nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/_deprecated/execution_gcc_binary.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2022/03/09"
+deprecation_date = "2022/05/09"
+maturity = "deprecated"
+updated_date = "2022/05/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell. The
+gcc utility is a complier system for various languages and mainly used to compile C and C++ programs. The activity of
+spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
+malicious actor attempting to improve the capabilities or stability of their access.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux Restricted Shell Breakout via the gcc command"
+references = ["https://gtfobins.github.io/gtfobins/gcc/"]
+risk_score = 47
+rule_id = "da986d2c-ffbf-4fd6-af96-a88dbf68f386"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and process.name in ("sh", "dash", "bash")  and
+  process.parent.name == "gcc" and process.parent.args == "-wrapper" and
+  process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

nldcsc_elastic_rules/rules/_deprecated/execution_interactive_exec_to_container.toml

@@ -0,0 +1,127 @@
+[metadata]
+creation_date = "2023/05/12"
+integration = ["cloud_defend"]
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec'
+command in a pod allows a user to establish a temporary shell session and execute any process/command inside the
+container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a
+container's shell. A malicious actor could use this level of access to further compromise the container environment or
+attempt a container breakout.
+"""
+false_positives = [
+    """
+    An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
+    Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
+    inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
+    ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
+    cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
+    connected to the terminal: kubectl exec -i -t cassandra -- sh
+    """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Deprecated - Interactive Exec Command Launched Against A Running Container"
+references = [
+    "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
+    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
+]
+risk_score = 73
+rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1"
+severity = "high"
+tags = [
+    "Data Source: Elastic Defend for Containers",
+    "Domain: Container",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where container.id : "*" and event.type== "start" and
+
+/* use of kubectl exec to enter a container */
+process.entry_leader.entry_meta.type : "container" and
+
+/* process is the inital process run in a container */
+process.entry_leader.same_as_process== true and
+
+/* interactive process */
+process.interactive == true
+'''
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Deprecated - Interactive Exec Command Launched Against A Running Container
+
+In containerized environments, the 'exec' command is used to run processes inside a running container, often for debugging or administrative tasks. Adversaries may exploit this to gain shell access, potentially leading to further compromise or container escape. The detection rule identifies such activities by monitoring for interactive 'exec' sessions, focusing on initial processes within containers, and flagging high-risk interactions.
+
+### Possible investigation steps
+
+- Review the container.id to identify which specific container the interactive exec command was executed against and gather information about its purpose and criticality.
+- Examine the process.entry_leader.entry_meta.type to confirm that the process was indeed initiated within a container environment, ensuring the context of the alert is accurate.
+- Investigate the process.entry_leader.same_as_process field to verify that the process in question is the initial process run in the container, which may indicate a new or unexpected session.
+- Analyze the process.interactive field to understand the nature of the interaction and determine if it aligns with expected administrative activities or if it suggests unauthorized access.
+- Check for any recent changes or deployments in the container environment that might explain the interactive session, such as updates or debugging activities.
+- Correlate the event with user activity logs to identify the user or service account responsible for initiating the exec command and assess their access permissions and recent actions.
+- Investigate any subsequent actions or commands executed within the container following the interactive session to identify potential malicious activities or attempts at container breakout.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger the rule when system administrators use 'kubectl exec' for legitimate maintenance or debugging. To manage this, create exceptions for known administrator accounts or specific maintenance windows.
+- Automated scripts or monitoring tools that use 'exec' for health checks or logging purposes can also cause false positives. Identify these scripts and exclude their associated processes or user accounts from triggering the rule.
+- Development and testing activities often involve frequent use of 'exec' commands for container interaction. Consider excluding specific development environments or user roles from the rule to reduce noise.
+- Continuous integration/continuous deployment (CI/CD) pipelines might use 'exec' to deploy or test applications within containers. Exclude these pipeline processes or service accounts to prevent false alerts.
+- If certain containers are known to require frequent interactive access for legitimate reasons, consider tagging these containers and configuring the rule to ignore interactions with them.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or potential lateral movement within the environment. This can be done by pausing or stopping the container.
+- Review and terminate any unauthorized or suspicious interactive sessions identified by the alert to cut off the adversary's access.
+- Conduct a thorough analysis of the container's filesystem and running processes to identify any malicious scripts or binaries that may have been introduced during the interactive session.
+- Revert the container to a known good state by redeploying it from a trusted image, ensuring that any potential backdoors or malicious modifications are removed.
+- Implement network segmentation and access controls to limit the ability of users to execute 'exec' commands on containers, especially for high-risk or production environments.
+- Escalate the incident to the security operations team for further investigation and to determine if additional containers or systems have been compromised.
+- Enhance monitoring and alerting for similar activities by ensuring that all interactive 'exec' commands are logged and reviewed, and consider implementing stricter access controls for container management tools like kubectl."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

nldcsc_elastic_rules/rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml

@@ -0,0 +1,109 @@
+[metadata]
+creation_date = "2023/04/26"
+integration = ["cloud_defend"]
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential
+container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.
+"""
+false_positives = [
+    """
+    Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container
+    resulting in false positives.
+    """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container"
+risk_score = 73
+rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470"
+severity = "high"
+tags = [
+    "Data Source: Elastic Defend for Containers",
+    "Domain: Container",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where container.id: "*" and
+event.type== "start" and
+
+/*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/
+event.action in ("fork", "exec") and
+ process.entry_leader.same_as_process== false and
+(
+(process.executable: "*/*sh" and process.args: ("-i", "-it")) or
+process.args: "*/*sh"
+)
+'''
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Deprecated - Suspicious Interactive Shell Spawned From Inside A Container
+
+Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries may exploit containers by spawning interactive shells to execute unauthorized commands, potentially leading to container escape and host compromise. The detection rule identifies such threats by monitoring for shell processes initiated within containers, focusing on specific process actions and arguments indicative of interactive sessions.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific container ID where the interactive shell was spawned. This will help in isolating the affected container for further analysis.
+- Examine the process executable and arguments, particularly looking for shell types and interactive flags (e.g., "-i", "-it"), to understand the nature of the shell session initiated.
+- Check the process entry leader to determine if the shell process is part of a larger process tree, which might indicate a more complex attack chain or script execution.
+- Investigate the user context under which the shell was spawned to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
+- Analyze recent logs and events from the container and host to identify any preceding suspicious activities or anomalies that might have led to the shell spawning.
+- Correlate the event with other security alerts or incidents to determine if this is part of a broader attack pattern or campaign targeting the environment.
+
+### False positive analysis
+
+- Development and testing activities may trigger this rule when developers intentionally spawn interactive shells within containers for debugging or configuration purposes. To manage this, create exceptions for specific user accounts or container IDs frequently used in development environments.
+- Automated scripts or orchestration tools that use interactive shells for legitimate tasks can also cause false positives. Identify these scripts and exclude their associated process names or arguments from the rule.
+- Some container management platforms might use interactive shells as part of their normal operations. Review the processes and arguments used by these platforms and add them to an exception list if they are known to be safe.
+- Regular maintenance tasks that require interactive shell access, such as system updates or configuration changes, can be excluded by scheduling these tasks during known maintenance windows and temporarily adjusting the rule settings.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or potential container escape. This can be done by stopping the container or disconnecting it from the network.
+- Capture and preserve forensic data from the container, including logs, process lists, and network activity, to aid in further investigation and understanding of the attack vector.
+- Conduct a thorough review of the container's configuration and permissions to identify and rectify any misconfigurations or vulnerabilities that may have been exploited.
+- Patch and update the container image and any associated software to address known vulnerabilities that could have been leveraged by the attacker.
+- Implement stricter access controls and monitoring on container environments to prevent unauthorized shell access, such as using role-based access controls and enabling audit logging.
+- Escalate the incident to the security operations team for further analysis and to determine if the threat has spread to other parts of the infrastructure.
+- Review and enhance detection capabilities to identify similar threats in the future, ensuring that alerts are tuned to detect unauthorized shell access attempts promptly."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

nldcsc_elastic_rules/rules/_deprecated/execution_linux_process_started_in_temp_directory.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/02/18"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware."
+false_positives = [
+    """
+    Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by
+    username.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Process Execution - Temp"
+risk_score = 47
+rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and event.type:(start or process_started) and process.working_directory:/tmp and
+  not process.parent.name:(update-motd-updates-available or
+                           apt or apt-* or
+                           cnf-update-db or
+                           appstreamcli or
+                           unattended-upgrade or
+                           packagekitd) and
+  not process.args:(/usr/lib/update-notifier/update-motd-updates-available or
+                    /var/lib/command-not-found/)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

nldcsc_elastic_rules/rules/_deprecated/execution_mysql_binary.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2022/03/09"
+deprecation_date = "2022/05/09"
+maturity = "deprecated"
+updated_date = "2022/05/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell. The
+MySQL server is an open source relational database management system. The activity of spawning shell is not a standard
+use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve
+the capabilities or stability of their access.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux Restricted Shell Breakout via the mysql command"
+references = ["https://gtfobins.github.io/gtfobins/mysql/"]
+risk_score = 47
+rule_id = "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and process.name in ("bash", "sh", "dash") and
+  process.parent.name == "mysql" and process.parent.args == "-e" and
+  process.parent.args : ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

nldcsc_elastic_rules/rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2023/04/26"
+integration = ["cloud_defend"]
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and
+writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for
+persistence or exfiltrating data.
+"""
+false_positives = [
+    """
+    There is a potential for false positives if the container is used for legitimate tasks that require the use of
+    netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts
+    generated by this rule to determine if they are indicative of malicious activity or part of legitimate container
+    activity.
+    """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Deprecated - Netcat Listener Established Inside A Container"
+risk_score = 73
+rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
+severity = "high"
+tags = [
+    "Data Source: Elastic Defend for Containers",
+    "Domain: Container",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where container.id: "*" and event.type== "start"
+and event.action in ("fork", "exec") and
+(
+process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
+/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
+process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")
+) and (
+          /* bind shell to echo for command execution */
+          (process.args:("-*l*", "--listen", "-*p*", "--source-port") and process.args:("-c", "--sh-exec", "-e", "--exec", "echo","$*"))
+          /* bind shell to specific port */
+          or process.args:("-*l*", "--listen", "-*p*", "--source-port")
+          )
+'''
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Deprecated - Netcat Listener Established Inside A Container
+
+Netcat is a versatile networking tool used for reading and writing data across network connections, often employed for legitimate purposes like debugging and network diagnostics. However, adversaries can exploit Netcat to establish unauthorized backdoors or exfiltrate data from containers. The detection rule identifies suspicious Netcat activity by monitoring process events within containers, focusing on specific arguments that indicate a listening state, which is a common trait of malicious use. This proactive detection helps mitigate potential threats by flagging unusual network behavior indicative of compromise.
+
+### Possible investigation steps
+
+- Review the container ID associated with the alert to identify the specific container where the Netcat listener was established. This can help in understanding the context and potential impact.
+- Examine the process name and arguments to confirm the presence of Netcat and its listening state. Look for arguments like "-l", "--listen", "-p", or "--source-port" to verify the listener setup.
+- Check the parent process of the Netcat instance to determine how it was initiated. This can provide insights into whether it was started by a legitimate application or a potentially malicious script.
+- Investigate the network connections associated with the container to identify any unusual or unauthorized connections that may indicate data exfiltration or communication with a command and control server.
+- Analyze the container's recent activity and logs to identify any other suspicious behavior or anomalies that could be related to the Netcat listener, such as unexpected file modifications or other process executions.
+- Assess the container's security posture and configuration to determine if there are any vulnerabilities or misconfigurations that could have been exploited to establish the Netcat listener.
+
+### False positive analysis
+
+- Development and testing activities within containers may trigger the rule if Netcat is used for legitimate debugging or network diagnostics. Users can create exceptions for specific container IDs or process names associated with known development environments.
+- Automated scripts or tools that utilize Netcat for routine network checks or health monitoring might be flagged. To mitigate this, users can whitelist these scripts by identifying their unique process arguments or execution patterns.
+- Containers running network services that rely on Netcat for legitimate communication purposes could be mistakenly identified. Users should document and exclude these services by specifying their container IDs and associated process arguments.
+- Security tools or monitoring solutions that incorporate Netcat for legitimate scanning or testing purposes may cause false positives. Users can manage this by excluding these tools based on their known process names and arguments.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or data exfiltration. This can be done by stopping the container or disconnecting it from the network.
+- Conduct a thorough review of the container's logs and process history to identify any unauthorized access or data transfers that may have occurred.
+- Remove any unauthorized Netcat binaries or scripts found within the container to eliminate the backdoor.
+- Rebuild the container from a known good image to ensure no residual malicious artifacts remain.
+- Update container images and underlying host systems with the latest security patches to mitigate vulnerabilities that could be exploited by similar threats.
+- Implement network segmentation and firewall rules to restrict unauthorized outbound connections from containers, reducing the risk of data exfiltration.
+- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other containers or systems within the environment."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

nldcsc_elastic_rules/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml

@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2022/11/14"
+deprecation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "deprecated"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out
+(FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created
+and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established.
+The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for
+execution.
+"""
+false_positives = [
+    """
+    Netcat and OpenSSL are common tools used for establishing network connections and creating encryption keys. While
+    they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Reverse Shell Created via Named Pipe"
+references = [
+    "https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998",
+    "https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/",
+    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl",
+]
+risk_score = 47
+rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan = 5s
+    [process where host.os.type == "linux" and event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
+    [process where host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
+        (process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
+    [process where host.os.type == "linux" and (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
+                    (process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+