What is session_id_change in event.action?

Moros_ntd · September 3, 2024, 12:16pm

I'm using the "Suspicious Network Connection Attempt by Root" rule in Elastic, but I don't really understand it. I don't know how to trigger this rule through an attack because I don't understand why it needs to catch the session_id_change event following a connection_attempted. I don't understand what the session_id_change event is and when it occurs. Could someone provide me with an example? Here is the rule:

sequence by process.entity_id with maxspan=1m
[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
[process where event.action == "session_id_change" and user.id == "0" and
    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]

ashishtiwari1993 · September 3, 2024, 12:37pm

Referring to the doc, If you have not taken a look -

Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process.

For reproducing, there are some reference given. Let me know if that helps.

Moros_ntd · September 3, 2024, 1:54pm

They don't help me much. As far as I know, the session ID is set up whenever you log in (via SSH or similar) or when you create a new terminal. If so, why would an attacker want to change the session ID after attempting to create a connection?

Ruben_Groenewoud · September 4, 2024, 7:51am

Hello, this rule has been deprecated in july 2023. But related to the question of when this activity would occur; this may occur in situations where a root user catches a reverse shell connection. This is a network event followed by a UID change. This activity is also seen in the port knocking functionality of the open source rootkit dubbed "Reptile". But because the rule was noisy, it was deprecated some time ago.

I hope that helps.

Ruben

system · October 2, 2024, 7:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Brute Force Attack - Watcher using Windows Event id's Elasticsearch elastic-stack-alerting	4	2082	October 5, 2017
Difference between (event.module: system - event.action: user_login) AND (event.module: auditd - event.action: logged-in) SIEM ecs-elastic-common-schema , detection-rules	3	824	August 24, 2021
Event correlation rule that compares fields between the two events Elastic Security detection-rules	2	2101	March 3, 2022
EQL rules are wrong, God help me Elastic Security	7	386	October 20, 2022
Security events and rules matching SIEM	3	505	August 23, 2022

What is session_id_change in event.action?

Related topics