Segfault from Sensitive Process Detected

Last updated: 2026-05-28
Created: 2026-05-28

About

Monitors kernel logs for segfault messages from sensitive processes. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location it is not allowed to access, typically leading to termination of the program. A segfault can indicate malicious behavior when it results from attempts to exploit buffer overflows or other software vulnerabilities, or to inject shared objects, in order to execute arbitrary code or disrupt the program's normal operation.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Execution
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

Execution (TA0002)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-system.syslog-*
filebeat-*
Related Integrations

system

Query
host.os.type:linux and event.dataset:system.syslog and process.name:kernel and message:( segfault and ( agetty or apache2 or atd or auditbeat or auditd or beacon-chain or besu or chage or chfn or chsh or clef or cron or crond or dbus-broker or dbus-daemon or dnsmasq or elastic-agent or erigon or ethrex or ethsigner or geth or getty or gpasswd or grandine or httpd or krb5_child or ldap_child or lighthouse or lodestar or login or logrotate or named or nethermind or newgrp or nginx or nslcd or op-batcher or op-challenger or op-conductor or op-geth or op-node or op-proposer or openvpn or osqueryd or passwd or pkexec or polkitd or proftpd or prysm or reth or rsyslogd or smbd or ssh or sshd or sssd or sssd_nss or sssd_pam or su or sudo or sudoedit or systemd-logind or teku or unix_chkpwd or vsftpd or web3signer ) )
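As an added illustration (not Elastic's rule code and not part of the original page), the Python below reproduces the query's three conditions (logged by process.name kernel, the word segfault in the message, and a sensitive process name among the message tokens) over constructed syslog lines, and additionally parses the kernel's segfault text so an analyst can see which process faulted, where, and why. The syslog and kernel-message regular expressions, the token-splitting approximation of Elasticsearch's text analysis, and the sample log lines are assumptions made for this example; the process list is copied from the query.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process names copied from the rule's KQL query.
SENSITIVE_PROCESSES = frozenset("""
agetty apache2 atd auditbeat auditd beacon-chain besu chage chfn chsh clef cron crond
dbus-broker dbus-daemon dnsmasq elastic-agent erigon ethrex ethsigner geth getty gpasswd
grandine httpd krb5_child ldap_child lighthouse lodestar login logrotate named nethermind
newgrp nginx nslcd op-batcher op-challenger op-conductor op-geth op-node op-proposer
openvpn osqueryd passwd pkexec polkitd proftpd prysm reth rsyslogd smbd ssh sshd sssd
sssd_nss sssd_pam su sudo sudoedit systemd-logind teku unix_chkpwd vsftpd web3signer
""".split())

# Traditional syslog line: "<Mon DD HH:MM:SS> <host> <program>[pid]: <message>" (assumed format).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)

# x86-64 kernel segfault text, with an optional "[uptime]" prefix. The kernel prints
# addr/ip/sp/error in hex; the trailing "in <object>[base+size]" names the file-backed
# mapping that contained ip and is absent when ip was in an anonymous mapping (e.g. the stack).
SEGFAULT_RE = re.compile(
    r"^(?:\[\s*[\d.]+\]\s+)?(?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)(?: in (?P<obj>\S+))?"
)


@dataclass
class SegfaultAlert:
    host: str
    comm: Optional[str]          # faulting process name as printed by the kernel
    pid: Optional[int]
    fault_addr: Optional[int]
    error_code: Optional[int]
    mapping: Optional[str]       # object in which ip fell (binary or shared library), if any
    matched_tokens: frozenset    # message tokens that hit the sensitive-process list
    comm_is_sensitive: bool      # stricter check: the faulting process itself is listed


def decode_error(err: int) -> dict:
    """Decode the x86 page-fault error code the kernel prints after 'error'."""
    return {
        "protection_violation": bool(err & 0x1),   # 0 = page not present, 1 = permission fault
        "write": bool(err & 0x2),                  # 0 = read access
        "user_mode": bool(err & 0x4),
        "instruction_fetch": bool(err & 0x10),     # execution of a non-executable page
    }


def message_tokens(msg: str) -> set:
    """Approximation (assumption) of Elasticsearch's tokenisation of the text field:
    split on anything outside [A-Za-z0-9_.-] and lower-case the pieces."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9_.\-]+", msg)}


def match_rule(line: str) -> Optional[SegfaultAlert]:
    """Apply the rule's conditions to one raw syslog line; None means no alert."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "kernel":          # process.name:kernel
        return None
    msg = m.group("msg")
    toks = message_tokens(msg)
    if "segfault" not in toks:                         # message: segfault
        return None
    hits = frozenset(toks & SENSITIVE_PROCESSES)       # message: (agetty or apache2 or ...)
    if not hits:
        return None
    s = SEGFAULT_RE.match(msg)                         # enrichment; the rule itself stops above
    comm = s.group("comm") if s else None
    return SegfaultAlert(
        host=m.group("host"),
        comm=comm,
        pid=int(s.group("pid")) if s else None,
        fault_addr=int(s.group("addr"), 16) if s else None,
        error_code=int(s.group("err"), 16) if s else None,
        mapping=s.group("obj") if s else None,
        matched_tokens=hits,
        comm_is_sensitive=comm is not None and comm.lower() in SENSITIVE_PROCESSES,
    )


def scan(lines):
    """Return an alert for every matching line in an iterable of raw syslog lines."""
    return [a for a in (match_rule(line) for line in lines) if a is not None]


# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    # sshd faulting on a read of address 0 inside its own text segment: alert.
    "May 28 10:15:02 web01 kernel: [123456.789012] sshd[4321]: segfault at 0 ip 00005612a0c1d2e3 sp 00007ffd1a2b3c4d error 4 in sshd[5612a0b00000+c0000]",
    # Segfault from a process that is not on the list: no alert.
    "May 28 10:15:03 web01 kernel: [123457.000001] myapp[999]: segfault at 8 ip 00007f3a1b2c3d4e sp 00007ffc9a8b7c6d error 6 in libc.so.6[7f3a1b200000+1c0000]",
    # Listed process name, but logged by sshd itself rather than the kernel: no alert.
    "May 28 10:15:04 web01 sshd[4321]: pam_unix(sshd:session): session opened for user root",
    # sudo with ip on the stack (no file-backed mapping, so no "in" clause); error 0x15 =
    # protection violation + user mode + instruction fetch, i.e. execution of a non-executable page.
    "May 28 10:15:05 web01 kernel: [123458.500000] sudo[2222]: segfault at 7ffd00001000 ip 00007ffd00001000 sp 00007ffd00000ff0 error 15",
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.host, alert.comm, alert.pid, hex(alert.fault_addr),
              decode_error(alert.error_code), alert.mapping, sorted(alert.matched_tokens))
```

Two points worth noting when triaging hits from this rule. First, the KQL matches tokens anywhere in the message text, so the `matched_tokens` set can be satisfied by a token other than the faulting process's own name; `comm_is_sensitive` in the example is the stricter check an analyst usually wants. Second, the error code is printed in hex and its bits distinguish a plain bad read (`error 4`) from a write to an unmapped or read-only page (`error 6` or `7`) and from an attempt to execute a non-executable page (`error 14` or `15`), which is the pattern a shellcode or return-address corruption failure tends to leave behind; the `in` clause, when present, tells you which binary or library the faulting instruction pointer was inside.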

Install detection rules in Elastic Security

Detect this activity in the Elastic Security detection engine by installing the Segfault from Sensitive Process Detected rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.