EXPLORE DETECTIONS
M365 SharePoint Malware File Detected
Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.
M365 SharePoint Search for Sensitive Content
Identifies search queries in SharePoint containing sensitive terms related to credentials, financial data, PII, legal matters, or infrastructure information. Adversaries who compromise user accounts often search for high-value files before exfiltration. This rule detects searches containing terms across multiple sensitivity categories, regardless of the access method (browser, PowerShell, or API). The actual search query text is analyzed against a curated list of sensitive terms to identify potential reconnaissance activity.
M365 SharePoint Site Administrator Added
Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.
M365 SharePoint Site Sharing Policy Weakened
Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.
M365 SharePoint/OneDrive File Access via PowerShell
Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.
M365 Teams Custom Application Interaction Enabled
Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.
Machine Learning Detected a DNS Request Predicted to be a DGA Domain
A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.
Machine Learning Detected a DNS Request With a High DGA Probability Score
A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with a high probability of being malicious activity. Alternatively, the model's blocklist identified the event as malicious.
Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with a low probability of being malicious activity. Alternatively, the model's blocklist identified the event as malicious.
Machine Learning Detected DGA activity using a known SUNBURST DNS domain
A supervised machine learning model has identified a DNS question name that was used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.
Malicious File - Detected - Elastic Defend
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts.
Malicious File - Prevented - Elastic Defend
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection-only alerts.
Malware - Detected - Elastic Endgame
Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Malware - Prevented - Elastic Endgame
Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Manual Dracut Execution
This rule detects manual execution of the "dracut" command on Linux systems. Dracut is a tool used to generate an initramfs image that is used to boot the system. Attackers may use "dracut" to create a custom initramfs image that includes malicious code or backdoors, allowing them to maintain persistence on the system.
Manual Loading of a Suspicious Chromium Extension
Detects the manual loading of a Chromium-based browser extension via command line arguments. This activity is suspicious and could indicate a threat actor loading a malicious extension to persist or collect browsing secrets such as cookies and authentication tokens.
Manual Memory Dumping via Proc Filesystem
This rule monitors for manual memory dumping via the proc filesystem. The proc filesystem in Linux provides a virtual filesystem that contains information about system processes and their memory mappings. Attackers may use this technique to dump the memory of a process, potentially extracting sensitive information such as credentials or encryption keys.
Manual Mount Discovery via /etc/exports or /etc/fstab
This rule detects manual mount discovery via the /etc/exports or /etc/fstab files on Linux systems. These files are used by NFS (Network File System) to define which directories are shared with remote hosts. Attackers may read these files to gather information about shared directories and potential targets for further exploitation.
Masquerading Space After Filename
This rule identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS executes the file according to its true file type instead of its extension. Adversaries can hide a program's true file type by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it is double-clicked.
Memory Swap Modification
This rule detects memory swap modification events on Linux systems. Memory swap modification can be used to manipulate the system's memory and potentially impact the system's performance. This behavior is commonly observed in malware that deploys miner software such as XMRig.
Memory Threat - Detected - Elastic Defend
Generates a detection alert each time an Elastic Defend alert for memory signatures is received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts.
Memory Threat - Prevented - Elastic Defend
Generates a detection alert each time an Elastic Defend alert for memory signatures is received. Enabling this rule allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection-only alerts.
Message-of-the-Day (MOTD) File Creation
This rule detects the creation of potentially malicious files within the default MOTD file directories. The message of the day (MOTD) is the message presented to a user when they connect to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD scripts located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence on the target by executing a backdoor script or command every time a user connects to the system.