[Rule Tuning] Potential Shell via Web Server (elastic#2585)

Aegrah · imays11 · w0rk3r · web-flow · commit 09719dd0c532 · 2023-05-05T09:47:49.000+02:00
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
diff --git a/rules/_deprecated/persistence_shell_activity_by_web_server.toml b/rules/_deprecated/persistence_shell_activity_by_web_server.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2020/02/18"
+deprecation_date = "2023/03/04"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/03/04"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2023/03/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/04/03"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
+false_positives = [
+    """
+    Network monitoring or management products may have a web server component that runs shell commands as part of normal
+    behavior.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote Code Execution via Web Server"
+references = [
+    "https://pentestlab.blog/tag/web-shell/",
+    "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
+]
+risk_score = 73
+rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event") and process.parent.executable : (
+  "/usr/sbin/nginx", "/usr/local/sbin/nginx",
+  "/usr/sbin/apache", "/usr/local/sbin/apache",
+  "/usr/sbin/apache2", "/usr/local/sbin/apache2",
+  "/usr/sbin/php*", "/usr/local/sbin/php*",
+  "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
+  "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",
+  "/usr/local/bin/caddy", 
+  "/usr/local/lsws/bin/lswsctrl",
+  "*/bin/catalina.sh"
+) and
+process.name : ("*sh", "python*", "perl", "php*", "tmux") and
+process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
