forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlateral_movement_telnet_network_activity_internal.toml
60 lines (53 loc) · 2.37 KB
/
lateral_movement_telnet_network_activity_internal.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
[metadata]
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
description = """
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet
network connections to non-publicly routable IP addresses.
"""
false_positives = [
"""
Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions,
so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent
years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be
suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Internal Network via Telnet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
type = "eql"
query = '''
sequence by process.entity_id
[process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
[network where host.os.type == "linux" and process.name == "telnet" and
cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"