Unusual Exim4 Child Process

Last updated 6 months ago on 2025-07-07

Created 8 months ago on 2025-04-30

About

This rule detects the execution of unusual commands via a descendant process of exim4. Attackers may use descendant processes of exim4 to evade detection and establish persistence or execute post-exploitation commands on a target system.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceData Source: Elastic DefendLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

↳ Boot or Logon Initialization Scripts (T1037)(external, opens in a new tab or window)

↳ Compromise Host Software Binary (T1554)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process*
Related Integrations: endpoint(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗host.os.type:linux and event.type:start and event.action:exec and process.parent.name:exim4 and
not process.name:(
  exim4 or start-stop-daemon or run-parts or systemctl or update-exim4.conf or install or plymouth or
  readlink or grep or stat or cmake or gcc or cppcheck or sort or sshd
)

Install detection rules in Elastic Security

Detect Unusual Exim4 Child Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).