Elastic

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts within a containerized environment, potentially indicating the uploading of a web shell to maintain system access, and covers persistence, execution, and command and control tactics.

This rule detects unusual child process executions originating from web server processes on Linux systems, potentially indicating attackers exploiting web servers for persistence.

Identifies suspicious command executions via a web server on Linux systems, potentially indicating a vulnerability exploitation or remote shell access for persistence.

This rule identifies unusual destination port network activity originating from a web server process on Linux systems, indicating potential web shell activity or unauthorized communication from a web server process to external systems by detecting egress connections from web server processes to non-standard ports while excluding common local IP ranges.

This rule detects potential command execution from a web server parent process on a Linux host, indicating a possible web shell attack where adversaries exploit web server vulnerabilities to execute arbitrary commands.

This rule detects unusual processes spawned from a web server parent process on Linux systems, potentially indicating an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels.

This rule detects the abuse of Azure Virtual Machine Run Command to execute scripts remotely, correlating Azure Activity Log events with endpoint process starts, identifying instances where adversaries use Run Command to run scripts as SYSTEM or root.

The rule detects attempts to clear the kernel ring buffer on Linux systems using the `dmesg` command with options like `-c`, `-C`, `--clear`, or `--read-clear` to evade detection.

This rule detects Linux process executions that reference /etc/kubernetes/manifests in process arguments, which may indicate tampering with static pod manifests for persistence or privilege escalation in Kubernetes environments.

Multiple vulnerabilities in Elastic Kibana allow for privilege escalation, remote denial of service, data breach, server-side request forgery (SSRF), and cross-site scripting (XSS).

This rule detects segfault messages in kernel logs originating from sensitive processes on Linux systems, indicating potential exploitation attempts that could lead to arbitrary code execution or credential access.

This rule detects potential privilege escalation attempts on Linux systems by monitoring the use of `unshare` with user namespace-related arguments followed by a UID change to root, indicating a transition to root and a potential local privilege escalation.

The rule identifies command-line executions that attempt to access cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.

This rule detects the execution of macOS built-in commands such as `defaults`, `mkpassdb`, and `dscl` used by adversaries to dump user account hashes for credential access and lateral movement.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication using rundll32.exe.

This rule detects passwordless sudo probing activity on Linux systems, which can indicate an attacker attempting to enumerate allowed commands and potential privilege escalation.

Detection of uncommon DNS requests originating from Bun or Node.js processes, potentially indicating malicious code execution following a supply chain attack.

This rule detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set, often exploited by adversaries to gain elevated access on Linux systems.

Detects Kubernetes API requests where a user is impersonating a privileged cluster identity such as system:kube-controller-manager, system:admin, system:anonymous, or a member of the system:masters group, potentially leading to privilege escalation and unauthorized access.

Detects execution of curl or wget from processes running inside OCI/runc-backed containers, potentially indicating ingress tool transfer or data exfiltration after a container breakout.

Detects potential reconnaissance activity in Kubernetes environments where adversaries or automated scripts attempt to map the environment by rapidly querying multiple API resource kinds, indicative of initial setup before actions like privilege escalation or data exfiltration.

This rule detects Kubernetes audit events where node or pod service accounts are accessing secrets via `get` or `list` operations, which may indicate credential access attempts by attackers sweeping Secret objects for sensitive information.

The rule detects the use of the 'kubectl get secrets --all-namespaces' command, which enumerates secret resources across the entire Kubernetes cluster, potentially aiding credential discovery, privilege escalation, or lateral movement by attackers.

This rule identifies a high number of inbound SSH login attempts on a macOS host within a short time window by monitoring the `sshd-keygen-wrapper` process, indicating potential brute-force attacks against exposed SSH services.

A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.

A machine learning job has identified a parent process spawning one or more suspicious Windows processes exhibiting unusually high malicious probability scores, indicating potential defense evasion tactics like masquerading and LOLBins usage.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.

A machine learning job has detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be suspicious given its user context by an unsupervised ML model, indicating potential defense evasion activity involving LOLbins.

This rule detects unusual process spawned by a parent process, potentially indicating malicious activity involving LOLbins by leveraging machine learning to identify anomalous process creation patterns that evade conventional search rules.

A machine learning job detects unusual Windows processes, potentially Living off the Land binaries, on hosts not commonly associated with malicious activity, indicating possible defense evasion attempts.

This rule detects the creation of files in world-writable directories on Linux systems by an unusual process, which is a common defense evasion tactic for potential lateral movement or malicious payload staging.

This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.

Detects attempts to bypass User Account Control (UAC) by masquerading as a trusted Microsoft Windows directory, abusing a trailing-space in the path to execute code with elevated privileges.

Detects User Account Control (UAC) bypass attempts using eventvwr.exe to execute code with elevated permissions by identifying child processes of eventvwr.exe, excluding mmc.exe and WerFault.exe, which may indicate unauthorized privilege escalation.

Detects User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface, where attackers may attempt to stealthily execute code with elevated permissions, potentially leading to privilege escalation.

A privilege escalation attempt is detected through modification of the Windows directory (Windir) environment variable, a technique often combined with other vulnerabilities to elevate privileges by redirecting system processes.

Adversaries may escalate privileges by abusing named pipe impersonation, a technique often used with tools like Metasploit's meterpreter getsystem command, where a process writes to a named pipe to facilitate a SYSTEM-token handoff.

The rule detects a local successful logon event with Kerberos authentication from localhost, followed by service creation from the same LogonId, indicating a potential Kerberos relay attack for local privilege escalation to LocalSystem.

Detects the creation of a delegated Managed Service Account (dMSA) by an unusual subject account, potentially indicating an attempt to abuse weak permissions for privilege escalation in Active Directory.

The rule detects the hijack of the Microsoft Compatibility Appraiser scheduled task to establish persistence with system integrity level, by monitoring CompatTelRunner.exe process execution and detecting unexpected child processes.

This rule detects a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key, evading detection from system utilities.

Detection of suspicious ImagePath values written to the registry, indicating potential persistence or privilege escalation via abnormal service creation involving command interpreters or named pipes.

Attackers can modify the msDS-AllowedToDelegateTo attribute to KRBTGT, enabling persistent domain access by requesting Kerberos tickets for the KRBTGT service.

This rule detects attempts to establish persistence on Windows endpoints by abusing Microsoft Office add-ins through the creation of malicious files in Office startup directories.

Detects suspicious modifications to the Windows Startup shell folder, a technique used to bypass detections monitoring file creation in the Windows Startup folder.

Detects the creation of a hidden local user account by appending a dollar sign ($) to the account name, a technique used by attackers to persist on a system and evade standard account listing methods.

Adversaries may achieve lateral movement by creating malicious files in remote Windows startup folders via RDP or SMB, leading to code execution upon system reboot or user logon.

This rule detects potential SharpRDP behavior, a tool used for authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for lateral movement by identifying incoming RDP connections followed by RunMRU registry value modifications and subsequent process execution.

The rule detects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on Windows hosts, which may indicate a lateral movement attempt.

This brief detects potential remote desktop shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session, which adversaries may abuse to spy on or control other users' RDP sessions.

Detection of Distributed Component Object Model (DCOM) abuse to execute commands remotely via the MMC20 Application COM object, potentially indicating lateral movement.

This rule detects suspicious Kerberos authentication ticket requests by correlating network connections to the standard Kerberos port (88) from a source machine with a Kerberos authentication ticket request from the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.

The rule identifies the creation of files resembling ransomware notes via SMB, potentially indicating a remote ransomware attack on Windows systems.

Detection of a suspicious file rename operation following an incoming SMB connection, potentially indicating a remote ransomware attack via the SMB protocol, targeting Windows hosts.

Detection of attempts to delete or modify critical Windows boot files indicating a potential destructive attack to prevent system startup.

The rule detects the creation of Kubernetes service account tokens through the TokenRequest API by non-system identities, which can be abused to escalate privileges, pivot to cloud resources, or generate persistent tokens, bypassing file system-based detection.

This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros, by detecting unexpected processes like curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.

TCLBanker is a banking trojan targeting 59 financial platforms, spreading via trojanized Logitech AI Prompt Builder installers and worm modules for WhatsApp and Outlook, enabling remote control and data theft.

Adversaries may abuse Curl for Windows to download files or upload data to a remote URL for command and control or exfiltration purposes.

Adversaries may abuse Cloudflare Tunnel (cloudflared) on Windows systems to proxy command and control traffic or exfiltrate data through Cloudflare's edge, evading direct connection blocking.

This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or credential theft.

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.

This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.

Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.

This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.

Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.

Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.

This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

Attackers are abusing the legitimate file synchronization tool rclone, often renamed to masquerade as legitimate software, to exfiltrate data to cloud storage or remote endpoints.

The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.

Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.

The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.

This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.

The rule detects a potential chroot container escape via mount, which involves a user within a container mounting the host's root file system and using chroot to escape the containerized environment, indicating a privilege escalation attempt.

Detects suspicious chroot execution within a Linux container context, potentially indicating a container escape attempt by pivoting to an alternate root filesystem.

This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.

Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.

This rule identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories, indicating potential privilege escalation.

This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.

The Atomic Red Team Model Context Protocol (MCP) server integrates security tests from the Atomic Red Team project with AI assistants, enabling natural language interaction with security tools, bridging the gap between threat intelligence and execution, allowing for automated validation, multi-platform testing, and rapid playbook creation.

This rule correlates multiple security alerts involving the same user, analyzes them with an LLM, and flags potentially compromised accounts based on MITRE tactics, geographic anomalies, and multi-host activity, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.

This rule detects the execution of PowerShell, PowerShell ISE, or Cmd spawned from Windows Script Host or MSHTA, indicating potential abuse of scripting interpreters to execute malicious commands or scripts on Windows systems.

Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.

Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.

The rule identifies when a user is added to the admin group on macOS systems, potentially indicating privilege escalation activity, and requires Jamf Protect for data ingestion into Elastic.

This rule identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values, often observed during malware installation.

Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.

Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.

The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.

Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.

Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.

Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.

Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.

This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.

The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.

Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.

Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.

Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.

Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.

A Windows account, usually a service account, exhibiting a sudden shift in logon type patterns may indicate account compromise and lateral movement.

Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.

An expired or revoked driver being loaded on a Windows system may indicate an attempt to gain code execution in kernel mode or abuse revoked certificates for malicious purposes, potentially leading to privilege escalation or defense evasion.

Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.

Adversaries may use vaultcmd.exe to list credentials stored in the Windows Credential Manager to gain unauthorized access to saved usernames and passwords, potentially in preparation for lateral movement.

This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.

Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.

The rule detects a sequence of events indicating a potential privilege escalation attempt on Linux systems where a non-root user performs namespace activity using unshare, followed by the execution of a root process shortly after.

This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.

This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.

Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.

Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.

Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.

Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.

Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.

Detects the execution of `gpresult.exe` with arguments `/z`, `/v`, `/r`, or `/x` on Windows systems, which attackers may use during reconnaissance to enumerate Group Policy Objects and identify opportunities for privilege escalation or lateral movement.

This rule identifies the installation of potentially malicious browser extensions, which adversaries can leverage for persistence and unauthorized activity by monitoring file creation events in common browser extension directories on Windows systems.

The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.

Adversaries can achieve persistence by abusing the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program after a job finishes, leading to arbitrary code execution and system compromise.

This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.

The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.

This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.

This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.

This rule detects potential privilege escalation attempts on Linux systems by identifying processes running with root privileges but initiated by non-root users, indicative of SUID/SGID abuse.

This rule uses alert data to identify hosts with multiple alerts across different ATT&CK tactics, indicating a higher likelihood of compromise and enabling analysts to prioritize triage and response based on accumulated risk score.

Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.

Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.

Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.

This rule identifies when multiple different alerts involving the same user are triggered, which could indicate a compromised user account and requires further investigation.

Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.

This rule detects potential PowerShell HackTool scripts by identifying script block content containing known offensive-tool author handles or attribution strings, indicative of attackers using public tooling with minimal modifications.

This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.

This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.

This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.

This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.

This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.

Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.

The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.

The execution of a Linux shell process from a Java JAR application following an incoming network connection may indicate reverse shell activity.

This detection rule identifies attempts to establish persistence on Windows systems by creating scheduled jobs in the Windows Tasks directory, excluding known legitimate jobs.

Detection of access attempts to the LSASS handle, indicating potential credential dumping by monitoring API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting lsass.exe.

This brief documents the detection of Cobalt Strike command and control activity through identifying specific domain naming conventions used by its implant beacons, indicative of network attack and exploitation campaigns.

This rule detects suspicious child processes of WerFault.exe, a Windows error reporting tool, indicating potential abuse of the SilentProcessExit registry key to execute malicious processes stealthily for defense evasion, persistence, and privilege escalation.

Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

Detection of runc init child processes with root effective user and non-root login user ID, indicating potential container privilege escalation.

Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.

This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.

This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.

Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.

Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.

This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.

The rule detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to container escape and privilege escalation.

Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.

Detection of suspicious Windows processes using DNS queries to determine the external IP address, potentially indicating reconnaissance or preparation for command and control activity.

The rule detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities, allowing attackers to inject malicious sidecars, block security tooling, or exfiltrate pod specifications.

This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.

Detection of Console Window Host (conhost.exe) being spawned by unusual parent processes, potentially indicating code injection or other malicious activity on Windows systems.

Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.

This rule detects potential fake CAPTCHA phishing attacks on Windows systems where victims are tricked into copying and pasting malicious commands into the Windows Run dialog box.

Detection of InstallUtil.exe making outbound network connections, which can indicate adversaries leveraging it to execute code and evade detection by proxying execution through a trusted system binary.

Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.

This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.

Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a JavaScript context), which adversaries may abuse to run malicious JavaScript for execution or staging.

Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.

This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.

Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.

This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

This rule identifies the use of bcdedit.exe to modify boot configuration data, which may be indicative of a destructive attack or ransomware activity aimed at inhibiting system recovery by disabling error recovery or ignoring boot failures.

Detects suspicious command execution via WMI on a Windows host, potentially indicating lateral movement by an adversary using cmd.exe to execute commands remotely.

Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.

This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.

This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.

An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.

Detects remote access to the registry, potentially dumping credential data from the Security Account Manager (SAM) registry hive, indicating preparation for credential access and privilege elevation.

This rule detects nsenter executions that target a PID with a namespace target flag, a common pattern used to attach to the host init namespace from a container or session and run with host context, potentially escalating privileges.

This analytic identifies suspicious programs such as script interpreters, rundll32, or MSBuild being executed shortly after user logon, indicating potential persistence mechanisms abusing the registry run keys.

This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.

Adversaries abuse the Console Window Host (conhost.exe) with the `--headless` argument to proxy execution of malicious commands, evading detection by blending in with legitimate Windows software.

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

This rule identifies script engines creating files or the creation of script files in the Windows Startup folder, a persistence technique used by adversaries to automatically execute scripts upon user login.

Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.

The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.

This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.

Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to privileged container creation and unauthorized access to sensitive data.

This rule identifies potentially unsecured Elasticsearch nodes that lack TLS and/or authentication and are accepting inbound network connections, which could allow adversaries to gain initial access, exfiltrate data, or disrupt services.

Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.

This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

This detection identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped unsigned DLL, which indicates an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.

Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.

This rule detects suspicious execution of Microsoft Office applications launching Office Add-Ins from unusual paths or with atypical parent processes, potentially indicating an attempt to gain initial access via a malicious phishing campaign.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.

The modification of root certificates on Windows systems by unauthorized processes can allow attackers to masquerade malicious files as valid signed components and intercept/decrypt SSL traffic, leading to defense evasion and data collection.

Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.

Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.

Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.

Attackers may establish persistence by modifying the ReflectDebugger registry key associated with Windows Error Reporting to execute arbitrary code when Werfault is invoked with the '-pr' parameter.

Adversaries may leverage unusual system utilities such as Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe to execute code and evade detection, as identified by network connections originating from these processes.

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

Detection of processes modifying the Windows services registry key directly, potentially indicating stealthy persistence attempts via abnormal service creation or modification.

The detection rule identifies cmd.exe instances spawned by uncommon parent processes, such as lsass.exe, csrss.exe, or regsvr32.exe, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection.

This threat brief details a UAC bypass technique leveraging the Internet Explorer Add-On Installer (ieinstal.exe) and Component Object Model (COM) to execute arbitrary code with elevated privileges.

The rule identifies the use of sc.exe to create, modify, or start services on remote hosts, potentially indicating lateral movement by adversaries.

Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

This rule detects suspicious mofcomp.exe activity, which attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes and system accounts.

Adversaries may modify the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.

Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.

This detection identifies the creation of HTML files with high entropy and large size, followed by execution via a browser process, indicating potential HTML smuggling and malicious payload delivery on Windows systems.

This rule detects suspicious Node.js execution patterns on Windows systems, including user-writable runtimes, preload arguments, and inline eval, decode, or child-process usage, indicating potential malicious activity.

Adversaries may leverage the Windows Subsystem for Linux (WSL) to execute malicious Linux commands, bypassing traditional Windows security measures, detected by monitoring process execution and command-line arguments.

This rule detects suspicious parent processes of endpoint security solutions such as Elastic Defend, Microsoft Defender, and SentinelOne, indicating potential process hollowing or code injection attempts to evade detection.

Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.

A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.

Attackers can abuse Windows Work Folders to execute a masqueraded control.exe file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.

Detection of scheduled task creation by Windows scripting engines like cscript.exe, wscript.exe, or powershell.exe, used by adversaries to establish persistence on compromised systems.

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

This rule detects the execution of renamed utilities with a single-character process name, differing from the original filename, a common technique used by adversaries for staging, executing temporary utilities, or bypassing security detections.

The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.

This rule detects remote file copy attempts to hidden network shares, which may indicate lateral movement or data staging activity, by identifying suspicious file copy operations using command-line tools like cmd.exe and powershell.exe focused on hidden share patterns.

Modification of the AppInit DLLs registry keys on Windows systems allows attackers to execute code in every process that loads user32.dll, establishing persistence and potentially escalating privileges.

Detection of registry modifications related to AppCert DLLs, a persistence mechanism where malicious DLLs are loaded by every process using common API functions.

An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.

The rule identifies the use of PsExec.exe making a network connection, indicative of potential lateral movement by adversaries executing commands with SYSTEM privileges on Windows systems to disable defenses.

PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.

Detects PowerShell scripts using character array reconstruction to hide commands, URLs, or payloads, evading static analysis and AMSI.

This rule detects PowerShell scripts heavily obfuscated with whitespace and special characters, often used to evade static analysis and AMSI, by identifying scripts with low symbol diversity and a high proportion of whitespace and special characters.

Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys to establish persistence, which can evade traditional registry-based monitoring.

The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.

The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.

Detection of multiple nslookup.exe executions with explicit query types from a single host, potentially indicating command and control activity via DNS tunneling, where attackers abuse DNS for data infiltration or exfiltration.

Detection of potential direct Kubelet access via process arguments in Linux containers, which could lead to enumeration, execution, or lateral movement within the Kubernetes cluster.

This rule detects the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access by identifying specific command-line arguments and process names associated with credential dumping activities.

The rule identifies potential attempts to execute a reverse shell using the netcat utility to execute Windows commands via Cmd.exe or Powershell.

Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.

Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.

This rule detects newly observed, low-frequency, high-severity Elastic SIEM detection alerts affecting a single agent, helping prioritize triage and response by highlighting alerts tied to specific detection rules that have not been seen previously for the host.

The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.

This rule correlates multiple security alerts associated with the same ATT&CK tactic on a single host within a defined time window, helping to identify hosts exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity, focusing on Credential Access, Defense Evasion, Execution, and Command and Control tactics.

Mshta.exe making outbound network connections may indicate adversarial activity, as it is often used to execute malicious scripts and evade detection by proxying execution of untrusted code.

Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.

Detects the creation of 'mimilsa.log', the default log file created by the Mimikatz MemSSP module after injecting a malicious Security Support Provider into LSASS, potentially exposing credentials from subsequent logons on the host.

Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.

Adversaries can use Living-Off-The-Land Binaries (LOLBINs) such as expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to establish network connections, potentially bypassing security controls and facilitating malicious activities on Windows systems.

This rule flags potential reverse shell activity via kubectl exec commands in Kubernetes pods by detecting specific shell and socket idioms within URL-decoded command payloads in Kubernetes audit logs, indicating post-exploitation interactive access and command-and-control.

This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.

This rule detects incoming execution via Windows Remote Management (WinRM) remote shell on a target host, which could be an indication of lateral movement by monitoring network traffic on ports 5985 or 5986 and processes initiated by WinRM.

This rule detects file creation and modification on the host system from the Windows Subsystem for Linux (WSL), potentially indicating defense evasion by adversaries.

Detection of the creation or modification of new Group Policy based scheduled tasks or services, which can be abused by attackers with domain admin permissions to execute malicious payloads remotely on domain-joined machines, leading to privilege escalation and persistence.

The rule identifies the load of previously unseen drivers, which may indicate attackers exploiting vulnerable drivers for privilege escalation and persistence.

This detection identifies attempts to execute programs from the Windows Subsystem for Linux (WSL) to evade detection by flagging suspicious executions initiated by WSL processes and excluding known safe executables.

This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.

This rule identifies the creation and subsequent execution of a Windows script downloaded from the internet, a technique used by adversaries for initial access and execution on Windows systems.

Detects process execution from removable media by an unusual process with untrusted code signature followed by network connection attempts, potentially indicating malware introduced via removable media for initial access.

Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.

This rule detects registry write modifications hiding encoded portable executables, indicative of adversary defense evasion by avoiding storing malicious content directly on disk.

Adversaries may modify the RunAsPPL registry key to disable LSA protection, which prevents nonprotected processes from reading memory and injecting code, potentially leading to credential access.

Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.

This threat brief details the detection of malicious Windows Management Instrumentation (WMI) event subscriptions, a technique used by attackers for persistence and privilege escalation on Windows systems.

Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects through Component Object Model (COM) hijacking via registry modification on Windows systems.

Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.

Adversaries may use the Windows forfiles utility to proxy command execution via a trusted parent process, potentially evading detection.

Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.

The execution of `rundll32.exe` without arguments, followed by a child process execution, indicates potential abuse of Rundll32 for proxy execution or payload handoff, often employed for defense evasion on Windows systems.

Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.

Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.

Attackers can establish persistence and evade defenses by modifying the Debugger and SilentProcessExit registry keys to perform Image File Execution Options (IFEO) injection, allowing them to intercept file executions and run malicious code.

Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.

This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.

Adversaries can use attrib.exe to add the 'hidden' attribute to files to hide them from users and evade detection, which can be detected by monitoring process executions related to attrib.exe.