Network Connection via Recently Compiled Executable

This rule looks for a sequence on a single Linux host: a compiler (gcc, g++ or cc) is executed, the linker (ld) writes the output file, that file is executed, and the new process attempts an outbound connection to a non-local address, all within one minute. This behavior can indicate the setup of a reverse TCP connection to a command-and-control server. Attackers may compile and spawn reverse shells to establish persistence on a target system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name in ("gcc", "g++", "cc")] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name
  [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and
   not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
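
To check how the query joins its four steps and enforces maxspan without a cluster, the following is an added Python replay of the sequence above over constructed Elastic Defend-style events. It is not Elastic's code and not the EQL engine: the host id, file names, timestamps and destination addresses are invented, and treating each element of the multi-valued process.args as a candidate join key is an assumption about how the rule ties the gcc -o target name to ld's output file and the executed binary.

```python
"""Offline replay of the rule's EQL sequence (added example, not Elastic's code)."""
import ipaddress
from datetime import datetime, timedelta

COMPILERS = {"gcc", "g++", "cc"}
MAXSPAN = timedelta(minutes=1)
# Destinations the rule excludes: loopback, link-local, multicast and IPv6 loopback.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1/128")]


def cidrmatch(ip, nets=EXCLUDED_NETS):
    """Python equivalent of EQL cidrmatch(): True if ip lies in any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def match_steps(ev):
    """Return [(step_index, join_key), ...] for each sequence step the event satisfies.

    Join keys mirror the rule's per-step `by` fields. process.args is multi-valued,
    so every argument is offered as a candidate key (assumption: this is how the
    `gcc -o <name>` target joins to ld's output file and the executed binary)."""
    if ev.get("host.os.type") != "linux":
        return []
    cat, action = ev.get("event.category"), ev.get("event.action")
    hits = []
    if cat == "process" and action == "exec" and ev.get("event.type") == "start":
        if ev.get("process.name") in COMPILERS:
            hits += [(0, arg) for arg in ev.get("process.args", [])]
        hits.append((2, ev.get("process.name")))  # step 3: any exec, keyed by process.name
    elif cat == "file" and action == "creation" and ev.get("process.name") == "ld":
        hits.append((1, ev.get("file.name")))
    elif cat == "network" and action == "connection_attempted":
        ip = ev.get("destination.ip")
        if ip is not None and not cidrmatch(ip):
            hits.append((3, ev.get("process.name")))
    return hits


def run_sequence(events, maxspan=MAXSPAN):
    """Replay the four-step sequence over events ordered by @timestamp.

    Partial sequences are keyed by (host.id, join_key), as `sequence by host.id`
    plus the per-step `by` fields require. A new compiler exec restarts the
    partial for its key; a step arriving after maxspan drops it. Returns the
    completed sequences, each as the list of its four events."""
    partial, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        for step, key in match_steps(ev):
            sk = (ev.get("host.id"), key)
            if step == 0:
                partial[sk] = {"next": 1, "start": ev["@timestamp"], "events": [ev]}
                continue
            state = partial.get(sk)
            if state is None or state["next"] != step:
                continue
            if ev["@timestamp"] - state["start"] > maxspan:
                del partial[sk]  # outside maxspan=1m: discard the partial sequence
                continue
            state["events"].append(ev)
            state["next"] += 1
            if state["next"] == 4:
                alerts.append(partial.pop(sk)["events"])
    return alerts


T0 = datetime(2024, 1, 1, 12, 0, 0)


def scenario(dest_ip="203.0.113.10", connect_offset=6):
    """Constructed sample telemetry (not real logs): compile, link, run, connect out."""
    def ev(offset, category, **fields):
        e = {"@timestamp": T0 + timedelta(seconds=offset), "host.id": "web-01",
             "host.os.type": "linux", "event.category": category}
        e.update({k.replace("_", "."): v for k, v in fields.items()})  # event_action -> event.action
        return e
    return [
        ev(0, "process", event_action="exec", event_type="start", process_name="gcc",
           process_args=["gcc", "-o", "rev", "rev.c"]),
        ev(2, "file", event_action="creation", process_name="ld", file_name="rev"),
        ev(5, "process", event_action="exec", event_type="start", process_name="rev"),
        ev(connect_offset, "network", event_action="connection_attempted",
           process_name="rev", destination_ip=dest_ip),
    ]


if __name__ == "__main__":
    for seq in run_sequence(scenario()):
        print("ALERT:", [(e["event.category"], e.get("process.name") or e.get("file.name")) for e in seq])
    print("loopback:", len(run_sequence(scenario(dest_ip="127.0.0.1"))),
          "late:", len(run_sequence(scenario(connect_offset=90))))
```

The baseline scenario fires once; changing the destination to 127.0.0.1 or ::1 produces nothing because step four never matches, and moving the connection to 90 seconds after the compile produces nothing because the partial sequence exceeds maxspan=1m. This is a simplification of real EQL sequence semantics (the engine can track several candidate sequences per key and has its own handling of multi-valued join fields), so use it to reason about the rule's joins, not as a substitute for testing the rule in Kibana.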

Framework: MITRE ATT&CK™