Abnormal Process ID or Lock File Created

Last updated 4 months ago on 2025-01-24

Created 3 years ago on 2022-05-11

About

Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ExecutionThreat: BPFDoorData Source: Elastic DefendData Source: Elastic EndgameLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

↳ Native API (T1106)(opens in a new tab or window)

False Positive Examples

False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*endgame-*
Related Integrations: endpoint(opens in a new tab or window)
Query

host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and
file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
  (process.name : (
    bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
  ) or (
  process.executable : (
    ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
  ))
) and not (
  process.executable : (
  /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or
  /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or
  /run/udev/data/*
  ) or
  process.name : (
    go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or
    rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or libvirt_leaseshelper or
    s6-ipcserver-socketbinder or xinetd or libvirtd or veeamdeploymentsvc  or dnsmasq or virtlogd or lynis or
    veeamtransport
  ) or
  file.name : (
    jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or
    rhnsd.pid
  ) or
  file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)
)

Install detection rules in Elastic Security

Detect Abnormal Process ID or Lock File Created in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).