EXPLORE DETECTIONS
Office Test Registry Persistence
Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.
Okta AiTM Session Cookie Replay
Detects potential Adversary-in-the-Middle (AiTM) session cookie replay attacks against Okta. This rule identifies when an Okta session is used from multiple IP addresses or with suspicious non-browser user agents after initial authentication. AiTM attacks capture session cookies via phishing proxies (e.g., Evilginx, Modlishka) and replay them from attacker infrastructure, bypassing MFA. The detection correlates session start events with subsequent policy evaluations or SSO attempts that occur from different IPs or programmatic user agents.
Okta Alerts Following Unusual Proxy Authentication
Correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user. Attackers frequently use proxy infrastructure (VPNs, Tor, residential proxies) to mask their origin when using stolen credentials, and their post-authentication activity often triggers additional detection rules.
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a user from authenticating to a phishing website.
Okta Multiple OS Names Detected for a Single DT Hash
Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine.
Okta Sign-In Events via Third-Party IdP
Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP) that has not been seen before. Adversaries may add an unauthorized IdP to an Okta tenant to gain persistent access. This rule uses New Terms detection to only alert when a previously unseen IdP is used for authentication, reducing noise from legitimate federated identity providers while highlighting potentially rogue IdP additions.
Okta Successful Login After Credential Attack
Correlates Okta credential attack alerts with subsequent successful authentication for the same user account, identifying potential compromise following brute force, password spray, or credential stuffing attempts.
Okta ThreatInsight Threat Suspected Promotion
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.
Okta User Assigned Administrator Role
Identifies when an administrator role is assigned to an Okta user or group. Adversaries may assign administrator privileges to compromised accounts to establish persistence, escalate privileges, and maintain long-term access to the environment. This detection monitors for both user-level and group-level administrator privilege grants, which can be used to bypass security controls and perform unauthorized administrative actions.
Okta User Session Impersonation
A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.
Okta User Sessions Started from Different Geolocations
Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.
Ollama API Accessed from External Network
Detects when the Ollama LLM server accepts connections from external IP addresses. Ollama lacks built-in authentication, so exposed instances allow unauthenticated model theft, prompt injection, and resource hijacking.
Openssl Client or Server Activity
This rule identifies when the openssl client or server is used to establish a connection. Attackers may use openssl to establish a secure connection to a remote server or to create a secure server to receive connections. This activity may be used to exfiltrate data or establish a command and control channel.
OpenSSL Password Hash Generation
This rule detects the usage of the "openssl" binary to generate password hashes on Linux systems. The "openssl" command is a cryptographic utility that can be used to generate password hashes. Attackers may use "openssl" to generate password hashes for new user accounts or to change the password of existing accounts, which can be leveraged to maintain persistence on a Linux system.
Outbound Scheduled Task Activity via PowerShell
Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.
Outlook Home Page Registry Modification
Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
PANW and Elastic Defend - Command and Control Correlation
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify the source process performing the network activity.
Parent Process Detected with Suspicious Windows Process(es)
A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit unusually high malicious probability scores. These process(es) have been classified as malicious in several ways: the process(es) were predicted to be malicious by the ProblemChild supervised ML model, and, if the anomaly contains a cluster of suspicious processes, each process shares the same parent process name and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Parent Process PID Spoofing
Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Payload Execution via Shell Pipe Detected by Defend for Containers
This rule detects when a payload is downloaded and piped to a shell inside a running container. This could indicate that a threat actor downloaded a payload and executed it using a shell without the payload ever being stored on the filesystem.
Pbpaste Execution via Unusual Parent Process
Detects when an unusual parent process like Node.js, Python, or osascript executes the pbpaste binary to access clipboard data. This technique has been used by malware like OtterCookie to steal passwords and seed phrases from the clipboard.
Peripheral Device Discovery
Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.
Perl Outbound Network Connection
Detects when Perl makes an outbound network connection to a non-private IP address. Perl is a scripting language that comes pre-installed on macOS and offers extensive capabilities for adversaries. Its use for network connections on macOS systems is uncommon and potentially suspicious.
Permission Theft - Detected - Elastic Endgame
Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.