Hex Encoding/Decoding Activity
Identifies attempts to hex-encode or decode data with common Linux utilities, a technique adversaries can use to evade detection by host- or network-based security controls.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Defense Evasion
Version: 4 (version history)
Added (Elastic Stack release): 7.8.0
Last modified (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values. Because od is also invoked by ordinary shell scripts (for example to read a few random bytes from /dev/urandom), scope exceptions to a specific executable together with a user name rather than excluding a process name outright, which would silence the rule for that tool everywhere.
Rule query
event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)
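The following is an added example, not Elastic code, that evaluates the rule query above (and, for comparison, the pre-7.9.0 query from the version history) over a handful of constructed ECS-style process events, then applies an exception of the kind the false-positive note suggests. It assumes flattened ECS field names (event.category, event.type, process.name, process.executable, user.name), treats array-valued fields the way KQL does (any element may match), and models an exception item as a list of field/value entries that must all match, with separate items ORed together; the event documents and the Jenkins exception are constructed for the demonstration.

```python
"""Run the Hex Encoding/Decoding Activity rule query over constructed ECS events.

Added example, not Elastic's own code. Event documents are constructed and use
flattened ECS field names. An exception item is a list of entries that must
all match (AND); several items are ORed.
"""
from typing import Any, Dict, Iterable, List, Tuple

Event = Dict[str, Any]

# process.name values from the rule query (version 4, shown on the page)
HEX_TOOLS_V4 = frozenset({"hexdump", "od", "xxd"})
# process.name values from the pre-7.9.0 query (rule version history on the page)
HEX_TOOLS_V1 = frozenset({"hex", "xxd"})


def _values(event: Event, field: str) -> set:
    """ECS allows array-valued fields; KQL `field:value` matches any element."""
    value = event.get(field)
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def matches_v4(event: Event) -> bool:
    """event.category:process and event.type:(start or process_started)
    and process.name:(hexdump or od or xxd)"""
    return (
        "process" in _values(event, "event.category")
        and bool(_values(event, "event.type") & {"start", "process_started"})
        and bool(_values(event, "process.name") & HEX_TOOLS_V4)
    )


def matches_v1(event: Event) -> bool:
    """event.action:(executed or process_started) and process.name:(hex or xxd)"""
    return bool(_values(event, "event.action") & {"executed", "process_started"}) and bool(
        _values(event, "process.name") & HEX_TOOLS_V1
    )


def excepted(event: Event, exception_items: Iterable[List[Dict[str, str]]]) -> bool:
    """True if any exception item has every one of its entries matching the event."""
    return any(
        all(entry["value"] in _values(event, entry["field"]) for entry in item)
        for item in exception_items
    )


def run_rule(events: Iterable[Event], exception_items) -> Tuple[List[str], List[str]]:
    """One rule execution: return (alerted event ids, ids suppressed by an exception)."""
    alerted: List[str] = []
    suppressed: List[str] = []
    for event in events:
        if not matches_v4(event):
            continue
        (suppressed if excepted(event, exception_items) else alerted).append(event["id"])
    return alerted, suppressed


# Constructed sample events (flattened ECS field names), not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    # interactive user decoding a hex blob back to binary: should alert
    {"id": "e1", "event.category": ["process"], "event.type": ["start"],
     "process.name": "xxd", "process.executable": "/usr/bin/xxd",
     "process.args": ["xxd", "-r", "-p", "stage2.hex"], "user.name": "alice"},
    # CI user hex-dumping a build artifact: matches the query, covered by the exception
    {"id": "e2", "event.category": ["process"], "event.type": ["start"],
     "process.name": "od", "process.executable": "/usr/bin/od",
     "process.args": ["od", "-An", "-tx1", "build.tar"], "user.name": "jenkins"},
    # process end event: event.type is not start/process_started, no alert
    {"id": "e3", "event.category": ["process"], "event.type": ["end"],
     "process.name": "hexdump", "process.executable": "/usr/bin/hexdump",
     "user.name": "alice"},
    # unrelated binary: no alert
    {"id": "e4", "event.category": ["process"], "event.type": ["start"],
     "process.name": "cat", "process.executable": "/usr/bin/cat", "user.name": "alice"},
    # constructed record with event.action but no event.category:
    # matched by the old query only, not by the current one
    {"id": "e5", "event.action": "executed", "process.name": "xxd",
     "process.executable": "/usr/bin/xxd", "user.name": "bob"},
]

# Exception built from the false-positive note: od run by the jenkins user.
# Both entries must match, so od run by anyone else still alerts.
JENKINS_EXCEPTION = [
    [{"field": "process.executable", "value": "/usr/bin/od"},
     {"field": "user.name", "value": "jenkins"}],
]

if __name__ == "__main__":
    alerted, suppressed = run_rule(SAMPLE_EVENTS, JENKINS_EXCEPTION)
    print("alerts:", alerted)          # ['e1']
    print("suppressed:", suppressed)   # ['e2']
    print("old query hits:", [e["id"] for e in SAMPLE_EVENTS if matches_v1(e)])  # ['e5']
```

The exception keys on process.executable plus user.name, so the same od binary launched by an interactive user still produces an alert; the comparison with the old query shows why the 7.9.0 change matters on data that carries ECS event.category and event.type rather than only event.action.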
Threat mapping
Framework: MITRE ATT&CK
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Deobfuscate/Decode Files or Information
  - ID: T1140
  - Reference URL: https://attack.mitre.org/techniques/T1140/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Obfuscated Files or Information
  - ID: T1027
  - Reference URL: https://attack.mitre.org/techniques/T1027/
Rule version history
- Version 4 (7.10.0 release)
  - Formatting only
- Version 3 (7.9.1 release)
  - Formatting only
- Version 2 (7.9.0 release)
  - Updated query, changed from:
    event.action:(executed or process_started) and process.name:(hex or xxd)