Deployable detection rules
4,399 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Elastic · EQL · high · ATT&CK: T1059, T1059.001, T1059.003, T1204, T1204.004, T1218, T1218.005, T1189, T1566, T1566.001
Potential Fake CAPTCHA Phishing Attack
Identifies potential fake CAPTCHA phishing attacks based on PowerShell, Cmd, or Mshta command-line values. Adversaries employ this
technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page
loading error requiring a fix to display the page. The victim is instructed to copy and paste a malicious command to
the Windows Run dialog box.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.name : ("powershell.exe", "cmd.exe", "mshta.exe") and process.parent.name : "explorer.exe" and
process.command_line : ("*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*", "*Verification Code*", "*Verification UID*",
"*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
"*Cloudflare ID*")
Potential File Download via a Headless Browser
Identifies headless browser execution from a suspicious parent process with arguments consistent with scripted retrieval. Adversaries use browsers because they are trusted, signed binaries that proxy and application-control policies allow through, bypassing restrictions on direct download tools.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and
process.args : "--headless*" and
process.args : ("--dump-dom", "*http*", "data:text/html;base64,*") and
process.parent.name :
("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe", "msiexec.exe",
"explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe",
"pcalua.exe", "wmiprvse.exe") and
not process.executable : (
"?:\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe",
"\\Device\\HarddiskVolume*\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe"
)
Potential Foxmail Exploitation
Identifies the Foxmail client spawning a child process with arguments pointing to user-profile AppData paths or remote
shares. This may indicate exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
Potential Git CVE-2025-48384 Exploitation
This rule detects potential exploitation of CVE-2025-48384 via Git. In affected versions, Git strips a trailing carriage
return when reading configuration values but does not quote one when writing them, so a submodule path that ends in a CR
is read back altered and the submodule is checked out to an unexpected location. A malicious repository can use this to
place an executable hook that runs during `git clone --recursive`, giving arbitrary code execution on the cloning host.
Show query
sequence by host.id with maxspan=1m
[process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
process.name == "git" and process.args == "clone" and process.args == "--recursive" and process.args like~ "http*"] by process.entity_id
[process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
process.name in (
"dash", "sh", "static-sh", "bash", "bash-static", "zsh", "ash", "csh", "ksh", "tcsh", "busybox", "fish", "ksh93", "rksh",
"rksh93", "lksh", "mksh", "mksh-static", "csharp", "posh", "rc", "sash", "yash", "zsh5", "zsh5-static"
)] by process.parent.entity_id
Potential Hidden Process via Mount Hidepid
Identifies execution of the mount command with the hidepid option, which hides processes from other users on the
system. On Linux kernel 3.2+ (RHEL/CentOS 6.5+), remounting /proc with hidepid=2 means only root can see all
processes; every other user sees only their own. Adversaries can use this as a defense evasion mechanism to hide their
processes from ps, top, pgrep and similar tools. Because enabling the hardening only requires remounting /proc with the
option, the remount itself can be monitored and detected.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started") and
process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and
not process.parent.command_line like "/opt/cloudlinux/*"
Potential JAVA/JNDI Exploitation Attempt
Identifies an outbound network connection by a Java process to LDAP, RMI or DNS standard ports, followed by a suspicious
Java child process. This may indicate an attempt to exploit a JNDI (Java Naming and Directory Interface) injection
vulnerability.
Show query
sequence by host.id with maxspan=1m
[network where event.action == "connection_attempted" and
process.name : "java" and
/*
outbound connection attempt to
LDAP, RMI or DNS standard ports
by JAVA process
*/
destination.port in (1389, 389, 1099, 53, 5353)] by process.pid
[process where event.type == "start" and
/* Suspicious JAVA child process */
process.parent.name : "java" and
process.name : ("sh",
"bash",
"dash",
"ksh",
"tcsh",
"zsh",
"curl",
"perl*",
"python*",
"ruby*",
"php*",
"wget") and
not process.command_line like~ (
"bash -c ulimit -u",
"bash /opt/flutter/bin/flutter*",
"bash -c echo $$",
"/bin/bash /opt/python3/bin/jira*",
"/bin/sh -c env LC_ALL=C /usr/sbin/lpc status*"
)] by process.parent.pid
Potential Kerberos Attack via Bifrost
Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or
attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.
Show query
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.args like~ "-action" and
(
process.args like~ ("-kerberoast", "askhash", "asktgs", "asktgt", "s4u") or
(process.args like~ "-ticket" and process.args like~ "ptt") or
(process.args like~ "dump" and process.args in~ ("tickets", "keytab"))
)
Potential Kerberos Coercion via DNS-Based SPN Spoofing
Identifies directory-service access or creation events involving a MicrosoftDNS record that contains a base64-encoded
blob matching the pattern "UWhRCA...BAAAA". This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION
structure associated with DNS-based SPN spoofing used in Kerberos coercion tradecraft. Adversaries may abuse such
records to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for
legitimate services.
Show query
host.os.type:"windows" and ( (event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or (event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*) )
Potential Kerberos Relay Attack against a Computer Account
Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target
server's computer account, originating from a different host. This may indicate that an attacker has captured and
relayed Kerberos authentication material for the server's computer account to execute code on behalf of the
compromised system.
Show query
sequence by winlog.computer_name, source.ip with maxspan=5s
/* Filter for an event that indicates coercion against known abused named pipes using an account that is not the host */
[file where host.os.type == "windows" and event.code : "5145" and
not startswith~(winlog.computer_name, substring(user.name, 0, -1)) and
file.name : (
"Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc",
"eventlog", "winreg", "srvsvc", "dnsserver", "dhcpserver", "WinsPipe"
)]
/* Detects a logon attempt using the Kerberos protocol resulting from the coercion coming from the same IP address */
[authentication where host.os.type == "windows" and event.code in ("4624", "4625") and
endswith~(user.name, "$") and winlog.logon.type : "network" and
winlog.event_data.AuthenticationPackageName : "Kerberos" and
/* Filter for a machine account that matches the hostname */
startswith~(winlog.computer_name, substring(user.name, 0, -1)) and
/* Verify if the Source IP belongs to the host */
not endswith(string(source.ip), string(host.ip)) and
source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"]
Potential Kerberos SPN Spoofing via Suspicious DNS Query
Identifies queries for a DNS name containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern
corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is
associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse such names to coerce
victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate
services (often the victim's own identity). Depending on the coerced service and negotiated authentication, this can
support Kerberos relay or NTLM reflection/relay paths without relying on normal NTLM fallback behavior.
Show query
network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*"
Potential LSASS Clone Creation via PssCaptureSnapShot
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Show query
process where host.os.type == "windows" and event.code:"4688" and process.executable : "?:\\Windows\\System32\\lsass.exe" and process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
Potential LSASS Memory Dump via PssCaptureSnapShot
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
detection and dump LSASS memory for credential access.
Show query
event.category:process and host.os.type:windows and event.code:10 and
winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
"c:\\Windows\\system32\\lsass.exe" or
"c:\\Windows\\System32\\lsass.exe")
Potential Linux Backdoor User Account Creation
Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to
0 to establish persistence on a system.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "usermod" and process.args in ("-u", "--uid") and process.args == "0" and
process.args in ("-o", "--non-unique")
Potential Linux Credential Dumping via Proc Filesystem
Identifies the execution of the mimipenguin exploit script, a Linux adaptation of the Windows tool mimikatz. Mimipenguin
is used to dump clear-text passwords of currently logged-in users. The tool exploits a known vulnerability,
CVE-2018-20781. Malicious actors can recover cleartext credentials held in memory by dumping the process and extracting
lines that have a high probability of containing passwords.
Show query
sequence by host.id, process.parent.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action in ("exec", "start", "exec_event")
and process.args in ("-eo", "pid", "command")]
[process where host.os.type == "linux" and process.name == "strings" and event.action in ("exec", "start", "exec_event")
and process.args : "/tmp/*"]
Potential Linux Credential Dumping via Unshadow
Identifies the execution of the unshadow utility, which is part of John the Ripper, a password-cracking tool, on the
host machine. Malicious actors can use the utility to combine the contents of '/etc/shadow' and '/etc/passwd' into a
single file. The combined file can then be fed to password-cracking utilities or retained for future operations as
gathered credential information about the victim.
Show query
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name == "unshadow" and process.args_count >= 3
Potential Local NTLM Relay via HTTP
Identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths such as
Print Spooler or SRVSVC. Adversaries can combine this primitive with relay tooling to elevate privileges.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.name : "rundll32.exe" and
/* Rundll32 WebDAV Client */
process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
/* Access to named pipe via http */
process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
Potential Machine Account Relay Attack via SMB
Identifies potential relay attacks against a machine account by identifying network share access events coming from a
remote source.ip but using the target server computer account. This may indicate an SMB relay attack.
Show query
file where host.os.type == "windows" and event.code == "5145" and endswith(user.name, "$") and
/* compare computername with user.name and make sure they match (dot-boundary prevents prefix-only matches) */
startswith~(concat(winlog.computer_name, "."), concat(substring(user.name, 0, -1), ".")) and
/* exclude local access */
not endswith(string(source.ip), string(host.ip)) and
source.ip != "::" and source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
Potential Malicious PowerShell Based on Alert Correlation
Identifies PowerShell script blocks linked to multiple distinct PowerShell detections via the same ScriptBlock ID,
indicating compound suspicious behavior. Attackers often chain obfuscation, decoding, and execution within a single
script block.
Show query
from .alerts-security.* metadata _id
// Filter for PowerShell related alerts
| where kibana.alert.rule.name like "*PowerShell*"
// as alerts don't have non-ECS fields, parse the script block ID using grok
| grok message "ScriptBlock ID: (?<Esql.script_block_id>.+)"
| where Esql.script_block_id is not null
// keep relevant fields for further processing
| keep kibana.alert.rule.name, Esql.script_block_id, _id, user.id, process.pid, host.id
// count distinct alerts and filter for matches above the threshold
| stats
Esql.kibana_alert_rule_name_count_distinct = count_distinct(kibana.alert.rule.name),
Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
Esql._id_values = values(_id),
Esql.user_id_values = values(user.id),
Esql.process_pid_values = values(process.pid),
Esql.host_id_values = values(host.id)
by Esql.script_block_id
// Apply detection threshold
| where Esql.kibana_alert_rule_name_count_distinct >= 5
| eval user.id = MV_MIN(Esql.user_id_values),
process.pid = MV_MIN(Esql.process_pid_values),
host.id = MV_MIN(Esql.host_id_values)
| keep host.id, user.id, process.pid, Esql.*
Potential Masquerading as Svchost
Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with
normal system activity.
Show query
FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-* metadata _id, _version, _index
| where event.category == "process" and event.type == "start" and
match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
not to_lower(process.executable) in ("c:\\windows\\syswow64\\svchost.exe", "c:\\windows\\system32\\svchost.exe") and
not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\system32\\svchost.exe""" and
not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\syswow64\\svchost.exe"""
| keep *
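As an added example (not Elastic's rule code), the following Python reproduces the fuzzy-match logic of the rule above over a handful of constructed process-start events. It assumes, as Elasticsearch does by default for fuzzy matching, that a transposition of two adjacent characters counts as a single edit, and it approximates the ES|QL `like` patterns for `\Device\HarddiskVolumeN` paths with prefix/suffix checks. The point it makes explicit: fuzziness 1 catches `svch0st.exe` and `scvhost.exe`, but a two-edit look-alike such as `svcshot.exe` slips through, and an exact `svchost.exe` is still flagged when it runs from a non-system path.

```python
"""svchost.exe look-alike check (added example, not Elastic's rule code).

Mirrors the ES|QL rule above: match process.name against "svchost.exe" with an
edit distance of at most one, then drop the two legitimate install paths.
Elasticsearch fuzziness counts an adjacent-character transposition as one edit
(its default), so the distance below is the restricted Damerau-Levenshtein
distance.  The `like` patterns for \\Device\\HarddiskVolumeN paths are
approximated with prefix/suffix checks.  Sample events are constructed.
"""

TARGET = "svchost.exe"
LEGIT_EXECUTABLES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
LEGIT_DEVICE_SUFFIXES = (r"\windows\system32\svchost.exe", r"\windows\syswow64\svchost.exe")


def edit_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance (insert, delete, substitute, swap adjacent = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def is_legit_path(executable: str) -> bool:
    """The two install locations the rule excludes, in drive-letter or \\Device\\ form."""
    exe = executable.lower()
    if exe in LEGIT_EXECUTABLES:
        return True
    return exe.startswith(r"\device\harddiskvolume") and exe.endswith(LEGIT_DEVICE_SUFFIXES)


def is_svchost_masquerade(ev: dict, fuzziness: int = 1) -> bool:
    """process start + name within `fuzziness` edits of svchost.exe + not a legitimate path."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    name = ev.get("process.name", "").lower()
    if edit_distance(name, TARGET) > fuzziness:
        return False
    return not is_legit_path(ev.get("process.executable", ""))


def find_masquerades(events):
    return [ev["process.name"] for ev in events if is_svchost_masquerade(ev)]


def _start(name, executable):
    return {"event.category": "process", "event.type": "start",
            "process.name": name, "process.executable": executable}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _start("svchost.exe", r"C:\Windows\System32\svchost.exe"),                      # legitimate
    _start("svchost.exe", r"\Device\HarddiskVolume3\Windows\SysWOW64\svchost.exe"),  # legitimate, device path
    _start("svchost.exe", r"C:\Users\Public\svchost.exe"),                           # right name, wrong path
    _start("svch0st.exe", r"C:\Windows\Temp\svch0st.exe"),                           # one substitution
    _start("scvhost.exe", r"C:\ProgramData\scvhost.exe"),                            # one transposition
    _start("svcshot.exe", r"C:\ProgramData\svcshot.exe"),                            # two edits: not caught
    {**_start("svch0st.exe", r"C:\Windows\Temp\svch0st.exe"), "event.type": "end"},  # not a process start
]

if __name__ == "__main__":
    print(find_masquerades(SAMPLE_EVENTS))  # ['svchost.exe', 'svch0st.exe', 'scvhost.exe']
```

The two-edit miss is the practical caveat: fuzziness 1 is deliberately narrow to keep the rule quiet, so names such as `svcshot.exe` or `svchost32.exe` need their own rule or a higher fuzziness with an allowlist review.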
Potential Meterpreter Reverse Shell
This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting
this pattern is indicative of a successful meterpreter shell connection.
Show query
sample by host.id, process.pid, user.id
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"]
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/passwd"]
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/route"]
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/ipv6_route"]
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"]
Potential Microsoft Office Sandbox Evasion
Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office
applications on macOS are allowed to write files that start with special characters, which can be combined with an
AutoStart location to achieve sandbox evasion.
Show query
file where host.os.type == "macos" and event.action in ("modification", "rename") and file.name like~ "~$*.zip"
Potential Modification of Accessibility Binaries
Windows contains accessibility features that may be launched with a key combination before a user has logged in. An
adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the
system.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and
process.pe.original_file_name : "?*" and
process.args :
(
"C:\\Windows\\System32\\osk.exe",
"C:\\Windows\\System32\\Magnify.exe",
"C:\\Windows\\System32\\Narrator.exe",
"C:\\Windows\\System32\\Sethc.exe",
"utilman.exe",
"ATBroker.exe",
"DisplaySwitch.exe",
"sethc.exe"
)
and not process.pe.original_file_name in
(
"osk.exe",
"sethc.exe",
"utilman2.exe",
"DisplaySwitch.exe",
"atbroker.exe",
"ATBroker.exe",
"ScreenMagnifier.exe",
"SR.exe",
"Narrator.exe",
"magnify.exe",
"MAGNIFY.EXE"
)
Potential NTLM Relay Attack against a Computer Account
Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target
server's computer account, originating from a different host. This may indicate that an attacker has captured and
relayed the server's computer account hash to execute code on behalf of the compromised system.
Show query
sequence by winlog.computer_name, source.ip with maxspan=5s
/* Filter for an event that indicates coercion against known abused named pipes using an account that is not the host */
[file where host.os.type == "windows" and event.code : "5145" and
not startswith~(winlog.computer_name, substring(user.name, 0, -1)) and
file.name : (
"Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc",
"eventlog", "winreg", "srvsvc", "dnsserver", "dhcpserver", "WinsPipe"
)]
/* Detects a logon attempt using the NTLM protocol resulting from the coercion coming from the same IP address */
[authentication where host.os.type == "windows" and event.code in ("4624", "4625") and
endswith~(user.name, "$") and winlog.logon.type : "network" and
winlog.event_data.AuthenticationPackageName : "NTLM" and
/* Filter for a machine account that matches the hostname */
startswith~(winlog.computer_name, substring(user.name, 0, -1)) and
/* Verify if the Source IP belongs to the host */
not endswith(string(source.ip), string(host.ip)) and
source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"]
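The three relay rules on this page (Potential Machine Account Relay Attack via SMB, Potential Kerberos Relay Attack against a Computer Account, and this NTLM variant) rest on one comparison: the account performing the logon or share access is the target server's own machine account, yet the connection arrives from a foreign IP. The Python below, an added example and not Elastic's rule code, mirrors that comparison and the two-stage coercion-then-logon sequence over constructed Windows Security events with epoch-second timestamps. It uses the dot-boundary form of the host/account match everywhere (the single-event SMB rule does; the two-stage rules above use a plain `startswith~` in their first stage), and it approximates `sequence ... with maxspan=5s` as a per-key pending state. Hostnames, account names and IP addresses are made up.

```python
"""Relay-against-computer-account checks (added example, not Elastic's rule code).

Shared idea of the relay rules above: a logon or share access that uses the
target server's machine account (SRV01$ on SRV01) but comes from a remote IP
is probably relayed authentication.  Events, names and IPs are constructed.
"""
from typing import Iterable

ABUSED_PIPES = {
    "spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "fssagentrpc",
    "eventlog", "winreg", "srvsvc", "dnsserver", "dhcpserver", "winspipe",
}
LOOPBACK = {"127.0.0.1", "::1", "::"}


def account_matches_host(computer_name: str, user_name: str) -> bool:
    """Mirror of startswith~(concat(computer_name, "."), concat(substring(user_name, 0, -1), ".")).

    Appending "." turns the prefix test into a whole-label test, so host
    SRV01.corp.local matches SRV01$ but not the shorter account SRV0$.
    """
    if not user_name.endswith("$"):
        return False
    account = user_name[:-1]
    return (computer_name + ".").lower().startswith((account + ".").lower())


def is_local_source(source_ip: str, host_ips: Iterable[str]) -> bool:
    """Mirror of endswith(string(source.ip), string(host.ip)) plus the loopback exclusions."""
    return source_ip in LOOPBACK or any(source_ip.endswith(ip) for ip in host_ips)


def find_smb_relays(events):
    """Single-event form: 5145 share access by the host's own machine account from a remote IP."""
    hits = []
    for ev in events:
        if ev.get("event.code") != "5145":
            continue
        user = ev.get("user.name", "")
        src = ev.get("source.ip")
        if (account_matches_host(ev["winlog.computer_name"], user)
                and src and not is_local_source(src, ev.get("host.ip", []))):
            hits.append((ev["winlog.computer_name"], user, src))
    return hits


def find_coercion_relays(events, package="NTLM", maxspan=5.0):
    """Two-stage form keyed by (computer_name, source.ip).

    stage 1: 5145 against an abused named pipe by an account that is not the host itself
    stage 2: 4624/4625 network logon with the host's machine account over `package`,
             from a non-local IP, within `maxspan` seconds of stage 1
    """
    pending = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["winlog.computer_name"].lower(), ev.get("source.ip"))
        code = ev.get("event.code")
        user = ev.get("user.name", "")
        if code == "5145":
            if (ev.get("file.name", "").lower() in ABUSED_PIPES
                    and not account_matches_host(ev["winlog.computer_name"], user)):
                pending[key] = ev["@timestamp"]
        elif code in ("4624", "4625"):
            started = pending.get(key)
            if started is None or ev["@timestamp"] - started > maxspan:
                continue
            if (ev.get("winlog.logon.type", "").lower() == "network"
                    and ev.get("winlog.event_data.AuthenticationPackageName") == package
                    and account_matches_host(ev["winlog.computer_name"], user)
                    and ev.get("source.ip")
                    and not is_local_source(ev["source.ip"], ev.get("host.ip", []))):
                hits.append((ev["winlog.computer_name"], user, ev["source.ip"], package))
                del pending[key]
    return hits


HOST_IPS = ["10.0.0.10"]  # SRV01's own address (constructed)
SAMPLE_EVENTS = [
    # coercion: a user account opens \pipe\spoolss on SRV01 from the attacker's IP
    {"@timestamp": 100.0, "event.code": "5145", "winlog.computer_name": "SRV01.corp.local",
     "user.name": "jdoe", "file.name": "spoolss", "source.ip": "10.0.0.99", "host.ip": HOST_IPS},
    # relayed logon 2 s later: SRV01$ authenticates to SRV01 from that same IP
    {"@timestamp": 102.0, "event.code": "4624", "winlog.computer_name": "SRV01.corp.local",
     "user.name": "SRV01$", "winlog.logon.type": "Network",
     "winlog.event_data.AuthenticationPackageName": "NTLM", "source.ip": "10.0.0.99", "host.ip": HOST_IPS},
    # benign: SRV01$ logs on to itself from its own address
    {"@timestamp": 103.0, "event.code": "4624", "winlog.computer_name": "SRV01.corp.local",
     "user.name": "SRV01$", "winlog.logon.type": "Network",
     "winlog.event_data.AuthenticationPackageName": "NTLM", "source.ip": "10.0.0.10", "host.ip": HOST_IPS},
    # near-miss: another host's account SRV0$ touches SRV01; the whole-label match rejects it
    {"@timestamp": 104.0, "event.code": "5145", "winlog.computer_name": "SRV01.corp.local",
     "user.name": "SRV0$", "file.name": "srvsvc", "source.ip": "10.0.0.55", "host.ip": HOST_IPS},
    # SMB relay: SRV01$ reaches a share on SRV01 from the attacker's IP
    {"@timestamp": 105.0, "event.code": "5145", "winlog.computer_name": "SRV01.corp.local",
     "user.name": "SRV01$", "file.name": "IPC$", "source.ip": "10.0.0.99", "host.ip": HOST_IPS},
]

if __name__ == "__main__":
    print(find_coercion_relays(SAMPLE_EVENTS))  # [('SRV01.corp.local', 'SRV01$', '10.0.0.99', 'NTLM')]
    print(find_smb_relays(SAMPLE_EVENTS))       # [('SRV01.corp.local', 'SRV01$', '10.0.0.99')]
```

Passing `package="Kerberos"` gives the Kerberos-relay variant of the sequence; the `SRV0$` event shows why the SMB rule's dot-boundary matters, since a plain prefix test would treat `SRV0$` as `SRV01`'s own account.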
Potential Notepad Markdown RCE Exploitation
Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a
Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
Show query
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "notepad.exe" and process.parent.args : "*.md" and not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe"
Potential Okta MFA Bombing via Push Notifications
Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
for an organization to obtain unauthorized access.
Show query
sequence by okta.actor.id with maxspan=10m
[ any
where data_stream.dataset == "okta.system"
and (
okta.event_type == "user.mfa.okta_verify.deny_push"
or (
okta.event_type == "user.authentication.auth_via_mfa"
and okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"
and okta.outcome.reason == "INVALID_CREDENTIALS"
)
)
] with runs=5
until
[ any
where data_stream.dataset == "okta.system"
and okta.event_type in (
"user.authentication.sso",
"user.authentication.auth_via_mfa",
"user.authentication.verify",
"user.session.start"
)
and okta.outcome.result == "SUCCESS"
]
Potential PowerShell HackTool Script by Author
Identifies PowerShell script block content containing known offensive-tool author handles or attribution strings (for
example, public tool author names). Attackers often run public PowerShell tooling with minimal changes, leaving author
artifacts in comments or headers.
Show query
host.os.type:windows and event.category:process and
powershell.file.script_block_text : (
"mattifestation" or "JosephBialek" or
"harmj0y" or "ukstufus" or
"SecureThisShit" or "Matthew Graeber" or
"secabstraction" or "mgeeky" or
"oddvarmoe" or "am0nsec" or
"obscuresec" or "sixdub" or
"darkoperator" or "funoverip" or
"rvrsh3ll" or "kevin_robertson" or
"dafthack" or "r4wd3r" or
"danielhbohannon" or "OneLogicalMyth" or
"cobbr_io" or "xorrior" or
"PetrMedonos" or "citronneur" or
"eladshamir" or "RastaMouse" or
"enigma0x3" or "FuzzySec" or
"424f424f" or "jaredhaight" or
"fullmetalcache" or "Hubbl3" or
"curi0usJack" or "Cx01N" or
"itm4n" or "nurfed1" or
"cfalta" or "Scott Sutherland" or
"_nullbind" or "_tmenochet" or
"jaredcatkinson" or "ChrisTruncer" or
"monoxgas" or "TheRealWover" or
"splinter_code" or "samratashok" or
"leechristensen" or "nikhil_mitt"
) and
not powershell.file.script_block_text : ("Get-UEFIDatabaseSigner" or "Posh-SSH")
Potential PowerShell Pass-the-Hash/Relay Script
Detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation
artifacts. Attackers use relay and PtH techniques to authenticate without passwords and pivot to other systems.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
"4E544C4D53535000" or
"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50" or
"0x4e,0x54,0x20,0x4c,0x4d" or
"0x53,0x4d,0x42,0x20,0x32" or
"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
) and
not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
Potential PrintNightmare Exploit Registry Modification
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to CVE-2021-34527 and verify that the impacted system is investigated.
Show query
/* This rule is not compatible with Sysmon due to schema issues */
registry where process.name : "spoolsv.exe" and
(registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or
(registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and
registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll")))
Potential PrintNightmare File Modification
Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit
privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527
and verify that the impacted system is investigated.
Show query
/* This rule is compatible with both Sysmon and Elastic Endpoint */
file where process.name : "spoolsv.exe" and
file.name : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll") and
file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*"
Potential Privacy Control Bypass via Localhost Secure Copy
Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell
Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS
privacy controls to access sensitive files.
Show query
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.name == "scp" and
process.args like~ "StrictHostKeyChecking=no" and
process.command_line like~ ("*scp *localhost:/*", "*scp *127.0.0.?:/*") and
not process.command_line like~ "*vagrant@*127.0.0.1*"
Potential Privilege Escalation in Container via Runc Init
Identifies audit events for runc init child processes where the effective user is root and the login user ID is not root.
This pattern can indicate privilege escalation or credential separation abuse inside container runtimes, where a process executes
with elevated effective privileges while retaining a non-root audit identity.
Show query
host.os.type:linux and event.category:process and event.action:(executed or exec) and process.title:"runc init" and user.effective.id:0 and user.id:(* and not 0)
Potential Privilege Escalation via CVE-2023-4911
This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a
buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.
Show query
sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5
Potential Privilege Escalation via Container Misconfiguration
This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
without root permissions. Utilities such as runc and ctr are universal command-line utilities used to interact with
containers and normally require root permissions. On systems where access to these utilities is misconfigured, attackers
might be able to create and run a container that mounts the root folder, or spawn a privileged container vulnerable to a
container escape, which might allow them to escalate privileges and gain further access to the host file system.
Show query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name == "runc" and process.args == "run") or
(process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount"))
) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and
process.interactive == true and process.parent.interactive == true
Potential Privilege Escalation via Enlightenment
Identifies an attempt to exploit a local privilege escalation CVE-2022-37706 via a flaw in Linux window manager package
Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is
setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
Show query
sequence by host.id, process.parent.entity_id with maxspan=5s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "enlightenment_sys" and process.args in ("/bin/mount/", "-o","noexec","nosuid","nodev","uid=*") ]
[process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"]
Potential Privilege Escalation via InstallerFileTakeOver
Identifies potential exploitation of InstallerFileTakeOver (CVE-2021-41379) through execution of the default
proof-of-concept. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.Ext.token.integrity_level_name : "System" and
(
(process.name : "elevation_service.exe" and
not process.pe.original_file_name == "elevation_service.exe") or
(process.name : "elevation_service.exe" and
not process.code_signature.trusted == true) or
(process.parent.name : "elevation_service.exe" and
process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
) and
not
(
process.name : "elevation_service.exe" and process.code_signature.trusted == true and
process.pe.original_file_name == null
)
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to
localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage
a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local
System privileges.
Show query
authentication where
/* event 4624 needs to be logged */
event.action == "logged-in" and event.outcome == "success" and
/* authenticate locally via relayed kerberos ticket */
winlog.event_data.AuthenticationPackageName : "Kerberos" and winlog.logon.type == "Network" and
source.ip == "127.0.0.1" and source.port > 0 and
/* Impersonate Administrator user via S4U2Self service ticket */
winlog.event_data.TargetUserSid : "S-1-5-21-*-500"
Potential Privilege Escalation via PKEXEC
Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via insecure environment
variable injection. Successful exploitation allows an unprivileged user to escalate to root.
Show query
file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
Potential Privilege Escalation via Python cap_setuid
This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python,
followed by a uid or gid change to root. This sequence of events may indicate successful privilege escalation.
Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that let a process run with the privileges of
the file's owner or group rather than those of the invoking user. Threat actors can abuse these bits, or the
equivalent cap_setuid/cap_setgid capabilities, to escalate to the privileges set on the binary being executed.
Show query
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"]
[process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and
(user.id == "0" or group.id == "0")]
Potential Privilege Escalation via Recently Compiled Executable
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent
alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or
software privilege escalation exploit.
Show query
sequence by host.id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args
[file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and
process.name == "ld" and user.id != "0"] by file.name
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
user.id != "0"] by process.name
[process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and
user.id == "0"] by process.name
Potential Privilege Escalation via SUID/SGID
Detects potential privilege escalation under the root effective user when the real user and parent user are not
root, indicative of the execution of binaries with SUID or SGID bits set.
Show query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.user.id == "0" and process.real_user.id != "0" and process.parent.user.id != "0") or
(process.group.id == "0" and process.real_group.id != "0" and process.parent.group.id != "0")
) and
(
startsWith(process.executable, process.command_line) or
startsWith(process.name, process.command_line)
) and
(
process.parent.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*", "node", "deno", "bun", "java") or
process.parent.executable like ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
(
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
process.parent.args in ("-c", "-cl", "-lc", "--command", "-ic", "-ci", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh", "-mksh") and
process.parent.args_count <= 4
)
)
Potential Privilege Escalation via Sudoers File Modification
A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage
of these configurations to execute commands as other users or spawn processes with higher privileges.
Show query
event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)
Potential Privilege Escalation via unshare Followed by Root Process
Detects a short sequence where a non-root user performs unshare-related namespace activity (often associated with user
namespace privilege escalation primitives) and then a root process is executed shortly after. This can indicate a
successful local privilege escalation attempt or suspicious namespace manipulation captured in Auditd Manager telemetry.
Show query
sequence by host.id, process.parent.pid with maxspan=30s
[process where host.os.type == "linux" and
(
(auditd.data.syscall == "unshare" and auditd.data.class == "namespace" and auditd.data.a0 in ("10000000", "50000000", "70000000", "10020000", "50020000", "70020000")) or
(process.name == "unshare" and
(process.args in ("--user", "--map-root-user", "--map-current-user") or process.args like ("-*U*", "-*r*")))
) and user.id != "0" and user.id != null]
[process where host.os.type == "linux" and
user.id == "0" and user.id != null and
(
process.name in ("su", "sudo", "pkexec", "passwd", "chsh", "newgrp", "doas", "run0", "sg", "dash", "sh", "bash", "zsh", "fish",
"ksh", "csh", "tcsh", "ash", "mksh", "busybox", "rbash", "rzsh", "rksh", "tmux", "screen", "node") or
process.name like ("python*", "perl*", "ruby*", "php*", "lua*")
)]
Potential Privilege Escalation via unshare and UID Change
Identifies potentially suspicious use of unshare to create a user namespace context followed by a UID change event
indicating a transition to root. Adversaries may use unshare-based primitives as part of local privilege escalation
chains. This rule is intentionally generic and can surface multiple local privesc patterns beyond a single CVE.
Show query
sequence by process.parent.entity_id, host.id with maxspan=60s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "unshare" and process.args : ("-r", "-rm", "-m", "-U", "--user") and user.id != "0"]
[process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
user.id == "0"]
Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Show query
iam where host.os.type == "windows" and event.action == "renamed-user-account" and
/* machine account name renamed to a user-like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
Potential Process Herpaderping Attempt
Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate
an evasion attempt to execute malicious code in a stealthy way.
Show query
sequence with maxspan=5s
[process where host.os.type == "windows" and event.type == "start" and not process.parent.executable :
(
"?:\\Windows\\SoftwareDistribution\\*.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\*.exe",
"?:\\Program Files (x86)\\Trend Micro\\*.exe"
)
] by host.id, process.executable, process.parent.entity_id
[file where host.os.type == "windows" and event.type == "change" and event.action == "overwrite" and file.extension == "exe"] by host.id, file.path, process.entity_id
Potential Process Injection via PowerShell
Detects PowerShell scripts that combine Win32 APIs for allocation, protection, process access, or dynamic resolution with
injection or execution APIs. Attackers use these API chains for potential process injection or in-memory payload execution.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
(VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or
LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
(WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
) and not
file.directory: (
"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" or
"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
)
Potential Process Name Stomping with Prctl
This rule leverages Auditd data to detect the use of the "prctl" syscall to potentially hide a process
by changing its name. The "prctl" syscall is used to control various process attributes. Attackers can use
this syscall to change the name of a process to that of a hidden directory or file, making it harder to detect. The
query looks for the "prctl" syscall whose first argument (a0) is "f", i.e. 0xf = 15, the value of PR_SET_NAME
(the option that sets the process name), when the calling executable lives in a writable or otherwise suspicious path.
Show query
process where host.os.type == "linux" and auditd.data.syscall == "prctl" and auditd.data.a0 == "f" and
process.executable like (
"/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/var/run/*", "/etc/update-motd.d/*",
"/tmp/*", "/var/log/*", "/var/tmp/*", "/home/*", "/run/shm/*", "/run/*", "./*"
) and
not process.executable like ("/home/*/.vscode-server/*", "/tmp/VeeamAgent*", "/home/*/.xmonad/xmonad*linux*")
Potential Protocol Tunneling via EarthWorm
Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable
systems.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "process_started") and
process.args : "-s" and process.args : "-d" and process.args : "rssocks"
Potential REMCOS Trojan Execution
Identifies known file and registry traces of the REMCOS Remote Access Trojan, including log files, persistence values, and cleanup artifacts. Adversaries use Remcos to maintain persistent remote access to compromised hosts.
Show query
any where host.os.type == "windows" and
(
(event.category == "file" and event.type == "deletion" and file.path like "?:\\Users\\*\\AppData\\Local\\Temp\\TH????.tmp") or
(event.category == "file" and file.path : "?:\\Users\\*\\AppData\\Roaming\\remcos\\logs.dat") or
(event.category == "registry" and
registry.value : ("Remcos", "Rmc-??????", "licence") and
registry.path : (
"*\\Windows\\CurrentVersion\\Run\\Remcos",
"*\\Windows\\CurrentVersion\\Run\\Rmc-??????",
"*\\SOFTWARE\\Remcos-*\\licence",
"*\\Software\\Rmc-??????\\licence"
)
)
)
Potential Ransomware Note File Dropped via SMB
Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files.
This may indicate a remote ransomware attack via the SMB protocol.
Show query
sequence by host.id with maxspan=1s
[network where host.os.type == "windows" and
event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and
source.ip != "127.0.0.1" and source.ip != "::1" and
network.type == "ipv4" and not endswith(source.address, destination.address)]
[file where host.os.type == "windows" and event.action == "creation" and
process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and
file.path : "C:\\Users\\*" and
/* ransom file name keywords */
file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3