Elastic Endgame

The rule detects attempts to clear the kernel ring buffer on Linux systems using the `dmesg` command with options like `-c`, `-C`, `--clear`, or `--read-clear` to evade detection.

The rule identifies command-line executions that attempt to access cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.

The rule detects the use of the 'kubectl get secrets --all-namespaces' command, which enumerates secret resources across the entire Kubernetes cluster, potentially aiding credential discovery, privilege escalation, or lateral movement by attackers.

This rule detects the creation of files in world-writable directories on Linux systems by an unusual process, which is a common defense evasion tactic for potential lateral movement or malicious payload staging.

Detects User Account Control (UAC) bypass attempts using eventvwr.exe to execute code with elevated permissions by identifying child processes of eventvwr.exe, excluding mmc.exe and WerFault.exe, which may indicate unauthorized privilege escalation.

Detection of suspicious ImagePath values written to the registry, indicating potential persistence or privilege escalation via abnormal service creation involving command interpreters or named pipes.

Detects suspicious modifications to the Windows Startup shell folder, a technique used to bypass detections monitoring file creation in the Windows Startup folder.

Adversaries may achieve lateral movement by creating malicious files in remote Windows startup folders via RDP or SMB, leading to code execution upon system reboot or user logon.

This brief detects potential remote desktop shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session, which adversaries may abuse to spy on or control other users' RDP sessions.

This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

This rule detects the execution of PowerShell, PowerShell ISE, or Cmd spawned from Windows Script Host or MSHTA, indicating potential abuse of scripting interpreters to execute malicious commands or scripts on Windows systems.

This rule identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values, often observed during malware installation.

Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.

This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.

This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.

This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.

Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.

Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.

Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.

Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

Detects suspicious command execution via WMI on a Windows host, potentially indicating lateral movement by an adversary using cmd.exe to execute commands remotely.

This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.

An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

This rule detects suspicious mofcomp.exe activity, which attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes and system accounts.

Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.

Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.

The `unshare` command is used to create new namespaces in Linux, which can be exploited to break out of containers or elevate privileges by creating namespaces that bypass security controls.

This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet penetration via forward and reverse SOCKS5 proxy tunneling.