Process Discovery via Built-In Applications

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Process Discovery via Built-In Applications

edit

Identifies the use of built-in tools attackers can use to discover running processes on an endpoint.

Rule type: new_terms

Rule indices:

logs-endpoint.events.*
endgame-*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Discovery
Rule Type: BBR
Data Source: Elastic Defend
Data Source: Elastic Endgame

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.category:process and host.os.type:(linux or macos) and event.type:start and event.action:(exec or exec_event) and
process.name:("ps" or "pstree" or "htop" or "pgrep") and not (
  process.parent.name:("amazon-ssm-agent" or "snap") or
  process.parent.args:("/usr/local/ASR/Vx/bin/status" or "/usr/sbin/ksmtuned") or
  process.parent.executable:(
    "/usr/bin/check_mk_agent" or /opt/gitlab/* or "/usr/bin/pmlogctl" or "/usr/libexec/pcp/bin/pmlogger_daily" or
    "/usr/libexec/pcp/bin/pmlogger_check"
  )
)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Process Discovery
- ID: T1057
- Reference URL: https://attack.mitre.org/techniques/T1057/
Technique:
- Name: Software Discovery
- ID: T1518
- Reference URL: https://attack.mitre.org/techniques/T1518/
Sub-technique:
- Name: Security Software Discovery
- ID: T1518.001
- Reference URL: https://attack.mitre.org/techniques/T1518/001/

« Process Discovery Using Built-in Tools Process Execution from an Unusual Directory »