/
linux_proxy_socks_curl.yml
95 lines (95 loc) · 3.97 KB
/
linux_proxy_socks_curl.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: Linux Proxy Socks Curl
id: bd596c22-ad1e-44fc-b242-817253ce8b08
version: 1
date: '2022-07-29'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic identifies curl being utilized with a proxy based
on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is
built into the MetaSploit Framework as a auxiliary module. What does socks buy an
adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination
domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928.
It is an incompatible extension of the SOCKS4 protocol; it offers more choices for
authentication and adds support for IPv6 and UDP, the latter of which can be used
for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade
controls in place monitoring traffic, making it harder for the defender to identify
and track activity.
data_source:
- Sysmon for Linux EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl
Processes.process IN ("*-x *", "*socks4a://*", "*socks5h://*", "*socks4://*","*socks5://*",
"*--preproxy *", "--proxy*") by Processes.dest Processes.user Processes.parent_process_name
Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `linux_proxy_socks_curl_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: False positives may be present based on proxy usage internally.
Filter as needed.
references:
- https://www.offensive-security.com/metasploit-unleashed/proxytunnels/
- https://curl.se/docs/manpage.html
- https://en.wikipedia.org/wiki/SOCKS
- https://oxylabs.io/blog/curl-with-proxy
- https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.
- https://gtfobins.github.io/gtfobins/curl/
tags:
analytic_story:
- Linux Living Off The Land
- Ingress Tool Transfer
asset_type: Endpoint
confidence: 80
impact: 70
message: An instance of $process_name$ was identified on endpoint $dest$ by user
$user$ utilizing a proxy. Review activity for further details.
mitre_attack_id:
- T1090
- T1095
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
- name: process_name
type: Process
role:
- Child Process
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest
- Processes.user
- Processes.parent_process_name
- Processes.parent_process
- Processes.original_file_name
- Processes.process_name
- Processes.process
- Processes.process_id
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon_linux
update_timestamp: true