Unusual Process For a Linux Host
editUnusual Process For a Linux Host
editIdentifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.
Rule type: machine_learning
Machine learning job: v3_rare_process_by_host_linux
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- ML
- Persistence
Version: 100 (version history)
Added (Elastic Stack release): 7.7.0
Last modified (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editA newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
Investigation guide
edit## Triage and analysis ### Investigating an Unusual Linux Process Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation: - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? - Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Rule version history
edit- Version 100 (8.5.0 release)
-
- Formatting only
- Version 9 (8.4.0 release)
-
- Formatting only
- Version 8 (8.3.0 release)
-
- Formatting only
- Version 7 (7.15.0 release)
-
- Formatting only
- Version 6 (7.14.0 release)
-
- Formatting only
- Version 5 (7.13.0 release)
-
- Formatting only
- Version 4 (7.12.0 release)
-
- Formatting only
- Version 3 (7.10.0 release)
-
- Formatting only
- Version 2 (7.9.0 release)
-
- Formatting only