

[Rule Tuning] Interactive Terminal Spawned via Python (#2781)
* [Rule Tuning] Interactive Terminal Spawned via Python

* Update execution_python_tty_shell.toml

* Update execution_python_tty_shell.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <[email protected]>

---------

Co-authored-by: Ruben Groenewoud <[email protected]>
w0rk3r and Aegrah authored May 26, 2023
1 parent 54c5c17 commit 0d5e25e
Showing 1 changed file with 13 additions and 10 deletions.
23 changes: 13 additions & 10 deletions rules/linux/execution_python_tty_shell.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/04/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/02/22"
updated_date = "2023/05/05"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

Expand All @@ -13,8 +13,8 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Terminal Spawned via Python"
risk_score = 73
Expand All @@ -23,15 +23,14 @@ severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
timeline_title = "Comprehensive Process Timeline"
timestamp_override = "event.ingested"
type = "query"
type = "eql"

query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:python* and
process.args:("import pty; pty.spawn(\"/bin/sh\")" or
"import pty; pty.spawn(\"/bin/dash\")" or
"import pty; pty.spawn(\"/bin/bash\")")
sequence with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and
process.executable : "/bin/*sh"
] by process.parent.entity_id
'''


Expand All @@ -42,6 +41,10 @@ id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"

[rule.threat.tactic]
id = "TA0002"
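Review bot: The second sequence stage's `process.executable : "/bin/*sh"` matches any executable under /bin whose name ends in "sh", not only shells — `/bin/ssh` qualifies — so a Python script that runs ssh satisfies the sequence although no shell is started; an explicit list such as `process.executable in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh")` would be tighter, and `/usr/bin/...` variants probably need to be listed too, since the wildcard never matches them. The description just above the second hunk still says a tty is spawned, but the new query drops the `pty.spawn` argument filter from the Python stage, so ordinary scripted shell-outs (which launch `/bin/sh -c ...`) also satisfy the rule; if interactive-prompt usage is why the argument filter was removed, adding `not process.args : "-c"` to the shell stage would keep scripted shell-outs out while still matching a pty-spawned shell, which is presumably started without `-c`. Worth confirming against endpoint data that pty-spawned children carry no `-c` before relying on that, and noting the reasoning in a comment above `query`.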

1 comment on commit 0d5e25e

@TheJprakashG


This is triggering a lot of false positive alerts.
Normally almost all services or agents are created using Python to support them in a Linux environment.

If possible, can we tweak the rule?
