« rc.local 脚本的潜在执行 未加引号的服务路径漏洞的潜在利用 »
Elastic 文档 Elastic 安全解决方案 [8.16] 检测和告警 预构建规则参考

通过 XZBackdoor 潜在执行

编辑

通过 XZBackdoor 潜在执行

编辑

它识别通过远程 SSH 进行的潜在恶意 shell 执行,并检测 sshd 服务在成功执行后立即终止的情况,这表明存在类似于 XZ 后门的可疑行为。

规则类型: eql

规则索引:

  • logs-endpoint.events.*

严重程度: 高

风险评分: 73

每隔: 5m

搜索索引时间范围: now-9m (日期数学格式,另请参见 额外回溯时间)

每次执行的最大告警数: 100

参考:

标签:

  • 领域: 端点
  • 操作系统: Linux
  • 用例: 威胁检测
  • 战术: 凭据访问
  • 战术: 持久性
  • 战术: 横向移动
  • 数据源: Elastic Defend

版本: 4

规则作者:

  • Elastic

规则许可证: Elastic License v2

规则查询

编辑
sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
    process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and
  process.executable != null and not (
    process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") or
    process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
    process.command_line like "sh -c /usr/bin/env -i PATH=*"
  )] by process.parent.pid, process.parent.entity_id
 [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id

框架: MITRE ATT&CKTM

« rc.local 脚本的潜在执行 未加引号的服务路径漏洞的潜在利用 »