EXPLORE
← Back to Explore
T1059

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows C...

ContainersESXiIaaSIdentity ProviderLinuxmacOSNetwork DevicesOffice SuiteSaaSWindows
514
Detections
7
Sources
17
Threat Actors

BY SOURCE

300elastic78sigma68sublime40splunk_escu11jamf_protect11crowdstrike_cql6kql

PROCEDURES (181)

Process Creation Monitoring29 detections

Auto-extracted: 29 detections for process creation monitoring

General Monitoring27 detections

Auto-extracted: 27 detections for general monitoring

Script Execution Monitoring23 detections

Auto-extracted: 23 detections for script execution monitoring

Persist10 detections

Auto-extracted: 10 detections for persist

Amsi10 detections

Auto-extracted: 10 detections for amsi

Privilege9 detections

Auto-extracted: 9 detections for privilege

Suspicious8 detections

Auto-extracted: 8 detections for suspicious

Script Block8 detections

Auto-extracted: 8 detections for script block

Exfiltrat8 detections

Auto-extracted: 8 detections for exfiltrat

Download7 detections

Auto-extracted: 7 detections for download

Suspicious6 detections

Auto-extracted: 6 detections for suspicious

Parent Process6 detections

Auto-extracted: 6 detections for parent process

Child Process6 detections

Auto-extracted: 6 detections for child process

Phish5 detections

Auto-extracted: 5 detections for phish

Attachment5 detections

Auto-extracted: 5 detections for attachment

Inject5 detections

Auto-extracted: 5 detections for inject

Email5 detections

Auto-extracted: 5 detections for email

Service5 detections

Auto-extracted: 5 detections for service

Suspicious5 detections

Auto-extracted: 5 detections for suspicious

Base645 detections

Auto-extracted: 5 detections for base64

Remote4 detections

Auto-extracted: 4 detections for remote

Remote4 detections

Auto-extracted: 4 detections for remote

Kubernetes4 detections

Auto-extracted: 4 detections for kubernetes

Bypass4 detections

Auto-extracted: 4 detections for bypass

Parent Process4 detections

Auto-extracted: 4 detections for parent process

Startup4 detections

Auto-extracted: 4 detections for startup

Child Process4 detections

Auto-extracted: 4 detections for child process

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Powershell4 detections

Auto-extracted: 4 detections for powershell

Email4 detections

Auto-extracted: 4 detections for email

Powershell4 detections

Auto-extracted: 4 detections for powershell

Http4 detections

Auto-extracted: 4 detections for http

Service4 detections

Auto-extracted: 4 detections for service

Container4 detections

Auto-extracted: 4 detections for container

Command And Control4 detections

Auto-extracted: 4 detections for command and control

Container4 detections

Auto-extracted: 4 detections for container

Credential4 detections

Auto-extracted: 4 detections for credential

Exfiltrat4 detections

Auto-extracted: 4 detections for exfiltrat

Phish3 detections

Auto-extracted: 3 detections for phish

Persist3 detections

Auto-extracted: 3 detections for persist

Powershell3 detections

Auto-extracted: 3 detections for powershell

Inject3 detections

Auto-extracted: 3 detections for inject

Token3 detections

Auto-extracted: 3 detections for token

Ransomware3 detections

Auto-extracted: 3 detections for ransomware

Powershell3 detections

Auto-extracted: 3 detections for powershell

Child Process3 detections

Auto-extracted: 3 detections for child process

Remote3 detections

Auto-extracted: 3 detections for remote

Aws3 detections

Auto-extracted: 3 detections for aws

Child Process3 detections

Auto-extracted: 3 detections for child process

Unusual3 detections

Auto-extracted: 3 detections for unusual

Bypass3 detections

Auto-extracted: 3 detections for bypass

Base643 detections

Auto-extracted: 3 detections for base64

Download3 detections

Auto-extracted: 3 detections for download

C23 detections

Auto-extracted: 3 detections for c2

Kubernetes3 detections

Auto-extracted: 3 detections for kubernetes

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Privilege2 detections

Auto-extracted: 2 detections for privilege

Child Process2 detections

Auto-extracted: 2 detections for child process

Privilege2 detections

Auto-extracted: 2 detections for privilege

Attachment2 detections

Auto-extracted: 2 detections for attachment

Persist2 detections

Auto-extracted: 2 detections for persist

Kerbero2 detections

Auto-extracted: 2 detections for kerbero

Office2 detections

Auto-extracted: 2 detections for office

Email2 detections

Auto-extracted: 2 detections for email

Http2 detections

Auto-extracted: 2 detections for http

Office2 detections

Auto-extracted: 2 detections for office

Lateral2 detections

Auto-extracted: 2 detections for lateral

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Azure2 detections

Auto-extracted: 2 detections for azure

Unusual2 detections

Auto-extracted: 2 detections for unusual

Unusual2 detections

Auto-extracted: 2 detections for unusual

Obfuscat2 detections

Auto-extracted: 2 detections for obfuscat

Service2 detections

Auto-extracted: 2 detections for service

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Parent Process2 detections

Auto-extracted: 2 detections for parent process

C22 detections

Auto-extracted: 2 detections for c2

Macro2 detections

Auto-extracted: 2 detections for macro

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Aws2 detections

Auto-extracted: 2 detections for aws

Inject2 detections

Auto-extracted: 2 detections for inject

Command Line Monitoring2 detections

Auto-extracted: 2 detections for command line monitoring

Unusual2 detections

Auto-extracted: 2 detections for unusual

C22 detections

Auto-extracted: 2 detections for c2

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Unusual2 detections

Auto-extracted: 2 detections for unusual

Cloud1 detections

Auto-extracted: 1 detections for cloud

Registry1 detections

Auto-extracted: 1 detections for registry

Office1 detections

Auto-extracted: 1 detections for office

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Anomal1 detections

Auto-extracted: 1 detections for anomal

Attachment1 detections

Auto-extracted: 1 detections for attachment

Tamper1 detections

Auto-extracted: 1 detections for tamper

Dns1 detections

Auto-extracted: 1 detections for dns

Container1 detections

Auto-extracted: 1 detections for container

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Registry1 detections

Auto-extracted: 1 detections for registry

Amsi1 detections

Auto-extracted: 1 detections for amsi

Macro1 detections

Auto-extracted: 1 detections for macro

Base641 detections

Auto-extracted: 1 detections for base64

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Scheduled Task1 detections

Auto-extracted: 1 detections for scheduled task

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Obfuscat1 detections

Auto-extracted: 1 detections for obfuscat

Lateral1 detections

Auto-extracted: 1 detections for lateral

Anomal1 detections

Auto-extracted: 1 detections for anomal

Wmi1 detections

Auto-extracted: 1 detections for wmi

Attachment1 detections

Auto-extracted: 1 detections for attachment

Persist1 detections

Auto-extracted: 1 detections for persist

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Amsi1 detections

Auto-extracted: 1 detections for amsi

Cloud1 detections

Auto-extracted: 1 detections for cloud

Attachment1 detections

Auto-extracted: 1 detections for attachment

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Kernel1 detections

Auto-extracted: 1 detections for kernel

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

C21 detections

Auto-extracted: 1 detections for c2

Token1 detections

Auto-extracted: 1 detections for token

Obfuscat1 detections

Auto-extracted: 1 detections for obfuscat

Dns1 detections

Auto-extracted: 1 detections for dns

Inject1 detections

Auto-extracted: 1 detections for inject

Dump1 detections

Auto-extracted: 1 detections for dump

Dump1 detections

Auto-extracted: 1 detections for dump

Service1 detections

Auto-extracted: 1 detections for service

Lateral1 detections

Auto-extracted: 1 detections for lateral

Unusual1 detections

Auto-extracted: 1 detections for unusual

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Bypass1 detections

Auto-extracted: 1 detections for bypass

Privilege1 detections

Auto-extracted: 1 detections for privilege

Process Access1 detections

Auto-extracted: 1 detections for process access

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Cloud1 detections

Auto-extracted: 1 detections for cloud

Anomal1 detections

Auto-extracted: 1 detections for anomal

Azure1 detections

Auto-extracted: 1 detections for azure

Kernel1 detections

Auto-extracted: 1 detections for kernel

Persist1 detections

Auto-extracted: 1 detections for persist

Azure1 detections

Auto-extracted: 1 detections for azure

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Bypass1 detections

Auto-extracted: 1 detections for bypass

Amsi1 detections

Auto-extracted: 1 detections for amsi

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Container1 detections

Auto-extracted: 1 detections for container

Tamper1 detections

Auto-extracted: 1 detections for tamper

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Script Block1 detections

Auto-extracted: 1 detections for script block

Tamper1 detections

Auto-extracted: 1 detections for tamper

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Download1 detections

Auto-extracted: 1 detections for download

Kernel Monitoring1 detections

Auto-extracted: 1 detections for kernel monitoring

Evasion1 detections

Auto-extracted: 1 detections for evasion

Remote1 detections

Auto-extracted: 1 detections for remote

Scheduled Task1 detections

Auto-extracted: 1 detections for scheduled task

Inject1 detections

Auto-extracted: 1 detections for inject

Wmi1 detections

Auto-extracted: 1 detections for wmi

Remote1 detections

Auto-extracted: 1 detections for remote

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Macro1 detections

Auto-extracted: 1 detections for macro

Powershell1 detections

Auto-extracted: 1 detections for powershell

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Wmi1 detections

Auto-extracted: 1 detections for wmi

Registry1 detections

Auto-extracted: 1 detections for registry

Amsi1 detections

Auto-extracted: 1 detections for amsi

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Amsi1 detections

Auto-extracted: 1 detections for amsi

Evasion1 detections

Auto-extracted: 1 detections for evasion

Wmi1 detections

Auto-extracted: 1 detections for wmi

Registry1 detections

Auto-extracted: 1 detections for registry

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Base641 detections

Auto-extracted: 1 detections for base64

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Amsi1 detections

Auto-extracted: 1 detections for amsi

Bypass1 detections

Auto-extracted: 1 detections for bypass

Macro1 detections

Auto-extracted: 1 detections for macro

Kernel1 detections

Auto-extracted: 1 detections for kernel

Evasion1 detections

Auto-extracted: 1 detections for evasion

Token1 detections

Auto-extracted: 1 detections for token

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

DETECTIONS (514)

Abusable DLL Potential Sideloading From Suspicious Location
sigmahigh
Add Insecure Download Source To Winget
sigmahigh
Add New Download Source To Winget
sigmamedium
Add Potential Suspicious New Download Source To Winget
sigmamedium
AMSI Script Detection
kql
Anomalous Windows Process Creation
elasticlow
Apple Script Execution followed by Network Connection
elasticmedium
Apple Scripting Execution with Administrator Privileges
elasticmedium
AppleScript Clipboard Activity
jamf_protectinformational
AppleScript Dialog Activity
jamf_protectinformational
Applications Spawning CMD or Powershell
crowdstrike_cql
Applications Spawning CMD or Powershell
crowdstrike_cql
Attachment: .csproj with suspicious commands
sublimehigh
Attachment: Any .sap file (unsolicited)
sublimelow
Attachment: Archive contains DLL-loading macro
sublimehigh
Attachment: cmd file extension
sublimelow
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
sublimecritical
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
sublimecritical
Attachment: Double base64-encoded zip file in HTML smuggling attachment
sublimehigh
Attachment: Embedded Javascript in SVG file
sublimehigh
Attachment: Embedded VBScript in MHT file
sublimemedium
Attachment: EML containing a base64 encoded script
sublimehigh
Attachment: EML with embedded Javascript in SVG file
sublimehigh
Attachment: Encrypted Microsoft Office file (unsolicited)
sublimemedium
Attachment: Fake Slack installer
sublimehigh
Attachment: Fake Zoom installer
sublimehigh
Attachment: File execution via Javascript
sublimemedium
Attachment: HTML attachment with Javascript location
sublimehigh
Attachment: HTML attachment with login portal indicators
sublimemedium
Attachment: HTML file contains exclusively Javascript
sublimemedium
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
sublimehigh
Attachment: HTML file with reference to recipient and suspicious patterns
sublimehigh
Attachment: HTML smuggling 'body onload' linking to suspicious destination
sublimehigh
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
sublimehigh
Attachment: HTML smuggling with atob and high entropy
sublimehigh
Attachment: HTML smuggling with atob and high entropy via calendar invite
sublimehigh
Attachment: HTML smuggling with auto-downloaded file
sublimehigh
Attachment: HTML smuggling with base64 encoded JavaScript function
sublimehigh
Attachment: HTML smuggling with base64 encoded ZIP file
sublimemedium
Attachment: HTML smuggling with concatenation obfuscation
sublimehigh
Attachment: HTML smuggling with decimal encoding
sublimehigh
Attachment: HTML smuggling with embedded base64 streamed file download
sublimehigh
Attachment: HTML smuggling with eval and atob
sublimehigh
Attachment: HTML smuggling with eval and atob via calendar invite
sublimehigh
Attachment: HTML smuggling with excessive line break obfuscation
sublimehigh
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
sublimemedium
Attachment: HTML smuggling with fromCharCode and other signals
sublimehigh
Attachment: HTML smuggling with high entropy and other signals
sublimehigh
Attachment: HTML smuggling with RC4 decryption
sublimehigh
Attachment: HTML smuggling with ROT13
sublimehigh
Attachment: HTML smuggling with setTimeout
sublimehigh
Attachment: HTML smuggling with unescape
sublimehigh
Attachment: HTML with emoji-to-character map
sublimehigh
Attachment: HTML with hidden body
sublimehigh
Attachment: HTML with JavaScript functions for HTTP requests
sublimehigh
Attachment: HTML with obfuscation and recipient's email in JavaScript strings
sublimehigh
Attachment: ICS with embedded Javascript in SVG file
sublimehigh
Attachment: JavaScript file with suspicious base64-encoded executable
sublimehigh
Attachment: LNK with embedded content
sublimehigh
Attachment: Macro files containing MHT content
sublimemedium
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
sublimehigh
Attachment: Malicious OneNote commands
sublimehigh
Attachment: Microsoft impersonation via PDF with link and suspicious language
sublimehigh
Attachment: Office document with VSTO add-in
sublimehigh
Attachment: Office file with suspicious function calls or downloaded file path
sublimehigh
Attachment: PDF with embedded Javascript
sublimemedium
Attachment: PowerPoint with suspicious hyperlink
sublimehigh
Attachment: PowerShell content
sublimehigh
Attachment: SFX archive containing commands
sublimemedium
Attachment: SVG file execution
sublimehigh
Attempt to Install or Run Kali Linux via WSL
elastichigh
AWS CloudShell Environment Created
elastichigh
AWS EC2 LOLBin Execution via SSM SendCommand
elasticmedium
AWS EC2 Stop, Start, and User Data Modification Correlation
elastichigh
AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content
elastichigh
AWS SSM `SendCommand` with Run Shell Command Parameters
elasticmedium
AWS SSM Session Manager Child Process Execution
elasticmedium
Azure New CloudShell Created
sigmamedium
Azure Run Command Correlated with Process Execution
elasticmedium
Azure Run Command Script Child Process
elasticmedium
Base64 Decoded Payload Piped to Interpreter
elastichigh
Binary Executed from Shared Memory Directory
elastichigh
Boot File Copy
elasticlow
BPF filter applied using TC
elastichigh
BPFDoor Abnormal Process ID or Lock File Accessed
sigmahigh
Capsh Shell Invocation - Linux
sigmahigh
CHCP Command Execution
splunk_escu
Cisco NVM - Installation of Typosquatted Python Package
splunk_escu
Cisco NVM - Suspicious File Download via Headless Browser
splunk_escu
Cisco Secure Firewall - Binary File Type Download
splunk_escu
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
splunk_escu
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
splunk_escu
Cisco Secure Firewall - Possibly Compromised Host
splunk_escu
Cisco Secure Firewall - Privileged Command Execution via HTTP
splunk_escu
Cisco Secure Firewall - Wget or Curl Download
splunk_escu
Clearing Windows Console History
elasticmedium
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
sigmamedium
Command and Scripting Interpreter via Windows Scripts
elastichigh
Command Execution via SolarWinds Process
elasticmedium
Command Line Obfuscation via Whitespace Padding
elasticmedium
Command Shell Activity Started via RunDLL32
elasticlow
Conhost Spawned By Suspicious Parent Process
elastichigh
Conhost Spawned By Uncommon Parent Process
sigmamedium
Creation of Hidden Login Item via Apple Script
elasticmedium
Credential theft: JavaScript date manipulation in HTML body
sublimemedium
Cupsd or Foomatic-rip Shell Execution
elastichigh
Curl Execution via Shell Profile
elastichigh
Curl or Wget Egress Network Connection via LoLBin
elasticmedium
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
sublimecritical
Decoded Payload Piped to Interpreter Detected via Defend for Containers
elastichigh
Delayed Execution via Ping
elasticlow
Deprecated - EggShell Backdoor Execution
elastichigh
Deprecated - Linux Restricted Shell Breakout via Linux Binary(s)
elasticmedium
Deprecated - Potential PowerShell Obfuscated Script
elasticlow
Deprecated - Uncommon Destination Port Connection by Web Server
elasticlow
Deprecated - Unusual Command Execution from Web Server Parent
elasticlow
Deprecated - Unusual Process Spawned from Web Server Parent
elasticlow
Detect Outbound LDAP Traffic
splunk_escu
Detection of External Direct IP Usage in CommandLine Windows and Mac
crowdstrike_cql
Detection of External Direct IP Usage in CommandLine Windows and Mac
crowdstrike_cql
Direct Interactive Kubernetes API Request by Common Utilities
elasticmedium
Direct Interactive Kubernetes API Request by Unusual Utilities
elasticlow
Direct Interactive Kubernetes API Request Detected via Defend for Containers
elasticlow
Disabling Windows Defender Security Settings via PowerShell
elasticmedium
Dracut Module Creation
elasticlow
Dynamic IEX Reconstruction via Method String Access
elasticlow
Dynamic Linker (ld.so) Creation
elasticmedium
Egress Connection from Entrypoint in Container
elasticmedium
Elevated System Shell Spawned
sigmamedium
Elevated System Shell Spawned From Uncommon Parent Location
sigmamedium
Encoded Payload Detected via Defend for Containers
elasticmedium
Entra ID PowerShell Sign-in
elasticlow
ESXi Reverse Shell Patterns
splunk_escu
Excessive distinct processes from Windows Temp
splunk_escu
Excessive number of taskhost processes
splunk_escu
Execution from Unusual Directory - Command Line
elasticmedium
Execution of a Downloaded Windows Script
elasticmedium
Execution of Persistent Suspicious Program
elasticmedium
Execution via Electron Child Process Node.js Module
elasticmedium
Execution via GitHub Actions Runner
elasticmedium
Execution via MSSQL xp_cmdshell Stored Procedure
elasticmedium
Execution via OpenClaw Agent
elasticmedium
Execution via Windows Subsystem for Linux
elasticmedium
Execution with Explicit Credentials via Scripting
elasticmedium
Exporting Exchange Mailbox via PowerShell
elasticmedium
File Creation and Execution Detected via Defend for Containers
elasticmedium
File Creation by Cups or Foomatic-rip Child
elasticmedium
File Creation in /var/log via Suspicious Process
elasticmedium
File Creation, Execution and Self-Deletion in Suspicious Directory
elastichigh
File Download Detected via Defend for Containers
elasticmedium
File Execution Permission Modification Detected via Defend for Containers
elasticlow
File Transfer or Listener Established via Netcat
elasticmedium
File Transfer Utility Launched from Unusual Parent
elasticmedium
Find OpenClaw on Endpoints
crowdstrike_cql
Find OpenClaw on Endpoints
crowdstrike_cql
First Time Python Spawned a Shell on Host
elasticmedium
Forbidden Direct Interactive Kubernetes API Request
elasticmedium
Forfiles Command Execution
sigmamedium
Git Hook Child Process
elasticlow
Git Hook Command Execution
elasticlow
Git Hook Created or Modified
elasticlow
Git Hook Egress Network Connection
elasticmedium
GitHub Actions Unusual Bot Push to Repository
elasticlow
GitHub Actions Workflow Modification Blocked
elasticmedium
Github Activity on a Private Repository from an Unusual IP
elasticlow
GitHub Authentication Token Access via Node.js
elasticmedium
Google Calendar C2 via Script Interpreter
elastichigh
HackTool - Sliver C2 Implant Activity Pattern
sigmacritical
HackTool - Stracciatella Execution
sigmahigh
Hacktool Ruler
sigmahigh
Host File System Changes via Windows Subsystem for Linux
elasticmedium
HTML smuggling containing recipient email address
sublimemedium
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
sublimemedium
Incoming Execution via PowerShell Remoting
elasticmedium
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers
elastichigh
Initramfs Unpacking via unmkinitramfs
elasticlow
Inline Python Execution - Spawn Shell Via OS System Library
sigmahigh
Install New Package Via Winget Local Manifest
sigmamedium
Installation of WSL Kali-Linux
sigmahigh
Interactive Exec Into Container Detected via Defend for Containers
elasticlow
Interactive Shell Launched via Unusual Parent Process in a Container
elasticmedium
Interactive Shell Spawn Detected via Defend for Containers
elasticlow
Interactive Terminal Spawned via Perl
elastichigh
Interactive Terminal Spawned via Python
elastichigh
Juniper Networks Remote Code Execution Exploit Detection
splunk_escu
Kill Command Execution
elasticlow
Kubernetes Direct API Request via Curl or Wget
elasticmedium
Kubernetes Pod Exec Potential Reverse Shell
elastichigh
LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection
crowdstrike_cql
LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection
crowdstrike_cql
Link: Cryptocurrency fraud with suspicious links
sublimehigh
Link: JavaScript obfuscation with Telegram bot integration
sublimehigh
Link: Landing page with search-ms protocol redirect
sublimehigh
Living Off The Land Detection
splunk_escu
Lockscreen Check
jamf_protectinformational
Log4Shell CVE-2021-44228 Exploitation
splunk_escu
Long Base64 Encoded Command via Scripting Interpreter
elastichigh
M365 SharePoint/OneDrive File Access via PowerShell
elastichigh
Manual Dracut Execution
elasticlow
Manual Execution of Script Inside of a Compressed File
sigmamedium