Language: KQL. License: Elastic-2.0. Source: elastic/detection-rules

Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments

Rule source: rules/linux/defense_evasion_ld_preload_cmdline.toml
host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and
process.parent.name:(* and not (
  awk or bwrap or cylancesvc or dbus-run-session or java or julia or make or matlab_helper or ninja or noproc_sandbox or
  nxrunner or nxserver or perl or rear or sapcontrol or setsid or spoold or sshd or steam or su or sudo or titanagent or
  vls_agent or zabbix_agentd
)) and
not process.parent.executable:(
  /tmp/CVU_19_resource*/exectask or /u01/app/oracle/*oracle/CVU_19_oracle*/exectask or "/opt/ds_agent/ds_agent" or
  "/opt/McAfee/agent/scripts/ma" or "/usr/local/bin/AppProtection/BootTimeChecker" or "/usr/bin/gmake" or "./runc" or
  "/usr/openv/db/bin/nbdb_unload"
) and
not process.parent.args:"/opt/McAfee/agent/scripts/ma" and
process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*)