diff --git a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml new file mode 100644 index 00000000000..b4df5e291cd --- /dev/null +++ b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml @@ -0,0 +1,67 @@ +[metadata] +creation_date = "2025/11/10" +integration = ["endpoint"] +maturity = "production" +updated_date = "2025/11/10" + +[rule] +author = ["Elastic"] +description = """ +Detects potential SSH password grabbing via the use of strace on sshd processes. Attackers may use strace to capture +sensitive information, such as passwords, by tracing system calls made by the sshd process. This rule looks for a sequence +of events where an sshd process ends followed closely by the start of a strace process. This may be indicative of an attacker +attempting to capture SSH credentials. +""" +from = "now-9m" +index = ["logs-endpoint.events.process-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential SSH Password Grabbing via strace" +references = [ + "https://github.com/braindead-sec/ssh-grabber", + "https://dfir.ch/posts/strace/", +] +risk_score = 47 +rule_id = "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence by host.id with maxspan=3s + [process where host.os.type == "linux" and event.type == "end" and process.name == "sshd"] + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "strace"] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Host Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"