The rule detects potentially malicious ELF files being uploaded or executed within the environment, which could indicate the presence of a Linux-based adversary. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
rule is__elf {
    meta:
        author = "@mmorenog,@yararules"
    strings:
        $header = { 7F 45 4C 46 }
    condition:
        $header at 0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
Scenario: A legitimate system update or patching tool (e.g., rsync, yum, apt) is transferring an ELF file as part of a package installation.
Filter/Exclusion: Exclude files with known package manager signatures or files located in standard package directories like /var/cache/apt/archives/ or /usr/local/src/.
Scenario: A system administrator is manually compiling a C program using gcc and the resulting ELF binary is temporarily stored in a build directory.
Filter/Exclusion: Exclude files in directories like /tmp/build/, /home/admin/build/, or files with a .o or .elf extension that are not executable.
Scenario: A scheduled job (e.g., cron job) is running a legitimate script that generates an ELF file as part of a test or development process.
Filter/Exclusion: Exclude files created within a specific time window (e.g., during a known test phase) or files in directories like /var/tmp/ or /opt/test/.
Scenario: A security tool (e.g., ClamAV, Sophos, or Tripwire) is generating a temporary ELF file for analysis or reporting purposes.
Filter/Exclusion: Exclude files in directories like /var/log/ or /tmp/ that match known temporary file patterns or are associated with specific security tools.
Scenario: A developer is using a containerization tool (e.g., Docker, Podman) to build and run an ELF-based application, and the binary is temporarily stored in a build context.
Filter/Exclusion: Exclude files in Docker build directories (e.g., /var/lib/docker/build/) or files with Docker-specific metadata or labels.
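As an added example (not part of the original rule or its author's tooling), the following Python mirrors the rule's condition (ELF magic at offset 0) and then applies triage based on the scenarios above: a path-prefix allowlist assumed from the directories listed in the exclusions, plus a check of the ELF header's e_type field so that relocatable object files (the ".o" case) are separated from executables and shared objects by their header rather than by file extension. The sample headers are constructed for testing and are not real files.

```python
import struct

ELF_MAGIC = b"\x7fELF"  # the rule's $header = { 7F 45 4C 46 } at offset 0

# e_type values from the ELF specification (offset 16, 2 bytes)
E_TYPE = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

# Assumed exclusion prefixes, taken from the scenarios listed above
EXCLUDED_PREFIXES = (
    "/var/cache/apt/archives/",
    "/usr/local/src/",
    "/tmp/build/",
    "/home/admin/build/",
    "/var/tmp/",
    "/opt/test/",
    "/var/lib/docker/build/",
)


def is_elf(data):
    """Mirror the YARA condition: ELF magic bytes at offset 0."""
    return data[:4] == ELF_MAGIC


def elf_type(data):
    """Return the ELF e_type name (REL/EXEC/DYN/...) or None if not ELF."""
    if not is_elf(data) or len(data) < 18:
        return None
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian; e_type sits at offset 16
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return E_TYPE.get(e_type, "UNKNOWN(%d)" % e_type)


def triage(path, data):
    """Classify a hit: 'not-elf', 'excluded', 'object' or 'alert'."""
    if not is_elf(data):
        return "not-elf"
    if any(path.startswith(p) for p in EXCLUDED_PREFIXES):
        return "excluded"
    if elf_type(data) == "REL":  # relocatable object file, not directly executable
        return "object"
    return "alert"


def make_header(e_type, little_endian=True):
    """Constructed sample: a minimal 64-byte ELF64 header for testing only."""
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", e_type, 0x3E) + b"\x00" * 44
```

Note that a path-prefix exclusion only reduces alert volume; anything an adversary can write into an excluded directory is still invisible to the hunt, so the exclusions should be paired with ownership or package-verification checks rather than trusted on their own.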