IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« File Creation, Execution and Self-Deletion in Suspicious Directory Potential Sudo Privilege Escalation via CVE-2019-14287 »
Elastic Docs Elastic Security Solution [8.9] Downloadable rule update v8.9.5

Network Connection via Recently Compiled Executable

edit

Network Connection via Recently Compiled Executable

edit

This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name in ("gcc", "g++", "cc")] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name
  [network where host.os.type == "linux" and event.action == "connection_attempted"] by process.name

Framework: MITRE ATT&CKTM

« File Creation, Execution and Self-Deletion in Suspicious Directory Potential Sudo Privilege Escalation via CVE-2019-14287 »