Elastic Security Detection Rules

Shared Object Created or Changed by Previously Unknown Process

Last updated 5 months ago on 2025-03-11
Created 2 years ago on 2023-06-09

About

This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceData Source: Elastic EndgameData Source: Elastic DefendLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

Hijack Execution Flow (T1574)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*endgame-*
Related Integrations

endpoint(opens in a new tab or window)

Query
host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename" or "file_write_event") and
(file.extension:"so" or file.name:*.so.*) and
file.path:(
  /dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/x86_64-linux-gnu/* or
  /usr/lib/x86_64-linux-gnu/* or /lib/i386-linux-gnu/* or /usr/lib/i386-linux-gnu/* or /lib/* or /lib64/*
) and not (
  process.name:(
    "dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or
    platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or
    "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or "crio" or "packagekitd"
  ) or 
  (process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or
  (process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*) or 
  process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah")
)

Install detection rules in Elastic Security

Detect Shared Object Created or Changed by Previously Unknown Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).