f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
# Hunt definition for the Linux hunting library. The commit history
# ("regenerating linux docs") indicates a generator reads these fields
# to produce the rendered documentation, so key names are part of the
# contract with that tooling and should not be renamed here.
[hunt]
author = "Elastic"
description = """
This hunt identifies potential system binary hijacking attempts on Linux systems. It monitors process execution events where common system binaries such as ls, cat, mkdir, touch, mv, and cp are the parent processes. These activities can indicate attempts to hijack system binaries for malicious purposes. The hunt lists detailed information for further analysis and investigation.
"""
# Integration that ships the data source; the query below reads the
# logs-endpoint.events.process-* index pattern.
integration = ["endpoint"]
# Stable identifier for this hunt (hyphenated hex form per the
# "changed UUIDs to hex only with standard hyphen format" commit step).
uuid = "d22cbe8f-c84d-4811-aa6d-f1ee00c806b2"
name = "Unusual System Binary Parent (Potential System Binary Hijacking Attempt)"
# Query language of each entry in `query`; one language per query entry.
language = ["ES|QL"]
license = "Elastic License v2"
# Analyst-facing notes on scope and expected follow-up. The last note is
# the important one: results are a low-prevalence shortlist, not alerts.
notes = [
"Monitors process execution events where common system binaries such as ls, cat, mkdir, touch, mv, and cp are the parent processes.",
"Focuses on identifying unusual or suspicious child processes spawned by these common system binaries.",
"Uses stats to count occurrences and identify unusual activity by looking at the number of unique hosts and processes involved.",
"Requires additional data analysis and investigation into results to identify malicious or unauthorized use of system binaries."
]
# ATT&CK technique IDs this hunt maps to.
mitre = ["T1546.004", "T1059.004"]

# One ES|QL query per array element, as a literal string so the pipe and
# double-quote syntax needs no escaping. Comments cannot go inside the
# string (they would become part of the query), so the pipeline is
# described here:
#   - 30-day lookback window on @timestamp.
#   - Linux exec/start events whose parent *short name* is one of the six
#     listed coreutils. Only process.parent.name is matched, so a parent
#     with that name running from an unexpected path still matches; the
#     full path is exposed via process.parent.executable in the results
#     and is the first thing to check during triage.
#   - Aggregates by (parent executable, child executable), counting
#     events and distinct host.name values.
#   - host_count <= 5 keeps only pairs seen on a handful of hosts. A
#     pair that is common across the fleet is dropped, so fleet-wide
#     activity is out of scope for this hunt by design.
#   - Rarest pairs first, capped at 100 rows.
query = [
'''
from logs-endpoint.events.process-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.name in ("ls", "cat", "mkdir", "touch", "mv", "cp")
| stats cc = count(), host_count = count_distinct(host.name) by process.parent.executable, process.executable
| where host_count <= 5
| sort cc asc
| limit 100
'''
]