EXPLORE

EXPLORE DETECTIONS

🔍
1,862 detections found

Deprecated - M365 Security Compliance User Restricted from Sending Email

Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.

Elasticmedium

Deprecated - M365 Teams External Access Enabled

Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.

T1484T1562
Elasticmedium

Deprecated - M365 Teams Guest Access Enabled

Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.

T1098T1484
Elasticmedium

Deprecated - MFA Disabled for Google Workspace Organization

Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.

T1556
Elastichigh

Deprecated - Potential PowerShell Obfuscated Script

Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).

T1027T1027.010T1140T1059T1059.001
Elasticlow

Deprecated - Sudo Heap-Based Buffer Overflow Attempt

Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.

T1068T1548T1548.003
Elastichigh

Deprecated - SUNBURST Command and Control Activity

The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.

T1071T1071.001T1195T1195.002
Elastichigh

Deprecated - Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.

T1068T1574T1574.001
Elasticlow

Deprecated - Uncommon Destination Port Connection by Web Server

This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems.

T1505T1505.003T1059T1059.004T1071+1
Elasticlow

Deprecated - Unusual Command Execution from Web Server Parent

This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.

T1505T1505.003T1059T1059.004T1071+1
Elasticlow

Deprecated - Unusual Process Spawned from Web Server Parent

This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.

T1505T1505.003T1059T1059.004T1059.006+4
Elasticlow

Deprecated TLS Version or Weak Cipher Negotiated Externally

Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.

T1557T1573
Elasticmedium

Detection Alert on a Process Exhibiting CPU Spike

This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

Elastichigh

Direct Interactive Kubernetes API Request by Common Utilities

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct interactive Kubernetes API requests. An adversary may need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster. Note that this rule may not trigger if the authorization token of the request is expanded within the process argument list, as the length of the "process.args" field may lead to the field being ignored.

T1059T1059.004T1609T1613
Elasticmedium

Direct Interactive Kubernetes API Request by Unusual Utilities

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct interactive Kubernetes API requests via unusual utilities. An adversary may need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.

T1059T1059.004T1609T1610T1069+2
Elasticlow

Direct Interactive Kubernetes API Request Detected via Defend for Containers

This rule detects the execution of direct interactive Kubernetes API requests inside a container. An adversary may need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster. Note that this rule may not trigger if the token is expanded within the process argument list, as the length of the "process.args" field may lead to the field being ignored.

T1059T1059.004T1609T1613T1550+1
Elasticlow

Directory Creation in /bin directory

This rule identifies the creation of directories in the /bin directory. The /bin directory contains essential binary files that are required for the system to function properly. The creation of directories in this location could be an attempt to hide malicious files or executables, as these /bin directories usually just contain binaries.

T1036T1036.005T1564T1564.001
Elasticlow

Disable Windows Event and Security Logs Using Built-in Tools

Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.

T1070T1070.001T1562T1562.002T1562.006
Elasticlow

Disable Windows Firewall Rules via Netsh

Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.

T1562T1562.004
Elasticmedium

Disabling Lsa Protection via Registry Modification

LSA protecton is provided to prevent nonprotected processes from reading memory and injecting code. This feature provides added security for the credentials that LSA stores and manages. Adversaries may modify the RunAsPPL registry and wait or initiate a system restart to enable Lsass credentials access.

T1112T1562T1562.001T1003T1003.001
Elastichigh

Disabling User Account Control via Registry Modification

User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.

T1548T1548.002T1112T1562T1562.001
Elasticmedium

Disabling Windows Defender Security Settings via PowerShell

Identifies use of the Set-MpPreference or Add-MpPreference PowerShell commands to disable or weaken certain Windows Defender settings, including detection of base64-encoded variants used to bypass command-line inspection.

T1562T1562.001T1059T1059.001
Elasticmedium

Discovery Command Output Written to Suspicious File

Detects when a discovery command is executed followed by the immediate modification of a suspicious file via the same process. Many types of malware execute discovery commands, save the output to a file, and then exfiltrate that file via their C2 channel.

T1074T1074.001T1016T1033T1082
Elasticmedium

dMSA Account Creation by an Unusual User

Detects creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse weak child-object or msDS-DelegatedManagedServiceAccount rights during account migration to elevate privileges.

T1078T1078.002T1098T1136T1136.002
Elastichigh
PreviousPage 17 of 78Next