Unusual Linux Process Discovery Activity
Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.
[metadata]
creation_date = "2020/09/03"
maturity = "production"
updated_date = "2023/03/06"
# Records why the minimum stack version was raised; the field names here
# match the rule-schema additions the version bump depends on.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
# Score the ML job result must reach before an alert is raised (presumably on
# the usual 0-100 anomaly scale). 50 is a permissive cut-off, in line with the
# low severity and risk_score assigned further down.
anomaly_threshold = 50
author = ["Elastic"]
description = """
Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon
troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage
in system process discovery in order to increase their understanding of software applications running on a target host
or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.
"""
false_positives = [
    """
    Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual
    troubleshooting or reconfiguration.
    """,
]
# Each 15m run looks back 45m, so consecutive runs overlap by two intervals.
# The overlap tolerates ML result ingestion delay; alert de-duplication is
# expected to be handled by the alerting layer, not by this rule.
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
# ML job that must be running for this rule to produce any results.
machine_learning_job_id = ["v3_linux_system_process_discovery"]
name = "Unusual Linux Process Discovery Activity"
risk_score = 21
rule_id = "5c983105-4681-46c3-9890-0c66d05e776b"
severity = "low"
tags = [
    "Elastic",
    "Host",
    "Linux",
    "Threat Detection",
    "ML",
    "Machine Learning",
    "Discovery",
]
type = "machine_learning"

# ATT&CK mapping: tactic first, then the technique it covers.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"