System Binary Symlink to Suspicious Location

  1[metadata]
  2creation_date = "2025/04/30"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/07/07"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects the creation of a symbolic link from a system binary to a suspicious and writable location. This
 11activity may indicate an attacker's attempt to evade detection by behavioral rules that depend on predefined process
 12parent/child relationships. By executing the symlinked variant of a binary instead of the original, the attacker aims to
 13bypass these rules. Through the new_terms rule type, this rule can identify uncommon parent processes that may indicate the
 14presence of a malicious symlink.
 15"""
 16from = "now-9m"
 17index = [
 18    "logs-endpoint.events.process*",
 19]
 20language = "kuery"
 21license = "Elastic License v2"
 22name = "System Binary Symlink to Suspicious Location"
 23note = """ ## Triage and analysis
 24
 25> **Disclaimer**:
 26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 27
 28### Investigating System Binary Symlink to Suspicious Location
 29
 30Symbolic links in Linux create shortcuts to files or directories, allowing flexible file management. Adversaries exploit this by linking system binaries to writable, suspicious locations, aiming to bypass security measures that monitor standard execution paths. The detection rule identifies unusual parent processes and symbolic link creation to these locations, flagging potential evasion attempts.
 31
 32### Possible investigation steps
 33
 34- Review the parent process executable (process.parent.executable) to determine if it is a known and legitimate process that should be creating symbolic links.
 35- Examine the specific system binary involved (process.args) to verify if it is commonly used in the environment and assess if its redirection to a suspicious location is justified.
 36- Investigate the destination path of the symbolic link (process.args) to determine if it is a writable and potentially malicious location such as /tmp, /dev/shm, or /var/tmp.
 37- Check for any recent or concurrent alerts or logs related to the same parent process or destination path to identify potential patterns or repeated attempts.
 38- Assess the user account associated with the process (if available) to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior.
 39- Correlate with other security tools or logs to identify any additional suspicious activities or anomalies around the time of the alert.
 40
 41### False positive analysis
 42
 43- Routine system maintenance tasks may create symbolic links in monitored directories. Exclude known maintenance scripts or processes like mkinitcpio and dracut from triggering alerts by adding them to the exception list.
 44- Software installations or updates often involve creating symbolic links in writable directories. Identify and whitelist trusted installation processes or package managers to prevent unnecessary alerts.
 45- Development environments may frequently use symbolic links for testing purposes. Consider excluding specific user directories or development tools that are known to create such links regularly.
 46- Backup or synchronization tools might create symbolic links as part of their operation. Verify and exclude these tools if they are part of a legitimate and routine process.
 47- Custom scripts or automation tools used within the organization might trigger this rule. Review and whitelist these scripts if they are verified to be safe and necessary for business operations.
 48
 49### Response and remediation
 50
 51- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
 52- Terminate any suspicious processes identified as creating symbolic links to writable locations, especially those with uncommon parent processes.
 53- Remove any unauthorized symbolic links from system binaries to suspicious locations, ensuring the integrity of the original binaries.
 54- Conduct a thorough review of user accounts and permissions on the affected system to identify and disable any compromised accounts or unnecessary elevated privileges.
 55- Restore affected binaries and system files from a known good backup to ensure no tampered files remain.
 56- Monitor the system for any further attempts to create unauthorized symbolic links, using enhanced logging and alerting mechanisms.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 58"""
 59risk_score = 21
 60rule_id = "d19a2399-f8e2-4b10-80d8-a561ce9d24d1"
 61severity = "low"
 62tags = [
 63    "Domain: Endpoint",
 64    "OS: Linux",
 65    "Use Case: Threat Detection",
 66    "Tactic: Defense Evasion",
 67    "Data Source: Elastic Defend",
 68    "Resources: Investigation Guide",
 69]
 70timestamp_override = "event.ingested"
 71type = "new_terms"
 72query = '''
 73host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.executable:* and
 74(process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and
 75process.args:(
 76  (
 77    /bin/* or /lib/* or /lib64/* or /sbin/* or /usr/bin/* or /usr/lib/* or /usr/lib64/* or /usr/local/bin/* or
 78    /usr/local/lib/* or /usr/local/lib64/* or /usr/local/sbin/* or /usr/sbin/*
 79  ) and (
 80    /*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/*
 81  ) and
 82  not (/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs*)
 83)
 84'''
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88
 89  [rule.threat.tactic]
 90  name = "Defense Evasion"
 91  id = "TA0005"
 92  reference = "https://attack.mitre.org/tactics/TA0005/"
 93
 94    [[rule.threat.technique]]
 95    name = "Hijack Execution Flow"
 96    id = "T1574"
 97    reference = "https://attack.mitre.org/techniques/T1574/"
 98
 99    [[rule.threat.technique]]
100    name = "Indirect Command Execution"
101    id = "T1202"
102    reference = "https://attack.mitre.org/techniques/T1202/"
103
104    [[rule.threat.technique]]
105    name = "Hide Artifacts"
106    id = "T1564"
107    reference = "https://attack.mitre.org/techniques/T1564/"
108
109[rule.new_terms]
110field = "new_terms_fields"
111value = ["host.id", "process.parent.name"]
112
113[[rule.new_terms.history_window_start]]
114field = "history_window_start"
115value = "now-10d"