diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 4ec571c7d34..4074c2302d8 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/02/22" +updated_date = "2023/05/05" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -13,8 +13,8 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a interactive tty after obtaining initial access to a host. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +index = ["logs-endpoint.events.*"] +language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" risk_score = 73 @@ -23,15 +23,14 @@ severity = "high" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" -timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and - process.name:python* and - process.args:("import pty; pty.spawn(\"/bin/sh\")" or - "import pty; pty.spawn(\"/bin/dash\")" or - "import pty; pty.spawn(\"/bin/bash\")") +sequence with maxspan=1m + [process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and + process.executable : "/bin/*sh" + ] by process.parent.entity_id ''' @@ -42,6 +41,10 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] + id = "T1059.006" + name = "Python" + reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002"