
System Binary Symlink to Suspicious Location


This rule detects the creation of a symbolic link from a system binary to a suspicious and writable location. This activity may indicate an attacker’s attempt to evade detection by behavioral rules that depend on predefined process parent/child relationships. By executing the symlinked variant of a binary instead of the original, the attacker aims to bypass these rules. Through the new_terms rule type, this rule can identify uncommon parent processes that may indicate the presence of a malicious symlink.

Rule type: new_terms

Rule indices:

  • logs-endpoint.events.process*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.executable:* and
(process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and
process.args:(
  (
    /bin/* or /lib/* or /lib64/* or /sbin/* or /usr/bin/* or /usr/lib/* or /usr/lib64/* or /usr/local/bin/* or
    /usr/local/lib/* or /usr/local/lib64/* or /usr/local/sbin/* or /usr/sbin/*
  ) and (
    /*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/*
  ) and
  not (/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs*)
)
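As an added example (not Elastic's own code), the following Python replays the query's matching logic and a simplified new_terms pass over constructed process events. It assumes process.parent.executable is the new-terms field and that KQL's `*` on a keyword value behaves like a shell-style wildcard.

```python
import fnmatch

# Path patterns copied from the rule query. KQL "*" on a keyword field matches any
# characters, "/" included, which is also how fnmatch's "*" behaves.
SYSTEM_DIRS = ["/bin/*", "/lib/*", "/lib64/*", "/sbin/*", "/usr/bin/*", "/usr/lib/*",
               "/usr/lib64/*", "/usr/local/bin/*", "/usr/local/lib/*", "/usr/local/lib64/*",
               "/usr/local/sbin/*", "/usr/sbin/*"]
SUSPICIOUS_DIRS = ["/*/.*", "/dev/shm/*", "/home/*", "/root/*", "/tmp/*", "/var/tmp/*"]
EXCLUSIONS = ["/usr/bin/coreutils", "/tmp/mkinitcpio*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*"]

def _any_arg_matches(args, patterns):
    # process.args is multi-valued: the field matches when any element matches any pattern
    return any(fnmatch.fnmatchcase(a, p) for a in args for p in patterns)

def matches_query(e):
    """True when a process exec event satisfies the rule's KQL query."""
    if not (e.get("host.os.type") == "linux" and e.get("event.category") == "process"
            and e.get("event.type") == "start" and e.get("event.action") == "exec"
            and e.get("process.parent.executable")):
        return False
    name, args = e["process.name"], e["process.args"]
    creator = (name == "ln" or (name == "busybox" and "ln" in args)
               or (name == "cp" and "--symbolic-link" in args))
    return (creator and _any_arg_matches(args, SYSTEM_DIRS)
            and _any_arg_matches(args, SUSPICIOUS_DIRS)
            and not _any_arg_matches(args, EXCLUSIONS))

def new_term_alerts(events, known_parents):
    """Simplified new_terms pass: alert on a matching event only when its parent
    executable (assumed to be the new-terms field) is absent from the history baseline."""
    seen, alerts = set(known_parents), []
    for e in events:
        parent = e["process.parent.executable"]
        if matches_query(e) and parent not in seen:
            seen.add(parent)
            alerts.append((parent, " ".join(e["process.args"])))
    return alerts

def event(name, args, parent):
    """Minimal ECS-style exec event (constructed sample data, not real telemetry)."""
    return {"host.os.type": "linux", "event.category": "process", "event.type": "start",
            "event.action": "exec", "process.name": name, "process.args": args,
            "process.parent.executable": parent}

SAMPLE_EVENTS = [  # constructed: a known shell parent, an unknown parent, and an excluded build tool
    event("ln", ["ln", "-s", "/usr/bin/python3", "/tmp/.p3"], "/usr/bin/bash"),
    event("busybox", ["busybox", "ln", "-s", "/bin/sh", "/home/user/sh"], "/var/tmp/dropper"),
    event("ln", ["ln", "-s", "/usr/sbin/sshd", "/root/.s"], "/var/tmp/dropper"),
    event("ln", ["ln", "-s", "/usr/lib/libz.so", "/tmp/mkinitcpio.xyz/libz.so"], "/usr/bin/mkinitcpio"),
]
```

With `/usr/bin/bash` in the baseline, only the first event from the unknown parent raises an alert; the repeat from the same parent and the mkinitcpio exclusion stay silent.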

Framework: MITRE ATT&CK™