-
Notifications
You must be signed in to change notification settings - Fork 513
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] IPv4/IPv6 Forwarding Activity (#4240)
Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 4011818)
- Loading branch information
1 parent
ceec8e6
commit 499b944
Showing
1 changed file
with
56 additions
and
0 deletions.
There are no files selected for viewing
56 changes: 56 additions & 0 deletions
56
rules/linux/command_and_control_ip_forwarding_activity.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
[metadata] | ||
creation_date = "2024/11/04" | ||
integration = ["endpoint"] | ||
maturity = "production" | ||
updated_date = "2024/11/04" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
This rule monitors for the execution of commands that enable IPv4 and IPv6 forwarding on Linux systems. Enabling IP | ||
forwarding can be used to route network traffic between different network interfaces, potentially allowing attackers to | ||
pivot between networks, exfiltrate data, or establish command and control channels. | ||
""" | ||
from = "now-9m" | ||
index = ["logs-endpoint.events.*"] | ||
language = "eql" | ||
license = "Elastic License v2" | ||
name = "IPv4/IPv6 Forwarding Activity" | ||
risk_score = 21 | ||
rule_id = "5a138e2e-aec3-4240-9843-56825d0bc569" | ||
severity = "low" | ||
tags = [ | ||
"Domain: Endpoint", | ||
"OS: Linux", | ||
"Use Case: Threat Detection", | ||
"Tactic: Command and Control", | ||
"Data Source: Elastic Defend", | ||
] | ||
timestamp_override = "event.ingested" | ||
type = "eql" | ||
query = ''' | ||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and | ||
process.parent.executable != null and process.command_line like ( | ||
"*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*", | ||
"*/proc/sys/net/ipv6/conf/all/forwarding*" | ||
) and ( | ||
(process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or | ||
( | ||
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and | ||
process.command_line like "*echo *" | ||
) | ||
) | ||
''' | ||
|
||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
|
||
[[rule.threat.technique]] | ||
id = "T1572" | ||
name = "Protocol Tunneling" | ||
reference = "https://attack.mitre.org/techniques/T1572/" | ||
|
||
[rule.threat.tactic] | ||
id = "TA0011" | ||
name = "Command and Control" | ||
reference = "https://attack.mitre.org/tactics/TA0011/" |