Elastic Agent

This rule detects segfault messages in kernel logs originating from sensitive processes on Linux systems, indicating potential exploitation attempts that could lead to arbitrary code execution or credential access.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.