kqlElastic-2.0from elastic/detection-rules

Suspicious System Commands Executed by Previously Unknown Executable

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1059 T1059.004 T1016 T1033 T1049 T1057 T1082 T1083

Rule sourcerules/linux/execution_suspicious_executable_running_system_commands.toml

host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
process.executable:(* and (
  /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or
  /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/* or /sbin/* or /usr/sbin/* or
  /usr/local/sbin/* or /usr/local/bin/* or /var/lib/* or /var/run/* or /var/cache/* or /var/log/* or /dev/shm/* or /var/tmp/*
) and not /tmp/go-build*) and
process.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and
not (process.name:
  (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or
  snapd or sudo or top or uptime or which or whoami or yum or sh or bash or ip or dash or find or podman or env or
  busybox or aws or timeout or nmcli or dpkg-query or nsenter or pw-cli or node or npm or gnome-calculator or pidof or
  steamerrorreporter or ssh or grep or xargs or apt-get or numactl or entrypoint or flatpak-spawn or logger or command or
  login or sshpass or docker-compose or whereis or rbd or basename or ifconfig or tar or crictl or su) or
process.parent.executable:(
  /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or
  /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or
  /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or
  /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/* or
  "/usr/sbin/sshd" or "./runc" or "/opt/gitlab/embedded/bin/ruby" or /opt/saltstack/salt/bin/python* or "/usr/lib/rabbitmq/bin/rabbitmqctl"
  ) or
  process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)
)