Potential Protocol Tunneling via Chisel Server | Elastic Security Solution [8.8]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Potential Protocol Tunneling via Chisel Client Potential Protocol Tunneling via EarthWorm »

Potential Protocol Tunneling via Chisel Serveredit

This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend

Version: 3

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by host.id, process.entity_id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and
   process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
   not process.name : (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/

« Potential Protocol Tunneling via Chisel Client Potential Protocol Tunneling via EarthWorm »