EXPLORE DETECTIONS
Temporarily Scheduled Task Creation
Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use a short-lived task to proxy malicious execution through the Task Scheduler service and then delete it to clean up.
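The correlation behind this rule, as an added example that is not Elastic's own query: pair each task-creation event with the next deletion of the same task on the same host and alert when the lifetime is short. The events are constructed here in a simplified ECS-like shape; the field names (`winlog.event_data.TaskName`, `event.code` 4698/4699, which require "Audit Other Object Access Events" to be enabled) are assumptions for the example.

```python
from datetime import datetime

# Constructed sample events (not real logs). 4698 = task created, 4699 = task deleted.
EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "ws01", "event.code": "4698",
     "winlog.event_data.TaskName": "\\Microsoft\\Windows\\Update\\Sync", "user.name": "alice"},
    {"@timestamp": "2024-05-01T10:00:12Z", "host.name": "ws01", "event.code": "4699",
     "winlog.event_data.TaskName": "\\Microsoft\\Windows\\Update\\Sync", "user.name": "alice"},
    {"@timestamp": "2024-05-01T11:00:00Z", "host.name": "ws02", "event.code": "4698",
     "winlog.event_data.TaskName": "\\Backup\\Nightly", "user.name": "svc_backup"},
    {"@timestamp": "2024-05-03T11:00:00Z", "host.name": "ws02", "event.code": "4699",
     "winlog.event_data.TaskName": "\\Backup\\Nightly", "user.name": "svc_backup"},
    {"@timestamp": "2024-05-01T12:00:00Z", "host.name": "ws03", "event.code": "4699",
     "winlog.event_data.TaskName": "\\Orphan", "user.name": "bob"},  # deletion with no creation seen
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_short_lived_tasks(events, max_interval_seconds=300):
    """Pair each 4698 with the next 4699 for the same host and task name.

    Returns one hit per pair whose lifetime is within max_interval_seconds.
    Task names are compared case-insensitively because the scheduler is.
    """
    pending = {}   # (host, task) -> creation event awaiting a matching deletion
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        key = (ev["host.name"], ev["winlog.event_data.TaskName"].lower())
        if ev["event.code"] == "4698":
            pending[key] = ev            # a re-creation supersedes the older one
        elif ev["event.code"] == "4699" and key in pending:
            created = pending.pop(key)
            lifetime = parse_ts(ev["@timestamp"]) - parse_ts(created["@timestamp"])
            if lifetime.total_seconds() <= max_interval_seconds:
                hits.append({
                    "host": ev["host.name"],
                    "task": ev["winlog.event_data.TaskName"],
                    "user": ev["user.name"],
                    "lifetime_seconds": int(lifetime.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_tasks(EVENTS):
        print(hit)
```

Only the task on ws01 (deleted 12 seconds after creation) is reported with the default window; the two-day-old backup task and the orphan deletion are not.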
Third-party Backup Files Deleted via Unexpected Process
Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete backup files to make recovery from a ransomware attack less likely.
Threat Intel Email Indicator Match
This rule is triggered when an email indicator from the Threat Intel Filebeat module or integrations matches an event containing email-related data, such as logs from email security gateways or email service providers.
Threat Intel Hash Indicator Match
This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.
Threat Intel IP Address Indicator Match
This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.
Threat Intel URL Indicator Match
This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.
Threat Intel Windows Registry Indicator Match
This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.
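The five indicator-match rules above share one mechanism: an indicator from a feed is compared against the event fields that can carry that kind of value. The example below is added here and is not Elastic's implementation; it shows why normalisation matters (hash case, IPv6 spelling, URL host case, registry hive aliases) and which ECS fields are consulted per type. The indicator values, the field mapping and the events are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed indicators. The values are placeholders, not taken from any feed.
INDICATORS = [
    {"type": "hash", "name": "dropper-sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "ip", "name": "c2-node", "value": "2001:DB8::1"},
    {"type": "url", "name": "stager-url", "value": "HTTP://Evil.Example/payload.bin"},
    {"type": "email", "name": "phish-sender", "value": "Phish@Example.NET"},
    {"type": "registry", "name": "run-key",
     "value": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

# ECS fields consulted per indicator type (assumed mapping for this example).
EVENT_FIELDS = {
    "hash": ["file.hash.md5", "file.hash.sha1", "file.hash.sha256",
             "process.hash.sha256", "dll.hash.sha256"],
    "ip": ["source.ip", "destination.ip"],
    "url": ["url.full", "url.original"],
    "domain": ["dns.question.name", "url.domain", "destination.domain"],
    "email": ["email.from.address", "email.sender.address", "email.to.address"],
    "registry": ["registry.path"],
}

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
                "hkey_users": "hku", "hkey_classes_root": "hkcr"}


def normalize(kind, value):
    """Canonicalise a value so feed and event spellings compare equal."""
    v = value.strip()
    if kind in ("hash", "email", "domain"):
        return v.lower()
    if kind == "ip":
        return str(ipaddress.ip_address(v))      # 2001:DB8::1 and 2001:db8:0:0:0:0:0:1 agree
    if kind == "url":
        u = urlsplit(v)                          # hostname is already lower-cased by urlsplit
        return f"{u.scheme.lower()}://{u.hostname}{u.path or '/'}"
    if kind == "registry":
        root, _, rest = v.replace("/", "\\").lower().partition("\\")
        return HIVE_ALIASES.get(root, root) + "\\" + rest
    raise ValueError(kind)


def build_index(indicators):
    index = {}
    for ind in indicators:
        index[(ind["type"], normalize(ind["type"], ind["value"]))] = ind["name"]
        if ind["type"] == "url":                 # DNS/host-only fields match on the URL's host
            index[("domain", urlsplit(ind["value"]).hostname)] = ind["name"]
    return index


def match_event(event, index):
    """Return [(field, indicator_name)] for every event field that hits an indicator."""
    matches = []
    for kind, fields in EVENT_FIELDS.items():
        for field in fields:
            raw = event.get(field)
            for value in (raw if isinstance(raw, list) else [raw]):
                if value is None:
                    continue
                try:
                    key = (kind, normalize(kind, value))
                except ValueError:               # malformed IP etc.: skip, never crash the pipeline
                    continue
                if key in index:
                    matches.append((field, index[key]))
    return matches


# Constructed events, one per indicator type plus a benign one.
EVENTS = [
    {"event.category": "process", "process.hash.sha256":
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"event.category": "network", "destination.ip": "2001:db8:0:0:0:0:0:1"},
    {"event.category": "web", "url.full": "http://evil.example/payload.bin"},
    {"event.category": "network", "dns.question.name": "EVIL.example"},
    {"event.category": "email", "email.from.address": "phish@example.net"},
    {"event.category": "registry", "registry.path":
     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"event.category": "network", "destination.ip": "192.0.2.7", "dns.question.name": "example.org"},
]


def scan(events, index):
    return [(i, field, name) for i, ev in enumerate(events) for field, name in match_event(ev, index)]
```

Every indicator hits exactly one constructed event even though none of them is spelled the same way in the feed and in the event; the benign event and an unparsable IP produce no match and no exception.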
Timestomping using Touch Command
Timestomping is an anti-forensics technique used to modify the timestamps of a file, often so that it blends in with the files in the same folder. The rule looks for the touch command invoked with options that set timestamps explicitly or copy them from a reference file, rather than a plain touch.
Tool Enumeration Detected via Defend for Containers
This rule detects the enumeration of tools by the "which" command inside a container. The "which" command locates executables on the PATH and so reveals which tools are installed; an adversary may use it to gain information about the container and the services running inside it.
Tool Installation Detected via Defend for Containers
This rule detects the installation of tools inside a container. An adversary may need to install additional software to enumerate the container, its environment, and move laterally within the environment.
Trap Signals Execution
Identifies activity where adversaries use the shell's trap command, which lets programs and shells specify commands to be executed when an interrupt or other signal is received.
Tunneling and/or Port Forwarding Detected via Defend for Containers
This rule detects the use of tunneling and/or port forwarding tools inside a container. This could indicate a threat actor is using these tools to communicate with a C2 server, is attempting to exfiltrate data from the container, or is attempting to pivot within the container network.
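The five container and Linux rules above (timestomping via touch, tool enumeration via which, tool installation, trap signals, and tunneling or port forwarding) all reduce to classifying a process command line. The example below is added here and is not Elastic's own rule logic: it parses constructed container process events with shlex, looks through sudo/nohup wrappers, and labels each command with the techniques it matches. The tool lists, option lists and field names are assumptions chosen for the example, and in production each would need exclusions for the legitimate build and operations tooling in your environment.

```python
import os
import re
import shlex

# Assumed heuristics for this example, not the Elastic rules' own queries.
WRAPPERS = {"sudo", "nohup", "doas"}
PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "dnf", "apk", "pip", "pip3", "npm", "gem"}
INSTALL_VERBS = {"install", "add"}
TUNNEL_TOOLS = {"socat", "chisel", "ngrok", "frpc", "frps", "iodine", "ptunnel"}
SSH_FORWARD_FLAGS = set("LRDw")          # -L local, -R remote, -D dynamic, -w tun device
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
TOUCH_TIME_OPTS = ("-r", "-t", "-d", "--reference", "--date")
TRAP_RE = re.compile(r"(?:^|[;&|]\s*)trap\s")   # 'trap' in command position, not inside an argument


def classify(argv):
    """Return the set of technique labels one argv vector matches."""
    while argv and os.path.basename(argv[0]) in WRAPPERS:
        argv = argv[1:]                  # look through sudo/nohup to the real command
    if not argv:
        return set()
    exe, args = os.path.basename(argv[0]), argv[1:]
    labels = set()
    if exe == "touch" and any(a.startswith(TOUCH_TIME_OPTS) for a in args):
        labels.add("timestomping")       # explicit or reference timestamps, not a plain touch
    if exe == "which":
        labels.add("tool_enumeration")
    if exe in PACKAGE_MANAGERS and INSTALL_VERBS & set(args):
        labels.add("tool_installation")
    if exe in TUNNEL_TOOLS:
        labels.add("tunneling")
    if exe == "ssh":
        short_flags = [a[1:] for a in args if a.startswith("-") and not a.startswith("--")]
        if any(SSH_FORWARD_FLAGS & set(flags) for flags in short_flags):
            labels.add("tunneling")      # handles bundled forms such as -fNR
    if exe in SHELLS and "-c" in args:
        script = args[args.index("-c") + 1:][:1]
        if script and TRAP_RE.search(script[0]):
            labels.add("trap_signals")   # trap is a builtin, so it only shows up inside sh -c '...'
    return labels


# Constructed container process events (not real telemetry).
EVENTS = [
    {"container.id": "c1", "process.command_line": "touch -r /bin/ls /tmp/.x/payload"},
    {"container.id": "c1", "process.command_line": "which nmap nc socat python3"},
    {"container.id": "c2", "process.command_line": "sudo apt-get install -y socat"},
    {"container.id": "c2", "process.command_line": "sh -c \"trap 'rm -f /tmp/x' INT TERM; ./run\""},
    {"container.id": "c3", "process.command_line": "ssh -fNR 9000:localhost:22 user@203.0.113.5"},
    {"container.id": "c3", "process.command_line": "socat TCP-LISTEN:8080,fork TCP:10.0.0.5:80"},
    {"container.id": "c4", "process.command_line": "ls -la /var/www"},
    {"container.id": "c4", "process.command_line": "touch /tmp/newfile"},
]


def scan(events):
    """Return one hit per (event, technique) in input order."""
    hits = []
    for ev in events:
        try:
            argv = shlex.split(ev["process.command_line"])
        except ValueError:               # unbalanced quotes: fall back to a whitespace split
            argv = ev["process.command_line"].split()
        for label in sorted(classify(argv)):
            hits.append({"container": ev["container.id"], "technique": label,
                         "command_line": ev["process.command_line"]})
    return hits
```

Note that `socat` as an argument to apt-get is reported as an installation, not as tunneling: the classifier keys on the executable actually running, which is what the process event records.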
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
UAC Bypass Attempt via Privileged IFileOperation COM Interface
Identifies attempts to bypass User Account Control (UAC) via DLL side-loading, where the privileged IFileOperation COM interface is used to write a DLL into a trusted system directory from which an auto-elevated Microsoft binary then loads it. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
UAC Bypass Attempt via Windows Directory Masquerading
Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
UAC Bypass via DiskCleanup Scheduled Task Hijack
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.
UAC Bypass via ICMLuaUtil Elevated COM Interface
Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
UAC Bypass via Windows Firewall Snap-In Hijack
Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.
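Two of the UAC bypass rules above rest on checks that are easy to state precisely: Windows directory masquerading uses a directory whose name collapses to a trusted path once trailing whitespace is removed (for example `C:\Windows \System32\`), and the DiskCleanup hijack works because the SilentCleanup scheduled task expands `%windir%` when it launches cleanmgr.exe with highest privileges, so a per-user `Environment\windir` value redirects it. The example below is added here and is not Elastic's own logic; the trusted-directory list, hive names and event shapes are assumptions for the example.

```python
# Assumed trusted directories and user hive names for this example.
TRUSTED_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_HIVES = {"hkcu", "hkey_current_user", "hku", "hkey_users"}


def is_masqueraded_windows_dir(path):
    """True when a directory prefix of path equals a trusted directory once trailing
    whitespace is stripped from its components, e.g. 'C:\\Windows \\System32\\x.exe'.
    Normal Win32 path handling strips trailing spaces, so such a directory can only be
    created through the \\\\?\\ prefix; that is why its presence is a strong signal."""
    parts = path.lower().split("\\")
    for depth in range(1, len(parts)):       # every directory prefix, excluding the file name
        prefix = parts[:depth]
        if any(p != p.rstrip() for p in prefix) and \
           "\\".join(p.rstrip() for p in prefix) in TRUSTED_DIRS:
            return True
    return False


def is_user_windir_hijack(registry_path):
    """True for a write to <user hive>\\...\\Environment\\windir. The machine-wide
    windir under HKLM is legitimate and is deliberately not matched."""
    p = registry_path.replace("/", "\\").lower()
    root = p.split("\\", 1)[0]
    return root in USER_HIVES and p.endswith("\\environment\\windir")


def evaluate(event):
    """Return the labels an ECS-like event matches."""
    labels = []
    if event.get("event.category") == "process" and \
       is_masqueraded_windows_dir(event.get("process.executable", "")):
        labels.append("uac_bypass_windows_dir_masquerading")
    if event.get("event.category") == "registry" and \
       is_user_windir_hijack(event.get("registry.path", "")):
        labels.append("uac_bypass_diskcleanup_windir_hijack")
    return labels


# Constructed events (not real telemetry; the SID is made up).
EVENTS = [
    {"event.category": "process", "process.executable": "C:\\Windows \\System32\\update.exe"},
    {"event.category": "process", "process.executable": "C:\\Windows\\System32\\update.exe"},
    {"event.category": "process", "process.executable": "C:\\Users\\bob \\tools\\update.exe"},
    {"event.category": "registry",
     "registry.path": "HKEY_USERS\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Environment\\windir"},
    {"event.category": "registry",
     "registry.path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\windir"},
]
```

The whitespace check is applied to every directory prefix rather than to the whole path, so `C:\Windows\System32 \x.dll` is caught as well as `C:\Windows \System32\x.exe`, while a trailing space in a user's own folder name is not flagged.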
UID Elevation from Previously Unknown Executable
Monitors for the elevation of a regular user's permissions to root through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions or syscalls through a rootkit, providing easy access to root via a specially modified command.
Unauthorized Access to an Okta Application
Identifies unauthorized access attempts to Okta applications.
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials, with an adversary attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that alerts when the `okta.actor.display_name` field value has not been seen for this event in the last 14 days.
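Both "UID Elevation from Previously Unknown Executable" and the Okta rule above are "new terms" detections: an event that matches the rule's criteria is only alerted on when the value of one field (the executable, or the actor's display name) has not been seen in matching events during a lookback window. The example below is added here as a simplified model of that evaluation and is not Elastic's implementation; the predicate field names (in particular `okta.debug_context.debug_data.grant_type` and `okta.outcome.reason`) and all events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def new_terms(events, term_field, matches, lookback_days=14):
    """Walk events in time order and alert on a qualifying event whose term_field
    value has not appeared in any qualifying event during the preceding lookback."""
    lookback = timedelta(days=lookback_days)
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches(ev) or ev.get(term_field) is None:
            continue
        term, ts = ev[term_field], parse_ts(ev["@timestamp"])
        seen = last_seen.get(term)
        if seen is None or ts - seen > lookback:
            alerts.append(ev)
        last_seen[term] = ts
    return alerts


# --- UID elevation: a regular user becoming effective root through some executable ---
def is_uid_elevation(ev):
    return (ev.get("event.category") == "process"
            and ev.get("user.id") not in (None, "0")
            and ev.get("user.effective.id") == "0")


# Constructed Linux process events (not real telemetry).
LINUX_EVENTS = [
    {"@timestamp": "2024-05-01T08:00:00Z", "event.category": "process", "user.id": "1000",
     "user.effective.id": "0", "process.executable": "/usr/bin/sudo"},
    {"@timestamp": "2024-05-05T08:00:00Z", "event.category": "process", "user.id": "1000",
     "user.effective.id": "0", "process.executable": "/usr/bin/sudo"},
    {"@timestamp": "2024-05-10T08:00:00Z", "event.category": "process", "user.id": "1000",
     "user.effective.id": "0", "process.executable": "/tmp/.cache/elevate"},   # never seen before
    {"@timestamp": "2024-05-12T08:00:00Z", "event.category": "process", "user.id": "0",
     "user.effective.id": "0", "process.executable": "/usr/bin/sudo"},        # already root: no elevation
    {"@timestamp": "2024-05-30T08:00:00Z", "event.category": "process", "user.id": "1000",
     "user.effective.id": "0", "process.executable": "/usr/bin/sudo"},        # 25 days since last sighting
]


# --- Okta: client-credentials token grant denied for a scope, keyed by actor ---
def is_denied_client_credentials_grant(ev):
    # Field names below are assumed for this example.
    return (ev.get("event.action") == "app.oauth2.as.token.grant"
            and ev.get("event.outcome") == "failure"
            and ev.get("okta.debug_context.debug_data.grant_type") == "client_credentials"
            and "scope" in ev.get("okta.outcome.reason", "").lower())


# Constructed Okta system log events (not real telemetry).
OKTA_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.action": "app.oauth2.as.token.grant",
     "event.outcome": "failure", "okta.debug_context.debug_data.grant_type": "client_credentials",
     "okta.outcome.reason": "requested scope not granted", "okta.actor.display_name": "ci-pipeline"},
    {"@timestamp": "2024-05-03T09:00:00Z", "event.action": "app.oauth2.as.token.grant",
     "event.outcome": "failure", "okta.debug_context.debug_data.grant_type": "client_credentials",
     "okta.outcome.reason": "requested scope not granted", "okta.actor.display_name": "ci-pipeline"},
    {"@timestamp": "2024-05-04T09:00:00Z", "event.action": "app.oauth2.as.token.grant",
     "event.outcome": "failure", "okta.debug_context.debug_data.grant_type": "client_credentials",
     "okta.outcome.reason": "requested scope not granted", "okta.actor.display_name": "Unknown Service"},
    {"@timestamp": "2024-05-04T10:00:00Z", "event.action": "app.oauth2.as.token.grant",
     "event.outcome": "success", "okta.debug_context.debug_data.grant_type": "client_credentials",
     "okta.actor.display_name": "mobile-app"},
]


def run_linux_example():
    return [ev["process.executable"]
            for ev in new_terms(LINUX_EVENTS, "process.executable", is_uid_elevation)]


def run_okta_example():
    return [ev["okta.actor.display_name"]
            for ev in new_terms(OKTA_EVENTS, "okta.actor.display_name",
                                is_denied_client_credentials_grant)]
```

Two properties of new-terms evaluation show up in the constructed data: a term that has not recurred within the window (sudo after a 25-day gap) is treated as new again, and an event that does not satisfy the rule's criteria (the root-to-root sudo, the successful grant) neither alerts nor refreshes the term's last-seen time. When the rule is first enabled, every term is new, so a learning period or a pre-seeded history is needed before the alerts are meaningful.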
Uncommon Destination Port Connection by Web Server
This rule identifies unusual destination port network activity originating from a web server process. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems.
Uncommon Registry Persistence Change
Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.