Detection rules › Panther
Teleport Suspicious Commands Executed
A user has invoked a suspicious command that could lead to a host compromise
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
Rule body yaml
AnalysisType: rule
Filename: teleport_suspicious_commands.py
RuleID: "Teleport.SuspiciousCommands"
DisplayName: "Teleport Suspicious Commands Executed"
Enabled: true
LogTypes:
- Gravitational.TeleportAudit
Tags:
- SSH
- Execution:Command and Scripting Interpreter
Severity: Medium
Description: A user has invoked a suspicious command that could lead to a host compromise
DedupPeriodMinutes: 60
Reports:
MITRE ATT&CK:
- TA0002:T1059
Reference: https://goteleport.com/docs/management/admin/
Runbook: >
Find related commands within the time window and determine if the command was invoked legitimately. Examine the arguments to determine how the command was used and reach out to the user to verify the intentions.
SummaryAttributes:
- event
- code
- user
- program
- path
- return_code
- login
- server_id
- sid
Tests:
- Name: Echo command
ExpectedResult: false
Log:
{
"argv": [],
"cgroup_id": 4294967537,
"code": "T4000I",
"ei": 15,
"event": "session.command",
"login": "root",
"namespace": "default",
"path": "/bin/echo",
"pid": 7143,
"ppid": 7115,
"program": "echo",
"return_code": 0,
"server_id": "e75992b4-9e27-456f-b1c9-7a32da83c661",
"sid": "8a3fc038-785b-43f3-8737-827b3e25fe5b",
"time": "2020-08-17T17:40:37.491Z",
"uid": "8eaf8f39-09d4-4a42-a22a-65163d2af702",
"user": "panther",
}
- Name: Netcat command
ExpectedResult: true
Log:
{
"argv": ["-l", "-p", "11434"],
"cgroup_id": 4294967537,
"code": "T4000I",
"ei": 15,
"event": "session.command",
"login": "root",
"namespace": "default",
"path": "/bin/nc",
"pid": 7143,
"ppid": 7115,
"program": "nc",
"return_code": 0,
"server_id": "e75992b4-9e27-456f-b1c9-7a32da83c661",
"sid": "8a3fc038-785b-43f3-8737-827b3e25fe5b",
"time": "2020-08-17T17:40:37.491Z",
"uid": "8eaf8f39-09d4-4a42-a22a-65163d2af702",
"user": "panther",
}
Detection logic
Condition
event eq "session.command"
argv is_not_null
program in ["nc", "wget"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
user |
program |
cluster_name |