IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
System Binary Copied and/or Moved to Suspicious Directory
This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Defend
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sequence by host.id, process.entity_id with maxspan=1s
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name in ("cp", "mv") and process.args : (
    // Shells
    "/bin/*sh", "/usr/bin/*sh",

    // Interpreters
    "/bin/python*", "/usr/bin/python*", "/bin/php*", "/usr/bin/php*", "/bin/ruby*", "/usr/bin/ruby*",
    "/bin/perl*", "/usr/bin/perl*", "/bin/lua*", "/usr/bin/lua*", "/bin/java*", "/usr/bin/java*",

    // Compilers
    "/bin/gcc*", "/usr/bin/gcc*", "/bin/g++*", "/usr/bin/g++*", "/bin/cc", "/usr/bin/cc",

    // Suspicious utilities
    "/bin/nc", "/usr/bin/nc", "/bin/ncat", "/usr/bin/ncat", "/bin/netcat", "/usr/bin/netcat",
    "/bin/nc.openbsd", "/usr/bin/nc.openbsd", "/bin/*awk", "/usr/bin/*awk", "/bin/socat", "/usr/bin/socat",
    "/bin/openssl", "/usr/bin/openssl", "/bin/telnet", "/usr/bin/telnet", "/bin/mkfifo", "/usr/bin/mkfifo",
    "/bin/mknod", "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap",

    // System utilities
    "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo",
    "/bin/curl", "/usr/bin/curl", "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux",
    "/bin/screen", "/usr/bin/screen", "/bin/ssh", "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp"
   ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")]
  [file where host.os.type == "linux" and event.action == "creation" and file.path : (
    "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
   )]
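The rule's sequence logic, re-implemented in Python as an added example (not Elastic's code) so the matching and the exclusions can be exercised offline against constructed events. The flat-dict event shape, the `ts` field (seconds) and the `proc`/`created` helpers are assumptions of this example; it pairs each file creation with the most recent matching exec for the same `host.id` and `process.entity_id`.

```python
from fnmatch import fnmatchcase

# Basenames from the rule query; each one is watched under /bin and /usr/bin.
NAMES = ("*sh python* php* ruby* perl* lua* java* gcc* g++* cc nc ncat netcat "
         "nc.openbsd *awk socat openssl telnet mkfifo mknod ping* nmap ls cat "
         "sudo curl wget tmux screen ssh ftp").split()
SOURCES = [d + n for n in NAMES for d in ("/bin/", "/usr/bin/")]
TARGETS = ["/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*",
           "/var/run/*", "/var/www/*", "/proc/*/fd/*"]
EXCLUDED_PARENTS = {"dracut-install", "apticron", "generate-from-dir", "platform-python"}
MAXSPAN = 1.0  # seconds, from "with maxspan=1s"

def wild(value, patterns):
    # EQL ':' is a case-insensitive wildcard match; '*' also spans '/'.
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_copy_exec(e):
    return (e.get("event.category") == "process" and e.get("host.os.type") == "linux"
            and e.get("event.action") == "exec" and e.get("event.type") == "start"
            and e.get("process.name") in ("cp", "mv")
            and any(wild(a, SOURCES) for a in e.get("process.args", []))
            and e.get("process.parent.name") not in EXCLUDED_PARENTS)

def is_file_drop(e):
    return (e.get("event.category") == "file" and e.get("host.os.type") == "linux"
            and e.get("event.action") == "creation" and wild(e.get("file.path", ""), TARGETS))

def detect(events):
    pending, alerts = {}, []  # pending: (host.id, process.entity_id) -> exec event
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e.get("host.id"), e.get("process.entity_id"))
        if is_copy_exec(e):
            pending[key] = e
        elif is_file_drop(e) and key in pending:
            start = pending.pop(key)
            if e["ts"] - start["ts"] <= MAXSPAN:
                alerts.append((start["process.args"], e["file.path"]))
    return alerts

BASE = {"host.os.type": "linux", "host.id": "h1"}
def proc(ts, eid, args, parent="bash"):  # constructed process event
    return {**BASE, "ts": ts, "process.entity_id": eid, "event.category": "process",
            "event.action": "exec", "event.type": "start", "process.name": args[0],
            "process.args": args, "process.parent.name": parent}
def created(ts, eid, path):  # constructed file event
    return {**BASE, "ts": ts, "process.entity_id": eid, "event.category": "file",
            "event.action": "creation", "file.path": path}
# Constructed samples: one hit, one excluded parent, one non-suspicious target.
SAMPLE = [proc(0.0, "p1", ["cp", "/bin/bash", "/tmp/.cache"]), created(0.2, "p1", "/tmp/.cache"),
          proc(5.0, "p2", ["cp", "/usr/bin/curl", "/var/tmp/x"], "dracut-install"), created(5.1, "p2", "/var/tmp/x"),
          proc(9.0, "p3", ["cp", "/usr/bin/python3", "/opt/tools/python3"]), created(9.1, "p3", "/opt/tools/python3")]
```

Only the first pair in `SAMPLE` alerts: the second is suppressed by the parent-name exclusion and the third writes outside the watched directories.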
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Hide Artifacts
  - ID: T1564
  - Reference URL: https://attack.mitre.org/techniques/T1564/
- Technique:
  - Name: Masquerading
  - ID: T1036
  - Reference URL: https://attack.mitre.org/techniques/T1036/
  - Sub-technique:
    - Name: Rename System Utilities
    - ID: T1036.003
    - Reference URL: https://attack.mitre.org/techniques/T1036/003/