EXPLORE

EXPLORE DETECTIONS

🔍
1,862 detections found

DNF Package Manager Plugin File Creation

Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.

T1543T1546T1546.016T1574
Elasticlow

DNS Enumeration Detected via Defend for Containers

This rule detects the execution of DNS enumeration tools inside a container. DNS enumeration tools are used to enumerate the DNS servers and domains of the container, which can be used by an adversary to gain information about the network configuration of the container and the services running inside it.

T1016T1018T1046T1049T1613
Elasticlow

DNS Global Query Block List Modified or Disabled

Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

T1112T1562T1562.001T1557
Elasticmedium

DNS Request for IP Lookup Service via Unsigned Binary

Detects when a DNS request is made for an IP lookup service to determine the external IP address of the system via an unsigned or untrusted binary. This is commonly used by malware for reconnaissance before establishing C2 connections.

T1016T1016.001
Elasticmedium

DNS Request to Suspicious Top Level Domain

This rule detects DNS queries to commonly abused top level domains. Malware authors may use these domains to host command and control infrastructure, exfiltrate data, or to download payloads for later execution.

T1071T1071.004T1090T1090.002T1102+8
Elasticlow

DNS Tunneling

A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.

T1071T1071.004T1572T1041
Elasticlow

DNS-over-HTTPS Enabled via Registry

Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.

T1112T1562
Elasticlow

Docker Release File Creation

This rule detects the creation of files named release_agent or notify_on_release, which are commonly associated with the abuse of Linux cgroup release mechanisms. In Docker or containerized environments, this behavior may indicate an attempt to exploit privilege escalation vulnerabilities such as CVE-2022-0492, where attackers use the release_agent feature to execute code on the host from within a container.

T1546T1611
Elasticlow

Docker Socket Enumeration

This rule detects potential Docker socket enumeration activity by monitoring processes that attempt to interact with the Docker socket file (/var/run/docker.sock). Docker socket enumeration is a common technique used by attackers to interact with the Docker daemon and perform various operations, such as creating, starting, stopping, and removing containers. Attackers may abuse Docker socket enumeration to gain unauthorized access to the host system, escalate privileges, or move laterally within the environment.

T1613T1609
Elasticmedium

Domain Added to Google Workspace Trusted Domains

Detects when an administrator adds a domain to the Google Workspace allowlisted (trusted) domains list. Adversaries with administrative access may onboard a domain they control to relax cross-organization sharing restrictions, enabling data collection and exfiltration through Drive, Chat, and other services that honor the tenant trust boundary.

T1484T1484.002T1562T1562.007
Elastichigh

Downloaded Shortcut Files

Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.

T1204T1204.002T1566T1566.001T1566.002
Elasticmedium

Downloaded URL Files

Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.

T1204T1204.002T1566T1566.001T1566.002
Elasticmedium

DPKG Package Installed by Unusual Parent Process

This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. Attackers can abuse the dpkg command to install malicious packages on a system.

T1543T1546T1546.016T1574T1195+1
Elasticlow

Dracut Module Creation

This rule detects the creation of Dracut module files on Linux systems. Dracut is a tool used to generate an initramfs image that is used to boot the system. Dracut modules are scripts that are executed during the initramfs image generation process. Attackers may create malicious Dracut modules to execute arbitrary code at boot time, which can be leveraged to maintain persistence on a Linux system.

T1542T1543T1574T1059T1059.004
Elasticlow

Dumping Account Hashes via Built-In Commands

Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.

T1003T1003.008
Elastichigh

Dumping of Keychain Content via Security Command

Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.

T1555T1555.001
Elastichigh

Dylib Injection via Process Environment Variables

Detects the use of process environment variables (DYLD_INSERT_LIBRARIES or LD_PRELOAD) to inject a shared library into a binary at or prior to execution. A threat actor may use this technique to load a malicious shared library for persistence, privilege escalation, and defense evasion. This activity is uncommon and typically indicates malicious behavior.

T1574T1574.006
Elastichigh

Dynamic IEX Reconstruction via Method String Access

Detects PowerShell scripts that rebuilds IEX by converting method references to strings (for example, ''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string reconstruction to conceal dynamic execution and bypass static detections and AMSI.

T1027T1027.010T1140T1059T1059.001
Elasticlow

Dynamic Linker (ld.so) Creation

This rule detects the creation of the dynamic linker (ld.so). The dynamic linker is used to load shared libraries needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute arbitrary code.

T1218T1574T1574.006T1059T1059.004
Elasticmedium

Dynamic Linker Copy

Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.

T1574T1574.006
Elastichigh

Dynamic Linker Creation

Detects the creation of files related to the configuration of the dynamic linker on Linux systems. The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files. This technique is often observed by userland rootkits that leverage shared objects to maintain persistence on a compromised host.

T1574T1574.006
Elasticmedium

Dynamic Linker Modification Detected via Defend for Containers

This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.

T1574T1574.006
Elastichigh

Egress Connection from Entrypoint in Container

This rule identifies a sequence of events where a process named "entrypoint.sh" is started in a container, followed by a network connection attempt. This sequence indicates a potential egress connection from an entrypoint in a container. An entrypoint is a command or script specified in the Dockerfile and executed when the container starts. Attackers can use this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.

T1059T1059.004T1611T1071
Elasticmedium

EKS Authentication Configuration Modified

Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.

T1098T1098.006
Elastichigh
PreviousPage 18 of 78Next