
[New Rule] Suspicious Network Connection via systemd #3420

Merged
merged 5 commits into main from new-rule-systemd-code-execution
Feb 6, 2024

Conversation

Aegrah
Contributor

@Aegrah Aegrah commented Feb 1, 2024

Summary

Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.

Detection

0 FPs in telemetry / my own stack.

sequence by host.id with maxspan=5s
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.parent.name == "systemd" and process.name in (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk"
   )
  ] by process.entity_id
  [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start"
  ] by process.parent.entity_id
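The sequence above joins two events by host.id and by the exec'd process's entity_id against the network event's process.parent.entity_id, inside a 5-second window. The following is an added reference implementation of exactly that join, written for this page and not part of the Elastic rule engine or the repository; it runs over a few constructed, flattened ECS-style event dicts (labelled as constructed in the code) so that the match, the non-watched-binary case and the out-of-window case can be checked side by side. It deliberately keeps EQL's simpler semantics, namely one pending stage-1 event per join key, and the field names used for the dict keys are an assumption of this example, not the rule's own.

```python
"""Added example: replay the systemd network-connection sequence rule over
constructed events. Not Elastic's code; field layout is an assumption."""
import fnmatch
from datetime import datetime, timedelta, timezone

# Process-name patterns copied from the rule; "*" is a wildcard as in EQL.
WATCHED_NAMES = ("python*", "php*", "perl", "ruby", "lua*", "openssl",
                 "nc", "netcat", "ncat", "telnet", "awk")
MAXSPAN = timedelta(seconds=5)   # maxspan=5s from the rule


def _name_matches(name):
    return any(fnmatch.fnmatchcase(name, p) for p in WATCHED_NAMES)


def _is_stage1(ev):
    """process where os=linux, exec/start, parent is systemd, watched name."""
    return (ev["category"] == "process" and ev["os_type"] == "linux"
            and ev["action"] == "exec" and ev["type"] == "start"
            and ev["parent_name"] == "systemd" and _name_matches(ev["name"]))


def _is_stage2(ev):
    """network where os=linux, connection_attempted/start."""
    return (ev["category"] == "network" and ev["os_type"] == "linux"
            and ev["action"] == "connection_attempted" and ev["type"] == "start")


def find_sequences(events):
    """Return (stage1, stage2) pairs satisfying the sequence.

    Join keys mirror the rule: host.id for the whole sequence, stage-1
    process.entity_id against stage-2 process.parent.entity_id, and the
    stage-2 event must arrive no more than MAXSPAN after stage 1.
    """
    pending = {}   # (host_id, entity_id) -> stage-1 event awaiting a match
    matches = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if _is_stage1(ev):
            pending[(ev["host_id"], ev["entity_id"])] = ev
        elif _is_stage2(ev):
            key = (ev["host_id"], ev["parent_entity_id"])
            first = pending.get(key)
            if first is not None and ev["ts"] - first["ts"] <= MAXSPAN:
                matches.append((first, ev))
                del pending[key]
    return matches


def sample_events():
    """Constructed sample telemetry (not real data), flattened from the ECS
    fields the rule references."""
    t0 = datetime(2024, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
    base = dict(os_type="linux", type="start")
    return [
        # systemd execs a python interpreter: stage-1 candidate
        dict(base, ts=t0, category="process", action="exec", host_id="h1",
             entity_id="p100", parent_entity_id="p1",
             name="python3", parent_name="systemd"),
        # a child of that interpreter attempts a connection 2 s later: stage 2
        dict(base, ts=t0 + timedelta(seconds=2), category="network",
             action="connection_attempted", host_id="h1",
             entity_id="p101", parent_entity_id="p100",
             name="sh", parent_name="python3"),
        # benign: sshd is started by systemd but is not in the watched list
        dict(base, ts=t0, category="process", action="exec", host_id="h1",
             entity_id="p200", parent_entity_id="p1",
             name="sshd", parent_name="systemd"),
        dict(base, ts=t0 + timedelta(seconds=1), category="network",
             action="connection_attempted", host_id="h1",
             entity_id="p201", parent_entity_id="p200",
             name="sshd", parent_name="sshd"),
        # outside maxspan: perl is watched, but the connection comes 30 s later
        dict(base, ts=t0, category="process", action="exec", host_id="h2",
             entity_id="p300", parent_entity_id="p1",
             name="perl", parent_name="systemd"),
        dict(base, ts=t0 + timedelta(seconds=30), category="network",
             action="connection_attempted", host_id="h2",
             entity_id="p301", parent_entity_id="p300",
             name="perl", parent_name="perl"),
    ]


if __name__ == "__main__":
    for first, second in find_sequences(sample_events()):
        print(f"{first['host_id']}: systemd -> {first['name']} "
              f"({first['entity_id']}) -> connection by {second['name']} "
              f"({second['entity_id']}) after "
              f"{(second['ts'] - first['ts']).total_seconds()}s")
```

Running the block prints the single python3 -> sh match; the sshd pair is rejected at stage 1 and the perl pair at the maxspan check, which is the same set of events the rule would surface from this input.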

@Aegrah Aegrah merged commit 4f303ab into main Feb 6, 2024
13 checks passed
@Aegrah Aegrah deleted the new-rule-systemd-code-execution branch February 6, 2024 09:19
protectionsmachine pushed a commit that referenced this pull request Feb 6, 2024
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query

(cherry picked from commit 4f303ab)