Suspicious Content Extracted or Decompressed via Funzip

edit

Suspicious Content Extracted or Decompressed via Funzip

edit

Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
not process.args : "/var/log/messages" and
not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")

Framework: MITRE ATT&CKTM