false-positives (fp) should be at a minimum with this detection as pid files are meant to hold process ids, not inherently be executables that spawn processes.

t1059
linux
elastic

Techniques

T1059

Sample rules

Process Started from Process ID (PID) File

source: elastic
technicques:
- T1059

Description

Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

Detection logic

process where host.os.type == "linux" and event.type == "start" and user.id == "0" and
  process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""