
Commit 1280e08

authored
[New Rule] Potential SSH Password Grabbing via strace (#5294)
1 parent 4e1c8f6 commit 1280e08

1 file changed

+67
-0
lines changed

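--- /dev/null
+++ b/RULE_PATH_NOT_SHOWN_ON_PAGE.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2025/11/10"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/11/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects potential SSH password grabbing via the use of strace on sshd processes. Attackers may use strace to capture
+sensitive information, such as passwords, by tracing system calls made by the sshd process. This rule looks for a sequence
+of events where an sshd process ends followed closely by the start of a strace process. This may be indicative of an attacker
+attempting to capture SSH credentials.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential SSH Password Grabbing via strace"
+references = [
+"https://github.com/braindead-sec/ssh-grabber",
+"https://dfir.ch/posts/strace/",
+]
+risk_score = 47
+rule_id = "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28"
+severity = "medium"
+tags = [
+"Domain: Endpoint",
+"OS: Linux",
+"Use Case: Threat Detection",
+"Tactic: Persistence",
+"Tactic: Credential Access",
+"Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+sequence by host.id with maxspan=3s
+[process where host.os.type == "linux" and event.type == "end" and process.name == "sshd"]
+[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "strace"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"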
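Review bot: The second sequence step (new-file line 40) matches any strace exec on the host within 3s of any sshd process ending, with no constraint on the arguments or the user, so ordinary strace debugging on a host with frequent SSH session churn will trip the rule; consider narrowing the strace leg to a process-attach invocation, e.g. `and process.args : "-p"`, and joining the two steps on more than the host, e.g. `sequence by host.id, user.id with maxspan=3s`, if the telemetry supports it. The description does not say why an sshd "end" event is the expected precursor (presumably the per-connection child exiting), so a sentence explaining that would help triage. The rule also ships without a `note` investigation guide or a `setup` section, which the other production Elastic Defend rules carry; at minimum the note should list the legitimate strace uses an analyst should rule out. The second threat mapping to T1554 (Compromise Host Software Binary) under Persistence looks like a stretch for a tracing tool that modifies no binary — worth confirming before the tag set is finalized.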
