elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Potential SSH Hijacking #2364

Open DefSecSentinel opened 1 year ago

DefSecSentinel commented 1 year ago

Description

This rule detects the use of the SSH_AUTH_SOCK environment variable in a process command-line to hijack a user's existing SSH session in order to move laterally without requiring the user's authentication material. Threat actors will abuse this technique in order to silently move laterally and access additional resources.

Target Operating Systems

Linux, macOS

Tested ECS Version

1.11.0

Query

process where event.type == "start" and event.action == "exec" and process.name : ("sudo", "ssh", "bash", "sh", "zsh", "csh") and process.args : "SSH_AUTH_SOCK=*" and not process.parent.name : "vault"

References

https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/
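To make the proposed query's semantics concrete and testable offline, the following is an added example (not code from the elastic/detection-rules project or from the issue author) that re-implements the rule's clauses in plain Python and runs them over a few constructed ECS-shaped process events. The event dicts, the `_event` builder, and the function names are assumptions made for illustration; the field names and literal values come from the query above. It approximates EQL's `:` operator as a case-insensitive wildcard match that succeeds if any element of an array field matches, which is what makes `process.args : "SSH_AUTH_SOCK=*"` work against the `process.args` array.

```python
"""Plain-Python mirror of the proposed EQL rule, run over constructed sample
events.  Added example, not part of elastic/detection-rules."""
import fnmatch

# Literal values taken from the proposed query.
RULE_PROCESS_NAMES = ("sudo", "ssh", "bash", "sh", "zsh", "csh")
RULE_ARGS_PATTERN = "SSH_AUTH_SOCK=*"
RULE_EXCLUDED_PARENT = "vault"


def _get(event, dotted, default=None):
    """Resolve an ECS dotted field name (e.g. "process.parent.name") against a
    nested dict.  A missing field yields `default`, as a null field would in EQL."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _eql_eq(value, literal):
    """EQL '==' on a scalar or array field: true if any element equals `literal`
    (ECS event.type is an array, so this matters)."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return literal in values


def _eql_match(value, pattern):
    """Approximation of EQL ':' : case-insensitive wildcard match, true if any
    element of an array field matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    pat = pattern.lower()
    return any(fnmatch.fnmatchcase(str(v).lower(), pat) for v in values)


def matches_ssh_auth_sock_rule(event):
    """True when `event` satisfies every clause of the proposed query."""
    return (
        _eql_eq(_get(event, "event.category"), "process")   # 'process where'
        and _eql_eq(_get(event, "event.type"), "start")
        and _eql_eq(_get(event, "event.action"), "exec")
        and any(_eql_match(_get(event, "process.name"), n) for n in RULE_PROCESS_NAMES)
        and _eql_match(_get(event, "process.args"), RULE_ARGS_PATTERN)
        and not _eql_match(_get(event, "process.parent.name"), RULE_EXCLUDED_PARENT)
    )


def _event(name, args, parent, etype="start", action="exec"):
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {
        "event": {"category": "process", "type": [etype], "action": action},
        "process": {"name": name, "args": args, "parent": {"name": parent}},
    }


# Constructed sample telemetry; paths and hostnames are placeholders.
SAMPLE_EVENTS = [
    # 0: SSH_AUTH_SOCK set on a shell's command line -> should alert
    _event("bash", ["bash", "-c", "SSH_AUTH_SOCK=/tmp/ssh-example/agent.1234 ssh example-host"], "bash"),
    # 1: same pattern, but the parent is vault, which the rule excludes
    _event("sh", ["sh", "-c", "SSH_AUTH_SOCK=/tmp/ssh-example/agent.1234 ssh example-host"], "vault"),
    # 2: process name not in the rule's list -> no alert
    _event("python3", ["python3", "tool.py", "SSH_AUTH_SOCK=/tmp/x"], "bash"),
    # 3: ordinary ssh invocation without the variable -> no alert
    _event("ssh", ["ssh", "example-host"], "bash"),
    # 4: process exit rather than start -> out of scope
    _event("ssh", ["ssh", "SSH_AUTH_SOCK=/tmp/x"], "bash", etype="end", action="end"),
    # 5: mixed-case name; ':' is case-insensitive, so this still alerts
    _event("Sudo", ["Sudo", "SSH_AUTH_SOCK=/tmp/x", "ssh", "example-host"], "zsh"),
]


def scan(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_ssh_auth_sock_rule(e)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        proc = SAMPLE_EVENTS[i]["process"]
        print(f"ALERT event {i}: {proc['name']} args={' '.join(proc['args'])}")
```

Running it alerts on events 0 and 5 and stays quiet on the `vault` parent, the unlisted process name, the plain `ssh` call, and the exit event. The Kibana detection engine evaluates the EQL itself; a mirror like this is only useful for reasoning about which telemetry the clauses admit or exclude, for example when deciding whether the `vault` parent exclusion is wide enough for a given environment.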

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.