IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
File Creation, Execution and Self-Deletion in Suspicious Directory
editFile Creation, Execution and Self-Deletion in Suspicious Directory
editThis rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Execution
- Data Source: Elastic Defend
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by host.id, user.id with maxspan=1m
[file where host.os.type == "linux" and event.action == "creation" and
process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and
file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
"/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name
[file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and
file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
"/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: Unix Shell
- ID: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/