Elastic Security Detection Rules

Potential Code Execution via Postgresql

Last updated 6 months ago on 2025-02-04
Created 3 years ago on 2022-06-20

About

This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ExecutionData Source: Elastic EndgameData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

Command and Scripting Interpreter (T1059)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-endpoint.events.process*
Related Integrations

endpoint(opens in a new tab or window)

Query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "postgres" and (
  (process.parent.args : "*sh" and process.parent.args : "echo*") or
  (process.args : "*sh" and process.args : "echo*")
) and not (
  process.parent.name == "puppet" or
  process.command_line like (
    "*BECOME-SUCCESS-*", "bash -c while true; do sleep 1;*", "df -l", "sleep 1", "who", "head -v -n *", "tail -v -n *",
    "/bin/sh -c echo BECOME-SUCCESS*", "/usr/bin/python3 /var/tmp/ansible-tmp*"
  ) or
  process.parent.command_line like "*BECOME-SUCCESS-*"
)

Install detection rules in Elastic Security

Detect Potential Code Execution via Postgresql in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).