
Deployable detection rules


Elastic ESQL high
Alerts From Multiple Integrations by User Name
This rule uses alert data to determine when multiple alerts from different integrations, with distinct event categories, are triggered for the same user.name. Analysts can use this to prioritize triage and response, as such users are more likely to be compromised.
from .alerts-security.*

// any alerts excluding low severity (risk score <= 21) and the noisy ones. threat_match and
// machine_learning rule types are dropped, as are the well-known Windows service SIDs
// (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and uid 0, and other higher-order correlation
// rules so that this rule does not feed on its own (or a sibling's) output.
// NOTE(review): the grouping below is by the bare user.name/user.id pair, so the same short name in
// different domains or on unrelated hosts is folded into one identity — confirm this is acceptable,
// or add user.domain to the grouping key.
| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score > 21 and
        not kibana.alert.rule.type in ("threat_match", "machine_learning") and 
        not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20", "0") and
        not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """) and
        // Top noisy influencing rules (excluded by rule_id, so a renamed rule stays excluded)
        // Agent Spoofing - Mismatched Agent ID
        // Compression DLL Loaded by Unusual Process
        // Process Termination followed by Deletion 
        // Suspicious PrintSpooler Service Executable File Creation
        // Potential PrintNightmare File Modification
        // Multiple Vault Web Credentials Read
        // Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
        not kibana.alert.rule.rule_id in ("3115bd2c-0baa-4df0-80ea-45e474b5ef93", "d197478e-39f0-4347-a22f-ba654718b148", "09443c92-46b3-45a4-8f25-383b028b258d", "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "5e87f165-45c2-4b80-bfa5-52822552c997", "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "994e40aa-8c85-43de-825e-15f665375ee8")
        
// group alerts by user.name and user.id and extract values of interest for alert triage
| stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
        Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
        Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
        Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
        Esql.event_module_values = VALUES(event.module),
        Esql.rule_name_values = VALUES(kibana.alert.rule.name),
        Esql.message_values = VALUES(message),
        Esql.event_category_values = VALUES(event.category),
        Esql.event_action_values = VALUES(event.action),
        Esql.source_ip_values = VALUES(source.ip),
        Esql.destination_ip_values = VALUES(destination.ip),
        Esql.host_id_values = VALUES(host.id),
        Esql.agent_id_values = VALUES(agent.id),
        // despite the name this holds the raw risk score values, not severity labels
        Esql.rule_severity_values = VALUES(kibana.alert.risk_score) by user.name, user.id

// filter for alerts involving the same user.name that were reported by different integrations with
// unique categories and with different severity levels (or a single high/critical score of 73 or 99).
// NOTE(review): Esql.rule_severity_values is multi-valued; ES|QL comparisons on a multi-valued column
// yield null, so the two equality checks can only be true when exactly one distinct risk score was
// seen — i.e. the case the distinct-count branch does not cover. Confirm this is the intent.
| where Esql.event_module_distinct_count >= 2 and Esql.event_category_distinct_count >= 2 and (Esql.rule_risk_score_distinct_count >= 2 or Esql.rule_severity_values == 73 or Esql.rule_severity_values == 99)
// user.id is part of the grouping key but is dropped here; add it back if analysts need the SID/uid
| keep user.name, Esql.*
Elastic ESQL high
Alerts in Different ATT&CK Tactics by Host
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered and where the accumulated risk score is higher than a defined threshold. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
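from .alerts-security.*  metadata _id

// filter for alerts with a populated risk score, excluding threat_match rules, deprecated rules and
// some other noisy ones. host.id and event.dataset must be present for the per-host grouping below.
| where kibana.alert.risk_score > 0 and
        kibana.alert.rule.name IS NOT NULL and
        host.id is not null and event.dataset is not null and
        kibana.alert.rule.type != "threat_match" and
        // Top noisy influencing rules (excluded by display name: a renamed rule silently re-enters the set)
        not kibana.alert.rule.name in ("Agent Spoofing - Mismatched Agent ID", "Compression DLL Loaded by Unusual Process", "Process Termination followed by Deletion", "Suspicious PrintSpooler Service Executable File Creation", "Potential PrintNightmare File Modification") and
        not kibana.alert.rule.name like "Deprecated - *" and
        // keep other correlation rules out so this rule does not feed on their output
        not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)

// extract unique counts and values by host.id
| stats Esql.alerts_count = COUNT(*),
        Esql.kibana_alert_rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
        Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
        Esql.event_module_values = VALUES(event.module),
        Esql.kibana_alert_rule_name_values = VALUES(kibana.alert.rule.name),
        Esql.threat_tactic_id_distinct_count = COUNT_DISTINCT(kibana.alert.rule.threat.tactic.id),
        Esql.threat_tactic_name_values = VALUES(kibana.alert.rule.threat.tactic.name),
        Esql.kibana_alert_risk_score_sum = sum(kibana.alert.risk_score),
        Esql.process_executable_values = VALUES(process.executable),
        Esql.process_parent_executable_values = VALUES(process.parent.executable),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.process_entity_id_distinct_count = COUNT_DISTINCT(process.entity_id) by host.id

// average risk per alert: divide the sum of risk scores by the total number of alerts
| eval Esql.risk_alerts_count_ratio = Esql.kibana_alert_risk_score_sum/Esql.alerts_count

// filter for risky hosts: at least 5 distinct rules spanning at least 3 ATT&CK tactics and an
// average risk score of 50 or more. The duplicated tactic-count condition has been removed.
// NOTE(review): the alerts_count <= 500 cap keeps a single extremely noisy host (usually a
// misconfiguration) from dominating results, but it also means a host that crosses 500 alerts
// drops out of this rule entirely — pair it with volume-based alerting if that matters.
| where Esql.kibana_alert_rule_name_distinct_count >= 5 and Esql.threat_tactic_id_distinct_count >= 3 and Esql.alerts_count <= 500 and Esql.risk_alerts_count_ratio >= 50

// fields populated in the resulting alert
| keep host.id,
       Esql.alerts_count,
       Esql.kibana_alert_risk_score_sum,
       Esql.risk_alerts_count_ratio,
       Esql.kibana_alert_rule_name_distinct_count,
       Esql.event_module_values,
       Esql.kibana_alert_rule_name_values,
       Esql.threat_tactic_name_values,
       Esql.process_executable_values,
       Esql.process_parent_executable_values,
       Esql.process_command_line_values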
Attempt to Clear Kernel Ring Buffer
Monitors for clearing of the kernel ring buffer via dmesg (-c, -C, --clear or --read-clear). Attackers may clear kernel ring buffer messages to remove traces after loading a Linux kernel module (LKM). This activity is commonly observed in intrusions that leverage kernel-level rootkits to maintain persistence on a compromised host.
// Linux process-start events (ECS plus several third-party agent action names) where dmesg is run with a
// flag that clears the kernel ring buffer. The flags are matched exactly, one args element at a time,
// so both "-c" and "-C" are listed; a combined short option (e.g. "-cT") would presumably not match.
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "dmesg" and process.args in ("-c", "-C", "--clear", "--read-clear")
Elastic EQL high T1202, T1059, T1059.004 ↗
Attempt to Install or Run Kali Linux via WSL
Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
// Two ways of seeing Kali on WSL: wsl.exe asked to install or select a distribution whose name starts
// with "kali", or direct execution of the Kali app package / app-execution alias. The ":" operator is a
// case-insensitive wildcard match; "?:" stands for any drive letter. The second path group repeats the
// same locations in NT object-path form for sensors (CrowdStrike) that report them that way.
process where host.os.type == "windows" and event.type == "start" and
(
  (process.name : "wsl.exe" and process.args : ("-d", "--distribution", "-i", "--install") and process.args : "kali*") or
  process.executable : (
    "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*",
    "?:\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
    "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe",

    /* Crowdstrike specific exclusion as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\packages\\kalilinux*",
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
    "\\Device\\HarddiskVolume*\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe"
  )
)
Attempt to Unload Elastic Endpoint Security Kernel Extension
Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.
// macOS: kextunload invoked against the Elastic Endpoint Security kernel extension, matched by bundle id
// suffix, full path or bundle name (like~ is a case-insensitive wildcard match).
// NOTE(review): this only covers the legacy kext unload path; presumably unloading via the system
// extension mechanism would not be seen by this rule — confirm against the endpoint version in use.
process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.name == "kextunload" and process.args like~ ("*.EndpointSecurity", "/System/Library/Extensions/EndpointSecurity.kext", "EndpointSecurity.kext")
Elastic KQL high T1111 ↗
Attempted Bypass of Okta MFA
Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.
event.action:user.mfa.attempt_bypass and data_stream.dataset:okta.system
Elastic KQL high T1078 ↗
Auditd Login from Forbidden Location
Identifies that a login attempt has happened from a forbidden location.
event.action:"attempted-log-in-from-unusual-place-to" and event.module:auditd
Elastic KQL high T1490 ↗
Azure Compute Restore Point Collections Deleted
Identifies multiple Azure Restore Point Collections being deleted by a single user within a short time period. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Mass deletion of these collections is a common tactic used by adversaries during ransomware attacks to prevent victim recovery or to maximize impact during destructive operations. Multiple deletions in rapid succession may indicate malicious intent.
data_stream.dataset: azure.activitylogs and
    event.outcome: (Success or success) and
    event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"
Elastic KQL high T1098, T1098.003 ↗
Azure RBAC Built-In Administrator Roles Assigned
Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.
data_stream.dataset: azure.activitylogs and
    azure.activitylogs.properties.requestbody.properties.roleDefinitionId: (
      *18d7d88d-d35e-4fb5-a5c3-7773c20a72d9* or
      *f58310d9-a9f6-439a-9e8d-f62e7b41a168* or
      *b24988ac-6180-42a0-ab88-20f7382dd24c* or
      *8e3af657-a8ff-443c-a75c-2fe8c4bcb635* or
      *92b92042-07d9-4307-87f7-36a593fc5850* or
      *a8889054-8d42-49c9-bc1c-52486c10e7cd*
    ) and
    event.action: "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
Elastic KQL high T1485, T1489 ↗
Azure Storage Account Deletions by User
Identifies when a single user or service principal deletes multiple Azure Storage Accounts within a short time period. This behavior may indicate an adversary attempting to cause widespread service disruption, destroy evidence, or execute a destructive attack such as ransomware. Mass deletion of storage accounts can have severe business impact and is rarely performed by legitimate administrators except during controlled decommissioning activities.
azure.activitylogs.identity.claims_initiated_by_user.name: * and
    azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE" and
    data_stream.dataset: azure.activitylogs
BPF filter applied using TC
Detects when the tc (traffic control) binary is used to attach a BPF (Berkeley Packet Filter) classifier to a network interface. tc configures traffic control in the Linux kernel: it can shape, schedule, police and drop traffic. A threat actor can use tc to attach a BPF filter to an interface in order to manipulate incoming traffic. This is uncommon and should be treated as abnormal, suspicious or malicious activity.
// tc (traffic control) adding a BPF classifier. process.args is a list and each "==" matches any element,
// so "filter", "add" and "bpf" must all be present but their order is not enforced. libvirtd programs tc
// filters legitimately and is excluded; the leading "?" makes the parent-executable check tolerate a
// missing field instead of failing the whole expression.
// NOTE(review): the executable is pinned to /usr/sbin/tc — a copy or a distro shipping tc under
// /sbin or /usr/bin would not match.
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.executable == "/usr/sbin/tc" and process.args == "filter" and process.args == "add" and process.args == "bpf" and
not ?process.parent.executable == "/usr/sbin/libvirtd"
Base64 Decoded Payload Piped to Interpreter
This rule detects when a base64 decoded payload is piped to an interpreter on Linux systems. Adversaries may use base64 encoding to obfuscate data and pipe it to an interpreter to execute malicious code. This technique may be used to evade detection by host- or network-based security controls.
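// Two process starts sharing the same host and the same parent (i.e. a shell running a pipeline) within
// 3 seconds: first a base64-style decoder, then an interpreter. Stage 1 covers the coreutils base*
// tools with a "-d"-style flag, openssl enc in decode/base64 mode, python's base64 module or an inline
// b64decode one-liner, perl decode_base64 and ruby Base64.decode64.
sequence by host.id, process.parent.entity_id with maxspan=3s
  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and (
    (process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and process.command_line like~ "*-*d*") or
    (process.name == "openssl" and process.args == "enc" and process.args in ("-d", "-base64", "-a")) or
    /* Both python forms are grouped under the python* name check. As previously written, "and" bound
       tighter than "or", so the "-c ... b64decode" branch applied to any process name. */
    (process.name like "python*" and (
      (process.args == "base64" and process.args in ("-d", "-u", "-t")) or
      (process.args == "-c" and process.args like "*base64*" and process.command_line like~ "*b64decode*")
    )) or
    (process.name like "perl*" and process.command_line like~ "*decode_base64*") or
    (process.name like "ruby*" and process.args == "-e" and process.command_line like~ "*Base64.decode64*")
  )]
 // Stage 2: a shell or scripting interpreter, minus known benign pipelines (test harnesses, dpkg
 // maintainer scripts, zeek builds, apt-key, python-spawned python). The "?" prefix makes optional
 // fields tolerate absence. NOTE(review): the exclusions are exact string / path matches, so a
 // benign entry that changes slightly will start alerting again rather than fail open.
 [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name like~ (
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*"
  ) and
  not (
    ?process.parent.command_line in (
      "bash ./run_tests.sh unit-integration",
      "/bin/sh /var/lib/dpkg/info/nmap-common.postinst configure",
      "bash -c base64 -d <<< Zm9yIHN2YyBpbiBxZW11LWt2bSBvdnMtdnN3aXRjaGQgbGlidmlydGQgdmlydGxvY2tkIHBhY2VtYWtlciBwY3NkOyBkbyBzeXN0ZW1jdGwgaXMtYWN0aXZlICRzdmM7IGRvbmU= | bash -l"
    ) or
    process.command_line == "/usr/bin/perl /usr/bin/shasum -a 256" or
    ?process.working_directory like (
      "/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install",
      "/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek"
    ) or
    (?process.parent.name == "zsh" and ?process.parent.command_line like "*extendedglob*") or
    (process.name like "python*" and ?process.parent.name == "python*") or
    process.args like "/tmp/apt-key-gpghome*"
  )]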
Elastic EQL high T1059, T1036 ↗
Binary Executed from Shared Memory Directory
Identifies the execution of a binary by root from Linux shared-memory and runtime directories (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.
// Root (uid 0) executing a binary from /dev/shm, /run/shm, /var/run or /var/lock. Exclusions cover
// container runtimes (docker paths, "runc init" parent, argoexec), s6 supervision, the Cloudera agent
// and the Sandfly scanner, which legitimately place executables there.
// NOTE(review): the exclusions are path-based, so anything an attacker drops under e.g. /var/run/docker/
// would also be excluded; consider tightening them to specific executables if the sensor allows.
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
user.id == "0" and process.executable like ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
not (
  process.executable : (
    "/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*",
    "/var/run/argo/argoexec", "/dev/shm/*.*/sandfly"
  ) or
  process.parent.command_line == "/usr/bin/runc init"
)
Browser Process Spawned from an Unusual Parent
Identifies instances where a browser is launched with remote debugging, headless automation, or minimal arguments from an unusual parent process. This may indicate an attempt to broker or tamper with a browser session for credential theft.
// Chrome or Edge started with a bare command line, a headless variant, or a remote-debugging port
// (922x plus an off-screen window position), from a parent that is not Explorer, an application under
// Program Files, or the usual session brokers. process.parent.executable must be populated so that
// events with no parent information do not match by default.
// NOTE(review): the "Program Files*\\*.exe" parent exclusions are broad — any executable installed under
// those trees, including an attacker-dropped one, is excluded. Narrow them to known vendors if alert
// volume allows.
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("chrome.exe", "msedge.exe") and
  process.parent.executable != null and
  (
    process.command_line : (
            "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --disable-logging --log-level=3 --v=0",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --log-level=3",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=922? --profile-directory=\"Default\"*",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --restore-last-session --remote-debugging-port=45452*"
    ) or
    (process.args : "--remote-debugging-port=922?" and process.args : "--window-position=-*,-*")
  ) and
  not process.parent.executable :
                         ("C:\\Windows\\explorer.exe",
                          "C:\\Program Files (x86)\\*.exe",
                          "C:\\Program Files\\*.exe",
                          "C:\\Windows\\System32\\rdpinit.exe",
                          "C:\\Windows\\System32\\sihost.exe",
                          "C:\\Windows\\System32\\RuntimeBroker.exe",
                          "C:\\Windows\\System32\\SECOCL64.exe")
Elastic EQL high T1548, T1548.002 ↗
Bypass UAC via Event Viewer
Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
// Any child of eventvwr.exe other than the expected mmc.exe (and WerFault.exe on a crash). The "?:"
// prefix stands for any drive letter; the second group repeats the same paths in NT object-path form
// with "Sys?????" covering both System32 and SysWOW64 for sensors that report paths that way.
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "eventvwr.exe" and
  not process.executable : (
        "?:\\Windows\\SysWOW64\\mmc.exe",
        "?:\\Windows\\System32\\mmc.exe",
        "?:\\Windows\\SysWOW64\\WerFault.exe",
        "?:\\Windows\\System32\\WerFault.exe",

        /* Crowdstrike specific exclusion as it uses NT Object paths */
        "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
        "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe"
  )
Elastic KQL high T1611 ↗
Chroot Execution in Container Context on Linux
Detects chroot execution on Linux when the process appears to run in a container-oriented context: the process title matches runc init, the entry leader is a container workload, or the parent process is runc. Chroot from inside a container can pivot to an alternate root filesystem and is a common step in container breakout attempts when combined with sensitive host mounts.
host.os.type:linux and event.category:process and event.type:start and
event.action:(executed or exec) and
(process.title:"runc init" or process.entry_leader.entry_meta.type:"container" or process.parent.name:("runc" or "containerd-shim-runc-v2")) and
(process.name:"chroot" or process.args:("chroot" or "/bin/chroot" or "/usr/bin/chroot" or "/usr/local/bin/chroot"))
Cobalt Strike Command and Control Beacon
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects the hostname pattern used by Cobalt Strike beacon stagers for command and control: three lowercase letters, "stage", an eight-digit number, then the parent domain.
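((event.category: (network OR network_traffic) AND network.protocol: (tls OR http))
    OR data_stream.dataset: (network_traffic.tls OR network_traffic.http)
) AND destination.domain:/[a-z]{3}\.stage\.[0-9]{8}\..*/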
Elastic EQL high T1027, T1027.010 ↗
Command Obfuscation via Unicode Modifier Letters
Identifies the presence of Unicode modifier letters in the process command_line. Adversaries sometimes replace ASCII characters with visually similar Unicode modifier letters to evade simple string-based detections.
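// Living-off-the-land binaries, matched by process name or (to catch renamed copies) by PE original
// file name, whose command line contains at least one Unicode modifier letter. The character classes
// span U+02B0–U+02FF (Spacing Modifier Letters) and U+1D2C–U+1D7B (the modifier-letter part of
// Phonetic Extensions). "procdump" without ".exe" in the second list matches that tool's original
// file name as recorded in its PE header.
process where host.os.type == "windows" and event.type == "start" and
  (
    process.name : (
      "reg.exe", "net.exe", "net1.exe", "certutil.exe", "MSHTA.EXE", "msiexec.exe", "bitsadmin.exe", "CertReq.exe",
      "PrintBrm.exe", "MSBuild.exe", "wuauclt.exe", "curl.exe", "wget.exe", "ssh.exe", "Cmd.Exe", "PowerShell.EXE",
      "CONHOST.EXE", "wscript.exe", "cscript.exe", "REGSVR32.EXE", "RUNDLL32.EXE", "procdump.exe", "ntdsutil.exe",
      "diskshadow.exe", "schtasks.exe", "sc.exe", "wmic.exe", "VSSADMIN.EXE", "WBADMIN.EXE", "iCACLS.EXE",
      "sftp.exe", "scp.exe", "esentutl.exe", "InstallUtil.exe", "wevtutil.exe"
    ) or
    ?process.pe.original_file_name in (
      "reg.exe", "net.exe", "net1.exe", "CertUtil.exe", "MSHTA.EXE", "msiexec.exe", "bitsadmin.exe", "CertReq.exe",
      "PrintBrm.exe", "MSBuild.exe", "wuauclt.exe", "curl.exe", "wget.exe", "ssh.exe", "Cmd.Exe", "PowerShell.EXE",
      "CONHOST.EXE", "wscript.exe", "cscript.exe", "REGSVR32.EXE", "RUNDLL32.EXE", "procdump", "ntdsutil.exe",
      "diskshadow.exe", "schtasks.exe", "sc.exe", "wmic.exe", "VSSADMIN.EXE", "WBADMIN.EXE", "iCACLS.EXE",
      "sftp.exe", "scp.exe", "esentutl.exe", "InstallUtil.exe", "wevtutil.exe"
    )
 ) and
 /* NOTE(review): as published, the pattern ended in a space before the closing quotes. A regex here
    must match the whole command line, so that would have required the line to end with a space;
    the trailing space is dropped. */
 process.command_line regex """.*[ʰ-˿ᴬ-ᶻ]+.*"""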
Command and Scripting Interpreter via Windows Scripts
Identifies PowerShell, PowerShell ISE, or Cmd execution spawned from Windows Script Host or MSHTA.
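// PowerShell, pwsh, PowerShell ISE or cmd spawned by wscript.exe or mshta.exe, matched by process name or
// by PE original file name (renamed copies). process.command_line must be populated for the
// exclusions below to be meaningful.
// NOTE(review): the parent list does not include cscript.exe, although the description speaks of
// Windows Script Host generally. The "-File and -ExecutionPolicy" exclusion also removes any script
// launched as e.g. "-ExecutionPolicy Bypass -File x.ps1" from wscript/mshta, which is a common
// malicious pattern — consider scoping it to a known script path.
process where host.os.type == "windows" and event.type == "start" and
  process.command_line != null and
  (
    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or
    ?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe")
  ) and
  process.parent.name : ("wscript.exe", "mshta.exe") and
  not (
    /* the two list closers below were run together with a stray quote in the published text and are
       restored to one string literal per line */
    process.args : (
      "C:\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat",
      "\"C:\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat\""
    ) or
    process.command_line : (
      "\"C:\\Windows\\system32\\cmd.exe\" /c auditpol.exe /set /SUBCATEGORY:*",
      "\"C:\\Windows\\system32\\cmd.exe\" /c auditpol.exe /get*",
      "\"C:\\Windows\\system32\\cmd.exe\" /c exit\""
    ) or
    (process.args == "-File" and process.args == "-ExecutionPolicy")
  )
  and
  // SYSTEM-initiated launches are excluded except on Sysmon data, where user.id may be absent or differ
  not (
    ?user.id == "S-1-5-18" and
    /* Don't apply the user.id exclusion to Sysmon for compatibility */
    not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
  )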
Elastic EQL high T1059, T1036, T1055 ↗
Conhost Spawned By Suspicious Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.
// conhost.exe whose parent is a system or GUI process that is not expected to host a console
// (lsass, services, smss, winlogon, explorer, dllhost, rundll32, regsvr32, userinit, wininit, spoolsv,
// ctfmon). rundll32 calling known Windows Installer, Program Compatibility Assistant and WebDAV entry
// points is excluded; "?:" stands for any drive letter.
process where host.os.type == "windows" and event.type == "start" and
  process.name : "conhost.exe" and
  process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe",
                         "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and
  not (process.parent.name : "rundll32.exe" and
       process.parent.args : ("?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc",
                              "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask",
                              "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie"))
Elastic EQL high T1218, T1218.002 ↗
Control Panel Process with Unusual Arguments
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.
// control.exe with a command line that references an image-extension file (a CPL disguised as an image),
// an .inf file, a .cpl path followed by a ":"-separated argument, a directory traversal, or a
// user-writable location (AppData\Local, Users\Public). Matching is case-insensitive with wildcards.
process where host.os.type == "windows" and event.type == "start" and
  process.name : "control.exe" and
  process.command_line : (
    "*.jpg*", "*.png*",
    "*.gif*", "*.bmp*",
    "*.jpeg*", "*.TIFF*",
    "*.inf*", "*.cpl:*/*",
    "*../../..*",
    "*/AppData/Local/*",
    "*:\\Users\\Public\\*",
    "*\\AppData\\Local\\*"
)
Elastic ESQL high
Correlated Alerts on Similar User Identities
This rule correlates alerts from multiple integrations and event categories that involve different user.name values which may represent the same real-world identity. It uses an LLM-based similarity analysis to evaluate whether multiple user identifiers (e.g. naming variations, formats, aliases, or domain differences) likely belong to the same person.
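from .alerts-security.*

// truncate timestamp to 5-minute window
| eval Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp)

// open high/critical alerts (risk score >= 73) excluding threat_match and ML rule types and the
// standard system accounts (Windows SYSTEM / LOCAL SERVICE / NETWORK SERVICE SIDs and uid 0)
| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score >= 73 and kibana.alert.workflow_status == "open" and
        not kibana.alert.rule.type in ("threat_match", "machine_learning") and
        not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20", "0")

// group alerts by short time window and extract values of interest for alert triage
| stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),
        Esql.user_name_distinct_count = COUNT_DISTINCT(user.name),
        Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
        Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),
        Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
        Esql.event_module_values = VALUES(event.module),
        Esql.rule_name_values = VALUES(kibana.alert.rule.name),
        Esql.message_values = VALUES(message),
        Esql.event_category_values = VALUES(event.category),
        Esql.event_action_values = VALUES(event.action),
        Esql.source_ip_values = VALUES(source.ip),
        Esql.destination_ip_values = VALUES(destination.ip),
        Esql.host_id_values = VALUES(host.id),
        Esql.agent_id_values = VALUES(agent.id),
        Esql.rule_severity_values = VALUES(kibana.alert.risk_score),
        Esql.user_name_values = VALUES(user.name) by Esql.time_window_date_trunc

// keep only windows with alerts from different integrations, at least two user names and unique categories
| where Esql.event_module_distinct_count >= 2 and Esql.user_name_distinct_count >= 2 and Esql.event_category_distinct_count >= 2

// build context for LLM analysis
| eval users_list = MV_CONCAT(Esql.user_name_values, ",")

// LLM analysis
// NOTE(review): users_list is built from user.name values taken from alert documents, which an attacker
// can influence (for example by choosing the account name they authenticate with). Those values are
// concatenated straight into the prompt, so treat the verdict as untrusted triage context: a crafted
// user name could steer the model towards "true" or "false" and thereby force or suppress this
// correlation. The rule only consumes the parsed verdict and never acts on the summary, which limits
// the blast radius to this alert.
// The prompt text is a runtime string: "identity" was misspelled as "identify" and the user list
// ran straight into the instructions without a separator.
| eval instructions = "Analyze the provided user names and return a boolean value true if at least 2 of them are similar and they may belong to the same human identity or false if not, do not compare user names that may look like service accounts. If the list of users has more than 2 users and only 2 of them are similar consider this as true. Structure the output as follows: verdict=<verdict> confidence=<score between 0.0 and 1.0> summary=<short reason max 500 words> without any other response statements on a single line."
| eval prompt = CONCAT("User identities extracted from different alerts: ", users_list, ". ", instructions)
| COMPLETION triage_result = prompt WITH { "inference_id": ".gp-llm-v2-completion"}

// parse LLM response. The pattern deliberately has no trailing whitespace: trailing literal text in a
// DISSECT pattern would have to appear at the end of the model output for the parse to succeed.
| DISSECT triage_result """verdict=%{Esql.verdict} confidence=%{Esql.confidence} summary=%{Esql.summary}"""

// filter for similar user values
| where TO_LOWER(Esql.verdict) == "true"
| keep Esql.*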
Creation of a Hidden Local User Account
Identifies the creation of a hidden local user account by appending a dollar sign to the account name. Attackers sometimes do this to gain additional access to a system while keeping the account out of the output of account listings such as the `net user` command.
// Creation/change of a SAM user-name key whose account name ends in "$" — the
// hidden-account trick from the description. The trailing "$\\" is required,
// so only names that literally end with "$" match.
registry where host.os.type == "windows" and event.type in ("change", "creation") and
  // the same key under the three path spellings an event may carry
  registry.path : (
    "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
    "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
    "MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
)
Creation or Modification of Domain Backup DPAPI private key
Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
// Any non-deletion file event on the DPAPI domain backup key export names (PFX/PVK).
// There is no process, user or path constraint, so expect to triage legitimate exports too.
file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
Credential Acquisition via Registry Hive Dumping
Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.
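// reg.exe "save"/"export" of the SAM or SECURITY hive (credential material).
// Matched on the PE original file name as well as the process name, so a renamed
// reg.exe is still caught when PE metadata is available.
process where host.os.type == "windows" and event.type == "start" and
 (?process.pe.original_file_name == "reg.exe" or process.name : "reg.exe") and
 process.args : ("save", "export") and
 // Both the short (HKLM) and long (HKEY_LOCAL_MACHINE) root-key spellings are accepted by
 // reg.exe; ":" is case-insensitive, so mixed case is covered as well.
 // NOTE(review): hklm\system is not matched. It is typically saved alongside SAM to recover
 // hashes — add it if the extra noise from legitimate system-hive backups is acceptable.
 process.args : ("hklm\\sam", "hklm\\security", "hkey_local_machine\\sam", "hkey_local_machine\\security")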
Elastic KQL high T1003, T1003.001 ↗
Credential Dumping - Detected - Elastic Endgame
Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
Elastic KQL high T1134 ↗
Credential Manipulation - Detected - Elastic Endgame
Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
Elastic EQL high T1059, T1059.004, T1203 ↗
Cupsd or Foomatic-rip Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
// A shell spawned directly by foomatic-rip (CUPS filter) on Linux — the command-execution
// step of the CUPS chain named in the description.
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name == "foomatic-rip" and
  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
    // Exclusions for routine filter work: temp spool files, the ps2write device option
    // (appears to be Ghostscript), and plain "cat" helpers.
    // NOTE(review): "*printf*" is a substring match on the whole command line, so any attacker
    // command that merely contains the word "printf" is excluded — consider narrowing it.
    process.command_line like (
      "*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat",
      "/bin/bash -e -c cat"
    ) or
    // any argument starting with "gs" ("like" is case-sensitive)
    process.args like "gs*"
  )
Curl Execution via Shell Profile
Detects when curl is executed via a shell profile upon login. This suggests a curl command was added to the user's shell profile (such as .zshrc or .bashrc) and runs automatically at login, which could be used for persistence and payload delivery. Note that the query infers this from curl being a direct child of a fresh login shell; it does not inspect the profile files themselves.
// macOS: a login shell started by `login` (single argument, exactly "-zsh"/"-sh"/"-bash")
// followed within 10s by a curl/nscurl that is a direct child of that shell
// (event 1 joined on process.entity_id, event 2 on process.parent.entity_id)
// and that writes output or uploads form data.
sequence with maxspan=10s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.name in ("bash", "zsh", "sh") and
    process.args in ("-zsh", "-sh", "-bash") and process.args_count == 1 and
    process.parent.name == "login"] by process.entity_id
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.name in ("curl", "nscurl") and
    process.args in ("-o", "--output", "--download", "-dl", "-dir", "--directory", "-F", "--form") and
    // Vendor-specific allowlist of Elastic URLs — replace with your own trusted destinations.
    // Only these URL patterns are excluded; the destination of "-o/--output" is not checked.
    not process.args like ("https://upload.elastic.co*", "https://vault-ci-prod.elastic.dev", "https://artifacts.elastic.co*")] by process.parent.entity_id
Elastic KQL high T1078 ↗
CyberArk Privileged Access Security Error
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.
data_stream.dataset:cyberarkpas.audit and event.type:error
Elastic KQL high T1078, T1555, T1098 ↗
CyberArk Privileged Access Security Recommended Monitor
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
data_stream.dataset:cyberarkpas.audit and
  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or
              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and
  not event.type:error
Decoded Payload Piped to Interpreter Detected via Defend for Containers
This rule detects the execution of a base64 decoded payload to an interpreter inside a container. Attackers may use this technique to execute malicious code, while attempting to evade detection.
// Two exec events that share a parent (parent.entity_id) and a container, within 3s:
//   event 1 — something that decodes base64 (coreutils/busybox, openssl, python, perl, ruby)
//   event 2 — an interpreter started the way `... | sh` or `bash <(...)` would start it
// The pairing is by common parent only; the query does not verify a pipe between the two,
// so an unrelated decode and interpreter start under the same busy parent can also match.
sequence by process.parent.entity_id, container.id with maxspan=3s
  // container.id like "?*": at least one character, i.e. the event comes from a container
  [process where event.type == "start" and event.action == "exec" and container.id like "?*" and (
    (
      (
        process.name in ("base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16") or
        (
          process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
          process.args in ("base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16")
        )
      ) and
      // any argument with a "-" followed later by "d", case-insensitive: -d, --decode, -D, ...
      process.args like~ "*-*d*"
    ) or
    (
      // NOTE(review): "in" is any-of, so `openssl enc -base64` without -d (i.e. encoding) also matches
      process.name == "openssl" and
      process.args == "enc" and process.args in ("-d", "-base64", "-a", "-A")
    ) or
    (
      process.name like "python*" and (
        (process.args == "base64" and process.args in ("-d", "-u", "-t")) or
        (process.args == "-c" and process.args like "*base64*" and process.args like~ "*b64decode*")
      )
    ) or
    (
      process.name like "perl*" and
      process.args like~ "*decode_base64*"
    ) or
    (
      process.name like "ruby*" and
      process.args == "-e" and
      process.args like~ "*Base64.decode64*"
    )
  )]
  // Event 2: an interpreter whose arguments look like a shell/interpreter name, a login-shell
  // form ("-bash"), an absolute shell path, or /dev/fd/* (e.g. process substitution).
  [process where event.type == "start" and event.action == "exec" and process.name like (
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox",
    "python*", "perl*", "ruby*", "lua*", "php*"
  ) and
  process.args like (
    "-bash", "-dash", "-sh", "-tcsh", "-csh", "-zsh", "-ksh", "-fish", "-busybox",
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox",
    "/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh",
    "/bin/zsh", "/bin/ksh", "/bin/fish", "/bin/busybox",
    "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh",
    "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish",
    "/usr/bin/busybox",
    "*python*", "*perl*", "*ruby*", "*lua*", "*php*", "/dev/fd/*"
  ) and
  // Tuning exclusions: Zeek install/working directories and plain which/man/chmod/chown
  // invocations. Note these are by working directory and by argument value only.
  not (
    process.working_directory like (
      "/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install",
      "/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek"
    ) or
    process.args in (
      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )]
Elastic KQL high T1071, T1071.001, T1573 ↗
Default Cobalt Strike Team Server Certificate
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.
(data_stream.dataset: network_traffic.tls or event.category: (network or network_traffic))
  and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83
  or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C
  or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
Elastic KQL high T1078, T1078.002, T1098 ↗
Delegated Managed Service Account Modification by an Unusual User
Detects modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to inherit a target account's permissions and further elevate privileges. Note that the query shown matches every change to that attribute (event 5136); the "unusual subject" part presumably comes from the rule's new-terms configuration rather than from the query itself.
event.code:5136 and host.os.type:"windows" and winlog.event_data.AttributeLDAPDisplayName:"msDS-ManagedAccountPrecededByLink"
Elastic KQL high T1078 ↗
Deprecated - AWS Root Login Without MFA
Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
  aws.cloudtrail.user_identity.type:Root and
  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
  event.outcome:success
Elastic KQL high T1036 ↗
Deprecated - Agent Spoofing - Mismatched Agent ID
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.
event.agent_id_status:agent_id_mismatch and not host.name:agentless-*
Elastic KQL high T1059, T1059.006 ↗
Deprecated - EggShell Backdoor Execution
Identifies the execution of an EggShell backdoor. EggShell is a known post-exploitation tool for macOS and Linux.
event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*
Elastic KQL high T1572 ↗
Deprecated - Potential DNS Tunneling via Iodine
Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
Elastic KQL high T1110 ↗
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. The 25-in-30-minutes count is not part of the query shown; it is presumably applied by the rule's threshold settings, so the query alone matches every failed login.
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
Elastic EQL high T1133, T1021, T1021.004 ↗
Deprecated - SSH Connection Established Inside A Running Container
This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment.
// Interactive process started inside a container (container.id present) whose entry leader
// came in through sshd — i.e. someone logged in to the container over SSH.
process where container.id: "*" and event.type == "start" and

/* use of sshd to enter a container*/
process.entry_leader.entry_meta.type: "sshd"  and

/* process is the initial process run in a container or start of a new session*/
(process.entry_leader.same_as_process== true or process.session_leader.same_as_process== true) and

/* interactive process*/
process.interactive== true
Elastic EQL high T1021, T1021.004, T1133 ↗
Deprecated - SSH Process Launched From Inside A Container
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
// Any ssh client, sshd or autossh process started (fork or exec) inside a container.
// Both fork and exec are included, so one SSH launch can produce more than one match.
process where container.id: "*" and event.type== "start" and
event.action in ("fork", "exec") and
process.name: ("sshd", "ssh", "autossh")
Deprecated - SUNBURST Command and Control Activity
The malware known as SUNBURST targets the SolarWinds Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.
// HTTP from the listed SolarWinds Orion binaries to the SUNBURST C2 paths
// (/swip/Upload.ashx via POST/PUT, /swip/SystemDescription or /swip/Events via GET/HEAD),
// excluding requests that mention solarwinds.com.
// NOTE(review): both the URL and the HTTP verb are matched against http.request.body.content,
// so this presumably relies on the integration placing the raw request in that field —
// confirm with a sample event before depending on this rule.
network where host.os.type == "windows" and event.type == "protocol" and network.protocol == "http" and
  process.name : ("ConfigurationWizard.exe",
                  "NetFlowService.exe",
                  "NetflowDatabaseMaintenance.exe",
                  "SolarWinds.Administration.exe",
                  "SolarWinds.BusinessLayerHost.exe",
                  "SolarWinds.BusinessLayerHostx64.exe",
                  "SolarWinds.Collector.Service.exe",
                  "SolarwindsDiagnostics.exe") and
  (
    (
      (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
      (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*"))
    ) and
    not http.request.body.content : "*solarwinds.com*"
  )
Elastic KQL high T1068, T1548, T1548.003 ↗
Deprecated - Sudo Heap-Based Buffer Overflow Attempt
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
event.category:process and event.type:start and
  process.name:(sudo or sudoedit) and
  process.args:(*\\ and ("-i" or "-s"))
Elastic ESQL high
Detection Alert on a Process Exhibiting CPU Spike
This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
// Join host process metrics with security alerts on (host.id, process.pid, process.name):
// a PID that both crossed 70% CPU and appears in a non-low-severity alert.
// PIDs are reused, so the grouping can pair an alert with a later, unrelated process of the
// same name on the same host within the rule's lookback — check timestamps when triaging.
FROM metrics-*, .alerts-security.* METADATA _index
// drop alerts that are themselves higher-order correlations (presumably so this rule does not feed on its own output)
| where not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
| eval
       // processes at or above 70% normalised total CPU (metric backing indices)
       cpu_metrics_pids = CASE(_index like ".ds-metrics-system.process-*" and system.process.cpu.total.norm.pct >= 0.7, process.pid, null),
       // any security alert with process.name and ID populated excluding low severity ones
       // (".internal.alerts-security.*" is presumably the backing index behind the .alerts-security.* alias)
       alerts_pids = CASE(_index like ".internal.alerts-security.*" and kibana.alert.rule.name is not null and process.name is not null and process.pid is not null and host.id is not null and kibana.alert.risk_score > 21, process.pid, null)
| stats pid_with_cpu_spike = COUNT_DISTINCT(cpu_metrics_pids), pid_with_alerts = COUNT_DISTINCT(alerts_pids),
        Esql.max_cpu_pct = MAX(system.process.cpu.total.norm.pct),
        Esql.alerts = VALUES(kibana.alert.rule.name),
        Esql.process_hash_sha256 = VALUES(process.hash.sha256),
        process_path = VALUES(process.executable),
        parent_process_path = VALUES(process.parent.executable),
        user_name = VALUES(user.name),
        host_name = VALUES(host.name),
        cmdline = VALUES(process.command_line) by process.pid, process.name, host.id
// keep only groups that have both a CPU spike and at least one alert
| where pid_with_cpu_spike > 0 and pid_with_alerts > 0
// populate fields to use in rule exceptions
// MV_FIRST picks one value out of everything seen for the group, so the exclusions below
// are evaluated against a single (arbitrary) executable path, not against all of them.
| eval process.hash.sha256 = MV_FIRST(Esql.process_hash_sha256),
       process.executable = MV_FIRST(process_path),
       process.parent.executable = MV_FIRST(parent_process_path),
       process.command_line = MV_FIRST(cmdline),
       user.name = MV_FIRST(user_name),
       host.name = MV_FIRST(host_name)
| KEEP user.name, host.id, host.name, process.*, Esql.*
// Tuning exclusions keyed on executable path only.
// NOTE(review): a path allowlist is weak — any binary dropped at one of these paths is excluded.
// process.hash.sha256 is already populated above; prefer excluding on (path, sha256) pairs.
| where `process.executable` != "C:\\Program Files\\ESET\\ESET Security\\ekrn.exe" and
        `process.executable` != "C:\\Windows\\System32\\CompatTelRunner.exe" and
        `process.executable` != "C:\\Program Files\\UiPath\\Studio\\UiPath.ActivityCompiler.CommandLine.exe"
Disabling Lsa Protection via Registry Modification
LSA protection prevents non-protected processes from reading LSA memory or injecting code into it, adding security for the credentials that LSA stores and manages. Adversaries may modify the RunAsPPL registry value and then wait for, or initiate, a system restart so that LSASS credential memory becomes accessible again.
// RunAsPPL under ...\Control\Lsa written with anything other than 1 / 2 (the enabling
// values), i.e. 0 or an unexpected value — with the writing process known.
registry where host.os.type == "windows" and event.type == "change" and
  registry.data.strings != null and process.name != null and
  registry.value : "RunAsPPL" and
  registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Lsa\\RunAsPPL" and
  not registry.data.strings : ("1", "0x00000001", "2", "0x00000002") and
  // NOTE(review): exclusion is by executable path only; a binary placed at this path is also excluded
  not process.executable : "?:\\Windows\\System32\\SecurityHealthService.exe"
Domain Added to Google Workspace Trusted Domains
Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.
data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
Elastic EQL high T1003, T1003.008 ↗
Dumping Account Hashes via Built-In Commands
Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.
// macOS built-ins used to read password hashes: defaults/dscl with a ShadowHashData argument
// (like~ without wildcards = case-insensitive exact match on one argument), mkpassdb -dump,
// or plain file readers pointed at the local user plists.
process where host.os.type == "macos" and event.type in ("start","process_started") and (
  (process.name == "defaults" and process.args like~ "ShadowHashData") or
  (process.name == "mkpassdb" and process.args == "-dump") or
  (process.name == "dscl" and process.args like~ "ShadowHashData") or
  (
    process.name in ("plutil","cat","strings","xxd","head") and
    process.args like "/var/db/dslocal/nodes/Default/users/*.plist"
  )
)
Elastic EQL high T1555, T1555.001 ↗
Dumping of Keychain Content via Security Command
Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.
// Any macOS process started with a "dump-keychain" argument (case-insensitive) plus "-d"
// (typically `security dump-keychain -d`); there is no process.name constraint, so any
// binary invoked with these two arguments matches.
process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.args like~ "dump-keychain" and process.args == "-d"
Elastic EQL high T1574, T1574.006 ↗
Dylib Injection via Process Environment Variables
Detects the use of process environment variables (DYLD_INSERT_LIBRARIES or LD_PRELOAD) to inject a shared library into a binary at or prior to execution. A threat actor may use this technique to load a malicious shared library for persistence, privilege escalation, and defense evasion. This activity is uncommon and typically indicates malicious behavior.
// Event 1: a process exec'd with a non-empty DYLD_INSERT_LIBRARIES or LD_PRELOAD ("=?*"),
// excluding Xcode / simulator build paths and xcrun parents.
// Event 2: the same process (by entity_id) loads, within 15s, a library that is not .aot/.so,
// is not trusted-signed, and does not live under system/Apple/Homebrew/Xcode paths.
sequence by process.entity_id with maxspan=15s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.env_vars like ("DYLD_INSERT_LIBRARIES=?*", "LD_PRELOAD=?*") and
    not process.env_vars like ("DYLD_INSERT_LIBRARIES=", "LD_PRELOAD=", "LD_PRELOAD=<null>") and
    not process.executable like ("/Users/*/Library/Developer/Xcode/*", "/Users/*/Library/Developer/CoreSimulator/*") and
    not process.parent.executable like ("/usr/bin/xcrun", "/Applications/Xcode*.app/*", "/Library/Developer/*")]
  [library where host.os.type == "macos" and event.action == "load" and
    not dll.name like ("*.aot", "*.so") and
    // NOTE(review): whether a load with no code_signature fields at all passes this clause
    // depends on EQL's null handling — confirm with an unsigned dylib before relying on it.
    not dll.code_signature.trusted == true and
    not dll.path like ("/System/*", "/usr/lib/*", "/opt/homebrew/*", "/private/var/folders/*",
                       "/Library/Apple/*", "/Library/Developer/*",
                       "/Users/*/Library/Developer/Xcode/*", "/Users/*/Library/Developer/CoreSimulator/*")]
Elastic EQL high T1574, T1574.006 ↗
Dynamic Linker Copy
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.
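// cp/rsync/mv of the dynamic loader (or /etc/ld.so.preload) followed within 1m by the same
// process creating a .so file — the "back up, then patch" pattern from the description.
// The loader paths cover the x86_64 and aarch64 glibc layouts (multiarch and /lib64 variants);
// the original list was x86_64-only, so arm64 hosts were not covered.
sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync", "mv") and
  process.args in (
   "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
   "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2",
   "/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1", "/lib/ld-linux-aarch64.so.1",
   "/usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1", "/lib64/ld-linux-aarch64.so.1",
   "/usr/lib64/ld-linux-aarch64.so.1"
  ) and
  // initramfs / dracut / mkinitcpio image builds legitimately copy the loader into their work dirs
  not process.args like ("/var/tmp/mkinitramfs*", "/var/tmp/dracut*", "/tmp/mkinitcpio*")]
[file where host.os.type == "linux" and event.action == "creation" and (file.extension == "so" or file.name like "*.so.*")]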