Elastic Security Detection Rules

Discovery Command Output Written to Suspicious File

Last updated 2 days ago on 2026-02-09
Created 12 days ago on 2026-01-30

About

Detects when a discovery command is executed followed by the immediate modification of a suspicious file via the same process. Many types of malware execute discovery commands, save the output to a file, and then exfiltrate that file via their C2 channel.
Tags
Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: CollectionTactic: DiscoveryData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Collection (TA0009)(external, opens in a new tab or window)

Data Staged (T1074)(external, opens in a new tab or window)

Discovery (TA0007)(external, opens in a new tab or window)

System Information Discovery (T1082)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*logs-endpoint.events.file-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
sequence by process.entity_id with maxspan=15s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.parent.name in ("bash", "sh", "zsh") and
    process.name in ("whoami", "ifconfig", "system_profiler", "dscl", "arch", "csrutil") and
    process.args_count == 1]
  [file where host.os.type == "macos" and event.action == "modification" and
    file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Library/WebServer/*",
                    "/Library/Graphics/*", "/Library/Fonts/*", "/private/var/root/Library/HTTPStorages/*", "/*/.*") and
    not file.path like ("/private/tmp/*.fifo", "/private/tmp/tcl-tk*")]

Install detection rules in Elastic Security

Detect Discovery Command Output Written to Suspicious File in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).