T1059

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows C...

Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
486 detections, 6 sources, 17 threat actors

BY SOURCE

elastic 286, sigma 77, sublime 67, splunk_escu 40, crowdstrike_cql 10, kql 6

PROCEDURES (181)

Auto-extracted keyword clusters, with the number of detections in each (the same keyword can label more than one cluster, and some keywords are matching stems such as "Exfiltrat" or "Obfuscat"):

27: General Monitoring
25: Process Creation Monitoring
20: Script Execution Monitoring
10: Persist; Amsi
8: Privilege; Script Block; Suspicious
7: Download
6: Child Process; Parent Process; Suspicious
5: Suspicious; Attachment; Exfiltrat; Phish; Email; Base64
4: Container; Parent Process; Container; Exfiltrat; Inject; Powershell; Powershell; Remote; Email; Startup; Kubernetes; Http; Child Process; Service; Command And Control; Bypass
3: Token; Persist; Powershell; Inject; Suspicious; Powershell; Child Process; Remote; Aws; Network Connection Monitoring; Remote; Base64; Service; Bypass; Ransomware; Kubernetes; Phish; Download; C2; Child Process; Credential; Obfuscat
2: Privilege; Privilege; Authentication Monitoring; Unusual; Kubernetes; Child Process; Parent Process; Privilege; Lateral; Unusual; Suspicious; Office; Service; Inject; Http; Macro; Email; Exfiltrat; Office; Service; Parent Process; Download; Parent Process; Kerbero
1: Base64; Encrypt; Amsi; Bypass; Unusual; Unusual; Command And Control; Evasion; Token; Ransomware; Cloud; Command And Control; Token; Anomal; Kernel; Dns; Container; Privilege; Unusual; Lateral; Attachment; Amsi; Inject; Suspicious; Scheduled Task; Amsi; Cloud; Persist; Privilege; Aws; C2; Service; Bypass; Persist; Command And Control; Obfuscat; Obfuscat; Dns; Lateral; Inject; Dump; Dump; Anomal; Scheduled Task; Wmi; Macro; Tamper; Bypass; Privilege; Process Access; Cloud; C2; Aws; Anomal; Office; Attachment; Encrypt; Attachment; Macro; Attachment; Azure; Kernel; Base64; Persist; Kernel; Command Line Monitoring; Azure; Suspicious; Persist; C2; Amsi; Persist; Cloud Monitoring; Unusual; Module Load Monitoring; Encrypt; Service; Script Block; Tamper; Ransomware; Download; Kernel Monitoring; Evasion; Remote; Inject; Encrypt; Macro; Unusual; Powershell; Unusual; Suspicious; Wmi; Registry; Kernel; Suspicious; Amsi; Evasion; Wmi; Registry; Parent Process; Command And Control

DETECTIONS (486)

Each entry: rule name (source, severity where the source assigns one).

Abusable DLL Potential Sideloading From Suspicious Location (sigma, high)
Add Insecure Download Source To Winget (sigma, high)
Add New Download Source To Winget (sigma, medium)
Add Potential Suspicious New Download Source To Winget (sigma, medium)
AMSI Script Detection (kql)
Anomalous Windows Process Creation (elastic, low)
Apple Script Execution followed by Network Connection (elastic, medium)
Apple Scripting Execution with Administrator Privileges (elastic, medium)
Applications Spawning CMD or Powershell (crowdstrike_cql)
Applications Spawning CMD or Powershell (crowdstrike_cql)
Attachment: .csproj with suspicious commands (sublime, high)
Attachment: Any .sap file (unsolicited) (sublime, low)
Attachment: Archive contains DLL-loading macro (sublime, high)
Attachment: cmd file extension (sublime, low)
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability (sublime, critical)
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability (sublime, critical)
Attachment: Double base64-encoded zip file in HTML smuggling attachment (sublime, high)
Attachment: Embedded Javascript in SVG file (sublime, high)
Attachment: Embedded VBScript in MHT file (sublime, medium)
Attachment: EML containing a base64 encoded script (sublime, high)
Attachment: EML with embedded Javascript in SVG file (sublime, high)
Attachment: Encrypted Microsoft Office file (unsolicited) (sublime, medium)
Attachment: Fake Slack installer (sublime, high)
Attachment: Fake Zoom installer (sublime, high)
Attachment: File execution via Javascript (sublime, medium)
Attachment: HTML attachment with Javascript location (sublime, high)
Attachment: HTML attachment with login portal indicators (sublime, medium)
Attachment: HTML file contains exclusively Javascript (sublime, medium)
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts (sublime, high)
Attachment: HTML file with reference to recipient and suspicious patterns (sublime, high)
Attachment: HTML smuggling 'body onload' linking to suspicious destination (sublime, high)
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text (sublime, high)
Attachment: HTML smuggling with atob and high entropy (sublime, high)
Attachment: HTML smuggling with atob and high entropy via calendar invite (sublime, high)
Attachment: HTML smuggling with auto-downloaded file (sublime, high)
Attachment: HTML smuggling with base64 encoded JavaScript function (sublime, high)
Attachment: HTML smuggling with base64 encoded ZIP file (sublime, medium)
Attachment: HTML smuggling with concatenation obfuscation (sublime, high)
Attachment: HTML smuggling with decimal encoding (sublime, high)
Attachment: HTML smuggling with embedded base64 streamed file download (sublime, high)
Attachment: HTML smuggling with eval and atob (sublime, high)
Attachment: HTML smuggling with eval and atob via calendar invite (sublime, high)
Attachment: HTML smuggling with excessive line break obfuscation (sublime, high)
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns (sublime, medium)
Attachment: HTML smuggling with fromCharCode and other signals (sublime, high)
Attachment: HTML smuggling with high entropy and other signals (sublime, high)
Attachment: HTML smuggling with RC4 decryption (sublime, high)
Attachment: HTML smuggling with ROT13 (sublime, high)
Attachment: HTML smuggling with setTimeout (sublime, high)
Attachment: HTML smuggling with unescape (sublime, high)
Attachment: HTML with emoji-to-character map (sublime, high)
Attachment: HTML with hidden body (sublime, high)
Attachment: HTML with JavaScript functions for HTTP requests (sublime, high)
Attachment: HTML with obfuscation and recipient's email in JavaScript strings (sublime, high)
Attachment: ICS with embedded Javascript in SVG file (sublime, high)
Attachment: JavaScript file with suspicious base64-encoded executable (sublime, high)
Attachment: LNK with embedded content (sublime, high)
Attachment: Macro files containing MHT content (sublime, medium)
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation (sublime, high)
Attachment: Malicious OneNote commands (sublime, high)
Attachment: Microsoft impersonation via PDF with link and suspicious language (sublime, high)
Attachment: Office document with VSTO add-in (sublime, high)
Attachment: Office file with suspicious function calls or downloaded file path (sublime, high)
Attachment: PDF with embedded Javascript (sublime, medium)
Attachment: PowerPoint with suspicious hyperlink (sublime, high)
Attachment: PowerShell content (sublime, high)
Attachment: SFX archive containing commands (sublime, medium)
Attachment: SVG file execution (sublime, high)
Attempt to Install or Run Kali Linux via WSL (elastic, high)
AWS CloudShell Environment Created (elastic, low)
AWS EC2 LOLBin Execution via SSM SendCommand (elastic, medium)
AWS EC2 Stop, Start, and User Data Modification Correlation (elastic, high)
AWS SSM `SendCommand` with Run Shell Command Parameters (elastic, medium)
AWS SSM Session Manager Child Process Execution (elastic, medium)
Azure New CloudShell Created (sigma, medium)
Base64 Decoded Payload Piped to Interpreter (elastic, high)
Binary Executed from Shared Memory Directory (elastic, high)
Boot File Copy (elastic, low)
BPF filter applied using TC (elastic, high)
BPFDoor Abnormal Process ID or Lock File Accessed (sigma, high)
Capsh Shell Invocation - Linux (sigma, high)
CHCP Command Execution (splunk_escu)
Cisco NVM - Installation of Typosquatted Python Package (splunk_escu)
Cisco NVM - Suspicious File Download via Headless Browser (splunk_escu)
Cisco Secure Firewall - Binary File Type Download (splunk_escu)
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt (splunk_escu)
Cisco Secure Firewall - High Volume of Intrusion Events Per Host (splunk_escu)
Cisco Secure Firewall - Possibly Compromised Host (splunk_escu)
Cisco Secure Firewall - Privileged Command Execution via HTTP (splunk_escu)
Cisco Secure Firewall - Wget or Curl Download (splunk_escu)
Clearing Windows Console History (elastic, medium)
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location (sigma, medium)
Command and Scripting Interpreter via Windows Scripts (elastic, high)
Command Execution via SolarWinds Process (elastic, medium)
Command Line Obfuscation via Whitespace Padding (elastic, medium)
Command Shell Activity Started via RunDLL32 (elastic, low)
Conhost Spawned By Suspicious Parent Process (elastic, high)
Conhost Spawned By Uncommon Parent Process (sigma, medium)
Creation of Hidden Login Item via Apple Script (elastic, medium)
Cupsd or Foomatic-rip Shell Execution (elastic, high)
Curl Execution via Shell Profile (elastic, high)
Curl or Wget Egress Network Connection via LoLBin (elastic, medium)
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG (sublime, critical)
Decoded Payload Piped to Interpreter Detected via Defend for Containers (elastic, high)
Delayed Execution via Ping (elastic, low)
Deprecated - EggShell Backdoor Execution (elastic, high)
Deprecated - Potential PowerShell Obfuscated Script (elastic, low)
Detect Outbound LDAP Traffic (splunk_escu)
Detection of External Direct IP Usage in CommandLine Windows and Mac (crowdstrike_cql)
Detection of External Direct IP Usage in CommandLine Windows and Mac (crowdstrike_cql)
Direct Interactive Kubernetes API Request by Common Utilities (elastic, medium)
Direct Interactive Kubernetes API Request by Unusual Utilities (elastic, low)
Direct Interactive Kubernetes API Request Detected via Defend for Containers (elastic, low)
Disabling Windows Defender Security Settings via PowerShell (elastic, medium)
Dracut Module Creation (elastic, low)
Dynamic IEX Reconstruction via Method String Access (elastic, low)
Dynamic Linker (ld.so) Creation (elastic, medium)
Egress Connection from Entrypoint in Container (elastic, medium)
Elevated System Shell Spawned (sigma, medium)
Elevated System Shell Spawned From Uncommon Parent Location (sigma, medium)
Encoded Payload Detected via Defend for Containers (elastic, medium)
Entra ID PowerShell Sign-in (elastic, low)
ESXi Reverse Shell Patterns (splunk_escu)
Excessive distinct processes from Windows Temp (splunk_escu)
Excessive number of taskhost processes (splunk_escu)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of a Downloaded Windows Script (elastic, medium)
Execution of Persistent Suspicious Program (elastic, medium)
Execution via Electron Child Process Node.js Module (elastic, medium)
Execution via GitHub Actions Runner (elastic, medium)
Execution via MSSQL xp_cmdshell Stored Procedure (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
Execution via Windows Subsystem for Linux (elastic, medium)
Execution with Explicit Credentials via Scripting (elastic, medium)
Exporting Exchange Mailbox via PowerShell (elastic, medium)
File Creation and Execution Detected via Defend for Containers (elastic, medium)
File Creation by Cups or Foomatic-rip Child (elastic, medium)
File Creation in /var/log via Suspicious Process (elastic, medium)
File Creation, Execution and Self-Deletion in Suspicious Directory (elastic, high)
File Download Detected via Defend for Containers (elastic, medium)
File Execution Permission Modification Detected via Defend for Containers (elastic, low)
File Transfer or Listener Established via Netcat (elastic, medium)
File Transfer Utility Launched from Unusual Parent (elastic, medium)
Find OpenClaw on Endpoints (crowdstrike_cql)
Find OpenClaw on Endpoints (crowdstrike_cql)
First Time Python Spawned a Shell on Host (elastic, medium)
Forbidden Direct Interactive Kubernetes API Request (elastic, medium)
Forfiles Command Execution (sigma, medium)
Git Hook Child Process (elastic, low)
Git Hook Command Execution (elastic, low)
Git Hook Created or Modified (elastic, low)
Git Hook Egress Network Connection (elastic, medium)
GitHub Actions Unusual Bot Push to Repository (elastic, low)
GitHub Actions Workflow Modification Blocked (elastic, medium)
Github Activity on a Private Repository from an Unusual IP (elastic, low)
GitHub Authentication Token Access via Node.js (elastic, medium)
Google Calendar C2 via Script Interpreter (elastic, high)
HackTool - Sliver C2 Implant Activity Pattern (sigma, critical)
HackTool - Stracciatella Execution (sigma, high)
Hacktool Ruler (sigma, high)
Host File System Changes via Windows Subsystem for Linux (elastic, medium)
HTML smuggling containing recipient email address (sublime, medium)
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation (sublime, medium)
Incoming Execution via PowerShell Remoting (elastic, medium)
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (elastic, high)
Initramfs Unpacking via unmkinitramfs (elastic, low)
Inline Python Execution - Spawn Shell Via OS System Library (sigma, high)
Install New Package Via Winget Local Manifest (sigma, medium)
Installation of WSL Kali-Linux (sigma, high)
Interactive Exec Into Container Detected via Defend for Containers (elastic, low)
Interactive Shell Launched via Unusual Parent Process in a Container (elastic, medium)
Interactive Shell Spawn Detected via Defend for Containers (elastic, low)
Interactive Terminal Spawned via Perl (elastic, high)
Interactive Terminal Spawned via Python (elastic, high)
Juniper Networks Remote Code Execution Exploit Detection (splunk_escu)
Kill Command Execution (elastic, low)
Kubernetes Direct API Request via Curl or Wget (elastic, medium)
Kubernetes Pod Exec Potential Reverse Shell (elastic, high)
LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection (crowdstrike_cql)
LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection (crowdstrike_cql)
Link: Cryptocurrency fraud with suspicious links (sublime, high)
Link: JavaScript obfuscation with Telegram bot integration (sublime, high)
Link: Landing page with search-ms protocol redirect (sublime, high)
Linux Restricted Shell Breakout via Linux Binary(s) (elastic, medium)
Living Off The Land Detection (splunk_escu)
Log4Shell CVE-2021-44228 Exploitation (splunk_escu)
Long Base64 Encoded Command via Scripting Interpreter (elastic, high)
M365 SharePoint/OneDrive File Access via PowerShell (elastic, medium)
Manual Dracut Execution (elastic, low)
Manual Execution of Script Inside of a Compressed File (sigma, medium)
Mass campaign: Cross Site Scripting (XSS) attempt (sublime, medium)
MCP Filesystem Server Suspicious Extension Write (splunk_escu)
MCP Prompt Injection (splunk_escu)
Memory Swap Modification (elastic, medium)
Microsoft Build Engine Started an Unusual Process (elastic, low)
Microsoft Build Engine Started by a Script Process (elastic, medium)
Microsoft Exchange Worker Spawning Suspicious Processes (elastic, high)
Microsoft Management Console File from Unusual Path (elastic, medium)
Multi-Base64 Decoding Attempt from Suspicious Location (elastic, medium)
Netcat File Transfer or Listener Detected via Defend for Containers (elastic, medium)