KQL · Elastic-2.0 · from elastic/detection-rules

Shared Object Created by Previously Unknown Process

Rule source: rules/linux/persistence_shared_object_creation.toml
event.category:file and host.os.type:"linux" and
event.action:("creation" or "file_create_event") and
(file.extension:"so" or file.name:*.so.*) and
file.path:(
  /dev/shm/* or
  /lib/* or /lib64/* or
  /lib/i386-linux-gnu/* or /lib/x86_64-linux-gnu/* or
  /usr/lib/* or /usr/lib64/* or
  /usr/lib/i386-linux-gnu/* or /usr/lib/x86_64-linux-gnu/* or
  /usr/local/lib/* or /usr/local/lib64/*
) and not (
  process.name:(
    "apk" or "apt-get" or "crio" or "dnf" or "dnf-automatic" or "dockerd" or "dpkg" or "exe" or "install" or
    "jlink" or "pacman" or "packagekitd" or "pip" or pip* or platform-python* or "podman" or python* or
    "root" or "rpm" or "snap-update-ns" or "snapd" or "sshd" or "systemd" or "unattended-upgrade" or
    "update-alternatives" or "vmis-launcher" or "yum"
  ) or
  (process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or
  (process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*) or
  process.executable:(
    "/" or /dev/fd/* or
    "./nvidia-installer" or "./usr/bin/qemu-aarch64" or "./usr/bin/qemu-aarch64-static" or
    "3600/cmk-update-agent" or "/usr/lib/check_mk_agent/plugins/3600/cmk-update-agent" or
    "/kaniko/executor" or
    "/opt/ITSPlatform/plugin/scap/fortify-scap-plugin" or /opt/lmanteuffel/useful/tmp/makeself* or /opt/lpruitt/tmp/selfgz* or
    "/sbin/yum-cron" or "/usr/sbin/yum-cron" or "/usr/sbin/crond" or "/usr/sbin/gdm" or
    /tmp/makeself* or /tmp/selfgz* or
    "/usr/bin/buildah" or "/usr/bin/cmake" or "/usr/local/bin/cmake" or "/usr/bin/dnf5" or "/usr/bin/dockerd" or
    "/usr/bin/microdnf" or "/usr/bin/nvidia-installer" or "/usr/bin/pamac-daemon" or
    "/usr/lib/dracut/dracut-install" or "/usr/lib/snapd/snap-update-ns" or "/usr/local/psa/bin/dnf_install" or
    /var/lib/docker/overlay2/*
  ) or
  file.name:libnvidia*
)