
[Rule Tuning] Potential Shell via Web Server #2585

Merged
merged 29 commits into from
May 5, 2023
Changes from 3 commits
Commits
29 commits
28bda94
tuned web shell logic, and converted to EQL
Aegrah Feb 21, 2023
e994b62
Removed old, created new rule to bypass "type" bug
Aegrah Feb 22, 2023
851931c
Merge branch 'main' into rule-tuning-web-shells
Aegrah Feb 22, 2023
4169e0a
Revert "Removed old, created new rule to bypass "type" bug"
Aegrah Mar 4, 2023
94b28a8
Revert "tuned web shell logic, and converted to EQL"
Aegrah Mar 4, 2023
cefe391
Deprecated old rule, added new
Aegrah Mar 4, 2023
65647ac
formatting fix
Aegrah Mar 4, 2023
22809da
Merge branch 'main' into rule-tuning-web-shells
Aegrah Mar 4, 2023
5fea265
removed endgame index
Aegrah Mar 4, 2023
34691a3
Merge branch 'rule-tuning-web-shells' of https://github.com/elastic/d…
Aegrah Mar 4, 2023
b7befb0
Fixed changes captured as edited, not created
Aegrah Mar 4, 2023
25acafd
Update rules/linux/persistence_shell_activity_through_web_server.toml
Aegrah Mar 6, 2023
cda28f5
fix conflict
Aegrah Mar 8, 2023
9dbb1a5
added host.os.type==linux for unit testing
Aegrah Mar 8, 2023
7b382e4
removed wildcards in process.args
Aegrah Mar 10, 2023
56d1c8e
Update rules/linux/persistence_shell_activity_via_web_server.toml
Aegrah Mar 20, 2023
7f98a95
fixed conflict by changing file name and changes
Aegrah Mar 20, 2023
988ce42
Trying to resolve the GH conflict
Aegrah Mar 20, 2023
7e5f038
attempt to fix GH conflict #2
Aegrah Mar 20, 2023
1e97c8c
attempt to fix GH conflict nr 3
Aegrah Mar 20, 2023
93e5d7d
Update persistence_shell_activity_by_web_server.toml
Aegrah Mar 20, 2023
27f91cf
Added endgame support
Aegrah Mar 21, 2023
f03c5b7
Merge branch 'main' into rule-tuning-web-shells
Aegrah Mar 21, 2023
32d446d
Added OSQuery to investigation guide
Aegrah Mar 22, 2023
226eaa6
Merge branch 'main' into rule-tuning-web-shells
Aegrah Apr 2, 2023
a73af53
Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Aegrah Apr 19, 2023
8a04ab7
Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Aegrah Apr 19, 2023
0d5fe17
removed investigation guide to add in future PR
Aegrah May 3, 2023
1560ef4
Merge branch 'main' into rule-tuning-web-shells
Aegrah May 5, 2023
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
creation_date = "2023/02/22"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
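Review bot: resetting creation_date from 2020/02/18 to 2023/02/22 on an existing production rule file (this diff also assigns it a fresh rule_id further down) rewrites the history of the deployed rule instead of replacing it. A rule whose language, logic and id all change should be handled as a deprecation of the old file plus a new rule file, which is the route the later commits in this PR take ("Deprecated old rule, added new"); as an in-place edit this hunk should not land. Note also that min_stack_comments and min_stack_version are left untouched even though the query is converted to EQL, so they should be re-checked against the new rule's field requirements when the new file is created.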
Expand All @@ -17,9 +17,9 @@ false_positives = [
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
language = "eql"
Aegrah marked this conversation as resolved.
license = "Elastic License v2"
name = "Potential Shell via Web Server"
name = "Potential Remote Code Execution via Web Server"
note = """## Triage and analysis

### Investigating Potential Shell via Web Server
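Review bot: the rule name is changed to "Potential Remote Code Execution via Web Server" but the investigation guide heading two lines below still reads "### Investigating Potential Shell via Web Server", and the PR title keeps the old name as well; the guide heading has to match the rule name, so either revert the rename or update the note heading (and the PR title) in the same hunk. The index list also keeps "endgame-*" alongside the switch to language = "eql", which is only correct if the rewritten query still matches the event.type value Endgame emits; that needs to be verified against the query hunk rather than assumed.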
Expand Down Expand Up @@ -67,16 +67,19 @@ references = [
"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
]
risk_score = 47
rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
rule_id = "b7b2c320-d4db-4f8e-8f92-83f9d0c3e6a4"
Aegrah marked this conversation as resolved.
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"

query = '''
event.category:process and event.type:(start or process_started) and
process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and
process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")
process where event.type == "start" and
process.args:("whoami*", "id", "uname*", "cat*", "hostname*", "ip*", "curl*", "wget*", "pwd") and
Aegrah marked this conversation as resolved.
process.name : ("bash", "sh", "ash", "dash", "zsh", "rbash", "csh", "ksh", "tmux", "python*", "perl*", "php*") and
Aegrah marked this conversation as resolved.
process.parent.name : ("apache", "apache2", "nginx", "httpd", "php*", "www", "www-data", "lighttpd", "caddy") and
Aegrah marked this conversation as resolved.
not process.executable : "/var/lib/docker/*" and
not process.args : ("/var/www/MISP/*", "/data/www/hg/hgweb.cgi", "/usr/lib/mailman/scripts/driver")
'''
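Review bot: the EQL rewrite narrows the event filter to event.type == "start" and drops the process_started value the KQL version matched (event.type:(start or process_started)); process_started is the value Endgame data carries, so with "endgame-*" still in the index pattern and "Elastic Endgame" still in the tags, Endgame hosts silently stop matching. Either add it back (event.type in ("start", "process_started")) or remove the index entry and tag together with it. Three further points in this hunk: the process.args list mixes prefix wildcards with exact values ("cat*", "ip*", "curl*" next to "id", "pwd"), so it fires on any argument that merely begins with those letters (for example "iptables"), not only the reconnaissance commands it is meant to catch; use exact values, or match the full command string where the shell is invoked with -c. The new exclusion not process.executable : "/var/lib/docker/*" drops every containerised web server, which is a common deployment target and exactly where a web shell would run, so it is too broad for a false-positive tune. And assigning rule_id "b7b2c320-d4db-4f8e-8f92-83f9d0c3e6a4" to the existing file severs the link to the deployed rule "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"; a new id belongs in a new file with the old one deprecated.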

