{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/detection-rule/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["endpoint","linux","execution","user-execution","initial-access","detection-rule"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis intelligence describes a detection opportunity concerning the \u003ccode\u003exdg-open\u003c/code\u003e utility on Linux systems. While \u003ccode\u003exdg-open\u003c/code\u003e is a legitimate command used to open files or URLs in a user's preferred desktop application, it can be leveraged by adversaries as part of an initial access or execution chain. Attackers might craft spearphishing emails containing malicious links or documents that, when opened by the user, trigger \u003ccode\u003exdg-open\u003c/code\u003e to execute their payload. This technique relies on user interaction (User Execution, T1204) to bypass security controls and initiate further malicious activity. This specific detection rule, developed by Elastic, targets the execution of \u003ccode\u003exdg-open\u003c/code\u003e itself, aiming to identify instances where it might be invoked as a result of user interaction with malicious content. The rule was published on July 2nd, 2026, and provides a generic detection for this common Linux utility's suspicious usage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / User Interaction\u003c/strong\u003e: An attacker sends a spearphishing email or hosts a malicious website presenting a malicious link or file (e.g., a \u003ccode\u003e.desktop\u003c/code\u003e file, a crafted document, or a URL).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Execution\u003c/strong\u003e: The target user, tricked by social engineering, interacts with the malicious content, either by clicking a link or opening a file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003exdg-open\u003c/code\u003e Invocation\u003c/strong\u003e: The user's desktop environment or a script silently invokes \u003ccode\u003exdg-open\u003c/code\u003e to handle the malicious link or file, believing it to be legitimate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Payload Delivery/Execution\u003c/strong\u003e: \u003ccode\u003exdg-open\u003c/code\u003e attempts to open the attacker-controlled resource, which could be a remote URL hosting an exploit, a local malicious script, or a document embedded with macros or other executable content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: Successful exploitation leads to arbitrary code execution on the user's system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Actions\u003c/strong\u003e: The attacker can then establish persistence, exfiltrate data, or deploy additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit leveraging \u003ccode\u003exdg-open\u003c/code\u003e can lead to initial system compromise, allowing attackers to execute arbitrary code with the privileges of the compromised user. Depending on the payload delivered, this could result in data exfiltration, installation of ransomware or other malware, or the establishment of a foothold for lateral movement within the network. This technique is often used as a gateway for more extensive attacks, impacting user workstations and potentially leading to broader organizational breaches. The primary impact is the loss of confidentiality, integrity, and availability of data and systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM/EDR platform to detect suspicious \u003ccode\u003exdg-open\u003c/code\u003e command executions on Linux endpoints.\u003c/li\u003e\n\u003cli\u003eEnsure process creation logging for Linux systems (\u003ccode\u003eprocess_creation\u003c/code\u003e category, \u003ccode\u003elinux\u003c/code\u003e product) is enabled and forwarded to your security platforms for analysis.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening unsolicited attachments or clicking on suspicious links to mitigate the effectiveness of User Execution (T1204).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:32:11Z","date_published":"2026-07-06T17:32:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-xdg-open-command-execution/","summary":"This brief details a detection rule for the `xdg-open` command on Linux systems, which attackers abuse to trick users into opening malicious documents or URLs, leading to user execution and potential system compromise.","title":"Suspicious XDG-Open Command Execution on Linux","url":"https://feed.craftedsignal.io/briefs/2026-07-xdg-open-command-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Endpoint","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["linux","endpoint-security","command-and-control","defense-evasion","execution","detection-rule"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious shell execution activities initiated by the Elastic Endpoint agent on Linux systems. Attackers gaining control over an Elastic Endpoint agent could leverage its built-in response action console to execute arbitrary shell commands on compromised machines. This technique allows adversaries to establish remote access, execute further commands, or maintain persistence, often bypassing standard detection mechanisms by masquerading as legitimate endpoint management actions. The detection rule targets the spawning of common shell interpreters (such as \u003ccode\u003ebash\u003c/code\u003e, \u003ccode\u003esh\u003c/code\u003e, \u003ccode\u003ezsh\u003c/code\u003e) as child processes of the \u003ccode\u003e/opt/Elastic/Endpoint/elastic-endpoint\u003c/code\u003e binary, specifically when invoked with command execution arguments like \u003ccode\u003e-c\u003c/code\u003e or \u003ccode\u003e--command\u003c/code\u003e. This behavior is a strong indicator of post-exploitation activity, where an adversary is actively controlling the system through the endpoint agent, making it critical for defenders to identify and respond to promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis detection rule focuses on a post-exploitation phase where an attacker has already gained sufficient access to leverage the Elastic Endpoint agent.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Pre-requisite)\u003c/strong\u003e: An attacker gains initial access to a Linux system through various means (e.g., exploitation of a vulnerability, compromised credentials, or malicious payload).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation / Lateral Movement (Pre-requisite)\u003c/strong\u003e: The attacker may escalate privileges or move laterally to a system where the Elastic Endpoint agent is running with sufficient permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAbuse Elastic Endpoint Functionality\u003c/strong\u003e: The attacker interacts with the compromised Elastic Endpoint agent, potentially through its API or an exposed administrative interface, to instruct it to execute commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eShell Process Creation\u003c/strong\u003e: The \u003ccode\u003eelastic-endpoint\u003c/code\u003e process, acting on the attacker's commands, spawns a child process for a shell interpreter (e.g., \u003ccode\u003ebash\u003c/code\u003e, \u003ccode\u003esh\u003c/code\u003e, \u003ccode\u003ezsh\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution\u003c/strong\u003e: The spawned shell executes arbitrary commands supplied by the attacker (e.g., \u003ccode\u003e-c \u0026quot;whoami\u0026quot;\u003c/code\u003e, \u003ccode\u003e-lc \u0026quot;ls -la /tmp\u0026quot;\u003c/code\u003e), leading to system reconnaissance, data exfiltration, or further malware deployment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control / Impact\u003c/strong\u003e: The executed commands facilitate command and control, enable persistence, or contribute to the attacker's final objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique provides attackers with a stealthy method to execute arbitrary commands on a compromised Linux host, using a trusted endpoint security agent as a proxy. This can lead to full system compromise, data theft, deployment of additional malware (e.g., ransomware, cryptominers), or establishment of long-term persistence within the environment. Since the activity originates from a legitimate security product's process, it can evade less sophisticated monitoring solutions, making detection crucial. The potential for a wide range of follow-on activities means the impact can range from minor data exposure to complete business disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Shell Execution via Elastic Endpoint\u0026quot; to your SIEM and tune for your Linux environment.\u003c/li\u003e\n\u003cli\u003eEnsure that Elastic Defend and Elastic Endpoint are configured for comprehensive logging of process creation events on Linux systems, as specified in the rule's \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview access controls and configurations for the Elastic Endpoint agent and its management interfaces to prevent unauthorized command execution capabilities.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, paying close attention to the \u003ccode\u003eCommandLine\u003c/code\u003e arguments and the context of the \u003ccode\u003eelastic-endpoint\u003c/code\u003e process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:29:54Z","date_published":"2026-07-06T17:29:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-elastic-endpoint-shell-execution/","summary":"This brief details the detection of shell command execution initiated by the Elastic Endpoint agent on Linux systems, indicating potential post-exploitation activity such as remote access or command and control via misuse of the endpoint's response capabilities.","title":"Shell Execution via Elastic Endpoint on Linux","url":"https://feed.craftedsignal.io/briefs/2026-07-elastic-endpoint-shell-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Detection-Rule","version":"https://jsonfeed.org/version/1.1"}