# Panther rule spec for Teleport audit logs. The matching logic lives in the
# Python file named by `Filename`; this document carries the rule metadata,
# analyst guidance and the unit-test fixtures that logic is checked against.
AnalysisType: rule
Filename: teleport_network_scanning.py
RuleID: "Teleport.NetworkScanning"
DisplayName: "Teleport Network Scan Initiated"
Enabled: true

# Only Teleport audit events are evaluated.
LogTypes:
  - Gravitational.TeleportAudit

Tags:
  - SSH
  - Discovery:Network Service Discovery

Severity: Medium
Description: A user has invoked a network scan that could potentially indicate enumeration of the network.

# Matching events within a 60 minute window are grouped into one alert rather
# than alerting once per process or connection the scanner produces.
DedupPeriodMinutes: 60

Reports:
  MITRE ATT&CK:
    - TA0007:T1046

Reference: https://goteleport.com/docs/management/admin/

# Folded scalar: the lines below are joined with spaces into one paragraph.
Runbook: >
  Find related commands within the time window and determine if the command
  was invoked legitimately. Examine the arguments to determine how the command
  was used.

# Fields surfaced in the alert summary so an analyst can see who ran what,
# where, and in which session without opening the raw event.
SummaryAttributes:
  - event
  - code
  - user
  - program
  - path
  - return_code
  - login
  - server_id
  - sid

# Fixtures the Panther analysis tool feeds to the rule's Python logic.
# Per these fixtures: an unrelated command does not alert, `nmap` with no
# arguments does not alert, `nmap` with arguments does, and an `nmap`
# session.network event does.
Tests:
  - Name: Echo command
    ExpectedResult: false
    Log:
      argv: []
      cgroup_id: 4294967537
      code: "T4000I"
      ei: 15
      event: "session.command"
      login: "root"
      namespace: "default"
      path: "/bin/echo"
      pid: 7143
      ppid: 7115
      program: "echo"
      return_code: 0
      server_id: "e75992b4-9e27-456f-b1c9-7a32da83c661"
      sid: "8a3fc038-785b-43f3-8737-827b3e25fe5b"
      # Quoted so the loader keeps the timestamp as a string, not a datetime.
      time: "2020-08-17T17:40:37.491Z"
      uid: "8eaf8f39-09d4-4a42-a22a-65163d2af702"
      user: "panther"

  - Name: Nmap with no args
    ExpectedResult: false
    Log:
      argv: []
      cgroup_id: 4294967672
      code: "T4000I"
      ei: 16
      event: "session.command"
      login: "root"
      namespace: "default"
      path: "/bin/nmap"
      pid: 13555
      ppid: 13525
      program: "nmap"
      return_code: 0
      server_id: "e75992b4-9e27-456f-b1c9-7a32da83c661"
      sid: "a3562a0e-e57f-4273-9f69-eedb6cd029cb"
      time: "2020-08-17T21:13:47.117Z"
      uid: "c7f6367b-04bb-4b1d-9a3a-0497e8f4a650"
      user: "panther"

  - Name: Nmap with args
    ExpectedResult: true
    Log:
      # Arguments are quoted so numeric-looking entries stay strings.
      argv:
        - "-v"
        - "-iR"
        - "100000"
        - "-Pn"
        - "-p"
        - "80"
      cgroup_id: 4294967672
      code: "T4000I"
      ei: 16
      event: "session.command"
      login: "root"
      namespace: "default"
      path: "/bin/nmap"
      pid: 13555
      ppid: 13525
      program: "nmap"
      return_code: 0
      server_id: "e75992b4-9e27-456f-b1c9-7a32da83c661"
      sid: "a3562a0e-e57f-4273-9f69-eedb6cd029cb"
      time: "2020-08-17T21:13:47.117Z"
      uid: "c7f6367b-04bb-4b1d-9a3a-0497e8f4a650"
      user: "panther"

  - Name: Nmap running from crontab
    ExpectedResult: true
    Log:
      # A session.network (T4002I) event rather than a session.command event:
      # it carries connection endpoints and no argv/path fields.
      cgroup_id: 4294967792
      code: "T4002I"
      dst_addr: "67.205.137.100"
      dst_port: 1723
      ei: 32
      event: "session.network"
      login: "root"
      namespace: "default"
      pid: 15412
      program: "nmap"
      server_id: "e75992b4-9e27-456f-b1c9-7a32da83c661"
      sid: "a3562a0e-e57f-4273-9f69-eedb6cd029cb"
      src_addr: "172.31.9.159"
      time: "2020-08-18T17:37:35.883Z"
      uid: "3e067d21-a5fb-47a3-af09-e6b9da39753c"
      user: "panther"
      version: 4