endpoint(external, opens in a new tab or window)
crowdstrike(external, opens in a new tab or window)
sentinel_one_cloud_funnel(external, opens in a new tab or window)
text code block:process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name in ("cat", "less", "more", "strings", "find", "xargs") and process.parent.executable != null and process.args like ( "/etc/security/*", "/etc/pam.d/*", "/etc/login.defs", "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*", "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json", "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json", "/home/*/.azure/azureProfile.json" ) and not ( process.parent.name in ("wazuh-modulesd", "lynis") or process.command_line in ("cat /etc/login.defs" , "cat /home/asterisk/.aws/credentials") or ?process.parent.command_line in ( "/bin/sh /usr/sbin/lynis audit system --cronjob", "/usr/bin/find -L /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;", "/usr/bin/find /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;" ) or ?process.parent.args in ("/opt/imperva/ragent/bin/get_sys_resources.sh", "/usr/sbin/lynis", "./terra_linux.sh") or process.args == "/usr/bin/coreutils" or (process.parent.name == "pwsh" and process.parent.command_line like "*Evaluate-STIG*") or ?process.parent.executable == "/usr/sap/audit_scripts/auto_audit_gral.sh" )
Install detection rules in Elastic Security
Detect Security File Access via Common Utilities in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).