Potential Hex Payload Execution via Command-Line

Last updated 15 days ago on 2025-04-29

Created 15 days ago on 2025-04-29

About

This rule detects when a process executes a command line containing hexadecimal characters. Malware authors may use hexadecimal encoding to obfuscate their payload and evade detection.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionTactic: ExecutionData Source: Elastic DefendLanguage: eql

Severity

low

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Obfuscated Files or Information (T1027)(opens in a new tab or window)

↳ Deobfuscate/Decode Files or Information (T1140)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(opens in a new tab or window)

↳ User Execution (T1204)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process*
Related Integrations: endpoint(opens in a new tab or window)
Query

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.executable != null and
process.command_line : "*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*" and
length(process.command_line) > 50

Install detection rules in Elastic Security

Detect Potential Hex Payload Execution via Command-Line in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).