Language: KQL. License: Elastic-2.0. Source: elastic/detection-rules

Renaming of OpenSSH Binaries

Quality: 92
FP risk: (not given)
Rule source: rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Query (KQL):

event.category:file and host.os.type:linux and event.type:change and
process.name:(* and not (
  dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python* or
  apk or ansible-admin or systemd or python* or nix-daemon or nix
  )
) and
(file.path:(/usr/bin/scp or
            /usr/bin/sftp or
            /usr/bin/ssh or
            /usr/sbin/sshd) or
 file.name:libkeyutils.so) and
not (
  process.executable:(
    /usr/share/elasticsearch/* or "/usr/bin/microdnf" or "/usr/bin/dnf5" or "/usr/sbin/gdm" or
    "/usr/libexec/packagekitd" or "/usr/libexec/zypp/zypp-rpm" or "/home/sa-ansible"
  ) or
  file.Ext.original.name:"sshd.session-split"
)
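The query's logic re-implemented in Python as an added example (this is not code from elastic/detection-rules) and run over constructed ECS-style events, so the clauses can be checked offline: a direct overwrite of /usr/sbin/sshd and a rename of libkeyutils.so fire; a dpkg upgrade, the /usr/share/elasticsearch/* and sshd.session-split exclusions, and an event with no process.name do not. It also exercises the weak spot a reviewer would flag in this rule: the allow-list keys on process.name, so a tool that simply calls itself python3 can write /usr/sbin/sshd without tripping the rule. Field names are the ECS fields used in the query; every event sample is constructed.

```python
# Added example (not Elastic's code): the rule's KQL re-implemented in Python
# and evaluated over constructed ECS-style events. Samples are not real telemetry.
from fnmatch import fnmatchcase

# Lists copied from the rule query. A value containing '*' is a KQL wildcard;
# everything else is an exact match on the keyword field.
EXCLUDED_PROCESS_NAMES = (
    "dnf", "dnf-automatic", "dpkg", "yum", "rpm", "yum-cron", "anacron",
    "platform-python*", "apk", "ansible-admin", "systemd", "python*",
    "nix-daemon", "nix",
)
WATCHED_PATHS = ("/usr/bin/scp", "/usr/bin/sftp", "/usr/bin/ssh", "/usr/sbin/sshd")
WATCHED_NAMES = ("libkeyutils.so",)
EXCLUDED_EXECUTABLES = (
    "/usr/share/elasticsearch/*", "/usr/bin/microdnf", "/usr/bin/dnf5",
    "/usr/sbin/gdm", "/usr/libexec/packagekitd", "/usr/libexec/zypp/zypp-rpm",
    "/home/sa-ansible",
)
EXCLUDED_ORIGINAL_NAMES = ("sshd.session-split",)


def field_matches(event, field, patterns):
    """Emulate `field:(a or b* or ...)`: any value of the field (ECS fields such
    as event.type may be arrays) equals a literal or fnmatches a wildcard."""
    value = event.get(field)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(
        fnmatchcase(v, p) if "*" in p else v == p
        for v in values for p in patterns
    )


def matches_rule(event):
    """True when the event satisfies the rule query, clause by clause."""
    if not (field_matches(event, "event.category", ("file",))
            and field_matches(event, "host.os.type", ("linux",))
            and field_matches(event, "event.type", ("change",))):
        return False
    # process.name:(* and not (...)): field must be present and not allow-listed.
    if "process.name" not in event or field_matches(event, "process.name", EXCLUDED_PROCESS_NAMES):
        return False
    if not (field_matches(event, "file.path", WATCHED_PATHS)
            or field_matches(event, "file.name", WATCHED_NAMES)):
        return False
    # Trailing exclusions on the acting executable and on the pre-rename name.
    if field_matches(event, "process.executable", EXCLUDED_EXECUTABLES):
        return False
    if field_matches(event, "file.Ext.original.name", EXCLUDED_ORIGINAL_NAMES):
        return False
    return True


def _ev(event_id, **fields):
    """Build a constructed Linux file-change event with an id for reporting."""
    base = {"id": event_id, "event.category": ["file"], "host.os.type": "linux",
            "event.type": ["change"]}
    base.update(fields)
    return base


# Constructed sample events, one per clause worth checking.
SAMPLE_EVENTS = [
    _ev("cp-overwrites-sshd", **{"process.name": "cp", "process.executable": "/usr/bin/cp",
                                 "file.path": "/usr/sbin/sshd", "file.name": "sshd"}),
    _ev("dpkg-upgrades-ssh", **{"process.name": "dpkg", "process.executable": "/usr/bin/dpkg",
                                "file.path": "/usr/bin/ssh", "file.name": "ssh"}),
    _ev("mv-libkeyutils", **{"process.name": "mv", "process.executable": "/usr/bin/mv",
                             "file.path": "/lib/x86_64-linux-gnu/libkeyutils.so",
                             "file.name": "libkeyutils.so"}),
    # The allow-list keys on process.name only: a tool renamed "python3" passes.
    _ev("spoofed-python3-name", **{"process.name": "python3", "process.executable": "/tmp/.x/python3",
                                   "file.path": "/usr/sbin/sshd", "file.name": "sshd"}),
    _ev("elasticsearch-path", **{"process.name": "java",
                                 "process.executable": "/usr/share/elasticsearch/jdk/bin/java",
                                 "file.path": "/usr/bin/ssh", "file.name": "ssh"}),
    _ev("sshd-session-split", **{"process.name": "sshd", "process.executable": "/usr/sbin/sshd",
                                 "file.path": "/usr/sbin/sshd", "file.name": "sshd",
                                 "file.Ext.original.name": "sshd.session-split"}),
    _ev("no-process-name", **{"file.path": "/usr/bin/scp", "file.name": "scp"}),
]


def fired_event_ids(events=SAMPLE_EVENTS):
    """IDs of the sample events that would raise an alert under this rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<22} {'ALERT' if matches_rule(e) else 'no alert'}")
```

Two things the run makes visible. First, the spoofed-python3-name event is silently dropped: anything an attacker names python3, dnf or systemd clears the process.name allow-list, so pairing the name exclusion with process.executable (or a code-signing / package-ownership check) is the obvious hardening. Second, the quoted exclusion "/home/sa-ansible" is an exact match on process.executable as written, not a prefix, so it suppresses nothing unless an executable literally lives at that path.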