Potentially Suspicious Process Started via tmux or screen

edit

Potentially Suspicious Process Started via tmux or screen

edit

This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend
  • Data Source: Elastic Endgame

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.parent.name in ("screen", "tmux") and process.name like (
  "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "php*", "perl", "ruby", "lua*",
  "openssl", "telnet", "wget", "curl", "id"
)

Framework: MITRE ATT&CKTM