IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Potential Backdoor Execution Through PAM_EXEC Docker Release File Creation »

› ›

Unusual Exim4 Child Process

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Unusual Exim4 Child Process

edit

This rule detects the execution of unusual commands via a descendant process of exim4. Attackers may use descendant processes of exim4 to evade detection and establish persistence or execute post-exploitation commands on a target system.

Rule type: new_terms

Rule indices:

logs-endpoint.events.process*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

host.os.type:linux and event.type:start and event.action:exec and process.parent.name:exim4 and
not process.name:(
  exim4 or start-stop-daemon or run-parts or systemctl or update-exim4.conf or install or plymouth or
  readlink or grep or stat or cmake or gcc or cppcheck or sort or sshd
)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Initialization Scripts
- ID: T1037
- Reference URL: https://attack.mitre.org/techniques/T1037/
Technique:
- Name: Compromise Host Software Binary
- ID: T1554
- Reference URL: https://attack.mitre.org/techniques/T1554/

« Potential Backdoor Execution Through PAM_EXEC Docker Release File Creation »