false-positives (fp) can appear if the pid file is legitimate and holding a process id as intended. to differentiate, if the pid file is an executable or larger than 10 bytes, it should be ruled suspicious.

Techniques

T1106

Sample rules

Abnormal Process ID or Lock File Created

source: elastic
technicques:
- T1106

Description

Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

Detection logic

host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and
user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
  (process.name : (
    bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
  ) or (
  process.executable : (
    ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
  ))
) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or 
vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and
not file.name : (jem.*.pid)