« rc.local 脚本的潜在执行 未加引号的服务路径漏洞的潜在利用 »
Elastic 文档 Elastic 安全解决方案 [8.17] 检测和告警 预构建规则参考

通过 XZ 后门潜在执行

编辑

通过 XZ 后门潜在执行

编辑

它通过远程 SSH 识别潜在的恶意 shell 执行,并检测 sshd 服务在成功执行后不久突然终止的情况,这表明了类似 XZ 后门的可疑行为。

规则类型: eql

规则索引:

  • logs-endpoint.events.*

严重性: 高

风险评分: 73

运行频率: 5 分钟

搜索索引的时间范围: now-9m (日期数学格式,另请参阅 额外回溯时间)

每次执行的最大告警数: 100

参考资料:

标签:

  • 域:端点
  • 操作系统:Linux
  • 用例:威胁检测
  • 战术:凭证访问
  • 战术:持久化
  • 战术:横向移动
  • 数据源:Elastic Defend

版本: 4

规则作者:

  • Elastic

规则许可: Elastic License v2

规则查询

编辑
sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
    process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and
  process.executable != null and not (
    process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") or
    process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
    process.command_line like "sh -c /usr/bin/env -i PATH=*"
  )] by process.parent.pid, process.parent.entity_id
 [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id

框架: MITRE ATT&CKTM

« rc.local 脚本的潜在执行 未加引号的服务路径漏洞的潜在利用 »