-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Rule] Unusual Preload Environment Variable Process Execution #4305
base: main
Are you sure you want to change the base?
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
|
||
[rule.new_terms] | ||
field = "new_terms_fields" | ||
value = ["process.env_vars"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should you aggregate the executable in here as well? If I understand correctly, the rule will trigger anytime a process is started as long as environment variables are different?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I were to do that, we would get an alert for every time a new executable is started with an LD_PRELOAD environment variable that is new. That would mean that if you load a new LD_PRELOAD shared object, you will get tons of alerts for every executable that is ran after.
Not adding the process executable will ensure that it just flags any new entry to the LD_PRELOAD environment variables, and just alerts once.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LD_PRELOAD is also a development feature, so I don't want to cause alert fatigue
Summary
This rule detects processes that are executed with environment variables that are not commonly used. This could indicate an attacker is attempting to hijack the execution flow of a process by loading malicious libraries or binaries into the process memory space.