Threat-Detection

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.

Threat actors are rapidly exfiltrating data by exploiting blind spots created by an over-reliance on endpoint data, necessitating a comprehensive security approach that incorporates cloud, identity, and network telemetry for effective threat detection and response.

This rule identifies hosts triggering multiple distinct, globally rare Elastic Defend behavior rules, increasing the likelihood of detecting compromised hosts while reducing false positives.

This rule detects multiple external EDR alerts on the same host, indicating a potential compromise, by analyzing alert data from various EDR solutions like CrowdStrike, SentinelOne, and M365 Defender to identify hosts triggering multiple alerts, enabling prioritization of investigation and response.

A user created a self-hosted email threat detection tool, named VerdictMail, employing IMAP IDLE for real-time monitoring and multi-stage enrichment via SPF, DKIM, DMARC, DNSBL, WHOIS, URLhaus, and VirusTotal, coupled with an LLM for threat assessment.

This rule uses alert data to identify hosts with multiple alerts across different ATT&CK tactics, indicating a higher likelihood of compromise and enabling analysts to prioritize triage and response based on accumulated risk score.

This rule identifies when multiple different alerts involving the same user are triggered, which could indicate a compromised user account and requires further investigation.

A machine learning job has detected an unusually high number of processes started within a single Remote Desktop Protocol (RDP) session, potentially indicating lateral movement activity.

This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, potentially indicating command and control activity.

This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.

A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.

This analytic identifies suspicious programs such as script interpreters, rundll32, or MSBuild being executed shortly after user logon, indicating potential persistence mechanisms abusing the registry run keys.

This rule detects suspicious use of whoami.exe to display user, group, and privileges information for the user who is currently logged on to the local system, potentially indicating post-compromise discovery activity.

This rule detects newly observed, low-frequency, high-severity Elastic SIEM detection alerts affecting a single agent, helping prioritize triage and response by highlighting alerts tied to specific detection rules that have not been seen previously for the host.

This rule correlates multiple security alerts associated with the same ATT&CK tactic on a single host within a defined time window, helping to identify hosts exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity, focusing on Credential Access, Defense Evasion, Execution, and Command and Control tactics.

Detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint, potentially indicating credential access or in-cluster reconnaissance.

This rule identifies the creation and subsequent execution of a Windows script downloaded from the internet, a technique used by adversaries for initial access and execution on Windows systems.

The rule detects suspicious loading of the Remote Desktop Services ActiveX Client (mstscax.dll) from unusual locations, potentially indicating RDP lateral movement on Windows systems.

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

A machine learning job has detected unusually high variance of RDP session duration, potentially indicating lateral movement and session persistence by threat actors.