File Creation, Execution and Self-Deletion in Suspicious Directory
This rule monitors Linux endpoints for the creation of a file by a file-transfer tool, followed within one minute by execution of a file with the same name from a shell and then its deletion, all within directories that threat actors commonly use as staging locations (e.g. /tmp, /dev/shm, /var/tmp, /var/www). Malware often uses this create–execute–delete pattern to run a payload and then remove it to hide its tracks.
# Packaging metadata for the Elastic prebuilt detection rule (authored/maintained by Elastic).
[metadata]
creation_date = "2023/08/28"
# Data source: the Elastic Defend ("endpoint") integration; the [rule] index pattern below matches its events.
integration = ["endpoint"]
maturity = "production"
# The 8.3.0 floor is tied to the schema fields named in min_stack_comments.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
# Unchanged since creation; bump this whenever the query or mappings are edited.
updated_date = "2023/08/28"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
malicious code and delete itself to hide its tracks.
"""
# Lookback of each rule run; comfortably wider than the 1m maxspan of the sequence so a
# sequence straddling two runs is still observed.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "File Creation, Execution and Self-Deletion in Suspicious Directory"
risk_score = 47
rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
# Three-stage EQL sequence, correlated per host.id and per user.id within one minute:
#   1. a file is created under one of the listed temp / runtime / web-root / procfs paths by one
#      of the listed transfer tools (curl, wget, fetch, ftp, sftp, scp, rsync) or by ld
#      (presumably to cover freshly linked binaries -- confirm intent);
#   2. a process whose name equals that file's basename is exec'd with a shell as its parent
#      (stage 1 "by file.name" is joined to stage 2 "by process.name");
#   3. a file with the same basename is deleted under one of the same paths by any process
#      other than rm or ld.
# Review notes on precision and coverage (the query does not enforce these as written):
#   - Stage 2 does not constrain process.executable to the staging directories, so a file
#     created in /tmp and an unrelated same-named binary run from elsewhere (e.g. /usr/bin)
#     can satisfy the join. Adding the same file.path globs as a
#     `process.executable : (...)` clause in stage 2 would tighten this; validate against
#     telemetry before changing a production rule.
#   - Stage 3 only excludes rm and ld as the deleter; it does not require the deleter to be
#     the executed binary itself, so "self-deletion" in the rule name is an approximation
#     (deletion by the payload's own unlink() and deletion by any other non-rm tool both match).
#   - All joins are on basename (file.name / process.name), not on full path.
#   - Stage 1 only sees the listed tools; a payload written via shell redirection, base64 -d,
#     python/perl, etc. is not covered by this rule.
#   - The sequence is keyed on user.id, so a file created as one user and executed via sudo/su
#     as another will not correlate.
#   - "/run/*" already subsumes "/run/shm/*"; the overlap is harmless.
query = '''
sequence by host.id, user.id with maxspan=1m
 [file where host.os.type == "linux" and event.action == "creation" and
 process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and
 file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
 "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
 process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name
 [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and
 file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
 "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
'''

# MITRE ATT&CK mapping. Only the execution stage of the sequence (shell-parented exec of the
# dropped file) is mapped here.
# NOTE(review): the deletion stage -- "delete itself to hide its tracks" in the description --
# corresponds to Defense Evasion, T1070.004 (Indicator Removal: File Deletion). Consider a second
# [[rule.threat]] entry with tactic TA0005 and a matching "Tactic: Defense Evasion" tag in [rule].
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

# Sub-technique chosen because stage 2 requires a Unix shell (bash, sh, zsh, ...) as the parent.
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Abnormal Process ID or Lock File Created
- Network Connection via Recently Compiled Executable
- Potential Disabling of AppArmor
- System Binary Copied and/or Moved to Suspicious Directory
- Potential Sudo Privilege Escalation via CVE-2019-14287