EXPLORE

EXPLORE DETECTIONS

🔍
1,867 detections found

Executable File Creation with Multiple Extensions

Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.

T1036T1036.007T1204T1204.002
Elasticmedium

Executable File Download via Wget

Detects executable file downloads via wget to suspicious locations such as /tmp or /Users/Shared. Threat actors commonly use wget to download malicious payloads and additional tools for post-exploitation.

T1105T1204T1204.002
Elasticmedium

Executable Masquerading as Kernel Process

Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.

T1036T1036.004T1036.005T1564
Elastichigh

Execution from a Removable Media with Network Connection

Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

T1091
Elasticlow

Execution from Unusual Directory - Command Line

Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.

T1059T1059.001T1059.003T1036T1036.005+7
Elasticmedium

Execution of a Downloaded Windows Script

Identifies the creation of a Windows script downloaded from the internet followed by the execution of a scripting utility. Adversaries may use Windows script files for initial access and execution.

T1059T1059.001T1059.003T1059.005T1059.007+5
Elasticmedium

Execution of COM object via Xwizard

Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.

T1559T1559.001T1218
Elasticmedium

Execution of File Written or Modified by Microsoft Office

Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.

T1203T1204T1204.002T1566T1566.001+1
Elastichigh

Execution of Persistent Suspicious Program

Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.

T1547T1547.001T1127T1127.001T1218+7
Elasticmedium

Execution via Electron Child Process Node.js Module

Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.

T1059T1059.007T1548
Elasticmedium

Execution via GitHub Actions Runner

This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process or by shell interpreters launched via a runner entrypoint script on self-hosted runner machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including code execution, reconnaissance, credential harvesting, or network exfiltration initiated through a compromised repository or unauthorized workflow.

T1059T1059.001T1059.002T1059.003T1059.004+6
Elasticmedium

Execution via local SxS Shared Module

Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.

T1129T1574T1574.001
Elasticmedium

Execution via MSSQL xp_cmdshell Stored Procedure

Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.

T1505T1505.001T1059T1059.003
Elasticmedium

Execution via OpenClaw Agent

Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents.

T1059T1059.001T1059.002T1059.003T1059.004+8
Elasticmedium

Execution via TSClient Mountpoint

Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.

T1021T1021.001T1570
Elastichigh

Execution via Windows Command Debugging Utility

An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.

T1036T1036.005T1218
Elasticmedium

Execution via Windows Subsystem for Linux

Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

T1202T1059T1059.004
Elasticmedium

Execution with Explicit Credentials via Scripting

Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.

T1078T1548T1548.004T1059T1059.001+3
Elasticmedium

Expired or Revoked Driver Loaded

Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.

T1068T1036T1036.001T1553T1553.002
Elasticmedium

Exploit - Detected - Elastic Endgame

Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

T1203T1068
Elastichigh

Exploit - Prevented - Elastic Endgame

Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

T1203T1068
Elasticmedium

Exporting Exchange Mailbox via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

T1005T1114T1114.001T1114.002T1059+1
Elasticmedium

External Alerts

Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.

Elasticmedium

External IP Address Discovery via Curl

Detects applications making a curl request to a known public IP address lookup web service. Malware commonly performs this action during reconnaissance to assess potential targets and identify the victim's external IP address.

T1016T1016.001
Elasticlow
PreviousPage 23 of 78Next