Unusual Exim4 Child Process
This rule detects the execution of unusual commands via a descendant process of exim4. Attackers may use descendant processes of exim4 to evade detection and establish persistence or execute post-exploitation commands on a target system.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/04/30"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/04/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects the execution of unusual commands via a descendant process of exim4. Attackers may use descendant
11processes of exim4 to evade detection and establish persistence or execute post-exploitation commands on a target system.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Unusual Exim4 Child Process"
18references = [
19 "https://www.qualys.com/2021/05/04/21nails/21nails.txt",
20 "https://blog.qualys.com/vulnerabilities-threat-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server"
21]
22risk_score = 21
23rule_id = "6eb862bb-013d-4d4f-a14b-341433ca1a1f"
24severity = "low"
25tags = [
26 "Domain: Endpoint",
27 "OS: Linux",
28 "Use Case: Threat Detection",
29 "Tactic: Persistence",
30 "Data Source: Elastic Defend",
31]
32timestamp_override = "event.ingested"
33type = "new_terms"
34query = '''
35host.os.type:linux and event.type:start and event.action:exec and process.parent.name:exim4 and
36not process.name:(
37 exim4 or start-stop-daemon or run-parts or systemctl or update-exim4.conf or install or plymouth or
38 readlink or grep or stat or cmake or gcc or cppcheck or sort or sshd
39)
40'''
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44
45[[rule.threat.technique]]
46id = "T1037"
47name = "Boot or Logon Initialization Scripts"
48reference = "https://attack.mitre.org/techniques/T1037/"
49
50[[rule.threat.technique]]
51id = "T1554"
52name = "Compromise Host Software Binary"
53reference = "https://attack.mitre.org/techniques/T1554/"
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
59
60[rule.new_terms]
61field = "new_terms_fields"
62value = ["process.executable"]
63
64[[rule.new_terms.history_window_start]]
65field = "history_window_start"
66value = "now-14d"
References
-
Qualys Security Advisory 21Nails: Multiple vulnerabilities in Exim ======================================================================== Contents ================================================...
Read More -
Update May 7, 2021: Exim has released a security update to address multiple vulnerabilities in Exim versions prior to 4.94.2. See the CISA announcement. Original Post: The Qualys Research Team has…
Read More
Related rules
- Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments
- Potential Backdoor Execution Through PAM_EXEC
- Shared Object Created or Changed by Previously Unknown Process
- File Creation in /var/log via Suspicious Process
- Linux User Account Credential Modification