IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Protocol Tunneling via EarthWormedit
Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Command and Control
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guideedit
Rule queryedit
process where host.os.type == "linux" and event.type == "start" and process.args : "-s" and process.args : "-d" and process.args : "rssocks"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/