Yum/DNF Plugin Status Discovery

Last updated 5 days ago on 2024-09-23

Created 3 months ago on 2024-06-25

About

This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: DiscoveryData Source: Elastic DefendData Source: Elastic Endgame

Severity

low

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ System Information Discovery (T1082)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*endgame-*
Related Integrations: endpoint(opens in a new tab or window)
Query

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "grep" and process.args : "plugins*" and process.args : (
  "/etc/yum.conf", "/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*",
  "/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*", "/etc/dnf/dnf.conf"
)

Install detection rules in Elastic Security

Detect Yum/DNF Plugin Status Discovery in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).