Elasticsearch

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

The Atomic Red Team Model Context Protocol (MCP) server integrates security tests from the Atomic Red Team project with AI assistants, enabling natural language interaction with security tools, bridging the gap between threat intelligence and execution, allowing for automated validation, multi-platform testing, and rapid playbook creation.

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.

This rule identifies potentially unsecured Elasticsearch nodes that lack TLS and/or authentication and are accepting inbound network connections, which could allow adversaries to gain initial access, exfiltrate data, or disrupt services.