From 09719dd0c53207c764b094af5700e64f8eeba4de Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Fri, 5 May 2023 09:47:49 +0200 Subject: [PATCH] [Rule Tuning] Potential Shell via Web Server (#2585) * tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...sistence_shell_activity_by_web_server.toml | 5 +- ...e_linux_shell_activity_via_web_server.toml | 80 +++++++++++++++++++ 2 files changed, 83 insertions(+), 2 deletions(-) rename rules/{linux => _deprecated}/persistence_shell_activity_by_web_server.toml (98%) create 
mode 100644 rules/linux/persistence_linux_shell_activity_via_web_server.toml
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/_deprecated/persistence_shell_activity_by_web_server.toml
similarity index 98%
rename from rules/linux/persistence_shell_activity_by_web_server.toml
rename to rules/_deprecated/persistence_shell_activity_by_web_server.toml
index 4045bd12c27..af68bad6a25 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/_deprecated/persistence_shell_activity_by_web_server.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2020/02/18"
+deprecation_date = "2023/03/04"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/03/04"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
new file mode 100644
index 00000000000..5a9b2aae1b3
--- /dev/null
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2023/03/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/04/03"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
+false_positives = [
+ """
+ Network monitoring or management products may have a web server component that runs shell commands as part of normal
+ behavior.
+ """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote Code Execution via Web Server"
+references = [
+ "https://pentestlab.blog/tag/web-shell/",
+ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
+]
+risk_score = 73
+rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event") and process.parent.executable : (
+ "/usr/sbin/nginx", "/usr/local/sbin/nginx",
+ "/usr/sbin/apache", "/usr/local/sbin/apache",
+ "/usr/sbin/apache2", "/usr/local/sbin/apache2",
+ "/usr/sbin/php*", "/usr/local/sbin/php*",
+ "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
+ "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",
+ "/usr/local/bin/caddy",
+ "/usr/local/lsws/bin/lswsctrl",
+ "*/bin/catalina.sh"
+) and
+process.name : ("*sh", "python*", "perl", "php*", "tmux") and
+process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
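Review bot: The `process.parent.executable` list in the new query has no entry for Apache's `httpd` binary, so the rule does not fire for the Apache build shipped by RHEL-family distributions or the official httpd container, where the server runs as `/usr/sbin/httpd` or `/usr/local/apache2/bin/httpd` rather than `apache`/`apache2`; add `"/usr/sbin/httpd", "/usr/local/apache2/bin/httpd",` beside the apache2 entries. The `*/bin/catalina.sh` entry also looks doubtful as a parent: catalina.sh is a launcher for the JVM, so a shell spawned by a JSP web shell would most likely report `java` as its parent rather than the start script, which is worth confirming on a test host before counting on Tomcat coverage. Separately, `process.args` is matched as exact tokens, so a compound command such as `sh -c "id; uname -a"` (one `-c` argument) is not matched, and the commit message records that wildcards were removed on purpose. A sentence in `description` or `false_positives` stating that only single, unchained recon commands are detected would keep that trade-off visible to analysts tuning or relying on the rule.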