Connection to External Network via Telnet

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Lateral MovementData Source: Elastic DefendData Source: SentinelOneLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Remote Services (T1021)(opens in a new tab or window)

False Positive Examples

Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.network*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*

Related Integrations

endpoint(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query

sequence by process.entity_id
  [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
  [network where host.os.type == "linux" and process.name == "telnet" and not cidrmatch(
     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
     "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
     "FF00::/8"
    )
  ]