IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Protocol Tunneling via EarthWormedit
Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Command and Control
Version: 1
Added (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule queryedit
process where event.type == "start" and process.args : "-s" and process.args : "-d" and process.args : "rssocks"
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/