Elastic Security Detection Rules

Unknown Execution of Binary with RWX Memory Region

Last updated 5 days ago on 2024-09-23
Created 6 months ago on 2024-03-13

About

Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ExecutionData Source: Auditd Manager
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

Command and Scripting Interpreter (T1059)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*logs-auditd_manager.auditd-*
Related Integrations

auditd_manager(opens in a new tab or window)

Query
event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (
  process.executable:(
    "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2"
  ) or
  process.name:httpd
)

Install detection rules in Elastic Security

Detect Unknown Execution of Binary with RWX Memory Region in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).