Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.
Rule type: eql
Risk score: 21
Runs every: 5m
Maximum alerts per execution: 100
- Threat Detection
Rule license: Elastic License v2
## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
file where event.type in ("change", "creation") and file.extension : "py" and file.path : ( "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" ) and not process.executable : ( "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*", "/usr/local/Cellar/git/*/bin/git", "/usr/libexec/xpcproxy", "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper", "/Applications/Sublime Text.app/Contents/MacOS/plugin_host" )
Framework: MITRE ATT&CKTM