From 5d3e17eaffbb65ad13df6959e278a2c9fe64fd72 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 17 Mar 2026 17:12:08 +0100
Subject: [PATCH] [Rule Tuning] Dynamic Linker Copy (#5841)

---
 rules/linux/persistence_dynamic_linker_backup.toml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index f6f216ead..2dcef6e4f 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/17"
 
 [transform]
 [[transform.osquery]]
@@ -166,11 +166,12 @@ tags = [
 type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
-[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync", "mv") and
- process.args in (
- "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
- "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
- )]
+ [process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync", "mv") and
+ process.args in (
+ "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
+ "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
+ ) and
+ not process.args like ("/var/tmp/mkinitramfs*", "/var/tmp/dracut*", "/tmp/mkinitcpio*")]
 [file where host.os.type == "linux" and event.action == "creation" and (file.extension == "so" or file.name like "*.so.*")]
 '''
 
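Review bot: The new exclusion on the `not process.args like (...)` line keys on path prefixes under /tmp and /var/tmp, directories any local user can create entries in, so copying the loader to a destination such as `/var/tmp/dracut.x/ld-linux-x86-64.so.2` suppresses the first sequence step and the rule never fires. Because `process.args` is matched against every argument, the exclusion also fires when the initramfs-style path is the source rather than the destination, which is not what the tuning is trying to allow. A less attacker-controlled anchor is the tool doing the copy, e.g. `not process.parent.name in ("mkinitramfs", "dracut", "mkinitcpio")` (or `process.parent.executable` under a trusted prefix), assuming the endpoint and SentinelOne integrations populate parent fields; if the path exclusion must stay, pairing it with the parent check keeps the tuning from becoming a free bypass. The full `query` string is inside the hunk, so nothing of the rule logic is cut off.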