Tag
Suspicious Web Server Child Process Execution via Elastic Defend for Containers
2 rules, 3 TTPs
This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts within a containerized environment, potentially indicating the uploading of a web shell to maintain system access, and covers persistence, execution, and command and control tactics.
User Detected with Suspicious Windows Process(es)
2 rules, 2 TTPs
A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.
Host Detected with Suspicious Windows Process(es)
2 rules, 2 TTPs
A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.
LLM-Based Compromised User Triage
2 rules, 2 TTPs
This rule correlates multiple security alerts involving the same user, analyzes them with an LLM, and flags potentially compromised accounts based on MITRE tactics, geographic anomalies, and multi-host activity, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.