
Deployable detection rules

4,399 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Elastic ESQL high
Multiple Elastic Defend Alerts from a Single Process Tree
Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
from logs-endpoint.alerts-*

// process.Ext.ancestry is an array of all unique process IDs ancestors of the alert actor process ID
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread", "behavior") and
        agent.id is not null and not rule.name in ("Multi.EICAR.Not-a-virus") and process.Ext.ancestry is not null

// aggregate alerts by process.Ext.ancestry and agent.id
| stats Esql.alerts_count = COUNT(*),
        Esql.rule_name_distinct_count = COUNT_DISTINCT(rule.name),
        Esql.event_code_distinct_count = COUNT_DISTINCT(event.code),
        Esql.process_id_distinct_count = COUNT_DISTINCT(process.entity_id),
        Esql.message_values = VALUES(message),
        Esql.user_name_values = VALUES(user.name),
        Esql.threat_tactic_name_values = VALUES(threat.tactic.name),
        Esql.threat_technique_name_values = VALUES(threat.technique.name),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.process_parent_executable_values = values(process.parent.executable),
        Esql.file_path_values = VALUES(file.path),
        Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
        Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
        Esql.dns_question_name_values = VALUES(dns.question.name) by process.Ext.ancestry, agent.id

// filter for at least 3 unique process IDs and 2 or more alert types or rule names.
| where Esql.process_id_distinct_count >= 3 and (Esql.rule_name_distinct_count >= 2 or Esql.event_code_distinct_count >= 2)

// keep unique values
| stats Esql.alert_names = values(Esql.message_values),
        Esql.alerts_process_cmdline_values = VALUES(Esql.process_command_line_values),
        Esql.alerts_user_names = VALUES(Esql.user_name_values),
        Esql.alerts_mitre_tactics = values(Esql.threat_tactic_name_values),
        Esql.alerts_mitre_techniques = VALUES(Esql.threat_technique_name_values),
        Esql.alerts_process_parent_executable = values(Esql.process_parent_executable_values),
        Esql.alerts_file_paths = VALUES(Esql.file_path_values),
        Esql.alerts_file_hash_sha256 = VALUES(Esql.file_hash_sha256_values),
        Esql.alerts_process_hash_sha256 = VALUES(Esql.process_hash_sha256_values),
        Esql.alerts_dns_question_names = VALUES(Esql.dns_question_name_values) by agent.id
| keep Esql.*, agent.id
Elastic ESQL high
Multiple External EDR Alerts by Host
This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
from .alerts-security.*
| WHERE event.dataset in ("crowdstrike.alert", "crowdstrike.falcon", "sentinel_one.alert", "sentinel_one.threat", "m365_defender.alert") and
        host.id is not null and kibana.alert.risk_score > 21 and
        not (event.module == "crowdstrike" and (kibana.alert.rule.name like "* at *" or kibana.alert.rule.name like "* on *" or kibana.alert.rule.name == "EICARTestFileWrittenWin")) and
        not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
| stats Esql.alerts_count = COUNT(*),
       Esql.kibana_alert_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
       Esql.kibana_alert_rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),
       Esql.process_executable_distinct_count = COUNT_DISTINCT(process.executable),
       Esql.file_path_distinct_count = COUNT_DISTINCT(file.path),
       Esql.process_command_line_distinct_count = COUNT_DISTINCT(process.command_line),
       Esql.kibana_alert_risk_score_values = VALUES(kibana.alert.risk_score),
       Esql.process_executable_values = VALUES(process.executable),
       Esql.file_path_values = VALUES(file.path),
       Esql.user_name_values = VALUES(user.name),
       Esql.process_command_line_values = VALUES(process.command_line),
       Esql.process_parent_command_line_values = VALUES(process.parent.command_line),
       Esql.kibana_alert_rule_name_values = VALUES(kibana.alert.rule.name) by host.id, host.name, event.module
| where (
  // 3+ unique rules or processes
  (
    Esql.kibana_alert_rule_name_distinct_count >= 3 or
    (Esql.process_executable_distinct_count >= 3 and Esql.kibana_alert_rule_name_values == "External Alerts")
  ) and
  // and 2+ rules of different severity, or 1 high/critical severity rule
  (
    Esql.kibana_alert_risk_score_distinct_count >= 2 or
    Esql.kibana_alert_risk_score_values == 73 or
    Esql.kibana_alert_risk_score_values == 99
  )
) or
  // or 5+ unique rules from the same host for 1+ path/command_line/process
  (Esql.kibana_alert_rule_name_distinct_count >= 5 and Esql.alerts_count <= 50 and
  (Esql.file_path_distinct_count >= 1 or Esql.process_command_line_distinct_count >= 1 or Esql.process_executable_distinct_count >= 1)
)
| KEEP event.module, host.id, host.name, Esql.*
Elastic ESQL high
Multiple Machine Learning Alerts by Influencer Field
This rule uses alert data to determine when multiple unique machine learning jobs involving the same influencer field are triggered. Analysts can use this to prioritize triage and response for machine learning alerts.
from .alerts-security.*
| where kibana.alert.rule.type == "machine_learning" and
  not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
| stats Esql.count_distinct_job_id = COUNT_DISTINCT(job_id),
        Esql.job_id_values = VALUES(job_id),
        Esql.rule_name_values = VALUES(kibana.alert.rule.name),
        Esql.influencer_field_values = VALUES(influencers.influencer_field_values),
        Esql.influencer_field_name = VALUES(influencers.influencer_field_name) by influencers.influencer_field_values, process.name, host.name
| where Esql.count_distinct_job_id >= 3 and not influencers.influencer_field_values in ("root", "SYSTEM")
| KEEP influencers.influencer_field_values, process.name, host.name, Esql.*
NTDS or SAM Database File Copied
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.
process where host.os.type == "windows" and event.type == "start" and
  (
    ((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and
       process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
    ) or
    ((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*"))
  ) and
  process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*")
Elastic EQL high T1219
NetSupport Manager Execution from an Unusual Path
Identifies execution of the NetSupport remote access software from non-default paths. Adversaries may abuse NetSupport Manager to control a victim machine.
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "client32.exe" or ?process.pe.original_file_name == "client32.exe" or process.parent.name : "client32.exe") and
 (
  process.executable :
               ("?:\\Users\\*.exe",
                "?:\\ProgramData\\*.exe",
                "\\Device\\HarddiskVolume*\\Users\\*.exe",
                "\\Device\\HarddiskVolume*\\ProgramData\\*.exe") or
  ?process.parent.executable : ("?:\\Users\\*\\client32.exe", "?:\\ProgramData\\*\\client32.exe")
  )
Network Activity to a Suspicious Top Level Domain
Identifies DNS queries to commonly abused Top Level Domains by common LOLBINs or executables running from world writable directories or unsigned binaries. This behavior matches on common malware C2 abusing less formal domain names.
network where host.os.type == "windows" and dns.question.name != null and
 (
  process.name : ("MSBuild.exe", "mshta.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe",
                  "bitsadmin.exe", "InstallUtil.exe", "python.exe", "regsvr32.exe", "dllhost.exe", "node.exe", "curl.exe",
                  "java.exe", "javaw.exe", "*.pif", "*.com", "*.scr") or
  (?process.code_signature.trusted == false or ?process.code_signature.exists == false) or
  ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
  ?process.executable : (
    "?:\\Users\\Public\\*.exe", "?:\\ProgramData\\*.exe", "?:\\Users\\*\\Downloads\\*.exe",
    "\\Device\\HarddiskVolume*\\Users\\Public\\*.exe", "\\Device\\HarddiskVolume*\\ProgramData\\*.exe", "\\Device\\HarddiskVolume*\\Users\\*\\Downloads\\*.exe"
  )
 ) and
dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host|zone)""" and

not process.executable : (
    "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*\\*.exe",
    "\\Device\\HarddiskVolume*\\ProgramData\\Microsoft\\Windows Defender\\platform\\*\\*.exe"
)
Elastic EQL high T1059, T1059.004, T1203
Network Connection by Cups or Foomatic-rip Child
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects network connections initiated by a child process of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
sequence by host.id with maxspan=10s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.parent.name == "foomatic-rip" and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.entity_id
  [network where host.os.type == "linux" and event.type == "start" and
   event.action == "connection_attempted"] by process.parent.entity_id
Network Connection to OAST Domain via Script Interpreter
Detects when a package service such as npm, gems, or a script interpreter makes an outbound network connection to an OAST (Out-of-band Application Security Testing) domain. Threat actors have been using OAST domains to exfiltrate sensitive data from compromised systems via malicious packages.
sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    (process.name == "node" or process.name like ("python*", "ruby*", "perl*"))]
  [network where host.os.type == "macos" and event.type == "start" and destination.domain like "*.oast*"]
Elastic ESQL high
Newly Observed Elastic Defend Behavior Alert
This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against the previous 5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule; analysts can use this to prioritize triage and response.
from logs-endpoint.alerts-*
| WHERE event.code == "behavior" and rule.name is not null
| STATS Esql.alerts_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.last_time_seen = MAX(@timestamp),
        Esql.agents_distinct_count = COUNT_DISTINCT(agent.id),
        Esql.process_executable = VALUES(process.executable),
        Esql.process_parent_executable = VALUES(process.parent.executable),
        Esql.process_command_line = VALUES(process.command_line),
        Esql.process_hash_sha256 = VALUES(process.hash.sha256),
        Esql.host_id_values = VALUES(host.id),
        Esql.user_name = VALUES(user.name) by rule.name
// first time seen in the last 5 days - defined in the rule schedule Additional look-back time
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 10m of the rule execution time
| where Esql.recent <= 10 and Esql.agents_distinct_count == 1 and Esql.alerts_count <= 10 and (Esql.last_time_seen == Esql.first_time_seen)

// Move single values to their corresponding ECS fields for alerts exclusion
| eval host.id = mv_min(Esql.host_id_values)

| keep host.id, rule.name, Esql.*
Elastic ESQL high
Newly Observed High Severity Detection Alert
This rule detects Elastic SIEM high severity detection alerts that are observed for the first time in the previous 5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule; analysts can use this to prioritize triage and response.
FROM .alerts-security.*
| where kibana.alert.rule.name is not null and kibana.alert.risk_score >= 73  and
  not kibana.alert.rule.type in ("threat_match", "machine_learning", "new_terms") and
  not kibana.alert.rule.name like "Deprecated - *" and kibana.alert.rule.name != "My First Rule" and
  // covered by 7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8
  event.dataset != "endpoint.alerts" and
  not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
| STATS Esql.alerts_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.last_time_seen = MAX(@timestamp),
        Esql.process_executable = VALUES(process.executable),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.process_parent_executable_values = VALUES(process.parent.executable),
        Esql.file_path_values = VALUES(file.path),
        Esql.dll_path_values = VALUES(dll.path),
        Esql.user_id_values = VALUES(user.id),
        Esql.user_name_values = VALUES(user.name),
        Esql.agent_id_values = VALUES(agent.id),
        Esql.host_id_values = VALUES(host.id),
        Esql.event_module_values = VALUES(event.module),
        Esql.source_ip_values = VALUES(source.ip), 
        Esql.kibana_alert_rule_name_values = VALUES(kibana.alert.rule.name),
        Esql.agent_id_distinct_count = COUNT_DISTINCT(agent.id) by kibana.alert.rule.name
// first time seen in the last 5 days - defined in the rule schedule Additional look-back time
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 10m of the rule execution time
| where Esql.recent <= 10 and Esql.agent_id_distinct_count == 1 and Esql.alerts_count <= 10 and (Esql.last_time_seen == Esql.first_time_seen)

// Move single values to their corresponding ECS fields for alerts exclusion
| eval host.id = mv_min(Esql.host_id_values)

| keep host.id, kibana.alert.rule.name, Esql.*
Elastic ESQL high T1496, T1496.001
Newly Observed Process Exhibiting High CPU Usage
This rule alerts on processes exhibiting high CPU usage and that are observed for the first time in the previous 5 days. A previously unseen process consuming sustained CPU resources may indicate suspicious activity such as cryptomining, exploit payload execution, or other forms of resource abuse following host compromise. In some cases, this may also surface legitimate but unexpected software causing performance degradation.
FROM metrics-*
// more than 90% CPU use
| WHERE system.process.cpu.total.norm.pct >= 0.9 and process.name is not null
| STATS Esql.total_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.agent_id_values = COUNT_DISTINCT(agent.id),
        Esql.system_process_cpu_total_norm_pct_values = MAX(system.process.cpu.total.norm.pct),
        Esql.process_command_line_values = VALUES(process.command_line),
        Esql.host_id_values = values(host.id), 
        Esql.user_name_values = VALUES(user.name) by process.name
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
// first time seen is within 6m of the rule execution time and first seen in the last 5 days as per the rule schedule, limited to 1 unique host
| where Esql.recent <= 6 and Esql.agent_id_values == 1
// populate fields for rule exception
| eval host.id = MV_FIRST(Esql.host_id_values), 
       process.command_line = MV_FIRST(Esql.process_command_line_values)
| keep host.id, process.name, process.command_line, Esql.*
Elastic ESQL high T1219, T1219.002
Newly Observed ScreenConnect Host Server
Detects when the ScreenConnect client (ConnectWise Control) connects to a newly observed host server that is not the official ScreenConnect cloud. ScreenConnect is a common RMM/remote access tool abused for C2 and persistence. Self-hosted or non-standard relay servers may indicate abuse or compromise. The rule aggregates by server host (parsed from the client command line), requires first-time observation within the rule window, and limits to a single host to reduce noise.
from logs-endpoint.events.process-*
| where event.category == "process" and event.type == "start" and (process.name == "ScreenConnect.ClientService.exe" or process.code_signature.subject_name == "ConnectWise, LLC")
| grok process.command_line """e=Access&y=Guest&h=(?<Esql.screenconnect_server>[^&]+)&p """
| where Esql.screenconnect_server is not null and not Esql.screenconnect_server like "*.screenconnect.com"
| stats Esql.count_distinct_host_id = count_distinct(host.id),
        Esql.first_time_seen = min(@timestamp),
        Esql.user_name_values = values(user.name),
        Esql.command_line_values = values(process.command_line),
        Esql.host_id_values = values(host.id),
        Esql.host_name_values = values(host.name),
        Esql.process_entity_id_values = values(process.entity_id) by Esql.screenconnect_server
| eval Esql.recent = date_diff("minute", Esql.first_time_seen, now())
| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1
| eval host.id = mv_first(Esql.host_id_values),
       host.name = mv_first(Esql.host_name_values),
       process.command_line = mv_first(Esql.command_line_values),
       process.entity_id = mv_first(Esql.process_entity_id_values)
| keep host.id, host.name, process.command_line, process.entity_id, Esql.screenconnect_server, Esql.user_name_values, Esql.first_time_seen
Elastic EQL high T1611
Nsenter Execution with Target Flag Inside Container
Detects nsenter executions from inside a monitored Linux container that include a namespace target flag (-t or --target). Adversaries abuse nsenter to attach to host or sibling namespaces and escape container isolation when combined with privileged mounts, exposed PIDs, or shared namespaces.
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
  (process.name == "nsenter" or process.args == "nsenter") and
  container.id like "?*" and process.args like ("-t", "--target*")
Elastic KQL high T1611
Nsenter to PID Namespace via Auditd
Detects nsenter executions that target PID with a namespace target flag, a pattern commonly used to attach to the host init namespace from a container or session and run with host context.
host.os.type:linux and
event.category:process and event.action:(executed or exec) and 
(process.name:nsenter or process.args:nsenter) and 
process.args:((--target* or -t) and not --net=/run/netns/* and not (--assertion and snap) and not (is-active and snap.*))
Elastic ESQL high T1539, T1550, T1550.004
Okta AiTM Session Cookie Replay
Detects potential Adversary-in-the-Middle (AiTM) session cookie replay attacks against Okta. This rule identifies when an Okta session is used from multiple IP addresses or with suspicious non-browser user agents after initial authentication. AiTM attacks capture session cookies via phishing proxies (e.g., Evilginx, Modlishka) and replay them from attacker infrastructure, bypassing MFA. The detection correlates session start events with subsequent policy evaluations or SSO attempts that occur from different IPs or programmatic user agents.
FROM logs-okta.system-*

// Filter to relevant event types for AiTM detection
| WHERE
    okta.event_type IN ("user.session.start", "policy.evaluate_sign_on", "user.authentication.sso") AND
    okta.authentication_context.root_session_id IS NOT NULL AND
    okta.actor.alternate_id != "[email protected]"

// Create event type flags
| EVAL Esql.is_session_start = okta.event_type == "user.session.start"
| EVAL Esql.is_policy_eval = okta.event_type == "policy.evaluate_sign_on"
| EVAL Esql.is_sso = okta.event_type == "user.authentication.sso"
| EVAL Esql.is_replay_event = Esql.is_policy_eval OR Esql.is_sso

// Flag suspicious non-browser user agents
| EVAL Esql.is_suspicious_ua =
    user_agent.original LIKE "python-requests*" OR
    user_agent.original LIKE "curl/*" OR
    user_agent.original LIKE "httpx*" OR
    user_agent.original LIKE "aiohttp*" OR
    user_agent.original LIKE "Go-http-client*" OR
    user_agent.original LIKE "*Headless*" OR
    user_agent.original LIKE "Java/*" OR
    user_agent.original LIKE "okhttp*"

// Aggregate by session
| STATS
    Esql.session_start_count = SUM(CASE(Esql.is_session_start, 1, 0)),
    Esql.replay_event_count = SUM(CASE(Esql.is_replay_event, 1, 0)),
    Esql.session_start_time = MIN(CASE(Esql.is_session_start, @timestamp, null)),
    Esql.first_replay_time = MIN(CASE(Esql.is_replay_event, @timestamp, null)),
    Esql.last_replay_time = MAX(CASE(Esql.is_replay_event, @timestamp, null)),
    Esql.session_start_ip = MAX(CASE(Esql.is_session_start, okta.client.ip, null)),
    Esql.session_start_ua = MAX(CASE(Esql.is_session_start, user_agent.original, null)),
    Esql.suspicious_ua_count = SUM(CASE(Esql.is_suspicious_ua, 1, 0)),
    Esql.okta_client_ip_count_distinct = COUNT_DISTINCT(okta.client.ip),
    Esql.user_agent_count_distinct = COUNT_DISTINCT(user_agent.original),
    Esql.okta_client_ip_values = VALUES(okta.client.ip),
    Esql.user_agent_values = VALUES(user_agent.original),
    Esql.okta_event_type_values = VALUES(okta.event_type),
    Esql.okta_outcome_result_values = VALUES(okta.outcome.result),
    Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
    Esql.source_geo_city_name_values = VALUES(source.geo.city_name),
    Esql.okta_debug_context_debug_data_risk_level_values = VALUES(okta.debug_context.debug_data.risk_level),
    Esql.okta_debug_context_debug_data_risk_reasons_values = VALUES(okta.debug_context.debug_data.risk_reasons)
  BY okta.authentication_context.root_session_id, okta.actor.alternate_id

// Detection conditions
| WHERE
    Esql.session_start_count >= 1
    AND Esql.replay_event_count >= 1
    AND Esql.first_replay_time > Esql.session_start_time
    AND (
            (
                Esql.okta_client_ip_count_distinct > 1 OR Esql.user_agent_count_distinct > 1
            ) AND Esql.suspicious_ua_count > 0
        )

| SORT Esql.session_start_time DESC
| KEEP Esql.*, okta.authentication_context.root_session_id, okta.actor.alternate_id
Elastic EQL high T1078, T1078.004
Okta Alerts Following Unusual Proxy Authentication
Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.
sequence by user.name with maxspan=30m
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id == "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"]
    [any where event.dataset == "okta.system" and
        kibana.alert.rule.rule_id != null and
        kibana.alert.severity != "low" and
        kibana.alert.rule.rule_id not in (
            "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd",
            "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b"
        )
    ]
Elastic KQL high T1539
Okta Multiple OS Names Detected for a Single DT Hash
Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine.
data_stream.dataset: "okta.system"
    and not okta.debug_context.debug_data.dt_hash: "-"
    and user_agent.os.name: *
    and event.action: (
        "user.authentication.verify" or
        "user.authentication.auth_via_mfa"
    )
Okta Successful Login After Credential Attack
Correlates Okta credential attack alerts with subsequent successful authentication for the same user account, identifying potential compromise following brute force, password spray, or credential stuffing attempts.
FROM .alerts-security.*, logs-okta.system-* METADATA _id, _version, _index
// Filter for credential attack alerts OR successful Okta authentications
| WHERE
    (
        // Credential attack alerts from the five correlated rules
        kibana.alert.rule.rule_id IN (
            "94e734c0-2cda-11ef-84e1-f661ea17fbce",  // Credential Stuffing
            "42bf698b-4738-445b-8231-c834ddefd8a0",  // Password Spraying
            "23f18264-2d6d-11ef-9413-f661ea17fbce",  // DT Brute Force
            "5889760c-9858-4b4b-879c-e299df493295",  // Distributed Brute Force
            "2d3c27d5-d133-4152-8102-8d051619ec4a"   // Distributed Spray
        )
    )
    OR (
        // Successful Okta authentication events
        data_stream.dataset == "okta.system"
        AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
        AND okta.outcome.result == "SUCCESS"
        AND okta.actor.alternate_id IS NOT NULL
    )
// correlation - alerts may store user/IP in different fields than raw logs
| EVAL
    Esql.user = COALESCE(okta.actor.alternate_id, user.name, user.email),
    Esql.source_ip = COALESCE(okta.client.ip, client.ip, source.ip)
// Must have user identity to correlate
| WHERE Esql.user IS NOT NULL
// Classify events and capture timestamps/IPs by event type
| EVAL
    Esql.is_attack_alert = CASE(
        kibana.alert.rule.rule_id IN (
            "94e734c0-2cda-11ef-84e1-f661ea17fbce",
            "42bf698b-4738-445b-8231-c834ddefd8a0",
            "23f18264-2d6d-11ef-9413-f661ea17fbce",
            "5889760c-9858-4b4b-879c-e299df493295",
            "2d3c27d5-d133-4152-8102-8d051619ec4a"
        ), 1, 0
    ),
    Esql.is_success_login = CASE(
        data_stream.dataset == "okta.system"
        AND okta.outcome.result == "SUCCESS", 1, 0
    ),
    Esql.attack_ip = CASE(
        kibana.alert.rule.rule_id IN (
            "94e734c0-2cda-11ef-84e1-f661ea17fbce",
            "42bf698b-4738-445b-8231-c834ddefd8a0",
            "23f18264-2d6d-11ef-9413-f661ea17fbce",
            "5889760c-9858-4b4b-879c-e299df493295",
            "2d3c27d5-d133-4152-8102-8d051619ec4a"
        ), Esql.source_ip, null
    ),
    Esql.login_ip = CASE(
        data_stream.dataset == "okta.system"
        AND okta.outcome.result == "SUCCESS", Esql.source_ip, null
    ),
    Esql.attack_ts = CASE(
        kibana.alert.rule.rule_id IN (
            "94e734c0-2cda-11ef-84e1-f661ea17fbce",
            "42bf698b-4738-445b-8231-c834ddefd8a0",
            "23f18264-2d6d-11ef-9413-f661ea17fbce",
            "5889760c-9858-4b4b-879c-e299df493295",
            "2d3c27d5-d133-4152-8102-8d051619ec4a"
        ), @timestamp, null
    ),
    Esql.login_ts = CASE(
        data_stream.dataset == "okta.system"
        AND okta.outcome.result == "SUCCESS", @timestamp, null
    )
// Aggregate by user (catches IP rotation: spray from IP A, login from IP B)
| STATS
    Esql.attack_count = SUM(Esql.is_attack_alert),
    Esql.login_count = SUM(Esql.is_success_login),
    Esql.earliest_attack = MIN(Esql.attack_ts),
    Esql.latest_attack = MAX(Esql.attack_ts),
    Esql.earliest_login = MIN(Esql.login_ts),
    Esql.latest_login = MAX(Esql.login_ts),
    Esql.attack_source_ips = VALUES(Esql.attack_ip),
    Esql.login_source_ips = VALUES(Esql.login_ip),
    Esql.all_source_ips = VALUES(Esql.source_ip),
    Esql.alert_rule_ids = VALUES(kibana.alert.rule.rule_id),
    Esql.alert_rule_names = VALUES(kibana.alert.rule.name),
    Esql.event_action_values = VALUES(event.action),
    Esql.geo_country_values = VALUES(client.geo.country_name),
    Esql.geo_city_values = VALUES(client.geo.city_name),
    Esql.source_asn_values = VALUES(source.as.number),
    Esql.source_asn_org_values = VALUES(source.as.organization.name),
    Esql.user_agent_values = VALUES(okta.client.user_agent.raw_user_agent),
    Esql.device_values = VALUES(okta.client.device),
    Esql.is_proxy_values = VALUES(okta.security_context.is_proxy)
  BY Esql.user
// Calculate time gap between latest attack and earliest subsequent login
| EVAL Esql.attack_to_login_minutes = DATE_DIFF("minute", Esql.latest_attack, Esql.earliest_login)
// Correlation: attack BEFORE login + success within reasonable window (3 hours)
| WHERE
    Esql.attack_count > 0
    AND Esql.login_count > 0
    AND Esql.latest_attack < Esql.earliest_login
    AND Esql.attack_to_login_minutes <= 180
| SORT Esql.login_count DESC
| KEEP Esql.*
Elastic KQL high T1078, T1078.004
Okta User Session Impersonation
A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.
data_stream.dataset:okta.system and event.action:user.session.impersonation.initiate
Outlook Home Page Registry Modification
Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
    registry.path : (
        "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*",
        "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*"
    ) and registry.data.strings : ("*://*", "*:\\*", "\\\\*\\*")
Elastic EQL high T1115
Pbpaste Execution via Unusual Parent Process
Detects when an unusual parent process like Node.js, Python, or osascript executes the pbpaste binary to access clipboard data. This technique has been used by malware like OtterCookie to steal passwords and seed phrases from the clipboard.
process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
  process.name == "pbpaste" and process.args_count == 1 and
  (process.parent.name in ("node", "osascript") or process.parent.name like "python*") and
  not process.parent.executable like "/Users/*/.pyenv/versions/*/bin/python3*"
Elastic KQL high T1134, T1134.001
Permission Theft - Detected - Elastic Endgame
Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
Persistence via Hidden Run Key Detected
Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
Show query
registry where host.os.type == "windows" and event.type == "change" and length(registry.data.strings) > 0 and
  
  /* Registry Path ends with backslash */
  registry.path : "*\\Run\\" and
  registry.path : (
    "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"
  )
Elastic EQL high T1137, T1137.006 ↗
Persistence via Microsoft Office AddIns
Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.
Show query
file where host.os.type == "windows" and event.type != "deletion" and
 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
 file.path : (
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",

    /* Crowdstrike specific condition as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
 ) and
 not (file.name : "~$*" and process.name : "excel.exe" and ?file.size in (0, 165))
Persistence via Suspicious Launch Agent or Launch Daemon
Identifies the creation of a launch agent or daemon property list file containing abnormal or suspicious values. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. This rule looks for plist files created in LaunchAgents/LaunchDaemons directories with paths commonly used by malware.
Show query
file where host.os.type == "macos" and event.type != "deletion" and
  file.extension == "plist" and
  file.path like ("/Library/LaunchAgents/*", "/Library/LaunchDaemons/*", 
                  "/Users/*/Library/LaunchAgents/*", "/System/Library/LaunchAgents/*",
                  "/System/Library/LaunchDaemons/*") and
  (process.executable like ("/private/tmp/*", "/private/var/root/Library/*", "/var/tmp/*", 
                            "/tmp/*", "/var/folders/*", "/Users/Shared/*", "/var/root/*",
                            "/Library/WebServer/*", "/Library/Graphics/*", "/Library/Fonts/*") or
   process.name like~ ("python*", "osascript", "bash", "zsh", "sh", "curl", "nscurl", "wget", "java")) and
  not process.executable like ("/System/*", "/Library/PrivilegedHelperTools/*") and
  not (process.code_signature.signing_id in ("com.apple.vim", "com.apple.cat", "com.apple.cfprefsd",
                                            "com.jetbrains.toolbox", "com.apple.pico", "com.apple.shove",
                                            "com.sublimetext.4", "com.apple.ditto") and process.code_signature.trusted == true)
Elastic EQL high T1053, T1053.005, T1574 ↗
Persistence via TelemetryController Scheduled Task Hijack
Detects the successful hijack of the Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of SYSTEM.
Show query
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
  not process.name : ("conhost.exe",
                      "DeviceCensus.exe",
                      "CompatTelRunner.exe",
                      "DismHost.exe",
                      "rundll32.exe",
                      "powershell.exe")
Persistence via Update Orchestrator Service Hijack
Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.
Show query
process where host.os.type == "windows" and event.type == "start" and
  process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
  process.parent.args : "UsoSvc" and
  not process.executable :
          ("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe",
          "?:\\Windows\\System32\\UsoClient.exe",
          "?:\\Windows\\System32\\MusNotification.exe",
          "?:\\Windows\\System32\\MusNotificationUx.exe",
          "?:\\Windows\\System32\\MusNotifyIcon.exe",
          "?:\\Windows\\System32\\WerFault.exe",
          "?:\\Windows\\System32\\WerMgr.exe",
          "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
          "?:\\Windows\\System32\\MoUsoCoreWorker.exe",
          "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
          "?:\\Windows\\System32\\UsoCoreWorker.exe",
          "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and
  not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")
Persistence via WMI Standard Registry Provider
Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.
Show query
registry where host.os.type == "windows" and event.type == "change" and
 registry.data.strings != null and process.name : "WmiPrvSe.exe" and
 registry.path : (
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                  "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
                  "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
                  "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
                  "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
                  "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
                  "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
                  "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
                  "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
                  "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
                  "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                  "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
                  "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
                  "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
                  "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
                  "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
                  "\\REGISTRY\\USER\\*\\Environment\\UserInitMprLogonScript",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
                  "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script"
                  )
Persistence via a Hidden Plist Filename
Identifies the creation of a hidden launch agent or daemon property list file. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. Hidden plist files with filenames starting with a dot are particularly suspicious.
Show query
file where host.os.type == "macos" and event.type != "deletion" and
  file.path like~ (
    "/System/Library/LaunchAgents/.*.plist",
    "/Library/LaunchAgents/.*.plist",
    "/Users/*/Library/LaunchAgents/.*.plist",
    "/System/Library/LaunchDaemons/.*.plist",
    "/Library/LaunchDaemons/.*.plist"
  ) and
  not (file.name like ".chef-com*.plist" and process.executable like "/opt/chef/embedded/bin/ruby") and
  not (process.executable in ("/usr/bin/sed", "/bin/bash") and file.name like ".!*!*.plist")
Possible FIN7 DGA Command and Control Behavior
This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.
Show query
(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
    (event.category: (network OR network_traffic) AND network.protocol: (tls OR http) AND network.transport: tcp)) AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
Elastic EQL high T1557 ↗
Potential ADIDNS Poisoning via Wildcard Record Creation
Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic for names that do not explicitly match records in the zone, positioning themselves as an adversary-in-the-middle and enabling credential interception or relay through ADIDNS manipulation similar in outcome to LLMNR/NBNS spoofing.
Show query
any where host.os.type == "windows" and event.code == "5137" and
    startsWith(winlog.event_data.ObjectDN, "DC=*,")
Elastic EQL high T1068, T1574, T1574.006 ↗
Potential CVE-2025-32463 Nsswitch File Creation
Detects suspicious creation of the nsswitch.conf file, outside of the regular /etc/nsswitch.conf path, consistent with attempts to exploit CVE-2025-32463 (the "sudo chroot" privilege escalation), where an attacker tricks sudo into using attacker-controlled NSS files or libraries to gain root.
Show query
file where host.os.type == "linux" and event.type == "creation" and file.path like "/*/etc/nsswitch.conf" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not file.path like (
  "/var/tmp/mkinitramfs_*", "/tmp/tmp.*/mkinitramfs_*", "/var/tmp/dracut.*", "/tmp/user/0/mkinitramfs_*",
  "/var/lib/aws-replication-agent/.tmp/mkinitramfs_*"
)
Elastic EQL high T1068, T1548, T1548.003 ↗
Potential CVE-2025-32463 Sudo Chroot Execution Attempt
Detects suspicious use of sudo's --chroot / -R option consistent with attempts to exploit CVE-2025-32463 (the "sudo chroot" privilege escalation), where an attacker tricks sudo into using attacker-controlled NSS files or libraries to gain root.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started", "ProcessRollup2") and
process.name == "sudo" and process.args like ("-R", "--chroot*") and
// To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths
process.command_line like ("*sudo -R*", "*sudo --chroot*") 
Potential CVE-2025-33053 Exploitation
Identifies Internet Explorer Diagnostics (iediagcmd.exe) launching one of its helper executables from a non-System32 path, which may indicate CVE-2025-33053 exploitation.
Show query
process where host.os.type == "windows" and event.type == "start" and
  process.parent.executable : "C:\\Program Files\\Internet Explorer\\iediagcmd.exe" and
  process.name : ("route.exe", "netsh.exe", "ipconfig.exe", "dxdiag.exe", "conhost.exe", "makecab.exe") and
  process.executable != null and
  not process.executable : ("C:\\Windows\\System32\\route.exe",
                            "C:\\Windows\\System32\\netsh.exe",
                            "C:\\Windows\\System32\\ipconfig.exe",
                            "C:\\Windows\\System32\\dxdiag.exe",
                            "C:\\Windows\\System32\\conhost.exe",
                            "C:\\Windows\\System32\\makecab.exe")
Elastic EQL high T1611 ↗
Potential Chroot Container Escape via Mount
Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host and leveraging chroot to escape its containerized environment. This behavior pattern is very uncommon and should be investigated.
Show query
sequence by host.id, process.parent.entity_id with maxspan=5m
  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and
   process.name == "mount" and process.args : "/dev/sd*" and process.args_count >= 3 and
   process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and
   process.name == "chroot"]
Potential Command Shell via NetCat
Identifies a potential reverse shell in which the netcat utility is used to execute Windows commands through the default interpreters, cmd.exe and PowerShell.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.name : ("cmd.exe", "powershell.exe") and process.parent.args : "-e" and
 (
  (process.parent.args_count == 5 and process.parent.command_line regex~ """.*[0-9]{1,3}(\.[0-9]{1,3}){3}.*""") or
  (process.parent.args : "-*l*" and process.parent.args : "-*p*" and process.parent.args : ("cmd.exe", "powershell.exe"))
  )
Elastic EQL high T1068, T1548, T1548.001 ↗
Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket
Correlates a burst of non-root AF_ALG-class "socket", "splice", or "bound-socket" telemetry with a subsequent process execution where the effective user is root but the login user remains non-root. This sequence matches common post-exploitation chains for Copy Fail (CVE-2026-31431) style abuse, where AF_ALG and "splice" primitives precede executing a corrupted setuid binary from the page cache.
Show query
sequence with maxspan=60s
  [any where host.os.type == "linux" and    
   (
    (event.category == "process" and auditd.data.syscall == "socket" and auditd.data.a0 == "26") or 
    (event.category == "process" and auditd.data.syscall == "splice") or 
    (event.category == "network" and event.action == "bound-socket" and data_stream.dataset == "auditd_manager.auditd" and ?auditd.data.socket.family == "38") 
    )  
   and user.id != "0"]  by process.pid, host.id, user.id with runs=10
  [process where host.os.type == "linux"  and event.action == "executed" and 
   (
     (user.effective.id == "0" and user.id != "0") or 
     (process.name in ("bash", "sh", "zsh", "dash", "fish", "ksh", "busybox") and 
      process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh"))
    )] by process.parent.pid, host.id, user.id
Elastic EQL high T1003, T1003.001, T1106 ↗
Potential Credential Access via LSASS Memory Dump
Identifies suspicious access to an LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
Show query
process where host.os.type == "windows" and event.code == "10" and
  winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and

  /* dbgcore.dll hosts MiniDumpWriteDump on modern Windows; dbghelp-only traces are non-dump usage */
  winlog.event_data.CallTrace : "*dbgcore*" and

  /* crash handlers */
  not process.executable : (
        "?:\\Windows\\System32\\WerFault.exe",
        "?:\\Windows\\SysWOW64\\WerFault.exe",
        "?:\\Windows\\System32\\WerFaultSecure.exe"
      )
Potential Credential Access via Renamed COM+ Services DLL
Identifies a suspicious image load of a renamed COMSVCS.DLL, which exports the MiniDump function that can be used to dump a process's memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
Show query
sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe"]
 [process where host.os.type == "windows" and event.code == "7" and
   (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
   /* renamed COMSVCS */
   not file.name : "COMSVCS.DLL"]
Potential Credential Access via Trusted Developer Utility
An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.
Show query
sequence by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
 [library where host.os.type == "windows" and dll.name : ("vaultcli.dll", "SAMLib.DLL")]
Potential Credential Access via Windows Utilities
Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.
Show query
process where host.os.type == "windows" and event.type == "start" and
(
  (
    (?process.pe.original_file_name : "procdump" or process.name : "procdump.exe") and process.args : "-ma"
  ) or
  (
    /* trailing whitespace removed from the path regexes; a regex ending in ".* " would never match a real executable path, so the exclusions would silently fail */
    process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*"""  ) or
  (
    (?process.pe.original_file_name : "WriteMiniDump.exe" or process.name : "WriteMiniDump.exe") and
      not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*"""  ) or
  (
    (?process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and
      (process.args : "*MiniDump*" or process.command_line : "*comsvcs*#*24*")
  ) or
  (
    (?process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and
      process.args : "/fullmemdmp"
  ) or
  (
    (?process.pe.original_file_name : "SqlDumper.exe" or process.name : "SqlDumper.exe") and
      process.args : "0x01100*") or
  (
    (?process.pe.original_file_name : "TTTracer.exe" or process.name : "TTTracer.exe") and
      process.args : "-dumpFull" and process.args : "-attach") or
  (
    (?process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and
      process.args : "cr*fu*") or
  (
    (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s")
)
Elastic ESQL high T1552, T1552.001, T1083 ↗
Potential Credential Discovery via Recursive Grep
Identifies recursive grep activity on Linux or macOS where the command line suggests hunting for secrets, credentials, keys, tokens, or sensitive paths (for example .env, .git, .aws). Events are aggregated per host, user, parent process, and one-minute window; the rule surfaces activity only when at least three distinct grep command lines match in the same bucket, to reduce noise from one-off searches.
Show query
from logs-endpoint.events.process-* metadata _id, _version, _index
| where host.os.type in ("linux", "macos")
  and event.category == "process"
  and process.name in ("grep", "egrep")
  and (to_lower(process.command_line) like "* -r*" or to_lower(process.command_line) like "*--recursive*")
  and (
    process.command_line like "*password*"
    or process.command_line like "*passwd*"
    or process.command_line like "*pwd*"
    or process.command_line like "*secret*"
    or process.command_line like "*token*"
    or process.command_line like "*apikey*"
    or process.command_line like "*api_key*"
    or process.command_line like "*api.key*"
    or process.command_line like "*access_key*"
    or process.command_line like "*private_key*"
    or process.command_line like "*client_secret*"
    or process.command_line like "*credential*"
    or process.command_line like "*auth*"
    or process.command_line like "*bearer*"
    or process.command_line like "*BEGIN*PRIVATE*KEY*"
    or process.command_line like "*ssh-rsa*"
    or process.command_line like "*ghp_*"
    or process.command_line like "*github_pat*"
    or process.command_line like "*xoxb-*"
    or process.command_line like "*hooks.slack.com*"
    or process.command_line like "*discord.com/api/webhooks*"
    or process.command_line like "*/.aws/*"
    or process.command_line like "*/.git/*"
    or process.command_line like "*/.env*"
  )
  and (process.parent.command_line is null or not (to_lower(process.parent.command_line) like "*shell-snapshots*" and process.parent.name in ("bash", "sh", "zsh")))
| eval Esql.time_bucket = date_trunc(1 minute, @timestamp)
| stats Esql.unique_cmd = count_distinct(process.command_line),
        Esql.cmd_values = values(process.command_line),
        Esql.pcmd_values = values(process.parent.command_line)
  by process.name, host.id, host.name, agent.id, process.parent.name, user.name, Esql.time_bucket
| where Esql.unique_cmd >= 3
| keep host.id, host.name, agent.id, user.name, process.parent.name, Esql.*
Elastic EQL high T1211 ↗
Potential Defense Evasion via PRoot
Identifies the execution of the PRoot utility, an open-source tool providing a user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage PRoot to expand the scope of their operations to multiple Linux distributions and simplify the effort required. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution; PRoot provides an attacker with a consistent operational environment across distributions such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow malware built for other architectures, such as ARM, to be run. The post-exploitation technique called bring your own filesystem (BYOF) can be used by threat actors to execute a malicious payload, elevate privileges, perform network scans, or orchestrate another attack on the environment. Although PRoot was not originally developed with malicious intent, it can easily be tuned for it.
Show query
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.parent.name == "proot"
Potential Direct Kubelet Access via Process Arguments
Detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255). Adversaries may probe or access Kubelet endpoints to enumerate pods, fetch logs, or attempt remote execution, which can enable discovery and lateral movement in Kubernetes environments.
Show query
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  /* direct utility execution */
  process.name like ("curl", "wget", "python*", "perl*", "php*", "node*", "java", "ruby*", "lua*", ".*") or
  
  process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
) and
process.args like ("http*:10250/*", "http*:10255/*", "wss:*:10250/*", "wss:*:10255/*")
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers
This rule detects potential direct Kubelet access via process arguments. An adversary may access the Kubelet API to reach the Kubernetes API server or other resources within the cluster. Such requests are often used to enumerate or execute commands on those resources and may indicate an attempt to move laterally within the cluster.
Show query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.args like ("http*:10250*", "http*:10255*", "wss:*:10250*", "wss:*:10255*") and container.id like "?*"
Elastic EQL high T1562, T1562.001 ↗
Potential Disabling of AppArmor
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
  (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask") and process.args in ("apparmor", "apparmor.service")) or
  (process.name == "service" and process.args == "apparmor" and process.args == "stop") or
  (process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or
  (process.name == "update-rc.d" and process.args == "apparmor" and process.args in ("remove", "disable")) or
  (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
) and
not ?process.parent.executable == "/opt/puppetlabs/puppet/bin/ruby"
Elastic EQL high T1562, T1562.001 ↗
Potential Disabling of SELinux
Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "setenforce" and process.args == "0"
Elastic EQL high T1068, T1218, T1218.007 ↗
Potential Escalation via Vulnerable MSI Repair
Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
Show query
process where event.type == "start" and host.os.type == "windows" and
 user.domain : ("NT AUTHORITY", "AUTORITE NT", "AUTORIDADE NT") and
 process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe",
                        "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", "tor.exe", "safari.exe") and
 process.parent.command_line : "*go.microsoft.com*"
Potential Etherhiding C2 via Blockchain Connection
Detects when a scripting interpreter makes an outbound network connection to an Ethereum blockchain endpoint for command and control purposes. Adversaries may leverage Ethereum blockchain infrastructure as a covert C2 channel to receive commands and exfiltrate data, as observed in campaigns like SleepyDuck malware.
Show query
sequence by process.entity_id with maxspan=15s
  [network where host.os.type == "macos" and event.type == "start" and
    (process.name in ("bash", "sh", "zsh", "osascript", "node", "Cursor") or
    process.name like ("python*", "ruby*", "perl*", "tclsh*")) and
    destination.domain like ("eth-mainnet*", "ethereum*", "eth.*.com")]
  [file where host.os.type == "macos" and event.action == "modification" and file.extension in ("js", "py", "sh")]
Potential Execution via FileFix Phishing Attack
Identifies the execution of Windows commands or downloaded files via the browser's dialog box. Adversaries may use phishing to instruct the victim to copy and paste malicious commands for execution via crafted phishing web pages.
Show query
process where host.os.type == "windows" and event.type == "start" and
 process.parent.args == "--message-loop-type-ui" and process.parent.args == "--service-sandbox-type=none" and
 (
  process.name : ("pwsh.exe", "powershell.exe", "curl.exe", "msiexec.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "certreq.exe") or
  process.executable : "?:\\Users\\*\\Downloads\\*"
  ) and
not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile", "shwebsvc.dll,AddNetPlaceRunDll"))
Showing 201-250 of 4,399