kql · Elastic-2.0 · from elastic/detection-rules
System Binary Symlink to Suspicious Location
Rule source: rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml
host.os.type:linux and event.category:process and event.type:start and event.action:exec and
process.parent.executable:(* and not (/bin/make or /sbin/weak-modules or /usr/bin/make or /usr/sbin/weak-modules)) and
(process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and
process.args:(
(
/bin/* or /lib/* or /lib64/* or /sbin/* or /usr/bin/* or /usr/lib/* or /usr/lib64/* or /usr/local/bin/* or
/usr/local/lib/* or /usr/local/lib64/* or /usr/local/sbin/* or /usr/sbin/*
) and (
/*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/*
) and
not (
/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs* or /var/tmp/pamac-build* or
/var/tmp/portage/* or usr/lib/python3/dist-packages/*
)
) and not
process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or /usr/share/initramfs-tools/hooks/ntfs_3g or /var/tmp/rpm-tmp*)