File Creation, Execution and Self-Deletion in Suspicious Directory

This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/28"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/08/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
13directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute 
14malicious code and delete itself to hide its tracks.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "File Creation, Execution and Self-Deletion in Suspicious Directory"
21risk_score = 47
22rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
25type = "eql"
26query = '''
27sequence by host.id, user.id with maxspan=1m
28  [file where host.os.type == "linux" and event.action == "creation" and 
29   process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and 
30   file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
31     "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
32  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
33   process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name
34  [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and 
35   file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
36     "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
37'''
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41
42[[rule.threat.technique]]
43id = "T1059"
44name = "Command and Scripting Interpreter"
45reference = "https://attack.mitre.org/techniques/T1059/"
46
47[[rule.threat.technique.subtechnique]]
48id = "T1059.004"
49name = "Unix Shell"
50reference = "https://attack.mitre.org/techniques/T1059/004/"
51
52[rule.threat.tactic]
53id = "TA0002"
54name = "Execution"
55reference = "https://attack.mitre.org/tactics/TA0002/"
