux/persistence_shell_activity_through_web_server.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/persistence_shell_activity_through_web_server.toml b/rules/linux/persistence_shell_activity_through_web_server.toml index 3e55732f7d2..cad23f309e6 100644 --- a/rules/linux/persistence_shell_activity_through_web_server.toml +++ b/rules/linux/persistence_shell_activity_through_web_server.toml @@ -22,7 +22,7 @@ license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" note = """## Triage and analysis -### Investigating Potential Shell via Web Server +### Investigating Potential Remote Code Execution via Web Server Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command line interface on the system that hosts the web server. From cda28f5c6880ed3444f8acb747b62762049a374d Mon Sep 17 00:00:00 2001 
From: Aegrah Date: Wed, 8 Mar 2023 11:35:32 +0100 Subject: [PATCH 10/22] fix conflict --- ...server.toml => persistence_shell_activity_via_web_server.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{persistence_shell_activity_through_web_server.toml => persistence_shell_activity_via_web_server.toml} (100%) diff --git a/rules/linux/persistence_shell_activity_through_web_server.toml b/rules/linux/persistence_shell_activity_via_web_server.toml similarity index 100% rename from rules/linux/persistence_shell_activity_through_web_server.toml rename to rules/linux/persistence_shell_activity_via_web_server.toml From 9dbb1a539f2757d90079024524c592aea5a5b81f Mon Sep 17 00:00:00 2001 From: Aegrah Date: Wed, 8 Mar 2023 11:37:10 +0100 Subject: [PATCH 11/22] added host.os.type==linux for unit testing --- rules/linux/persistence_shell_activity_via_web_server.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/persistence_shell_activity_via_web_server.toml b/rules/linux/persistence_shell_activity_via_web_server.toml index cad23f309e6..d692e6a4b5c 100644 --- a/rules/linux/persistence_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_shell_activity_via_web_server.toml @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where event.type == "start" and host.os.type == "linux" and process.parent.executable : ( "/usr/sbin/nginx", "/usr/local/sbin/nginx", "/usr/sbin/apache", "/usr/local/sbin/apache", From 7b382e4187e489e9133ceb05b8208b89513bfd62 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Fri, 10 Mar 2023 14:03:34 +0100 Subject: [PATCH 12/22] removed wildcards in process.args --- rules/linux/persistence_shell_activity_via_web_server.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/linux/persistence_shell_activity_via_web_server.toml b/rules/linux/persistence_shell_activity_via_web_server.toml index d692e6a4b5c..47823f06056 100644 --- a/rules/linux/persistence_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_shell_activity_via_web_server.toml @@ -87,7 +87,7 @@ process.parent.executable : ( "*/bin/catalina.sh" ) and process.name : ("*sh", "python*", "perl", "php*", "tmux") and -process.args : ("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") +process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") ''' From 56d1c8ee3a41dba429eb708e90d37e848f764fe5 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 20 Mar 2023 14:45:16 +0100 Subject: [PATCH 13/22] Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- rules/linux/persistence_shell_activity_via_web_server.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/persistence_shell_activity_via_web_server.toml b/rules/linux/persistence_shell_activity_via_web_server.toml index 47823f06056..70aa0b1ca23 100644 --- a/rules/linux/persistence_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_shell_activity_via_web_server.toml @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and host.os.type == "linux" and +process where host.os.type == "linux" and event.type == "start" and process.parent.executable : ( "/usr/sbin/nginx", "/usr/local/sbin/nginx", "/usr/sbin/apache", "/usr/local/sbin/apache", From 7f98a9532007ec2e144dd650212729830959be16 Mon Sep 17 00:00:00 2001 
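Review bot: Dropping the trailing wildcards turns `process.args` from a prefix match into an exact match on a single argv element, which narrows coverage for the most common spawn pattern this rule targets. When a web application runs a command through the shell the child is usually `sh -c "<command string>"`, so the whole string is one argv element: `"uname*"` matched `uname -a` inside that element, while `"uname"` only matches when the command is exactly one word. If the goal is fewer false positives from unrelated `*`-prefixed tokens, consider matching the command line instead, e.g. `process.command_line : ("*whoami*", "*uname*", "*hostname*")` for the multi-word cases, or record the accepted trade-off in the rule's `note`. The argv layout is inferred from typical `sh -c` invocation and should be confirmed against Endpoint data.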
From: Aegrah Date: Mon, 20 Mar 2023 16:16:43 +0100 Subject: [PATCH 14/22] fixed conflict by changing file name and changes --- ..._linux_shell_activity_via_web_server.toml} | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) rename rules/linux/{persistence_shell_activity_via_web_server.toml => persistence_linux_shell_activity_via_web_server.toml} (92%) diff --git a/rules/linux/persistence_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml similarity index 92% rename from rules/linux/persistence_shell_activity_via_web_server.toml rename to rules/linux/persistence_linux_shell_activity_via_web_server.toml index 70aa0b1ca23..951bdd65506 100644 --- a/rules/linux/persistence_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/04" +updated_date = "2023/03/20" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" @@ -66,10 +66,10 @@ references = [ "https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] -risk_score = 47 +risk_score = 73 rule_id = "c895e1f6-376c-466c-b86a-9846da002919" -severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +severity = "high" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
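Review bot: The `index` hunk removes `auditbeat-*` without the commit message ("fixed conflict by changing file name and changes") or the rule text giving a reason, so the next maintainer has no way to tell whether it was deliberate. If Auditbeat is being excluded because it does not populate the `host.os.type` or `process.parent.executable` fields the query now depends on, that reasoning belongs in the PR description (or the `min_stack_comments` line) rather than being implied. Removing the `Elastic Endgame` tag is consistent with `endgame-*` having already left `index` in patch 07, and `risk_score = 73` with `severity = "high"` is internally consistent.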
@@ -108,4 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1505/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" From 988ce429d9d3e9e03157c113e87abe714db36954 Mon Sep 17 00:00:00 2001 From: Aegrah Date: Mon, 20 Mar 2023 16:21:17 +0100 Subject: [PATCH 15/22] Trying to resolve the GH conflict --- ...server.toml => persistence_shell_activity_via_web_server.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{persistence_linux_shell_activity_via_web_server.toml => persistence_shell_activity_via_web_server.toml} (100%) diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_shell_activity_via_web_server.toml similarity index 100% rename from rules/linux/persistence_linux_shell_activity_via_web_server.toml rename to rules/linux/persistence_shell_activity_via_web_server.toml From 7e5f0384773f7fa546f20e577b2fedb48899ff8f Mon Sep 17 00:00:00 2001 From: Aegrah Date: Mon, 20 Mar 2023 16:22:27 +0100 Subject: [PATCH 16/22] attempt to fix GH conflict #2 --- ...ml => persistence_linux_shell_activity_via_web_server.toml} | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename rules/linux/{persistence_shell_activity_via_web_server.toml => persistence_linux_shell_activity_via_web_server.toml} (99%) diff --git a/rules/linux/persistence_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml similarity index 99% rename from rules/linux/persistence_shell_activity_via_web_server.toml rename to rules/linux/persistence_linux_shell_activity_via_web_server.toml index 951bdd65506..27794152974 100644 
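Review bot: The new `[[rule.threat]]` block is appended directly under `reference = "https://attack.mitre.org/tactics/TA0003/"` with no separating blank line, while the deprecated copy added earlier in this series separates its threat tables with blank lines; inserting one blank line before `[[rule.threat]]` keeps the two ATT&CK mappings visually distinct and matches the surrounding style. The mapping itself (T1190 under TA0001) agrees with the `Initial Access` tag added in the same commit. The enclosing `[rule]` table starts well outside the hunk.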
--- a/rules/linux/persistence_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -67,7 +67,7 @@ references = [ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 73 -rule_id = "c895e1f6-376c-466c-b86a-9846da002919" +rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb" severity = "high" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Investigation Guide"] timestamp_override = "event.ingested" @@ -120,4 +120,3 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - From 93e5d7dbca24abc7af579b5e580da282446b072e Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 20 Mar 2023 16:35:00 +0100 Subject: [PATCH 17/22] Update persistence_shell_activity_by_web_server.toml --- .../_deprecated/persistence_shell_activity_by_web_server.toml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/_deprecated/persistence_shell_activity_by_web_server.toml b/rules/_deprecated/persistence_shell_activity_by_web_server.toml index 068f628b91c..af68bad6a25 100644 --- a/rules/_deprecated/persistence_shell_activity_by_web_server.toml +++ b/rules/_deprecated/persistence_shell_activity_by_web_server.toml @@ -5,11 +5,7 @@ integration = ["endpoint"] maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -<<<<<<< HEAD:rules/_deprecated/persistence_shell_activity_by_web_server.toml updated_date = "2023/03/04" -======= -updated_date = "2023/02/22" ->>>>>>> f41c5288cc0ff45e6bc3d6707c053e853721cf50:rules/linux/persistence_shell_activity_by_web_server.toml [rule] author = ["Elastic"] From 27f91cf751e8d9325a8d8f6128c9e66d0eccaaa5 Mon Sep 17 00:00:00 2001 
From: Aegrah Date: Tue, 21 Mar 2023 16:48:21 +0100 Subject: [PATCH 18/22] Added endgame support --- ...ersistence_linux_shell_activity_via_web_server.toml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index 27794152974..b850c9639e8 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/20" +updated_date = "2023/03/21" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" @@ -69,13 +69,13 @@ references = [ risk_score = 73 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Investigation Guide"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and -process.parent.executable : ( +event.action in ("exec", "exec_event") and process.parent.executable : ( "/usr/sbin/nginx", "/usr/local/sbin/nginx", "/usr/sbin/apache", "/usr/local/sbin/apache", "/usr/sbin/apache2", "/usr/local/sbin/apache2", 
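Review bot: Re-adding `endgame-*` only pays off if Endgame documents populate `host.os.type` and `process.parent.executable`, both of which the query still requires; if either is missing for that source the added index never yields an alert, and I can't confirm the field coverage from the diff, so it should be checked against sample Endgame events before merge. The `event.action in ("exec", "exec_event")` filter is an exact, case-sensitive match, which is appropriate here. As a style point, `event.action in ("exec", "exec_event") and process.parent.executable : (` joins two clauses on one line while the rest of the list is one path per line; splitting it into `event.action in ("exec", "exec_event") and` and `process.parent.executable : (` keeps the query readable. The query continues into the next hunk.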
@@ -85,7 +85,7 @@ process.parent.executable : ( "/usr/local/bin/caddy", "/usr/local/lsws/bin/lswsctrl", "*/bin/catalina.sh" -) and +) and process.name : ("*sh", "python*", "perl", "php*", "tmux") and process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") ''' From 32d446dc37d57a2bf1d8f3860aef4633f9da78be Mon Sep 17 00:00:00 2001 From: Aegrah Date: Wed, 22 Mar 2023 13:19:55 +0100 Subject: [PATCH 19/22] Added OSQuery to investigation guide --- ...e_linux_shell_activity_via_web_server.toml | 40 +++++++++++++++++-- 1 file changed, 37 insertions(+), 3 deletions(-) diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index b850c9639e8..dc2dd843157 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,28 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/21" +updated_date = "2023/03/22" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info for Webapp User" +query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = webapp_uid" + +[[transform.osquery]] +label = "Osquery - Retrieve Crontab Information" +query = "SELECT * FROM crontab" [rule] author = ["Elastic"] 
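Review bot: `process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")` is an exact per-element match on argv, so the rule fires only when one of those words is a standalone argument of the shell or interpreter the web server spawned; a `-c` string carrying a command with options, or several commands, is a single argv element and is not matched. In the other direction, `"*sh"` in `process.name` matches every name ending in sh (ssh included), which widens the child side more than the argument list narrows it. Consider stating the argv-token requirement in `false_positives` or the note so analysts know what the rule does and does not fire on, or using prefix patterns such as `"whoami*"` if the extra noise is acceptable. The query this hunk sits in starts outside the hunk.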
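Review bot: `query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = webapp_uid"` is not runnable as written, since `webapp_uid` is a placeholder the analyst must replace with the numeric uid of the account the web server runs as (www-data, for example), and an unresolved identifier makes osquery reject the statement; neither the label nor the guide says so. Suggest making the placeholder explicit, `label = "Osquery - Retrieve Process Info for Webapp User (replace webapp_uid with the web service account's uid)"`, or a comment above that entry. The other four queries are self-contained. The bare `[transform]` header adds nothing over `[[transform.osquery]]` alone unless the repository's schema requires it.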
@@ -28,10 +49,19 @@ Adversaries may backdoor web servers with web shells to establish persistent acc
 
 This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.
 
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 
-- Investigate abnormal behaviors observed by the subject process such as network connections, file modifications, and
-any other spawned child processes.
+- Investigate abnormal behaviors observed by the subject process such as network connections, file modifications, and any other spawned child processes.
+ - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.
+ - $osquery_0
+ - $osquery_1
+ - Investigate process info to look for malicious or uncommon processes / process trees.
+ - $osquery_2
+ - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.
+ - $osquery_3
 - Examine the command line to determine which commands or scripts were executed.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
@@ -42,6 +72,7 @@ any other spawned child processes.
 - Check the reputation of the domain or IP address.
 - File access, modification, and creation activities.
 - Cron jobs, services and other persistence mechanisms.
+ - $osquery_4
 
 ### False positive analysis
 
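Review bot: The added guide line `- Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.` overstates the baseline: the service account routinely owns worker, CGI and PHP handler children, so read literally the `$osquery_3` result would flag normal operation. Suggest `A user that is running a web application should not normally spawn shells, interpreters or network tools; review any such child processes.` The `$osquery_3` query also depends on a uid placeholder defined in the transform section outside this hunk, and the guide should tell the analyst to fill it in before running it.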
@@ -61,6 +92,9 @@ any other spawned child processes.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://pentestlab.blog/tag/web-shell/",
From a73af53a823948c2fb24fdfcede888f3e56346d7 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 19 Apr 2023 22:22:15 +0200
Subject: [PATCH 20/22] Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 .../linux/persistence_linux_shell_activity_via_web_server.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index dc2dd843157..e1d452b431d 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -45,7 +45,7 @@ note = """## Triage and analysis
 
 ### Investigating Potential Remote Code Execution via Web Server
 
-Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command line interface on the system that hosts the web server.
+Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.
 
 This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.
 
From 8a04ab7153cbc01957b1c8003866e1c43926fbf9 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 19 Apr 2023 22:22:33 +0200
Subject: [PATCH 21/22] Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 .../linux/persistence_linux_shell_activity_via_web_server.toml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index e1d452b431d..535045dfe67 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -92,9 +92,6 @@ This rule detects a web server process spawning script and command line interfac
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://pentestlab.blog/tag/web-shell/",
From 0d5fe179d567cac97f97bb3733416bde7f9f7727 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Wed, 3 May 2023 09:24:24 +0200
Subject: [PATCH 22/22] removed investigation guide to add in future PR
---
 ...e_linux_shell_activity_via_web_server.toml | 77 +------------------
 1 file changed, 2 insertions(+), 75 deletions(-)
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index 535045dfe67..5a9b2aae1b3 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -4,28 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/22"
-
-[transform]
-[[transform.osquery]]
-label = "Osquery - Retrieve Listening Ports"
-query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports"
-
-[[transform.osquery]]
-label = "Osquery - Retrieve Open Sockets"
-query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"
-
-[[transform.osquery]]
-label = "Osquery - Retrieve Process Info"
-query = "SELECT name, cmdline, parent, path, uid FROM processes"
-
-[[transform.osquery]]
-label = "Osquery - Retrieve Process Info for Webapp User"
-query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = webapp_uid"
-
-[[transform.osquery]]
-label = "Osquery - Retrieve Crontab Information"
-query = "SELECT * FROM crontab"
+updated_date = "2023/04/03"
 
 [rule]
 author = ["Elastic"]
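Review bot: `+updated_date = "2023/04/03"` does not agree with this commit's own date (Wed, 3 May 2023 in the patch header) and is earlier than the April 19 commits that came before it, so it reads as a month/day slip; `updated_date = "2023/05/03"` appears to be the intended value. Worth confirming before merge, since the field is the only change besides the deletions in this hunk.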
@@ -41,58 +20,6 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Code Execution via Web Server"
-note = """## Triage and analysis
-
-### Investigating Potential Remote Code Execution via Web Server
-
-Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.
-
-This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.
-
-> **Note**:
-> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
-
-#### Possible investigation steps
-
-- Investigate abnormal behaviors observed by the subject process such as network connections, file modifications, and any other spawned child processes.
- - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.
- - $osquery_0
- - $osquery_1
- - Investigate process info to look for malicious or uncommon processes / process trees.
- - $osquery_2
- - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.
- - $osquery_3
-- Examine the command line to determine which commands or scripts were executed.
-- Investigate other alerts associated with the user/host during the past 48 hours.
-- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- - Use a private sandboxed malware analysis system to perform analysis.
- - Observe and collect information about the following activities:
- - Attempts to contact external domains and addresses.
- - Check if the domain is newly registered or unexpected.
- - Check the reputation of the domain or IP address.
- - File access, modification, and creation activities.
- - Cron jobs, services and other persistence mechanisms.
- - $osquery_4
-
-### False positive analysis
-
-- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
-
-### Response and remediation
-
-- Initiate the incident response process based on the outcome of the triage.
-- Isolate the involved host to prevent further post-compromise behavior.
-- If the triage identified malware, search the environment for additional compromised hosts.
- - Implement temporary network rules, procedures, and segmentation to contain the malware.
- - Stop suspicious processes.
- - Immediately block the identified indicators of compromise (IoCs).
- - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
-- Remove and block malicious artifacts identified during triage.
-- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
-- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
-- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-"""
 references = [
 "https://pentestlab.blog/tag/web-shell/",
 "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
@@ -100,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame", "Investigation Guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"