IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Potential Application Shimming via Sdbinst Potential Command and Control via Internet Explorer »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

Potential Code Execution via Postgresql

edit

Potential Code Execution via Postgresql

edit

This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and
event.type == "start" and user.name == "postgres" and (
  (process.parent.args : "*sh" and process.parent.args : "echo*") or
  (process.args : "*sh" and process.args : "echo*")
) and not process.parent.name : "puppet"

Framework: MITRE ATT&CKTM

« Potential Application Shimming via Sdbinst Potential Command and Control via Internet Explorer »