EXPLORE DETECTIONS
Process Creation via Secondary Logon
Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Process Execution from an Unusual Directory
Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.
Process Injection - Detected - Elastic Endgame
Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Process Injection - Prevented - Elastic Endgame
Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Process Injection by the Microsoft Build Engine
An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.
Process Killing Detected via Defend for Containers
This rule detects the killing of processes inside a container. An adversary may attempt to find and kill competing processes to gain control of the container.
Process Spawned from Message-of-the-Day (MOTD)
Message of the day (MOTD) is the message presented to a user when they connect to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence on the target by executing a backdoor script or command every time a user connects to the system. This rule detects the execution of potentially malicious processes through the MOTD utility.
Process Started from Process ID (PID) File
Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage (tmpfs) directory /var/run. On Linux, PID files typically hold the process ID to track previously running copies and manage other tasks. Certain Linux malware uses the /var/run directory for holding data, executables and other files, disguising itself or these files as legitimate PID files.
Process Started with Executable Stack
This rule monitors the syslog log file for messages related to instances of processes that are started with an executable stack. This can be an indicator of a process that is attempting to execute code from the stack, which can be a security risk.
Processes with Trailing Spaces
Identifies instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.
Program Files Directory Masquerading
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third-party programs. An adversary may leverage masquerading, along with low privileges, to bypass detections that allowlist those folders.
Prompt for Credentials with Osascript
Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.
Proxy Execution via Console Window Host
Identifies abuse of the Console Window Host (conhost.exe) to execute commands via proxy. This behavior is used as a defense evasion technique to blend malicious activity in with legitimate Windows software.
Proxy Execution via Windows OpenSSH
Identifies attempts to execute commands via proxy using the Windows OpenSSH client. This may indicate an attempt to bypass application control via trusted Windows binaries.
Proxy Shell Execution via Busybox
Detects the execution of a shell through Busybox. Attackers may use this technique to execute shells while attempting to evade detection.
ProxyChains Activity
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
PsExec Network Connection
Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.
Python Path File (pth) Creation
This rule detects the creation of .pth files in system-wide and user-specific Python package directories, which can be abused for persistent code execution. .pth files automatically execute Python code when the interpreter starts, making them a stealthy persistence mechanism. Monitoring these paths helps identify unauthorized modifications that could indicate persistence by an attacker or malicious package injection.
Python Site or User Customize File Creation
This rule detects the creation and modification of sitecustomize.py and usercustomize.py, which Python automatically executes on startup. Attackers can exploit these files for persistence by injecting malicious code. The rule monitors system-wide, user-specific, and virtual environment locations to catch unauthorized changes that could indicate persistence or backdooring attempts.
Quarantine Attrib Removed by Unsigned or Untrusted Process
Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.
Ransomware - Detected - Elastic Defend
Generates a detection alert each time an Elastic Defend alert for ransomware is received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts.
Ransomware - Detected - Elastic Endgame
Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Ransomware - Prevented - Elastic Defend
Generates a detection alert each time an Elastic Defend alert for ransomware is received. Enabling this rule allows you to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection-only alerts.
Ransomware - Prevented - Elastic Endgame
Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.