A newer version is available. For the latest information, see the
current release documentation.
Potential Protocol Tunneling via EarthWorm
editPotential Protocol Tunneling via EarthWorm
editIdentifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Command and Control
Version: 1
Added (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.type == "start" and process.args : "-s" and process.args : "-d" and process.args : "rssocks"
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/