IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Network Connection Attempt by Root
editSuspicious Network Connection Attempt by Root
editIdentifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Command and Control
Version: 101
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis ### Investigating Connection Attempt by Non-SSH Root Session Detection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation: - Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'. - Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener. - Analyze anomalies in the use of files that do not normally initiate connections. - Examine processes utilizing the network that do not normally have network communication.
Rule query
editsequence by process.entity_id with maxspan=1m
[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
[process where event.action == "session_id_change" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Non-Application Layer Protocol
- ID: T1095
- Reference URL: https://attack.mitre.org/techniques/T1095/
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Abuse Elevation Control Mechanism
- ID: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
-
Sub-technique:
- Name: Sudo and Sudo Caching
- ID: T1548.003
- Reference URL: https://attack.mitre.org/techniques/T1548/003/