T1059

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows C...

Platforms: ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows

462 Detections
5 Sources
17 Threat Actors

BY SOURCE

elastic: 280, sigma: 75, sublime: 67, splunk_escu: 35, crowdstrike_cql: 5

PROCEDURES (172)

Auto-extracted procedure categories, with the number of detections mapped to each:

- General Monitoring: 28 detections
- Process Creation Monitoring: 25 detections
- Script Execution Monitoring: 22 detections
- Suspicious: 10 detections
- Persist: 10 detections
- Amsi: 10 detections
- Download: 7 detections
- Script Block: 7 detections
- Parent Process: 7 detections
- Phish: 6 detections
- Container: 6 detections
- Suspicious: 6 detections
- Privilege: 6 detections
- Suspicious: 6 detections
- Credential: 5 detections
- Email: 5 detections
- Inject: 5 detections
- Bypass: 5 detections
- Base64: 5 detections
- Container: 5 detections
- Attachment: 5 detections
- Child Process: 5 detections
- Lateral: 5 detections
- Email: 4 detections
- Exfiltrat: 4 detections
- Startup: 4 detections
- Remote: 4 detections
- Powershell: 4 detections
- Service: 4 detections
- Child Process: 4 detections
- Parent Process: 4 detections
- Powershell: 4 detections
- Remote: 4 detections
- Command And Control: 4 detections
- Http: 3 detections
- Privilege: 3 detections
- C2: 3 detections
- Network Connection Monitoring: 3 detections
- Bypass: 3 detections
- Remote: 3 detections
- Obfuscat: 3 detections
- Remote: 3 detections
- Token: 3 detections
- Phish: 3 detections
- Powershell: 3 detections
- Suspicious: 3 detections
- Ransomware: 3 detections
- Bypass: 3 detections
- Service: 3 detections
- Persist: 3 detections
- Service: 3 detections
- Parent Process: 3 detections
- Exfiltrat: 3 detections
- Child Process: 3 detections
- Download: 3 detections
- Command Line Monitoring: 3 detections
- Unusual: 3 detections
- Aws: 3 detections
- Kubernetes: 3 detections
- Attachment: 2 detections
- Child Process: 2 detections
- Office: 2 detections
- Inject: 2 detections
- Unusual: 2 detections
- Dump: 2 detections
- Kerbero: 2 detections
- Unusual: 2 detections
- Lateral: 2 detections
- Registry: 2 detections
- Service: 2 detections
- Kubernetes: 2 detections
- Macro: 2 detections
- Service: 2 detections
- Email: 2 detections
- Parent Process: 2 detections
- Office: 2 detections
- Authentication Monitoring: 2 detections
- Exfiltrat: 2 detections
- Kubernetes: 2 detections
- Evasion: 2 detections
- Inject: 2 detections
- Suspicious: 2 detections
- Inject: 2 detections
- Powershell: 2 detections
- Container: 2 detections
- Aws: 2 detections
- Base64: 2 detections
- Attachment: 2 detections
- Wmi: 1 detection
- C2: 1 detection
- Token: 1 detection
- C2: 1 detection
- Amsi: 1 detection
- Persist: 1 detection
- Http: 1 detection
- Cloud Monitoring: 1 detection
- Anomal: 1 detection
- Command And Control: 1 detection
- Startup: 1 detection
- Unusual: 1 detection
- Evasion: 1 detection
- Registry: 1 detection
- Cloud: 1 detection
- Cloud: 1 detection
- Anomal: 1 detection
- Privilege: 1 detection
- Office: 1 detection
- Attachment: 1 detection
- Encrypt: 1 detection
- Macro: 1 detection
- Attachment: 1 detection
- Suspicious: 1 detection
- Azure: 1 detection
- Kernel: 1 detection
- Base64: 1 detection
- Persist: 1 detection
- Kernel: 1 detection
- Download: 1 detection
- Http: 1 detection
- Parent Process: 1 detection
- Persist: 1 detection
- Dns: 1 detection
- Evasion: 1 detection
- Azure: 1 detection
- Suspicious: 1 detection
- Persist: 1 detection
- Privilege: 1 detection
- Persist: 1 detection
- Command And Control: 1 detection
- Scheduled Task: 1 detection
- Module Load Monitoring: 1 detection
- Encrypt: 1 detection
- Container: 1 detection
- Obfuscat: 1 detection
- Service: 1 detection
- Obfuscat: 1 detection
- Dns: 1 detection
- Credential: 1 detection
- Encrypt: 1 detection
- Amsi: 1 detection
- Bypass: 1 detection
- Lateral: 1 detection
- Inject: 1 detection
- Dump: 1 detection
- Token: 1 detection
- Ransomware: 1 detection
- Script Block: 1 detection
- Tamper: 1 detection
- Ransomware: 1 detection
- Download: 1 detection
- Kernel Monitoring: 1 detection
- Anomal: 1 detection
- Scheduled Task: 1 detection
- Cloud: 1 detection
- Wmi: 1 detection
- Encrypt: 1 detection
- Http: 1 detection
- Macro: 1 detection
- Powershell: 1 detection
- Credential: 1 detection
- Lateral: 1 detection
- Unusual: 1 detection
- Macro: 1 detection
- Tamper: 1 detection
- Unusual: 1 detection
- Kernel: 1 detection
- Unusual: 1 detection
- Command And Control: 1 detection
- Suspicious: 1 detection
- Amsi: 1 detection
- Bypass: 1 detection
- Privilege: 1 detection

DETECTIONS (462)

Each entry gives the detection name followed by its source and, where the source assigns one, its severity:

- Abusable DLL Potential Sideloading From Suspicious Location (sigma, high)
- Add Insecure Download Source To Winget (sigma, high)
- Add New Download Source To Winget (sigma, medium)
- Add Potential Suspicious New Download Source To Winget (sigma, medium)
- Anomalous Windows Process Creation (elastic, low)
- Apple Script Execution followed by Network Connection (elastic, medium)
- Apple Scripting Execution with Administrator Privileges (elastic, medium)
- Applications Spawning CMD or Powershell (crowdstrike_cql)
- Attachment: .csproj with suspicious commands (sublime, high)
- Attachment: Any .sap file (unsolicited) (sublime, low)
- Attachment: Archive contains DLL-loading macro (sublime, high)
- Attachment: cmd file extension (sublime, low)
- Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability (sublime, critical)
- Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability (sublime, critical)
- Attachment: Double base64-encoded zip file in HTML smuggling attachment (sublime, high)
- Attachment: Embedded Javascript in SVG file (sublime, high)
- Attachment: Embedded VBScript in MHT file (unsolicited) (sublime, medium)
- Attachment: EML containing a base64 encoded script (sublime, high)
- Attachment: EML with embedded Javascript in SVG file (sublime, high)
- Attachment: Encrypted Microsoft Office file (unsolicited) (sublime, medium)
- Attachment: Fake Slack installer (sublime, high)
- Attachment: Fake Zoom installer (sublime, high)
- Attachment: File execution via Javascript (sublime, medium)
- Attachment: HTML attachment with Javascript location (sublime, high)
- Attachment: HTML attachment with login portal indicators (sublime, medium)
- Attachment: HTML file contains exclusively Javascript (sublime, medium)
- Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts (sublime, high)
- Attachment: HTML file with reference to recipient and suspicious patterns (sublime, high)
- Attachment: HTML smuggling 'body onload' linking to suspicious destination (sublime, high)
- Attachment: HTML smuggling 'body onload' with high entropy and suspicious text (sublime, high)
- Attachment: HTML smuggling with atob and high entropy (sublime, high)
- Attachment: HTML smuggling with atob and high entropy via calendar invite (sublime, high)
- Attachment: HTML smuggling with auto-downloaded file (sublime, high)
- Attachment: HTML smuggling with base64 encoded JavaScript function (sublime, high)
- Attachment: HTML smuggling with base64 encoded ZIP file (sublime, medium)
- Attachment: HTML smuggling with concatenation obfuscation (sublime, high)
- Attachment: HTML smuggling with decimal encoding (sublime, high)
- Attachment: HTML smuggling with embedded base64 streamed file download (sublime, high)
- Attachment: HTML smuggling with eval and atob (sublime, high)
- Attachment: HTML smuggling with eval and atob via calendar invite (sublime, high)
- Attachment: HTML smuggling with excessive line break obfuscation (sublime, high)
- Attachment: HTML smuggling with excessive string concatenation and suspicious patterns (sublime, medium)
- Attachment: HTML smuggling with fromCharCode and other signals (sublime, high)
- Attachment: HTML smuggling with high entropy and other signals (sublime, high)
- Attachment: HTML smuggling with RC4 decryption (sublime, high)
- Attachment: HTML smuggling with ROT13 (sublime, high)
- Attachment: HTML smuggling with setTimeout (sublime, high)
- Attachment: HTML smuggling with unescape (sublime, high)
- Attachment: HTML with emoji-to-character map (sublime, high)
- Attachment: HTML with hidden body (sublime, high)
- Attachment: HTML with JavaScript functions for HTTP requests (sublime, high)
- Attachment: HTML with obfuscation and recipient's email in JavaScript strings (sublime, high)
- Attachment: ICS with embedded Javascript in SVG file (sublime, high)
- Attachment: JavaScript file with suspicious base64-encoded executable (sublime, high)
- Attachment: LNK with embedded content (sublime, high)
- Attachment: Macro files containing MHT content (sublime, medium)
- Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation (sublime, high)
- Attachment: Malicious OneNote commands (sublime, high)
- Attachment: Microsoft impersonation via PDF with link and suspicious language (sublime, high)
- Attachment: Office document with VSTO add-in (sublime, high)
- Attachment: Office file with suspicious function calls or downloaded file path (sublime, high)
- Attachment: PDF with embedded Javascript (sublime, medium)
- Attachment: PowerPoint with suspicious hyperlink (sublime, high)
- Attachment: PowerShell content (sublime, high)
- Attachment: SFX archive containing commands (sublime, medium)
- Attachment: SVG file execution (sublime, high)
- Attempt to Install Kali Linux via WSL (elastic, high)
- AWS CloudShell Environment Created (elastic, low)
- AWS EC2 LOLBin Execution via SSM SendCommand (elastic, medium)
- AWS SSM `SendCommand` with Run Shell Command Parameters (elastic, medium)
- Azure New CloudShell Created (sigma, medium)
- Base64 Decoded Payload Piped to Interpreter (elastic, high)
- Binary Executed from Shared Memory Directory (elastic, high)
- Boot File Copy (elastic, low)
- BPF filter applied using TC (elastic, high)
- BPFDoor Abnormal Process ID or Lock File Accessed (sigma, high)
- Capsh Shell Invocation - Linux (sigma, high)
- CHCP Command Execution (splunk_escu)
- Cisco NVM - Installation of Typosquatted Python Package (splunk_escu)
- Cisco NVM - Suspicious File Download via Headless Browser (splunk_escu)
- Cisco Secure Firewall - Binary File Type Download (splunk_escu)
- Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt (splunk_escu)
- Cisco Secure Firewall - High Volume of Intrusion Events Per Host (splunk_escu)
- Cisco Secure Firewall - Possibly Compromised Host (splunk_escu)
- Cisco Secure Firewall - Privileged Command Execution via HTTP (splunk_escu)
- Cisco Secure Firewall - Wget or Curl Download (splunk_escu)
- Clearing Windows Console History (elastic, medium)
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location (sigma, medium)
- Command and Scripting Interpreter via Windows Scripts (elastic, high)
- Command Execution via SolarWinds Process (elastic, medium)
- Command Line Obfuscation via Whitespace Padding (elastic, medium)
- Command Shell Activity Started via RunDLL32 (elastic, low)
- Conhost Spawned By Suspicious Parent Process (elastic, high)
- Conhost Spawned By Uncommon Parent Process (sigma, medium)
- Creation of Hidden Login Item via Apple Script (elastic, medium)
- Cupsd or Foomatic-rip Shell Execution (elastic, high)
- Curl Execution via Shell Profile (elastic, high)
- Curl or Wget Egress Network Connection via LoLBin (elastic, medium)
- CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG (sublime, critical)
- Decoded Payload Piped to Interpreter Detected via Defend for Containers (elastic, high)
- Delayed Execution via Ping (elastic, low)
- Deprecated - EggShell Backdoor Execution (elastic, high)
- Deprecated - Potential PowerShell Obfuscated Script (elastic, low)
- Detect Outbound LDAP Traffic (splunk_escu)
- Detection of External Direct IP Usage in CommandLine Windows and Mac (crowdstrike_cql)
- Direct Interactive Kubernetes API Request by Common Utilities (elastic, medium)
- Direct Interactive Kubernetes API Request by Unusual Utilities (elastic, low)
- Direct Interactive Kubernetes API Request Detected via Defend for Containers (elastic, low)
- Disabling Windows Defender Security Settings via PowerShell (elastic, medium)
- Dracut Module Creation (elastic, low)
- Dynamic IEX Reconstruction via Method String Access (elastic, low)
- Dynamic Linker (ld.so) Creation (elastic, medium)
- Egress Connection from Entrypoint in Container (elastic, medium)
- Elevated System Shell Spawned From Uncommon Parent Location (sigma, medium)
- Encoded Payload Detected via Defend for Containers (elastic, medium)
- Entra ID PowerShell Sign-in (elastic, low)
- ESXi Reverse Shell Patterns (splunk_escu)
- Excessive distinct processes from Windows Temp (splunk_escu)
- Excessive number of taskhost processes (splunk_escu)
- Execution from Unusual Directory - Command Line (elastic, medium)
- Execution of a Downloaded Windows Script (elastic, medium)
- Execution of Persistent Suspicious Program (elastic, medium)
- Execution via Electron Child Process Node.js Module (elastic, medium)
- Execution via GitHub Actions Runner (elastic, medium)
- Execution via MSSQL xp_cmdshell Stored Procedure (elastic, medium)
- Execution via OpenClaw Agent (elastic, medium)
- Execution via Windows Subsystem for Linux (elastic, medium)
- Execution with Explicit Credentials via Scripting (elastic, medium)
- Exporting Exchange Mailbox via PowerShell (elastic, medium)
- File Creation and Execution Detected via Defend for Containers (elastic, medium)
- File Creation by Cups or Foomatic-rip Child (elastic, medium)
- File Creation in /var/log via Suspicious Process (elastic, medium)
- File Creation, Execution and Self-Deletion in Suspicious Directory (elastic, high)
- File Download Detected via Defend for Containers (elastic, medium)
- File Execution Permission Modification Detected via Defend for Containers (elastic, low)
- File Transfer or Listener Established via Netcat (elastic, medium)
- File Transfer Utility Launched from Unusual Parent (elastic, medium)
- Find OpenClaw on Endpoints (crowdstrike_cql)
- First Time Python Spawned a Shell on Host (elastic, medium)
- Forbidden Direct Interactive Kubernetes API Request (elastic, medium)
- Forfiles Command Execution (sigma, medium)
- Git Hook Child Process (elastic, low)
- Git Hook Command Execution (elastic, low)
- Git Hook Created or Modified (elastic, low)
- Git Hook Egress Network Connection (elastic, medium)
- GitHub Actions Unusual Bot Push to Repository (elastic, low)
- GitHub Actions Workflow Modification Blocked (elastic, medium)
- Github Activity on a Private Repository from an Unusual IP (elastic, low)
- GitHub Authentication Token Access via Node.js (elastic, medium)
- Google Calendar C2 via Script Interpreter (elastic, high)
- HackTool - Sliver C2 Implant Activity Pattern (sigma, critical)
- HackTool - Stracciatella Execution (sigma, high)
- Hacktool Ruler (sigma, high)
- Host File System Changes via Windows Subsystem for Linux (elastic, medium)
- HTML smuggling containing recipient email address (sublime, medium)
- HTML: Bidirectional (BIDI) HTML override with right to left obfuscation (sublime, medium)
- Incoming Execution via PowerShell Remoting (elastic, medium)
- Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (elastic, high)
- Initramfs Unpacking via unmkinitramfs (elastic, low)
- Inline Python Execution - Spawn Shell Via OS System Library (sigma, high)
- Install New Package Via Winget Local Manifest (sigma, medium)
- Installation of WSL Kali-Linux (sigma, high)
- Interactive Exec Into Container Detected via Defend for Containers (elastic, low)
- Interactive Shell Launched via Unusual Parent Process in a Container (elastic, medium)
- Interactive Shell Spawn Detected via Defend for Containers (elastic, low)
- Interactive Terminal Spawned via Perl (elastic, high)
- Interactive Terminal Spawned via Python (elastic, high)
- Juniper Networks Remote Code Execution Exploit Detection (splunk_escu)
- Kill Command Execution (elastic, low)
- Kubernetes Direct API Request via Curl or Wget (elastic, medium)
- LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection (crowdstrike_cql)
- Link: Cryptocurrency fraud with suspicious links (sublime, high)
- Link: JavaScript obfuscation with Telegram bot integration (sublime, high)
- Link: Landing page with search-ms protocol redirect (sublime, high)
- Linux Restricted Shell Breakout via Linux Binary(s) (elastic, medium)
- Living Off The Land Detection (splunk_escu)
- Log4Shell CVE-2021-44228 Exploitation (splunk_escu)
- M365 SharePoint/OneDrive File Access via PowerShell (elastic, medium)
- Manual Dracut Execution (elastic, low)
- Mass campaign: Cross Site Scripting (XSS) attempt (sublime, medium)
- MCP Filesystem Server Suspicious Extension Write (splunk_escu)
- MCP Prompt Injection (splunk_escu)
- Memory Swap Modification (elastic, medium)
- Microsoft Build Engine Started an Unusual Process (elastic, low)
- Microsoft Build Engine Started by a Script Process (elastic, medium)
- Microsoft Exchange Worker Spawning Suspicious Processes (elastic, high)
- Microsoft Management Console File from Unusual Path (elastic, medium)
- Multi-Base64 Decoding Attempt from Suspicious Location (elastic, medium)
- Netcat File Transfer or Listener Detected via Defend for Containers (elastic, medium)
- Netcat Listener Established via rlwrap (elastic, medium)
- Network Connection by Cups or Foomatic-rip Child (elastic, high)
- Network Connection from Binary with RWX Memory Region (elastic, medium)
- Network Connection to OAST Domain via Script Interpreter (elastic, high)
- Network Connection via Recently Compiled Executable (elastic, medium)
- Network Connections Initiated Through XDG Autostart Entry (elastic, medium)
- NetworkManager Dispatcher Script Creation (elastic, low)
- New ActiveSyncAllowedDeviceID Added via PowerShell (elastic, medium)
- Node.js Pre or Post-Install Script Execution (elastic, medium)
- Ollama Suspicious Prompt Injection Jailbreak (splunk_escu)
- Openssl Client or Server Activity (elastic, medium)