IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Security Software Discovery via Grepedit
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.
Rule type: query
Rule indices:
- logs-endpoint.events.*
- auditbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- macOS
- Linux
- Threat Detection
- Discovery
Version: 1
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule queryedit
event.category : process and event.type : (start or process_started)
and process.name : grep and process.args : ("Little Snitch" or Avast*
or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or
KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or
VShieldScanner or WebProtection or webinspectord or McAfee* or
isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand
or symcfgd or scmdaemon or symantec or elastic-endpoint )
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Software Discovery
- ID: T1518
- Reference URL: https://attack.mitre.org/techniques/T1518/