Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common and will potentially indicate malicious or suspicious behavior.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2023/08/25"

[rule]
author = ["Elastic"]
description = """
This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to
inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious
shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common
and will potentially indicate malicious or suspicious behavior.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable"
note = """ This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule.
## Setup
By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration.
Kibana --> Fleet --> Agent policies --> Agent policy for which the option should be enabled --> Name of the Elastic Defend integration --> Show advanced settings --> linux.advanced.capture_env_vars
`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`.
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
"""
references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"]
risk_score = 21
rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
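The query above hinges on two details that are easy to miss when reading EQL: the `:` operator is a case-insensitive wildcard match, and the `?*` suffix requires a non-empty value, so an exported but empty `LD_PRELOAD=` does not fire. The following is an added example (not part of the Elastic rule or this page) that re-implements the query's match logic in Python and runs it over constructed endpoint events, then layers on the kind of allowlist a team would add to cut the false positives the deprecation note mentions. It assumes `process.env_vars` arrives as a list of `KEY=VALUE` strings; the sample documents, the `KNOWN_GOOD_PRELOADS` set and its library path are made up for illustration.

```python
import re

# Patterns copied verbatim from the rule's query.
RULE_PATTERNS = ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")


def eql_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an EQL `:` wildcard pattern into an anchored, case-insensitive regex.

    In EQL, `*` matches any run of characters (including none) and `?` matches
    exactly one character, so "LD_PRELOAD=?*" only matches a non-empty value.
    """
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)


_COMPILED = [eql_wildcard_to_regex(p) for p in RULE_PATTERNS]


def env_var_matches(entry: str) -> bool:
    """True if one KEY=VALUE string satisfies any of the rule's patterns."""
    return any(rx.match(entry) for rx in _COMPILED)


def rule_matches(event: dict) -> bool:
    """Mirror the EQL query:
    process where host.os.type == "linux" and event.action == "exec"
      and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
    """
    return (
        "process" in event.get("event", {}).get("category", [])
        and event.get("host", {}).get("os", {}).get("type") == "linux"
        and event.get("event", {}).get("action") == "exec"
        and any(env_var_matches(e) for e in event.get("process", {}).get("env_vars", []))
    )


# Illustrative tuning, not part of the rule: preload libraries an organisation
# has vetted. The path below is invented for this example.
KNOWN_GOOD_PRELOADS = {"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}


def needs_triage(event: dict) -> bool:
    """Rule hit whose LD_PRELOAD names at least one library outside the allowlist.

    ld.so accepts several libraries in LD_PRELOAD separated by colons or spaces,
    so every entry is checked. LD_LIBRARY_PATH-only hits are always surfaced,
    because the rule cannot tell which library in that path was actually loaded.
    """
    if not rule_matches(event):
        return False
    libs = set()
    for entry in event["process"]["env_vars"]:
        key, _, value = entry.partition("=")
        if key.upper() == "LD_PRELOAD":
            libs.update(re.split(r"[:\s]+", value.strip()))
    if not libs:
        return True
    return not libs <= KNOWN_GOOD_PRELOADS


def sample_events() -> list:
    """Constructed endpoint process documents (not real telemetry)."""
    def ev(action, env, os_type="linux", name="id"):
        return {
            "event": {"category": ["process"], "action": action},
            "host": {"os": {"type": os_type}},
            "process": {"name": name, "env_vars": env},
        }
    return [
        ev("exec", ["PATH=/usr/bin", "LD_PRELOAD=/tmp/.x/inject.so"]),          # hit, triage
        ev("exec", ["LD_PRELOAD="]),                                              # empty value: no hit
        ev("exec", ["ld_preload=/tmp/lower.so"]),                                 # hit: `:` ignores case
        ev("fork", ["LD_PRELOAD=/tmp/.x/inject.so"]),                             # not an exec: no hit
        ev("exec", ["DYLD_INSERT_LIBRARIES=/tmp/x.dylib"], os_type="macos"),      # other OS/variable: no hit
        ev("exec", ["LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"],
           name="redis-server"),                                                  # hit, but allowlisted
        ev("exec", ["LD_LIBRARY_PATH=/opt/app/lib"]),                             # hit, always triage
    ]


def run(events: list) -> list:
    """Return (index, rule_hit, needs_triage) for each event."""
    return [(i, rule_matches(e), needs_triage(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, hit, triage in run(sample_events()):
        print(f"event {i}: rule_hit={hit} needs_triage={triage}")
```

Note that the third sample fires even though the dynamic linker only honours the upper-case `LD_PRELOAD` name; that is a property of the `:` operator, not of ld.so, and is one more source of noise in a rule that was already retired for false positives.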
This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule.
Setup
By default, the Elastic Defend integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.
Kibana --> Fleet --> Agent policies --> Agent policy for which the option should be enabled --> Name of the Elastic Defend integration --> Show advanced settings --> linux.advanced.capture_env_vars
linux.advanced.capture_env_vars should be set to LD_PRELOAD,LD_LIBRARY_PATH.
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
References
- https://www.getambassador.io/resources/code-injection-on-linux-and-macos
Related rules
- Kernel Load or Unload via Kexec Detected
- Cron Job Created or Changed by Previously Unknown Process
- New Systemd Service Created by Previously Unknown Process
- Potential Sudo Hijacking Detected
- Attempt to Disable IPTables or Firewall