uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue.

t1588
ml
elastic

Techniques

T1588

Sample rules

Anomalous Linux Compiler Activity

source: elastic
technicques:
- T1588

Description

Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.

LoFP / uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue.

Techniques

Sample rules

Anomalous Linux Compiler Activity

Description

Detection logic