host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.name:kthreadd and (
process.executable:(/dev/shm/* or /tmp/* or /var/tmp/* or /var/www/*) or
process.name:(bash or csh or curl or dash or fish or id or ksh or nohup or setsid or sh or tcsh or wget or whoami or zsh)
) and
process.command_line:(
*/dev/shm/* or */dev/tcp/* or */etc/init.d* or */etc/ld.so* or */etc/profile* or */etc/rc.local* or */etc/shadow* or */etc/ssh* or
*/etc/sudoers* or */home/*/.ssh/* or */root/.ssh* or */tmp/* or */var/log/* or */var/run/* or */var/tmp/* or */var/www/* or
*base64* or *cron* or *xxd* or *~/.ssh/*
) and not (
process.name:(true or cifs.upcall or dpkg or flock or gdbus or getopt or grep or mount or touch or umount or uname) or
process.command_line:(
"sh -c /bin/true" or */bin/ps* or */usr/bin/find* or */usr/bin/grep* or *ds_agent* or *gitlabrunner* or *nagios* or
*omsagent* or *pgrep*
) or
process.executable:(
/lib/systemd/systemd-cgroups-agent or /proc/self/exe or /usr/local/axs-haproxy-monitoring/haproxy_stats.sh or /tmp/newroot/* or
/var/lib/docker/overlay2/* or /vz/root/*
)
)
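The rule above is a KQL query; to see concretely which events it fires on and which the exclusion clauses suppress, here is an added Python re-implementation of its matching logic run over constructed ECS-style events (not real telemetry). This is example code, not part of the Elastic rule or its engine; the `_event` helper and the sample paths and command lines are assumptions made for illustration.

```python
import fnmatch

EXEC_PATHS = ("/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/www/*")
SUSPECT_NAMES = {"bash", "csh", "curl", "dash", "fish", "id", "ksh", "nohup",
                 "setsid", "sh", "tcsh", "wget", "whoami", "zsh"}
CMDLINE_TERMS = ("*/dev/shm/*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/ld.so*", "*/etc/profile*",
                 "*/etc/rc.local*", "*/etc/shadow*", "*/etc/ssh*", "*/etc/sudoers*", "*/home/*/.ssh/*",
                 "*/root/.ssh*", "*/tmp/*", "*/var/log/*", "*/var/run/*", "*/var/tmp/*", "*/var/www/*",
                 "*base64*", "*cron*", "*xxd*", "*~/.ssh/*")
EXCLUDED_NAMES = {"true", "cifs.upcall", "dpkg", "flock", "gdbus", "getopt", "grep", "mount",
                  "touch", "umount", "uname"}
EXCLUDED_CMDLINES = ("sh -c /bin/true", "*/bin/ps*", "*/usr/bin/find*", "*/usr/bin/grep*",
                     "*ds_agent*", "*gitlabrunner*", "*nagios*", "*omsagent*", "*pgrep*")
EXCLUDED_EXECUTABLES = ("/lib/systemd/systemd-cgroups-agent", "/proc/self/exe",
                        "/usr/local/axs-haproxy-monitoring/haproxy_stats.sh", "/tmp/newroot/*",
                        "/var/lib/docker/overlay2/*", "/vz/root/*")


def _any(patterns, value):
    # KQL '*' matches any run of characters, '/' included, which is exactly fnmatch's '*'.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def rule_matches(ev):
    """Return True when an ECS-style event dict satisfies the full rule, exclusions included."""
    if not (ev.get("host.os.type") == "linux" and "process" in ev.get("event.category", [])
            and "start" in ev.get("event.type", []) and ev.get("event.action") == "exec"
            and ev.get("process.parent.name") == "kthreadd"):
        return False
    exe, name, cmd = ev.get("process.executable", ""), ev.get("process.name", ""), ev.get("process.command_line", "")
    suspicious = (_any(EXEC_PATHS, exe) or name in SUSPECT_NAMES) and _any(CMDLINE_TERMS, cmd)
    excluded = name in EXCLUDED_NAMES or _any(EXCLUDED_CMDLINES, cmd) or _any(EXCLUDED_EXECUTABLES, exe)
    return suspicious and not excluded


def _event(parent, exe, name, cmd):
    # Constructed sample event (hypothetical helper, not real telemetry) with the fields the rule reads.
    return {"host.os.type": "linux", "event.category": ["process"], "event.type": ["start"],
            "event.action": "exec", "process.parent.name": parent, "process.executable": exe,
            "process.name": name, "process.command_line": cmd}


SAMPLE_EVENTS = [
    _event("kthreadd", "/var/tmp/.cache/svc", "svc", "/var/tmp/.cache/svc"),     # fires
    _event("kthreadd", "/var/lib/docker/overlay2/a1/merged/bin/sh", "sh",
           "sh -c cat /var/log/app.log"),                                         # container path is excluded
    _event("kthreadd", "/bin/sh", "sh", "sh -c pgrep -f cron"),                   # *pgrep* command line is excluded
    _event("systemd", "/var/tmp/.cache/svc", "svc", "/var/tmp/.cache/svc"),      # parent is not kthreadd
]
```

Running `[rule_matches(e) for e in SAMPLE_EVENTS]` yields `[True, False, False, False]`, which shows that both the process-executable and command-line exclusions suppress otherwise-matching kthreadd children.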
Install detection rules in Elastic Security
Detect Unusual Execution from Kernel Thread (kthreadd) Parent in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.