From fd7a6d63b05daa6a0830abe29ddafb73a64f7dd1 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 25 May 2022 19:21:08 +0530
Subject: [PATCH] [Rule tuning] Linux binary(s) shell evasion threat

* Linux binary(s) git shell evasion threat
---
 .../execution_shell_evasion_linux_binary.toml | 59 ++++++++++++++++++-
 1 file changed, 56 insertions(+), 3 deletions(-)

diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index 31a7dce98f6..01d2324dbe7 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2022/05/06"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/05/25"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary(s) abuse to breakout out of restricted shells or environments by spawning an interactive system
+Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system
 shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system
 administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.
 """
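Review bot: The wording fix on the `+Identifies …` line leaves the grammar error two lines below it, inside the same `description` string, untouched: `administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.` should read `administrator. It may indicate an attempt to improve the capabilities or stability of an adversary's access.`. This text is shown to analysts with every alert, so fixing it in the same tuning pass is cheap. The `description` string is complete within the hunk; the rest of the `[rule]` table continues outside it.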
@@ -15,6 +15,57 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Restricted Shell Breakout via Linux Binary(s)"
+note = """## Triage and analysis
+
+### Investigating Shell Evasion via Linux Utilities
+Detection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or
+environments by spawning an interactive system shell.
+Here are some possible avenues of investigation:
+- Examine the entry point to the host and user in action via the Analyse View.
+ - Identify the session entry leader and session user
+- Examine the contents of session leading to the abuse via the Session View.
+ - Examine the command execution pattern in the session, which may lead to suspricous activities
+- Examine the execution of commands in the spawned shell.
+ - Identify imment threat to the system from the executed commands
+ - Take necessary incident response actions to contain any malicious behviour caused via this execution.
+
+### Related rules
+
+- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.
+- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment
+
+### Response and remediation
+
+Initiate the incident response process based on the outcome of the triage.
+
+- If the triage releaved suspicious netwrok activity from the malicious spawned shell,
+ - Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware execution via the maliciously spawned shell,
+ - Search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+ attackers could use to reinfect the system.
+- If the triage revelaed defence evasion for imparing defenses
+ - Isolate the involved host to prevent further post-compromise behavior.
+ - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.
+ - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.
+- If the triage revelaed addition of persistence mechanism exploit like auto start scripts
+ - Isolate further login to the systems that can initae auto start scripts.
+ - Identify the auto start scripts and disable and remove the same from the systems
+- If the triage revealed data crawling or data export via remote copy
+ - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling
+ - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.
+ - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
+
+The session view analysis for the command alerted is avalible in versions 8.2 and above.
+"""
 references = [
 "https://gtfobins.github.io/gtfobins/apt/",
 "https://gtfobins.github.io/gtfobins/apt-get/",
@@ -39,6 +90,7 @@ references = [
 "https://gtfobins.github.io/gtfobins/vim/",
 "https://gtfobins.github.io/gtfobins/capsh/",
 "https://gtfobins.github.io/gtfobins/byebug/",
+ "https://gtfobins.github.io/gtfobins/git/",
 ]
 risk_score = 47
 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
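Review bot: The new `note` string is analyst-facing investigation guidance shipped with the rule, yet it carries well over a dozen spelling errors (`suspricous`, `imment`, `behviour`, `MITTRE`, `adviced`, `privilige`, `releaved`, `netwrok`, `revelaed`, `imparing`, `renebaling`, `disbaled`, `initae`, `Intiate`, `crednetials`, `Investiagte`, `avalible`) and should be spell-checked before merging. One line also needs rewording rather than just spelling: `- Identified the disabled security guard components on the host and take necessary steps in renebaling the same.` reads better as `- Identify the security components that were disabled on the host and take the steps needed to re-enable them.`. The `### Related rules` section names no rules; either list the defence-evasion and privilege-escalation rules it refers to or fold its two sentences into the remediation section. The `## Config` line should say which product's version 8.2 is meant so the Session View requirement is unambiguous.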
@@ -55,7 +107,7 @@ process where event.type == "start" and
 
 /* launching shells from unusual parents or parent+arg combos */
 (process.name in ("bash", "sh", "dash","ash") and
- (process.parent.name == "byebug") or
+ (process.parent.name in ("byebug","git")) or
 
 /* shells specified in parent args */
 /* nice rule is broken in 8.2 */
@@ -101,3 +153,4 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
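Review bot: Adding `git` to the parent-name list with no constraint on the child's arguments makes this branch fire on routine developer activity: git runs configured commands (pager, editor, `!`-aliases, credential and ssh helpers) through `sh -c` whenever they contain shell metacharacters, and a hook script with a `#!/bin/sh` shebang shows up as a `sh` process whose parent is `git`. Unlike the `/* shells specified in parent args */` branch that follows, nothing in `(process.parent.name in ("byebug","git")) or` separates an interactive breakout from those benign spawns, so either constrain the git case on `process.args` (the interactive invocations the GTFOBins git reference already linked from this rule describes) or record the expected noise in a `false_positives` entry. The `and … or` sequence also relies on operator precedence; an explicit parenthesis around the `process.name … and (process.parent.name …)` pair would make the intended grouping obvious. The enclosing `query` and the other branches of the expression lie outside the hunk, so I cannot tell whether an outer argument filter already applies.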