kql | Elastic-2.0 | from elastic/detection-rules

Unknown Execution of Binary with RWX Memory Region

Rule source: rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (
  process.executable:(
    "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2"
  ) or
  process.name:(httpd or java or node or dotnet or github-desktop or code or tenzir or brave or qemu-* or php* or deno)
)