EXPLORE DETECTIONS
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers
This rule detects potential direct Kubelet access via process arguments. An adversary may need to access the Kubelet API to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate or execute commands on the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.
Potential Disabling of AppArmor
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
Potential Disabling of SELinux
Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.
Potential DLL Side-Loading via Trusted Microsoft Programs
Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.
Potential DNS Tunneling via NsLookup
This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.
Potential Docker Escape via Nsenter
This rule identifies a UID change event via "nsenter". The "nsenter" command is used to enter a namespace, which is a way to isolate processes and resources. Attackers can use "nsenter" to escape from a container to the host, which can lead to privilege escalation and lateral movement.
Potential Dynamic IEX Reconstruction via Environment Variables
Detects PowerShell scripts that reconstructs IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related `.name[...]` slices and joining characters at runtime. Attackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.
Potential Enumeration via Active Directory Web Service
Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
Potential Escalation via Vulnerable MSI Repair
Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.
Potential Etherhiding C2 via Blockchain Connection
Detects when a scripting interpreter makes an outbound network connection to an Ethereum blockchain endpoint for command and control purposes. Adversaries may leverage Ethereum blockchain infrastructure as a covert C2 channel to receive commands and exfiltrate data, as observed in campaigns like SleepyDuck malware.
Potential Evasion via Filter Manager
The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.
Potential Evasion via Windows Filtering Platform
Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
Potential Execution of rc.local Script
This rule detects the potential execution of the "/etc/rc.local" script through the "already_running" event action created by the "rc-local.service" systemd service. The "/etc/rc.local" script is a legacy initialization script that is executed at the end of the boot process. The "/etc/rc.local" script is not enabled by default on most Linux distributions. The "/etc/rc.local" script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the "already_running" event is leveraged to provide insight into the potential execution of "rc.local".
Potential Execution via FileFix Phishing Attack
Identifies the execution of Windows commands or downloaded files via the browser's dialog box. Adversaries may use phishing to instruct the victim to copy and paste malicious commands for execution via crafted phsihing web pages.
Potential Execution via SSH Backdoor
It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.
Potential Exploitation of an Unquoted Service Path Vulnerability
Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
Potential External Linux SSH Brute Force Detected
Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.
Potential Fake CAPTCHA Phishing Attack
Identifies potential fake CAPTCHA phishing attack based on PowerShell or Cmd argument values. Adversaries employ this technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page loading error requiring a fix to display the page. The victim is instructed to copy and past a malicious command to the Windows Run dialog box.
Potential File Download via a Headless Browser
Identifies headless browser execution from a suspicious parent process with arguments consistent with scripted retrieval. Adversaries use browsers because they are trusted, signed binaries that proxy and application-control policies allow through, bypassing restrictions on direct download tools.
Potential File Transfer via Certreq
Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.
Potential File Transfer via Curl for Windows
Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl to download files or upload data to a remote URL.
Potential Foxmail Exploitation
Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.
Potential Git CVE-2025-48384 Exploitation
This rule detects potential exploitation of CVE-2025-48384 via Git. This vulnerability allows attackers to execute arbitrary code by leveraging Git's recursive clone feature to fetch and execute malicious scripts from a remote repository.
Potential Hex Payload Execution via Command-Line
This rule detects when a process executes a command line containing hexadecimal characters. Malware authors may use hexadecimal encoding to obfuscate their payload and evade detection.