Mknod Process Activity
The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits.
11It is used to export a command shell when the traditional version of netcat is not available to the payload.
12"""
13false_positives = [
14 """
15 Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from
16 scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
17 """,
18]
19from = "now-9m"
20index = ["auditbeat-*", "logs-endpoint.events.*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Mknod Process Activity"
24references = [
25 "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/",
26]
27risk_score = 21
28rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
29severity = "low"
30tags = ["Elastic", "Host", "Linux", "Threat Detection"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.category:process and event.type:(start or process_started) and process.name:mknod
36'''
References
Related rules
- Base64 Encoding/Decoding Activity
- Hex Encoding/Decoding Activity
- Network Sniffing via Tcpdump
- Nmap Process Activity
- Persistence via Kernel Module Modification