Strace Process Activity

Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.

Rule type: query
Rule indices:

• auditbeat-*
• logs-endpoint.events.*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

• https://en.wikipedia.org/wiki/Strace

Tags:

• Elastic
• Host
• Linux
• Threat Detection
• Privilege Escalation

Version: 100
Rule authors:

• Elastic

Rule license: Elastic License v2

event.category:process and event.type:(start or process_started) and process.name:strace
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Privilege Escalation
  • Id: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Exploitation for Privilege Escalation
  • Id: T1068
  • Reference URL: https://attack.mitre.org/techniques/T1068/