[New Rule] System Binary Symlink to Suspicious Location

Aegrah · Aegrah · commit a1fb5fdef564 · 2025-04-30T14:02:48.000+02:00
diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml
@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2025/04/30"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/04/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of a symbolic link from a system binary to a suspicious and writable location. This
+activity may indicate an attacker's attempt to evade detection by behavioral rules that depend on predefined process
+parent/child relationships. By executing the symlinked variant of a binary instead of the original, the attacker aims to
+bypass these rules. Through the new_terms rule type, this rule can identify uncommon parent processes that may indicate the
+presence of a malicious symlink.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.process*",
+]
+language = "kuery"
+license = "Elastic License v2"
+name = "System Binary Symlink to Suspicious Location"
+risk_score = 21
+rule_id = "d19a2399-f8e2-4b10-80d8-a561ce9d24d1"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.parent.executable != null and (
+  (process.name == "ln") or
+  (process.name == "busybox" and process.args == "ln") or
+  (process.name == "cp" and process.args == "--symbolic-link")
+) and
+process.args like (
+  "/bin/*", "/sbin/*", "/usr/bin/*", "/usr/sbin/*", "/usr/local/bin/*", "/usr/local/sbin/*",
+  "/lib/*", "/lib64/*", "/usr/lib/*", "/usr/lib64/*", "/usr/local/lib/*", "/usr/local/lib64/*"
+) and
+process.args like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*", "/*/.*")
+
+host.os.type:linux and event.category:process and event.type:start and event.action:exec and
+process.parent.executable:* and (
+  (process.name:ln) or
+  (process.name:busybox and process.args:ln) or
+  (process.name:cp and process.args:"--symbolic-link")
+) and
+process.args:(
+  /bin/* or /sbin/* or /usr/bin/* or /usr/sbin/* or /usr/local/bin/* or /usr/local/sbin/* or
+  /lib/* or /lib64/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/*
+) and
+process.args:(/tmp/* or /var/tmp/* or /dev/shm/* or /root/* or /home/* or /*/.*) and
+not process.args:(/tmp/mkinitcpio* or /var/tmp/mkinitramfs* or /var/tmp/dracut*)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  name = "Defense Evasion"
+  id = "TA0005"
+  reference = "https://attack.mitre.org/tactics/TA0005/"
+
+    [[rule.threat.technique]]
+    name = "Hijack Execution Flow"
+    id = "T1574"
+    reference = "https://attack.mitre.org/techniques/T1574/"
+
+    [[rule.threat.technique]]
+    name = "Indirect Command Execution"
+    id = "T1202"
+    reference = "https://attack.mitre.org/techniques/T1202/"
+
+    [[rule.threat.technique]]
+    name = "Hide Artifacts"
+    id = "T1564"
+    reference = "https://attack.mitre.org/techniques/T1564/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.parent.name"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
