Suspicious PowerShell Engine ImageLoad
medium | advisory | 2 rules, 1 TTP
This rule identifies instances where the PowerShell engine assembly (System.Management.Automation) is loaded by a process other than powershell.exe. Attackers host the engine inside their own process to run PowerShell code without ever starting powershell.exe, so that controls and monitoring keyed on that host process never see it.
Vendor: Elastic Defend
Tags: powershell, execution, windows
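As an added example, not Elastic Defend's own rule logic (which this page does not reproduce), the following Python runs the check described above over a few constructed image-load events. The engine assembly names are real; the event shape, the sample hosts and processes, the list of expected engine hosts and the Microsoft Windows signer exclusion are assumptions to tune against your own baseline.

```python
"""Added example, not Elastic's rule: flag loads of the PowerShell engine
assembly by a process other than the expected PowerShell hosts.

Event shape and sample events are constructed for this example; the expected
host list and the signer exclusion are assumptions to tune per environment."""
from dataclasses import dataclass
from typing import Iterable, List

# IL and native-image (ngen) forms of the engine assembly.
ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}

# Assumption: hosts that legitimately load the engine. Add others you expect
# (sqlps.exe, ServerManager.exe, ...) only after checking your own baseline.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


@dataclass
class ImageLoad:
    host: str
    process_name: str
    process_pid: int
    dll_path: str
    signer: str = ""            # code-signature subject of the loading process
    signer_trusted: bool = False


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_engine_load(ev: ImageLoad) -> bool:
    """True when the PowerShell engine is loaded by an unexpected host process."""
    if basename(ev.dll_path) not in ENGINE_DLLS:
        return False                       # some other DLL; not our concern
    if ev.process_name.lower() in EXPECTED_HOSTS:
        return False                       # the normal host
    # Assumed exclusion: validly signed Microsoft Windows components also host
    # the engine (a common tuning step). A signature that did not validate
    # never excludes, whatever subject name it carries.
    if ev.signer_trusted and ev.signer == "Microsoft Windows":
        return False
    return True


def find_suspicious_loads(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    return [ev for ev in events if is_suspicious_engine_load(ev)]


GAC = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
       r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed sample telemetry (not real host data).
SAMPLE_EVENTS = [
    ImageLoad("ws01", "powershell.exe", 4120, GAC,
              signer="Microsoft Windows", signer_trusted=True),
    # Unsigned binary pulling in the engine: the pattern the rule is after.
    ImageLoad("ws01", "updater.exe", 5332, GAC),
    # Signed Windows component hosting the engine; excluded by the assumed tuning.
    ImageLoad("ws02", "ServerManager.exe", 812, GAC,
              signer="Microsoft Windows", signer_trusted=True),
    # Spoofed signer name that did not validate is still flagged.
    ImageLoad("ws03", "svchost.exe", 9001, GAC,
              signer="Microsoft Windows", signer_trusted=False),
    # Unrelated DLL load; ignored.
    ImageLoad("ws03", "notepad.exe", 2288, r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for ev in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{ev.host}: {ev.process_name} (pid {ev.process_pid}) "
              f"loaded {basename(ev.dll_path)}")
```

The exclusion on a validated Microsoft Windows signature is where most tuning happens in practice: without it the check fires on every Windows component that hosts the engine, with it an attacker who gets a binary signed by anyone else is still caught.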
Remote Execution via File Shares
medium | advisory | 2 rules, 2 TTPs
This rule identifies the execution of a file that was written by the virtual System process (PID 4, which performs the local disk write for files arriving over SMB), potentially indicating lateral movement via network file shares in Windows environments: a binary copied to an administrative share and then run on the target host.
Tags: lateral-movement, file-share, windows
Remote Execution via File Shares
medium | advisory | 2 rules, 2 TTPs
The rule identifies the execution of a file created by the virtual System process (PID 4), potentially indicating lateral movement via network file shares. It detects a sequence on the same host: a file creation or modification by the System process followed by a process start whose executable is that file, excluding binaries signed by trusted vendors.
Vendor: Elastic Defend
Tags: lateral-movement, file-shares, windows
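The two "Remote Execution via File Shares" entries above describe the same sequence logic; as an added example serving both (not Elastic Defend's rule, which the page does not reproduce), the following Python correlates constructed file and process events per host. The use of PID 4 for the System process is real; the event shape, the five-minute window, the trusted-vendor list and the sample events are assumptions made for this example.

```python
"""Added example, not Elastic's rule: stateful sequence detection for
"remote execution via file shares". A file written by the System process
(PID 4, which performs the local disk write for inbound SMB copies) that is
later executed on the same host is reported, unless the executed binary
carries a validated signature from an assumed trusted-vendor list.

Event shape, the trusted-vendor list, the time window and the sample events
are all constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

SYSTEM_PID = 4

# Assumption: the page says trusted vendors are excluded but not which ones.
TRUSTED_VENDORS = {"Microsoft Windows", "Microsoft Corporation"}


@dataclass
class Event:
    ts: datetime
    host_id: str
    category: str        # "file" or "process"
    action: str          # file: "creation" | "change"; process: "start"
    pid: int             # process that performed the action
    path: str            # file.path, or process.executable for a start
    signer: str = ""
    signer_trusted: bool = False


def detect_share_execution(events: Iterable[Event],
                           maxspan: timedelta = timedelta(minutes=5)
                           ) -> List[Tuple[str, str, datetime, datetime]]:
    """Return (host_id, path, written_at, executed_at) for each match of
    [file written by PID 4] -> [process start of that path] within maxspan,
    correlated per host."""
    pending = defaultdict(dict)          # host_id -> {path_lower: written_at}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.path.lower()
        if (ev.category == "file" and ev.pid == SYSTEM_PID
                and ev.action in ("creation", "change")):
            pending[ev.host_id][key] = ev.ts     # latest System write wins
        elif ev.category == "process" and ev.action == "start":
            written_at = pending[ev.host_id].pop(key, None)
            if written_at is None or ev.ts - written_at > maxspan:
                continue                         # no recent System write
            if ev.signer_trusted and ev.signer in TRUSTED_VENDORS:
                continue                         # trusted-vendor exclusion
            hits.append((ev.host_id, ev.path, written_at, ev.ts))
    return hits


T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample telemetry (not real host data).
SAMPLE_EVENTS = [
    # srv01: binary dropped over an admin share (written by System), then run.
    Event(T0, "srv01", "file", "creation", 4, r"C:\Windows\Temp\svc.exe"),
    Event(T0 + timedelta(seconds=20), "srv01", "process", "start", 3344,
          r"C:\Windows\Temp\svc.exe"),
    # srv02: same shape, but the binary is validly signed by a trusted vendor.
    Event(T0, "srv02", "file", "creation", 4, r"C:\Program Files\Agent\agent.exe"),
    Event(T0 + timedelta(seconds=5), "srv02", "process", "start", 560,
          r"C:\Program Files\Agent\agent.exe",
          signer="Microsoft Corporation", signer_trusted=True),
    # srv03: written by a local interactive process, not by the System process.
    Event(T0, "srv03", "file", "creation", 1234, r"C:\Users\bob\Downloads\tool.exe"),
    Event(T0 + timedelta(seconds=3), "srv03", "process", "start", 1300,
          r"C:\Users\bob\Downloads\tool.exe"),
    # srv01: System write, but execution only an hour later; outside maxspan.
    Event(T0, "srv01", "file", "change", 4, r"C:\Windows\Temp\old.exe"),
    Event(T0 + timedelta(hours=1), "srv01", "process", "start", 4100,
          r"C:\Windows\Temp\old.exe"),
    # Cross-host: a write on srv04 must not pair with a start on srv05.
    Event(T0, "srv04", "file", "creation", 4, r"C:\Windows\Temp\x.exe"),
    Event(T0 + timedelta(seconds=1), "srv05", "process", "start", 77,
          r"C:\Windows\Temp\x.exe"),
]

if __name__ == "__main__":
    for host, path, w, x in detect_share_execution(SAMPLE_EVENTS):
        print(f"{host}: {path} written by System at {w:%H:%M:%S}, "
              f"executed at {x:%H:%M:%S}")
```

Only the srv01 case is reported: the trusted-vendor exclusion, the PID 4 requirement, the per-host correlation and the window each drop one of the decoys. Widening the window (for example to two hours) would also catch the delayed old.exe execution, which is the usual trade-off when tuning maxspan.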