Elastic License V2

This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or credential theft.

This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.

The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.