IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Security Software Discovery using WMIC Sensitive Files Compression »

› › ›

Security Software Discovery via Grep

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Security Software Discovery via Grep

edit

Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.

Rule type: query

Rule indices:

logs-endpoint.events.*
auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
macOS
Linux
Threat Detection
Discovery

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

event.category : process and event.type : (start or process_started)
and process.name : grep and process.args : ("Little Snitch" or Avast*
or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or
KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or
VShieldScanner or WebProtection or webinspectord or McAfee* or
isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand
or symcfgd or scmdaemon or symantec or elastic-endpoint )

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Software Discovery
- ID: T1518
- Reference URL: https://attack.mitre.org/techniques/T1518/

« Security Software Discovery using WMIC Sensitive Files Compression »