
Summary
This rule detects a two-step sequence on Linux endpoints: (1) a network connection initiated by a binary executing from a location that is world-writable or otherwise unusual for legitimate executables (e.g., /boot, /tmp, /var/tmp, /var/log, /run/user), followed within a short window (maxspan=5s) by (2) a file creation event in a similar location. The pattern mirrors the behavior of C2 agents that poll a C2 framework (e.g., Mythic) for tasking and then execute commands.

The rule employs extensive path-based exclusions to reduce noise: known benign processes and file paths are ignored, and destination addresses that are null, 0.0.0.0, loopback or localhost-like, or within common private/internal ranges are filtered out, so only connections toward external hosts can start the sequence. Because the window is only 5 seconds, the file creation must follow the connection almost immediately; an agent that delays its write past maxspan is outside what this rule covers.

It is designed to identify post-initial-contact C2 activity that uses an application-layer protocol (web protocols) and the subsequent shell execution. The rule is mapped to MITRE ATT&CK T1071 (Application Layer Protocol) with sub-technique T1071.001 (Web Protocols) under Command and Control, and T1059.004 (Unix Shell) under Execution. It uses Linux network and file events collected via Elastic Defend and runs within the Elastic Security framework. Its intent is to detect early-stage C2 activity and command execution patterns consistent with modern C2 frameworks; the Linux-only scope and the specific host-path and process-name filters keep false positives low.
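To make the correlation logic concrete, the following is an added example (not the rule's own EQL and not Elastic code) that replays the two-step sequence over constructed sample events in plain Python. The suspicious directory list is the one given in the summary; the destination exclusion networks, the small benign-process allowlist, and the choice to correlate on (host, pid) are assumptions standing in for the rule's actual filters and sequence key, and the event records are made up.

```python
"""Toy replay of the connection-then-file-creation sequence described above.

Added example for illustration; the directory list comes from the rule summary,
the exclusion networks, allowlist and (host, pid) sequence key are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MAXSPAN_SECONDS = 5.0

# Directories from which a legitimate executable rarely runs (from the rule summary).
SUSPICIOUS_DIRS = ("/boot/", "/tmp/", "/var/tmp/", "/var/log/", "/run/user/")

# Destinations the rule ignores: unspecified, loopback, link-local, RFC 1918,
# CGNAT, multicast and their IPv6 counterparts. Assumed approximation of the real list.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]

# Hypothetical benign-process allowlist standing in for the rule's path-based exclusions.
BENIGN_PROCESS_NAMES = {"apt-get", "dpkg", "snapd"}


@dataclass
class Event:
    ts: float
    host: str
    pid: int
    kind: str                        # "network" or "file"
    process_path: str
    dest_ip: Optional[str] = None    # network events only
    file_path: Optional[str] = None  # file events only


def in_suspicious_dir(path: Optional[str]) -> bool:
    return bool(path) and path.startswith(SUSPICIOUS_DIRS)


def dest_excluded(dest: Optional[str]) -> bool:
    """True for null, 0.0.0.0, localhost-like and private destinations."""
    if not dest:
        return True
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return True  # unparsable address: treat as noise, not as a hit
    return any(ip in net for net in EXCLUDED_NETWORKS)


def process_name(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def detect(events: Iterable[Event], maxspan: float = MAXSPAN_SECONDS) -> List[Tuple[Event, Event]]:
    """Return (network_event, file_event) pairs that complete the sequence.

    Step 1 arms a slot keyed by (host, pid); step 2 must arrive from the same
    slot within maxspan seconds, otherwise the slot is discarded.
    """
    pending = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.kind == "network":
            if (in_suspicious_dir(ev.process_path)
                    and process_name(ev.process_path) not in BENIGN_PROCESS_NAMES
                    and not dest_excluded(ev.dest_ip)):
                pending[key] = ev            # latest qualifying connection wins
        elif ev.kind == "file":
            first = pending.get(key)
            if first is None:
                continue
            if ev.ts - first.ts > maxspan:
                del pending[key]             # window expired, disarm
                continue
            if in_suspicious_dir(ev.file_path):
                hits.append((first, ev))
                del pending[key]             # one alert per armed connection
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Agent in /tmp beacons to a public address, then writes task output: should alert.
    Event(100.0, "web01", 4242, "network", "/tmp/.x/agent", dest_ip="203.0.113.45"),
    Event(101.5, "web01", 4242, "file", "/tmp/.x/agent", file_path="/tmp/.x/task.out"),
    # Same shape but the destination is RFC 1918: filtered by the destination exclusion.
    Event(200.0, "web01", 5000, "network", "/var/tmp/upd", dest_ip="10.0.0.5"),
    Event(201.0, "web01", 5000, "file", "/var/tmp/upd", file_path="/var/tmp/upd.log"),
    # Public destination, but the file write lands after the 5 s window: no alert.
    Event(300.0, "db01", 6100, "network", "/var/log/.cache/bin", dest_ip="198.51.100.7"),
    Event(306.0, "db01", 6100, "file", "/var/log/.cache/bin", file_path="/var/log/.cache/out"),
    # Binary in /usr/bin: the first step never matches.
    Event(400.0, "db01", 7000, "network", "/usr/bin/curl", dest_ip="198.51.100.7"),
    Event(400.5, "db01", 7000, "file", "/usr/bin/curl", file_path="/tmp/download"),
]


def run_sample() -> List[Tuple[Event, Event]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for net, f in run_sample():
        print(f"ALERT host={net.host} pid={net.pid} {net.process_path} -> {net.dest_ip} "
              f"then created {f.file_path} after {f.ts - net.ts:.1f}s")
```

Only the first pair fires; the private destination, the expired window and the /usr/bin process each fail a different gate, which is a useful way to check that an exclusion change does not silently widen or narrow the rule.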
Categories
- Endpoint
- Linux
Data Sources
- Kernel
- Process
- Network Traffic
- File
ATT&CK Techniques
- T1071
- T1071.001
- T1059
- T1059.004
Created: 2026-07-02