kql | Elastic-2.0 | from elastic/detection-rules

Modification of Dynamic Linker Preload Shared Object

Quality: 92
Rule source: rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

host.os.type:linux and event.category:file and event.action:(file_rename_event or rename or renamed or updated) and
not event.type:deletion and file.path:/etc/ld.so.preload and
process.name:(* and not (oneagentinstallaction or passwd or wine))