Product
medium
advisory
Potential Evasion via Windows Filtering Platform Blocking Security Software
2 rules 2 TTPsAdversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.
Windows Filtering Platform +2
defense-evasion
windows-filtering-platform
endpoint-security
2r
2t
high
advisory
Long Base64 Encoded Command via Scripting Interpreter
2 rules 5 TTPsDetection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.
Elastic Endpoint
defense-evasion
execution
scripting-interpreter
base64
command-line
2r
5t
medium
advisory
Suspicious DNS Queries to RMM Domains from Non-Browser Processes
2 rulesDetection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.
Elastic Endpoint +1
command-and-control
remote-access
windows
2r