Anomalous Linux Compiler Activity

Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.


 1[metadata]
 2creation_date = "2020/09/03"
 3integration = ["auditd_manager", "endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8anomaly_threshold = 50
 9author = ["Elastic"]
10description = """
11Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc
12software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run
13exploits or malware activity.
14"""
15false_positives = [
16    """
17    Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in
18    the course of troubleshooting or fixing a software issue.
19    """,
20]
21from = "now-45m"
22interval = "15m"
23license = "Elastic License v2"
24machine_learning_job_id = ["v3_linux_rare_user_compiler"]
25name = "Anomalous Linux Compiler Activity"
26risk_score = 21
27rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
28severity = "low"
29tags = [
30    "Domain: Endpoint",
31    "OS: Linux",
32    "Use Case: Threat Detection",
33    "Rule Type: ML",
34    "Rule Type: Machine Learning",
35    "Tactic: Resource Development",
36]
37type = "machine_learning"
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1588"
42name = "Obtain Capabilities"
43reference = "https://attack.mitre.org/techniques/T1588/"
44[[rule.threat.technique.subtechnique]]
45id = "T1588.001"
46name = "Malware"
47reference = "https://attack.mitre.org/techniques/T1588/001/"
48
49
50
51[rule.threat.tactic]
52id = "TA0042"
53name = "Resource Development"
54reference = "https://attack.mitre.org/tactics/TA0042/"

