IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Security Software Discovery using WMIC Sensitive Files Compression »

› › ›

Security Software Discovery via Grep

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Security Software Discovery via Grep

edit

Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.

Rule type: eql

Rule indices:

logs-endpoint.events.*
auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
macOS
Linux
Threat Detection
Discovery

Version: 2 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Endpoint Security installers, updaters and post installation verification scripts.

Rule query

edit

process where event.type == "start" and process.name : "grep" and
user.id != "0" and not process.parent.executable :
"/Library/Application Support/*" and process.args :
("Little Snitch*", "Avast*", "Avira*",
"ESET*", "BlockBlock*", "360Sec*",
"LuLu*", "KnockKnock*", "kav", "KIS",
"RTProtectionDaemon*", "Malware*",
"VShieldScanner*", "WebProtection*",
"webinspectord*", "McAfee*", "isecespd*",
"macmnsvc*", "masvc*", "kesl*",
"avscan*", "guard*", "rtvscand*",
"symcfgd*", "scmdaemon*", "symantec*",
"sophos*", "osquery*", "elastic-endpoint*"
) and not (process.args : "Avast" and process.args : "Passwords")

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Software Discovery
- ID: T1518
- Reference URL: https://attack.mitre.org/techniques/T1518/

Rule version history

edit

Version 2 (7.13.0 release)

Updated query, changed from:

event.category : process and event.type : (start or process_started)
and process.name : grep and process.args : ("Little Snitch" or Avast*
or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or
KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or
VShieldScanner or WebProtection or webinspectord or McAfee* or
isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand
or symcfgd or scmdaemon or symantec or elastic-endpoint )

« Security Software Discovery using WMIC Sensitive Files Compression »