System Binary Symlink to Suspicious Location
This rule detects the creation of a symbolic link from a system binary to a suspicious and writable location. This activity may indicate an attacker's attempt to evade detection by behavioral rules that depend on predefined process parent/child relationships. By executing the symlinked variant of a binary instead of the original, the attacker aims to bypass these rules. Through the new_terms rule type, this rule can identify uncommon parent processes that may indicate the presence of a malicious symlink.
Rule type: new_terms
Rule indices:
- logs-endpoint.events.process*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.executable:* and
(process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and
process.args:(
(
/bin/* or /lib/* or /lib64/* or /sbin/* or /usr/bin/* or /usr/lib/* or /usr/lib64/* or /usr/local/bin/* or
/usr/local/lib/* or /usr/local/lib64/* or /usr/local/sbin/* or /usr/sbin/*
) and (
/*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/*
) and
not (/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs*)
)
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Hijack Execution Flow
- Id: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
Technique:
- Name: Indirect Command Execution
- Id: T1202
- Reference URL: https://attack.mitre.org/techniques/T1202/
Technique:
- Name: Hide Artifacts
- Id: T1564
- Reference URL: https://attack.mitre.org/techniques/T1564/