Suspicious Dynamic Linker Discovery via od | Elastic Security Solution [8.11]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Executable Masquerading as Kernel Process Suspicious /proc/maps Discovery »

Suspicious Dynamic Linker Discovery via odedit

Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.

Rule type: eql

Rule indices:

logs-endpoint.events.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/arget13/DDexec

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name == "od" and process.args in (
  "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
  "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Process Discovery
- ID: T1057
- Reference URL: https://attack.mitre.org/techniques/T1057/

« Executable Masquerading as Kernel Process Suspicious /proc/maps Discovery »