Elastic · medium · TTP

Segfault from Sensitive Process Detected

Monitors kernel logs for segfault messages from sensitive processes. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault can be an indication of malicious behavior if it results from attempts to exploit buffer overflows, inject shared objects, or other vulnerabilities in software to execute arbitrary code or disrupt its normal operation.

MITRE ATT&CK

credential-access, execution

Detection Query

host.os.type:linux and event.dataset:system.syslog and process.name:kernel and
message:(
  segfault and (
    agetty or apache2 or atd or auditbeat or auditd or beacon-chain or besu or chage or
    chfn or chsh or clef or cron or crond or dbus-broker or dbus-daemon or dnsmasq or
    elastic-agent or erigon or ethrex or ethsigner or geth or getty or gpasswd or
    grandine or httpd or krb5_child or ldap_child or lighthouse or lodestar or login or
    logrotate or named or nethermind or newgrp or nginx or nslcd or op-batcher or
    op-challenger or op-conductor or op-geth or op-node or op-proposer or openvpn or
    osqueryd or passwd or pkexec or polkitd or proftpd or prysm or reth or rsyslogd or
    smbd or ssh or sshd or sssd or sssd_nss or sssd_pam or su or sudo or sudoedit or
    systemd-logind or teku or unix_chkpwd or vsftpd or web3signer
  )
)

Author

Elastic

Created

2026/05/28

Data Sources

logs-system.syslog-*, filebeat-*

Tags

Domain: Endpoint · OS: Linux · Use Case: Threat Detection · Tactic: Credential Access · Tactic: Execution
Raw Content
# Repository metadata for the rule file; read by the rule-management
# tooling rather than by the deployed rule itself.
[metadata]
creation_date = "2026/05/28"
# The rule reads the System integration's syslog stream: see the
# `index` patterns and the `event.dataset:system.syslog` filter below.
integration = ["system"]
maturity = "production"
# Same as creation_date: this is the first revision of the rule.
updated_date = "2026/05/28"

[rule]
author = ["Elastic"]
description = """
Monitors kernel logs for segfault messages from sensitive processes. A segfault, or segmentation fault, is an error
that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to
program termination. A segfault can be an indication of malicious behavior if it results from attempts to exploit
buffer overflows, inject shared objects, or other vulnerabilities in software to execute arbitrary code or disrupt
its normal operation.
"""
# Look-back window of each scheduled run. No `interval` is set in this
# file, so the rule's default interval applies; the window is presumably
# wider than that interval so late-arriving syslog lines are still seen.
from = "now-9m"
# Both patterns carry the System integration's syslog documents; the
# query narrows further on event.dataset.
index = ["logs-system.syslog-*", "filebeat-*"]
# The query is KQL, so the process names below are whole-token terms,
# not substrings (see the notes above `query`).
language = "kuery"
license = "Elastic License v2"
name = "Segfault from Sensitive Process Detected"
# 47 is the risk score Elastic pairs with severity "medium".
risk_score = 47
rule_id = "01e244f0-fef9-4102-903f-9788052b2c91"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Execution"
]
# Use event.ingested instead of @timestamp for the time-range filter, so
# events delayed in the shipping pipeline still fall inside a run's window.
timestamp_override = "event.ingested"
type = "query"
# Matches the kernel's segfault report (process.name:kernel in the syslog
# dataset) when the line also names one of the listed processes. The list
# covers authentication and privilege helpers (su, sudo, passwd, pkexec,
# polkitd, sssd*, unix_chkpwd, krb5_child, ...), network-facing daemons
# (sshd, httpd, nginx, smbd, vsftpd, named, dnsmasq, openvpn, ...),
# security agents (auditd, auditbeat, elastic-agent, osqueryd) and
# blockchain node and signer software (geth, besu, lighthouse, prysm,
# op-*, web3signer, ...). Per the description, the value is in catching
# failed exploitation attempts, which crash the target where success
# would not.
# NOTE(review): `message` is presumably an analyzed text field, so each
# term matches a whole token (`ssh` does not match `sshd`); short terms
# such as `su`, `login`, `cron` or `named` can also occur elsewhere in a
# kernel line (e.g. in the faulting object's path), so some benign hits
# are possible — confirm against the field mapping and tune as needed.
# NOTE(review): the kernel rate-limits unhandled-signal reporting, so a
# burst of crashes may not all be logged; any single line still alerts,
# but hit counts should not be read as exact crash counts — confirm on
# the target kernels.
query = '''
host.os.type:linux and event.dataset:system.syslog and process.name:kernel and
message:(
  segfault and (
    agetty or apache2 or atd or auditbeat or auditd or beacon-chain or besu or chage or
    chfn or chsh or clef or cron or crond or dbus-broker or dbus-daemon or dnsmasq or
    elastic-agent or erigon or ethrex or ethsigner or geth or getty or gpasswd or
    grandine or httpd or krb5_child or ldap_child or lighthouse or lodestar or login or
    logrotate or named or nethermind or newgrp or nginx or nslcd or op-batcher or
    op-challenger or op-conductor or op-geth or op-node or op-proposer or openvpn or
    osqueryd or passwd or pkexec or polkitd or proftpd or prysm or reth or rsyslogd or
    smbd or ssh or sshd or sssd or sssd_nss or sssd_pam or su or sudo or sudoedit or
    systemd-logind or teku or unix_chkpwd or vsftpd or web3signer
  )
)
'''

# Credential Access mapping: presumably motivated by the credential-handling
# processes in the list (passwd, chage, gpasswd, unix_chkpwd, sssd_pam,
# krb5_child, ldap_child, ...) — a crash there can be the residue of an
# exploitation attempt against the credential path.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# Execution mapping.
# NOTE(review): T1203 describes exploitation of client-side applications;
# for the network-facing daemons in the list (sshd, httpd, nginx, smbd,
# vsftpd, named, ...) T1190 Exploit Public-Facing Application may be the
# closer fit — confirm with the rule owner before changing the mapping.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"