KQL rule, licensed Elastic-2.0, from elastic/detection-rules
Process Backgrounded by Unusual Parent
Quality: 92
FP risk: —
Rule source: rules/linux/execution_process_backgrounded_by_unusual_parent.toml
event.category:process and host.os.type:linux and event.type:start and
event.action:(ProcessRollup2 or exec or exec_event or start) and
process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
process.args:(-c and *&) and
not process.parent.name:(sshd or make or su or ds_agent or fortitraylauncher or zeek or asterisk or vncserver or cron or crond)