Anomalous Linux Compiler Activity

 1[metadata]
 2creation_date = "2020/09/03"
 3integration = ["auditd_manager", "endpoint"]
 4maturity = "production"
 5updated_date = "2023/07/27"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc
14software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run
15exploits or malware activity.
16"""
17false_positives = [
18    """
19    Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in
20    the course of troubleshooting or fixing a software issue.
21    """,
22]
23from = "now-45m"
24interval = "15m"
25license = "Elastic License v2"
26machine_learning_job_id = ["v3_linux_rare_user_compiler"]
27name = "Anomalous Linux Compiler Activity"
28risk_score = 21
29rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
30severity = "low"
31tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"]
32type = "machine_learning"
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1588"
38name = "Obtain Capabilities"
39reference = "https://attack.mitre.org/techniques/T1588/"
40
41    [[rule.threat.technique.subtechnique]]
42    id = "T1588.001"
43    name = "Malware"
44    reference = "https://attack.mitre.org/techniques/T1588/001/"
45
46[rule.threat.tactic]
47id = "TA0042"
48name = "Resource Development"
49reference = "https://attack.mitre.org/tactics/TA0042/"```