IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Protocol Tunneling via EarthWorm
editPotential Protocol Tunneling via EarthWorm
editIdentifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Command and Control
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editprocess where event.type == "start" and process.args : "-s" and process.args : "-d" and process.args : "rssocks"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Protocol Tunneling
- ID: T1572
- Reference URL: https://attack.mitre.org/techniques/T1572/