IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Prompt for Credentials with OSASCRIPT PsExec Network Connection »

› › ›

ProxyChains Activity

edit

ProxyChains Activity

edit

This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Rule Type: BBR

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/

« Prompt for Credentials with OSASCRIPT PsExec Network Connection »