IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.6] Detections and alerts Prebuilt rule reference
« Suspicious Cmd Execution via WMI Suspicious CronTab Creation or Modification »

Suspicious Content Extracted or Decompressed via Funzipedit

Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Endgame

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
not process.args : "/var/log/messages" and
not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")

Framework: MITRE ATT&CKTM

« Suspicious Cmd Execution via WMI Suspicious CronTab Creation or Modification »