Techniques
Sample rules
Abnormal Process ID or Lock File Created
- source: elastic
- technicques:
- T1106
Description
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.
Detection logic
host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and
file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
(process.name : (
bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
) or (
process.executable : (
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
))
) and not (
process.executable : (
/tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or
/var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or
/run/udev/data/*
) or
process.name : (
go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or
rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or
s6-ipcserver-socketbinder or xinetd
) or
file.name : (
jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or
rhnsd.pid
) or
file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)
)