Techniques
Sample rules
Abnormal Process ID or Lock File Created
- source: elastic
- technicques:
- T1106
Description
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.
Detection logic
host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and
user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
(process.name : (
bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
) or (
process.executable : (
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
))
) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or
vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and
not file.name : (jem.*.pid)