Anomalous Linux Compiler Activity

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-09-03

About

Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionRule Type: MLRule Type: Machine LearningTactic: Resource Development

Severity

low

Risk Score

MITRE ATT&CK™

Resource Development (TA0042)(opens in a new tab or window)

↳ Obtain Capabilities (T1588)(opens in a new tab or window)

False Positive Examples

Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Anomalous Linux Compiler Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).