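[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
administrators to remotely control older or embedded systems using the command line shell. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
the traffic.
"""
false_positives = [
"""
IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business
work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet
activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production
server that has no known associated Telnet work-flow or business requirement is often suspicious.
""",
]
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Telnet Port Activity"
risk_score = 47
rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
severity = "medium"
tags = ["Elastic", "Network"]
type = "query"
# Port-only match: every TCP flow with destination port 23 fires, with no
# direction, session-state or protocol check. Expect noise from the known
# IoT / legacy-admin sources listed in false_positives and exclude them there.
query = '''
network.transport:tcp and destination.port:23
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1043"
name = "Commonly Used Port"
reference = "https://attack.mitre.org/techniques/T1043/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

# Initial Access is tactic TA0001; TA0011 is Command and Control (see the first
# threat entry above). id, name and reference must describe the same tactic.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"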