Security Software Discovery via Grep

edit

Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.

Rule type: query

Rule indices:

  • logs-endpoint.events.*
  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Discovery

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
event.category : process and event.type : (start or process_started)
and process.name : grep and process.args : ("Little Snitch" or Avast*
or Avira* or ESET* or esets_* or BlockBlock or 360* or LuLu or
KnockKnock* or kav or KIS or RTProtectionDaemon or Malware* or
VShieldScanner or WebProtection or webinspectord or McAfee* or
isecespd* or macmnsvc* or masvc or kesl or avscan or guard or rtvscand
or symcfgd or scmdaemon or symantec or elastic-endpoint )

Threat mapping

edit

Framework: MITRE ATT&CKTM