// Linux.Exploit.Vmsplice -- user-land binaries of the vmsplice() local
// privilege-escalation exploit family (32-bit x86; file and memory scans).
//
// $a is the byte run "z\0!@#$\0mmap\0[+] mmap:" -- the exploit's
// "[+] mmap:" progress banner together with what look like adjacent
// NUL-terminated literals from the binary's read-only data (confirm
// against reference_sample). It is written as a text string with \x00
// escapes; this is byte-for-byte the same pattern as the raw hex form.
//
// A hit means the exploit tooling is present on disk or in a process
// image, not that the kernel was actually exploited -- triage accordingly.
rule Linux_Exploit_Vmsplice_cfa94001 {
    meta:
        author = "Elastic Security"
        id = "cfa94001-6000-4633-9af2-efabfaa96f94"
        fingerprint = "3fb484112484e2afc04a88d50326312af950605c61f258651479427b7bae300a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "0a26e67692605253819c489cd4793a57e86089d50150124394c30a8801bf33e6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = "z\x00!@#$\x00mmap\x00[+] mmap:"
    condition:
        // single string, so "$a" is exactly "all of them"
        $a
}
// Linux.Exploit.Vmsplice -- code-byte variant of the vmsplice() local
// privilege-escalation exploit signature (32-bit x86; file and memory).
//
// $a is a raw machine-code sequence rather than a printable string. The
// tail appears to decode as a 32-bit function epilogue followed by the
// next function's prologue (add esp,0x10 ; pop ebx ; leave ; ret ;
// push ebp ; mov ebp,esp ; ...); the leading bytes (24 04 73 00 00 00
// 89 44 24 00 CF) are what pin it to this sample.
//
// Caveat for deployment: compiled-code sequences like this are
// compiler- and build-specific and can recur in unrelated 32-bit
// binaries built the same way. Validate against a corpus of clean
// x86 ELF files before using this rule for blocking rather than alerting.
rule Linux_Exploit_Vmsplice_a000f267 {
    meta:
        author = "Elastic Security"
        id = "a000f267-b4d7-46e9-ab61-818633083ba2"
        fingerprint = "0753ef1bc3e151fd6d4773967b5cde6ad789df593e7d8b9ed08052151a1a1849"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "c85cc6768a28fb7de16f1cad8d3c69d8f0b4aa01e00c8e48759d27092747ca6f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // kept as hex: these are opcode bytes, not text
        $a = { 24 04 73 00 00 00 89 44 24 00 CF 83 C4 10 5B C9 C3 55 89 E5 83 }
    condition:
        // single string, so "$a" is exactly "all of them"
        $a
}
// Linux.Exploit.Vmsplice -- banner-string variant (32-bit x86; file and
// memory scans).
//
// $a is four NUL bytes followed by " Linux vmspl": the head of what is
// presumably the exploit's printed banner (the pattern is cut off at
// "vmspl", so the full title is not asserted here -- confirm against
// reference_sample). The four leading NULs are likely padding before the
// literal in read-only data; they are what separates this rule from the
// sibling that expects "---\0" in front of the same fragment.
//
// Written as a text string with \x00 escapes; identical bytes to the raw
// hex form.
rule Linux_Exploit_Vmsplice_8b9e4f9f {
    meta:
        author = "Elastic Security"
        id = "8b9e4f9f-7903-4aa5-9098-766f4311a22b"
        fingerprint = "585b16ad3e4489a17610f0a226be428def33e411886f273d0c1db45b3819ba3f"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "0230c81ba747e588cd9b6113df6e1867dcabf9d8ada0c1921d1bffa9c1b9c75d"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = "\x00\x00\x00\x00 Linux vmspl"
    condition:
        // single string, so "$a" is exactly "all of them"
        $a
}
// Linux.Exploit.Vmsplice -- second banner-string variant (32-bit x86;
// file and memory scans).
//
// $a is "---\0 Linux vmspl": the same truncated banner fragment as the
// 8b9e4f9f sibling, but preceded by a "---" literal and its terminating
// NUL instead of four NULs. This presumably captures a build whose
// read-only data lays out the strings differently (confirm against
// reference_sample). Both rules carry the same threat_name, so a file
// matching either is classified identically.
//
// Written as a text string with \x00 escapes; identical bytes to the raw
// hex form.
rule Linux_Exploit_Vmsplice_055f88b8 {
    meta:
        author = "Elastic Security"
        id = "055f88b8-b1b0-4b02-8fc5-97804b564d27"
        fingerprint = "38f7d6c56ee1cd465062b5c82320710c4d0393a3b33f5586b6c0c0c778e5d3b2"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "607c8c5edc8cbbd79a40ce4a0eccf46e01447985d9415d1eff6a91bf64074507"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = "---\x00 Linux vmspl"
    condition:
        // single string, so "$a" is exactly "all of them"
        $a
}
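// Linux.Exploit.Vmsplice -- symbol-name variant (32-bit x86; file and
// memory scans).
//
// $a is "ion\0putenv\0stdout\0se": a run of NUL-separated names that
// looks like a fragment of an ELF dynamic string table (imported symbols
// "...ion", "putenv", "stdout", "se...") -- confirm against
// reference_sample. Unlike the sibling rules, nothing in this pattern is
// specific to vmsplice: any dynamically linked ELF whose .dynstr happens
// to emit these names in this order would match. Treat hits from this
// rule as lower-confidence than the banner-based siblings and corroborate
// before acting on them, even though it carries the same severity.
//
// Meta fields are normalized to the schema used by the other four rules
// in this file: the sample hash is under "reference_sample" (the original
// used "reference") and severity is the integer 100 rather than the
// string "100", so consumers that compare severity numerically or look
// up reference_sample see the same shape for every rule. If a downstream
// consumer depends on the old key/type, update it alongside this change.
rule Linux_Exploit_Vmsplice_431e689d {
    meta:
        author = "Elastic Security"
        id = "431e689d-0c41-4c92-98b0-0dac529d8328"
        fingerprint = "1e8aee445a3adef6ccbd2d25f7b38202bef98a99b828eda56fb8b9269b6316b4"
        creation_date = "2021-06-28"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "1cbb09223f16af4cd13545d72dbeeb996900535b1e279e4bcf447670728de1e1"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // text form with \x00 escapes; byte-identical to the raw hex sequence
        $a = "ion\x00putenv\x00stdout\x00se"
    condition:
        // single string, so "$a" is exactly "all of them"
        $a
}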