- Elastic Security: other versions:
- Elastic Security overview
- What’s new in 8.17
- Upgrade Elastic Security to 8.17.3
- Post-upgrade steps (optional)
- Get started with Elastic Security
- AI for Security
- Detections and alerts
- Detections requirements
- Using logsdb index mode with Elastic Security
- About detection rules
- Create a detection rule
- Install and manage Elastic prebuilt rules
- Manage detection rules
- Monitor and troubleshoot rule executions
- Rule exceptions
- About building block rules
- MITRE ATT&CK® coverage
- Manage detection alerts
- Reduce notifications and alerts
- Query alert indices
- Tune detection rules
- Prebuilt rule reference
- A scheduled task was created
- A scheduled task was updated
- APT Package Manager Configuration File Creation
- AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- AWS CLI Command with Custom Endpoint URL
- AWS CloudTrail Log Created
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudTrail Log Updated
- AWS CloudWatch Alarm Deletion
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped
- AWS Deletion of RDS Instance or Cluster
- AWS Discovery API Calls via CLI from a Single Resource
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS EC2 Deprecated AMI Discovery
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS EC2 Instance Console Login via Assumed Role
- AWS EC2 Instance Interaction with IAM Service
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS EC2 Network Access Control List Creation
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Route Table Modified or Deleted
- AWS EC2 Security Group Configuration Change
- AWS EC2 Snapshot Activity
- AWS EC2 User Data Retrieval for EC2 Instance
- AWS EC2 VM Export Failure
- AWS EFS File System or Mount Deleted
- AWS ElastiCache Security Group Created
- AWS ElastiCache Security Group Modified or Deleted
- AWS EventBridge Rule Disabled or Deleted
- AWS GuardDuty Detector Deletion
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM Assume Role Policy Update
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Create User via Assumed Role on EC2 Instance
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS IAM Deactivation of MFA Device
- AWS IAM Group Creation
- AWS IAM Group Deletion
- AWS IAM Login Profile Added for Root
- AWS IAM Login Profile Added to User
- AWS IAM Password Recovery Requested
- AWS IAM Roles Anywhere Profile Creation
- AWS IAM Roles Anywhere Trust Anchor Created with External CA
- AWS IAM SAML Provider Updated
- AWS IAM User Addition to Group
- AWS IAM User Created Access Keys For Another User
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
- AWS Lambda Function Created or Updated
- AWS Lambda Function Policy Updated to Allow Public Invocation
- AWS Lambda Layer Added to Existing Function
- AWS Management Console Brute Force of Root User Identity
- AWS Management Console Root Login
- AWS RDS Cluster Creation
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- AWS RDS DB Instance or Cluster Password Modified
- AWS RDS DB Snapshot Created
- AWS RDS DB Snapshot Shared with Another Account
- AWS RDS Instance Creation
- AWS RDS Instance/Cluster Stoppage
- AWS RDS Security Group Creation
- AWS RDS Security Group Deletion
- AWS RDS Snapshot Deleted
- AWS RDS Snapshot Export
- AWS Redshift Cluster Creation
- AWS Root Login Without MFA
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS Route Table Created
- AWS Route53 private hosted zone associated with a VPC
- AWS S3 Bucket Configuration Deletion
- AWS S3 Bucket Enumeration or Brute Force
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Bucket Replicated to Another Account
- AWS S3 Bucket Server Access Logging Disabled
- AWS S3 Object Encryption Using External KMS Key
- AWS S3 Object Versioning Suspended
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS SNS Email Subscription by Rare User
- AWS SNS Topic Created by Rare User
- AWS SQS Queue Purge
- AWS SSM Command Document Created by Rare User
- AWS SSM
SendCommandExecution by Rare User - AWS SSM
SendCommandwith Run Shell Command Parameters - AWS STS AssumeRole with New MFA Device
- AWS STS AssumeRoot by Rare User and Member Account
- AWS STS GetCallerIdentity API Called for the First Time
- AWS STS GetSessionToken Abuse
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS STS Role Chaining
- AWS Service Quotas Multi-Region
GetServiceQuotaRequests - AWS Signin Single Factor Console Login with Federated User
- AWS Systems Manager SecureString Parameter Request with Decryption Flag
- AWS VPC Flow Logs Deletion
- AWS WAF Access Control List Deletion
- AWS WAF Rule or Rule Group Deletion
- Abnormal Process ID or Lock File Created
- Abnormally Large DNS Response
- Accepted Default Telnet Port Connection
- Access Control List Modification via setfacl
- Access to Keychain Credentials Directories
- Access to a Sensitive LDAP Attribute
- Accessing Outlook Data Files
- Account Configured with Never-Expiring Password
- Account Discovery Command via SYSTEM Account
- Account Password Reset Remotely
- Account or Group Discovery via Built-In Tools
- Active Directory Forced Authentication from Linux Host - SMB Named Pipes
- Active Directory Group Modification by SYSTEM
- AdFind Command Activity
- Adding Hidden File Attribute via Attrib
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endgame
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Anomalous Linux Compiler Activity
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Apple Script Execution followed by Network Connection
- Apple Scripting Execution with Administrator Privileges
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Archive File with Unusual Extension
- At Job Created or Modified
- At.exe Command Lateral Movement
- Attempt to Clear Kernel Ring Buffer
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application
- Attempt to Deactivate an Okta Network Zone
- Attempt to Deactivate an Okta Policy
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Delete an Okta Application
- Attempt to Delete an Okta Network Zone
- Attempt to Delete an Okta Policy
- Attempt to Delete an Okta Policy Rule
- Attempt to Disable Auditd Service
- Attempt to Disable Gatekeeper
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Attempt to Enable the Root Account
- Attempt to Establish VScode Remote Tunnel
- Attempt to Install Kali Linux via WSL
- Attempt to Install Root Certificate
- Attempt to Modify an Okta Application
- Attempt to Modify an Okta Network Zone
- Attempt to Modify an Okta Policy
- Attempt to Modify an Okta Policy Rule
- Attempt to Mount SMB Share via Command Line
- Attempt to Reset MFA Factors for an Okta User Account
- Attempt to Revoke Okta API Token
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Attempted Bypass of Okta MFA
- Attempted Private Key Access
- Attempts to Brute Force a Microsoft 365 User Account
- Attempts to Brute Force an Okta User Account
- Authentication via Unusual PAM Grantor
- Authorization Plugin Modification
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification
- Azure Automation Account Created
- Azure Automation Runbook Created or Modified
- Azure Automation Runbook Deleted
- Azure Automation Webhook Created
- Azure Blob Container Access Level Modification
- Azure Blob Permissions Modification
- Azure Command Execution on Virtual Machine
- Azure Conditional Access Policy Modified
- Azure Diagnostic Settings Deletion
- Azure Entra ID Password Spraying (Non-Interactive SFA)
- Azure Entra ID Rare App ID for Principal Authentication
- Azure Entra ID Rare Authentication Requirement for Principal User
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure External Guest User Invitation
- Azure Firewall Policy Deletion
- Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
- Azure Full Network Packet Capture Detected
- Azure Global Administrator Role Addition to PIM User
- Azure Key Vault Modified
- Azure Kubernetes Events Deleted
- Azure Kubernetes Pods Deleted
- Azure Kubernetes Rolebindings Created
- Azure Network Watcher Deletion
- Azure OpenAI Insecure Output Handling
- Azure Privilege Identity Management Role Modified
- Azure Resource Group Deletion
- Azure Service Principal Addition
- Azure Service Principal Credentials Added
- Azure Storage Account Key Regenerated
- Azure Virtual Network Device Modified or Deleted
- BPF filter applied using TC
- Base16 or Base32 Encoding/Decoding Activity
- Base64 Decoded Payload Piped to Interpreter
- Bash Shell Profile Modification
- Behavior - Detected - Elastic Defend
- Behavior - Prevented - Elastic Defend
- Binary Content Copy via Cmd.exe
- Binary Executed from Shared Memory Directory
- Bitsadmin Activity
- Boot File Copy
- Browser Extension Install
- Bypass UAC via Event Viewer
- CAP_SYS_ADMIN Assigned to Binary
- Chkconfig Service Add
- Clearing Windows Console History
- Clearing Windows Event Logs
- Cobalt Strike Command and Control Beacon
- Code Signing Policy Modification Through Built-in tools
- Code Signing Policy Modification Through Registry
- Command Execution via ForFiles
- Command Execution via SolarWinds Process
- Command Prompt Network Connection
- Command Shell Activity Started via RunDLL32
- Command and Scripting Interpreter via Windows Scripts
- Component Object Model Hijacking
- Compression DLL Loaded by Unusual Process
- Conhost Spawned By Suspicious Parent Process
- Connection to Commonly Abused Free SSL Certificate Providers
- Connection to Commonly Abused Web Services
- Connection to External Network via Telnet
- Connection to Internal Network via Telnet
- Control Panel Process with Unusual Arguments
- Creation of Hidden Files and Directories via CommandLine
- Creation of Hidden Launch Agent or Daemon
- Creation of Hidden Login Item via Apple Script
- Creation of Hidden Shared Object File
- Creation of Kernel Module
- Creation of SettingContent-ms Files
- Creation of a DNS-Named Record
- Creation of a Hidden Local User Account
- Creation or Modification of Domain Backup DPAPI private key
- Creation or Modification of Pluggable Authentication Module or Configuration
- Creation or Modification of Root Certificate
- Creation or Modification of a new GPO Scheduled Task or Service
- Credential Acquisition via Registry Hive Dumping
- Credential Dumping - Detected - Elastic Endgame
- Credential Dumping - Prevented - Elastic Endgame
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame
- Cron Job Created or Modified
- Cupsd or Foomatic-rip Shell Execution
- Curl SOCKS Proxy Activity from Unusual Parent
- CyberArk Privileged Access Security Error
- CyberArk Privileged Access Security Recommended Monitor
- D-Bus Service Created
- DNF Package Manager Plugin File Creation
- DNS Global Query Block List Modified or Disabled
- DNS Tunneling
- DNS-over-HTTPS Enabled via Registry
- DPKG Package Installed by Unusual Parent Process
- Decline in host-based traffic
- Default Cobalt Strike Team Server Certificate
- Delayed Execution via Ping
- Delete Volume USN Journal with Fsutil
- Deleting Backup Catalogs with Wbadmin
- Deprecated - AWS Credentials Searched For Inside A Container
- Deprecated - Container Management Utility Run Inside A Container
- Deprecated - Container Workload Protection
- Deprecated - File Made Executable via Chmod Inside A Container
- Deprecated - File System Debugger Launched Inside a Privileged Container
- Deprecated - Interactive Exec Command Launched Against A Running Container
- Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
- Deprecated - Mount Launched Inside a Privileged Container
- Deprecated - Netcat Listener Established Inside A Container
- Deprecated - Potential Container Escape via Modified notify_on_release File
- Deprecated - Potential Container Escape via Modified release_agent File
- Deprecated - SSH Authorized Keys File Modified Inside a Container
- Deprecated - SSH Connection Established Inside A Running Container
- Deprecated - SSH Process Launched From Inside A Container
- Deprecated - Sensitive Files Compression Inside A Container
- Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
- Deprecated - Suspicious File Creation in /etc for Persistence
- Deprecated - Suspicious Interactive Shell Spawned From Inside A Container
- Deprecated - Suspicious Network Tool Launched Inside A Container
- Directory Creation in /bin directory
- Disable Windows Event and Security Logs Using Built-in Tools
- Disable Windows Firewall Rules via Netsh
- Disabling User Account Control via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
- Discovery of Domain Groups
- Discovery of Internet Capabilities via Built-in Tools
- Docker Escape via Nsenter
- Docker Socket Enumeration
- Domain Added to Google Workspace Trusted Domains
- Downloaded Shortcut Files
- Downloaded URL Files
- Dracut Module Creation
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Copy
- Dynamic Linker Creation or Modification
- EC2 AMI Shared with Another Account
- ESXI Discovery via Find
- ESXI Discovery via Grep
- ESXI Timestomping using Touch Command
- EggShell Backdoor Execution
- Egress Connection from Entrypoint in Container
- Elastic Agent Service Terminated
- Emond Rules Creation or Modification
- Enable Host Network Discovery via Netsh
- Encoded Executable Stored in the Registry
- Encrypting Files with WinRar or 7z
- Endpoint Security (Elastic Defend)
- Entra ID Device Code Auth with Broker Client
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration Command Spawned via WMIPrvSE
- Enumeration of Administrator Accounts
- Enumeration of Kernel Modules
- Enumeration of Kernel Modules via Proc
- Enumeration of Privileged Local Groups Membership
- Enumeration of Users or Groups via Built-in Commands
- Excessive AWS S3 Object Encryption with SSE-C
- Exchange Mailbox Export via PowerShell
- Executable Bit Set for Potential Persistence Script
- Executable File Creation with Multiple Extensions
- Executable File with Unusual Extension
- Executable Masquerading as Kernel Process
- Execution from Unusual Directory - Command Line
- Execution from a Removable Media with Network Connection
- Execution of COM object via Xwizard
- Execution of File Written or Modified by Microsoft Office
- Execution of File Written or Modified by PDF Reader
- Execution of Persistent Suspicious Program
- Execution of a Downloaded Windows Script
- Execution of an Unsigned Service
- Execution via Electron Child Process Node.js Module
- Execution via MS VisualStudio Pre/Post Build Events
- Execution via MSSQL xp_cmdshell Stored Procedure
- Execution via Microsoft DotNet ClickOnce Host
- Execution via TSClient Mountpoint
- Execution via Windows Command Debugging Utility
- Execution via Windows Subsystem for Linux
- Execution via local SxS Shared Module
- Execution with Explicit Credentials via Scripting
- Expired or Revoked Driver Loaded
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Exporting Exchange Mailbox via PowerShell
- External Alerts
- External IP Lookup from Non-Browser Process
- External User Added to Google Workspace Group
- File Compressed or Archived into Common Format by Unsigned Process
- File Creation Time Changed
- File Creation by Cups or Foomatic-rip Child
- File Creation in /var/log via Suspicious Process
- File Creation, Execution and Self-Deletion in Suspicious Directory
- File Deletion via Shred
- File Permission Modification in Writable Directory
- File Staged in Root Folder of Recycle Bin
- File Transfer or Listener Established via Netcat
- File and Directory Permissions Modification
- File made Immutable by Chattr
- File or Directory Deletion Command
- File with Right-to-Left Override Character (RTLO) Created/Executed
- File with Suspicious Extension Downloaded
- Finder Sync Plugin Registered and Enabled
- First Occurrence GitHub Event for a Personal Access Token (PAT)
- First Occurrence of Entra ID Auth via DeviceCode Protocol
- First Occurrence of GitHub Repo Interaction From a New IP
- First Occurrence of GitHub User Interaction with Private Repo
- First Occurrence of IP Address For GitHub Personal Access Token (PAT)
- First Occurrence of IP Address For GitHub User
- First Occurrence of Okta User Session Started via Proxy
- First Occurrence of Personal Access Token (PAT) Use For a GitHub User
- First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
- First Occurrence of STS GetFederationToken Request by User
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
- First Occurrence of User-Agent For a GitHub User
- First Time AWS Cloudformation Stack Creation by User
- First Time Seen AWS Secret Value Accessed in Secrets Manager
- First Time Seen Commonly Abused Remote Access Tool Execution
- First Time Seen Driver Loaded
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- First Time Seen NewCredentials Logon Process
- First Time Seen Removable Device
- FirstTime Seen Account Performing DCSync
- Forwarded Google Workspace Security Alert
- Full User-Mode Dumps Enabled System-Wide
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP IAM Custom Role Creation
- GCP IAM Role Deletion
- GCP IAM Service Account Key Deletion
- GCP Logging Bucket Deletion
- GCP Logging Sink Deletion
- GCP Logging Sink Modification
- GCP Pub/Sub Subscription Creation
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Creation
- GCP Pub/Sub Topic Deletion
- GCP Service Account Creation
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP Service Account Key Creation
- GCP Storage Bucket Configuration Modification
- GCP Storage Bucket Deletion
- GCP Storage Bucket Permissions Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Creation
- GCP Virtual Private Cloud Route Deletion
- GRUB Configuration File Creation
- GRUB Configuration Generation through Built-in Utilities
- Git Hook Child Process
- Git Hook Command Execution
- Git Hook Created or Modified
- Git Hook Egress Network Connection
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub PAT Access Revoked
- GitHub Protected Branch Settings Changed
- GitHub Repo Created
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- GitHub User Blocked From Organization
- Google Drive Ownership Transferred via Google Workspace
- Google Workspace 2SV Policy Disabled
- Google Workspace API Access Granted via Domain-Wide Delegation
- Google Workspace Admin Role Assigned to a User
- Google Workspace Admin Role Deletion
- Google Workspace Bitlocker Setting Disabled
- Google Workspace Custom Admin Role Created
- Google Workspace Custom Gmail Route Created or Modified
- Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
- Google Workspace MFA Enforcement Disabled
- Google Workspace Object Copied to External Drive with App Consent
- Google Workspace Password Policy Modified
- Google Workspace Restrictions for Marketplace Modified to Allow Any App
- Google Workspace Role Modified
- Google Workspace Suspended User Account Renewed
- Google Workspace User Organizational Unit Changed
- Group Policy Abuse for Privilege Addition
- Group Policy Discovery via Microsoft GPResult Utility
- Halfbaked Command and Control Beacon
- Hidden Directory Creation via Unusual Parent
- Hidden Files and Directories via Hidden Flag
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Number of Cloned GitHub Repos From PAT
- High Number of Egress Network Connections from Unusual Executable
- High Number of Okta Device Token Cookies Generated for Authentication
- High Number of Okta User Password Reset or Unlock Attempts
- High Number of Process Terminations
- High Number of Process and/or Service Terminations
- High Variance in RDP Session Duration
- Host Files System Changes via Windows Subsystem for Linux
- Hosts File Modified
- Hping Process Activity
- IIS HTTP Logging Disabled
- IPSEC NAT Traversal Port Activity
- IPv4/IPv6 Forwarding Activity
- Image File Execution Options Injection
- Image Loaded with Invalid Signature
- ImageLoad via Windows Update Auto Update Client
- Inbound Connection to an Unsecure Elasticsearch Node
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- Indirect Command Execution via Forfiles/Pcalua
- Ingress Transfer via Windows BITS
- Initramfs Extraction via CPIO
- Initramfs Unpacking via unmkinitramfs
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- InstallUtil Activity
- InstallUtil Process Making Network Connections
- Installation of Custom Shim Databases
- Installation of Security Support Provider
- Interactive Logon by an Unusual Process
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python
- KRBTGT Delegation Backdoor
- Kerberos Cached Credentials Dumping
- Kerberos Pre-authentication Disabled for User
- Kerberos Traffic from Unusual Process
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load via insmod
- Kernel Module Removal
- Kernel Object File Creation
- Kernel Seeking Activity
- Kernel Unpacking Activity
- Keychain Password Retrieval via Command Line
- Kill Command Execution
- Kirbi File Creation
- Kubernetes Anonymous Request Authorized
- Kubernetes Container Created with Excessive Linux Capabilities
- Kubernetes Denied Service Account Request
- Kubernetes Exposed Service Created With Type NodePort
- Kubernetes Pod Created With HostIPC
- Kubernetes Pod Created With HostNetwork
- Kubernetes Pod Created With HostPID
- Kubernetes Pod created with a Sensitive hostPath Volume
- Kubernetes Privileged Pod Created
- Kubernetes Suspicious Assignment of Controller Service Account
- Kubernetes Suspicious Self-Subject Review
- Kubernetes User Exec into Pod
- LSASS Memory Dump Creation
- LSASS Memory Dump Handle Access
- LSASS Process Access via Windows API
- Lateral Movement via Startup Folder
- Launch Agent Creation or Modification and Immediate Loading
- LaunchDaemon Creation or Modification and Immediate Loading
- Linux Clipboard Activity Detected
- Linux Group Creation
- Linux Process Hooking via GDB
- Linux Restricted Shell Breakout via Linux Binary(s)
- Linux SSH X11 Forwarding
- Linux System Information Discovery
- Linux System Information Discovery via Getconf
- Linux User Account Creation
- Linux User Account Credential Modification
- Linux User Added to Privileged Group
- Linux init (PID 1) Secret Dump via GDB
- Loadable Kernel Module Configuration File Creation
- Local Account TokenFilter Policy Disabled
- Local Scheduled Task Creation
- Login via Unusual System User
- M365 OneDrive Excessive File Downloads with OAuth Token
- MFA Deactivation with no Re-Activation for Okta User Account
- MFA Disabled for Google Workspace Organization
- MS Office Macro Security Registry Modifications
- MacOS Installer Package Spawns Network Event
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
- Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
- Malicious File - Detected - Elastic Defend
- Malicious File - Prevented - Elastic Defend
- Malware - Detected - Elastic Endgame
- Malware - Prevented - Elastic Endgame
- Manual Dracut Execution
- Masquerading Space After Filename
- Member Removed From GitHub Organization
- Memory Dump File with Unusual Extension
- Memory Swap Modification
- Memory Threat - Detected - Elastic Defend
- Memory Threat - Prevented- Elastic Defend
- Message-of-the-Day (MOTD) File Creation
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DKIM Signing Configuration Disabled
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Exchange Transport Rule Creation
- Microsoft 365 Exchange Transport Rule Modification
- Microsoft 365 Global Administrator Role Assigned
- Microsoft 365 Inbox Forwarding Rule Created
- Microsoft 365 Portal Login from Rare Location
- Microsoft 365 Portal Logins from Impossible Travel Locations
- Microsoft 365 Potential ransomware activity
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams External Access Enabled
- Microsoft 365 Teams Guest Access Enabled
- Microsoft 365 Unusual Volume of File Deletion
- Microsoft 365 User Restricted from Sending Email
- Microsoft Build Engine Started an Unusual Process
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Transport Agent Install Script
- Microsoft Exchange Worker Spawning Suspicious Processes
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Microsoft Management Console File from Unusual Path
- Microsoft Windows Defender Tampering
- Mimikatz Memssp Log File Detected
- Modification of AmsiEnable Registry Key
- Modification of Boot Configuration
- Modification of Dynamic Linker Preload Shared Object
- Modification of Environment Variable via Unsigned or Untrusted Parent
- Modification of OpenSSH Binaries
- Modification of Safari Settings via Defaults Command
- Modification of Standard Authentication Module or Configuration
- Modification of WDigest Security Provider
- Modification of the msPKIAccountCredentials
- Modification or Removal of an Okta Application Sign-On Policy
- Mofcomp Activity
- Mounting Hidden or WebDav Remote Shares
- MsBuild Making Network Connections
- Mshta Making Network Connections
- MsiExec Service Child Process With Network Connection
- Multi-Factor Authentication Disabled for an Azure User
- Multiple Alerts Involving a User
- Multiple Alerts in Different ATT&CK Tactics on a Single Host
- Multiple Device Token Hashes for Single Okta Session
- Multiple Logon Failure Followed by Logon Success
- Multiple Logon Failure from the same Source Address
- Multiple Okta Sessions Detected for a Single User
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- Multiple Okta User Authentication Events with Client Address
- Multiple Okta User Authentication Events with Same Device Token Hash
- Multiple Vault Web Credentials Read
- My First Rule
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Namespace Manipulation Using Unshare
- Netcat Listener Established via rlwrap
- Netsh Helper DLL
- Network Activity Detected via Kworker
- Network Activity Detected via cat
- Network Connection Initiated by SSHD Child Process
- Network Connection by Cups or Foomatic-rip Child
- Network Connection from Binary with RWX Memory Region
- Network Connection via Certutil
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Recently Compiled Executable
- Network Connection via Registration Utility
- Network Connection via Signed Binary
- Network Connection via Sudo Binary
- Network Connections Initiated Through XDG Autostart Entry
- Network Logon Provider Registry Modification
- Network Traffic Capture via CAP_NET_RAW
- Network Traffic to Rare Destination Country
- Network-Level Authentication (NLA) Disabled
- NetworkManager Dispatcher Script Creation
- New ActiveSyncAllowedDeviceID Added via PowerShell
- New GitHub App Installed
- New GitHub Owner Added
- New Okta Authentication Behavior Detected
- New Okta Identity Provider (IdP) Added by Admin
- New User Added To GitHub Organization
- New or Modified Federation Domain
- Nping Process Activity
- NullSessionPipe Registry Modification
- O365 Email Reported by User as Malware or Phish
- O365 Excessive Single Sign-On Logon Errors
- O365 Exchange Suspicious Mailbox Right Delegation
- O365 Mailbox Audit Logging Bypass
- Office Test Registry Persistence
- Okta Brute Force or Password Spraying Attack
- Okta FastPass Phishing Detection
- Okta Sign-In Events via Third-Party IdP
- Okta ThreatInsight Threat Suspected Promotion
- Okta User Session Impersonation
- Okta User Sessions Started from Different Geolocations
- OneDrive Malware File Upload
- OpenSSL Password Hash Generation
- Openssl Client or Server Activity
- Outbound Scheduled Task Activity via PowerShell
- Outlook Home Page Registry Modification
- Parent Process PID Spoofing
- Peripheral Device Discovery
- Permission Theft - Detected - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame
- Persistence via BITS Job Notify Cmdline
- Persistence via DirectoryService Plugin Modification
- Persistence via Docker Shortcut Modification
- Persistence via Folder Action Script
- Persistence via Hidden Run Key Detected
- Persistence via KDE AutoStart Script or Desktop File Modification
- Persistence via Login or Logout Hook
- Persistence via Microsoft Office AddIns
- Persistence via Microsoft Outlook VBA
- Persistence via PowerShell profile
- Persistence via Scheduled Job Creation
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Event Subscription
- Persistence via WMI Standard Registry Provider
- Persistence via a Windows Installer
- Persistent Scripts in the Startup Directory
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download
- Pluggable Authentication Module (PAM) Version Discovery
- Polkit Policy Creation
- Polkit Version Discovery
- Port Forwarding Rule Addition
- Possible Consent Grant Attack via Azure-Registered Application
- Possible FIN7 DGA Command and Control Behavior
- Possible Okta DoS Attack
- Potential ADIDNS Poisoning via Wildcard Record Creation
- Potential AWS S3 Bucket Ransomware Note Uploaded
- Potential Abuse of Resources by High Token Count and Large Response Sizes
- Potential Active Directory Replication Account Backdoor
- Potential Admin Group Account Addition
- Potential Antimalware Scan Interface Bypass via PowerShell
- Potential Application Shimming via Sdbinst
- Potential Azure OpenAI Model Theft
- Potential Buffer Overflow Attack Detected
- Potential Chroot Container Escape via Mount
- Potential Code Execution via Postgresql
- Potential Command and Control via Internet Explorer
- Potential Cookies Theft via Browser Debugging
- Potential Credential Access via DCSync
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Memory Dump File Creation
- Potential Credential Access via Renamed COM+ Services DLL
- Potential Credential Access via Trusted Developer Utility
- Potential Credential Access via Windows Utilities
- Potential DGA Activity
- Potential DLL Side-Loading via Microsoft Antimalware Service Executable
- Potential DLL Side-Loading via Trusted Microsoft Programs
- Potential DNS Tunneling via NsLookup
- Potential Data Exfiltration Activity to an Unusual Destination Port
- Potential Data Exfiltration Activity to an Unusual IP Address
- Potential Data Exfiltration Activity to an Unusual ISO Code
- Potential Data Exfiltration Activity to an Unusual Region
- Potential Data Splitting Detected
- Potential Defense Evasion via CMSTP.exe
- Potential Defense Evasion via Doas
- Potential Defense Evasion via PRoot
- Potential Denial of Azure OpenAI ML Service
- Potential Disabling of AppArmor
- Potential Disabling of SELinux
- Potential Enumeration via Active Directory Web Service
- Potential Escalation via Vulnerable MSI Repair
- Potential Evasion via Filter Manager
- Potential Evasion via Windows Filtering Platform
- Potential Execution of rc.local Script
- Potential Execution via XZBackdoor
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential External Linux SSH Brute Force Detected
- Potential File Download via a Headless Browser
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Foxmail Exploitation
- Potential Hex Payload Execution
- Potential Hidden Local User Account Creation
- Potential Hidden Process via Mount Hidepid
- Potential Internal Linux SSH Brute Force Detected
- Potential Invoke-Mimikatz PowerShell Script
- Potential JAVA/JNDI Exploitation Attempt
- Potential Kerberos Attack via Bifrost
- Potential LSA Authentication Package Abuse
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Potential Lateral Tool Transfer via SMB Share
- Potential Linux Backdoor User Account Creation
- Potential Linux Credential Dumping via Proc Filesystem
- Potential Linux Credential Dumping via Unshadow
- Potential Linux Hack Tool Launched
- Potential Linux Local Account Brute Force Detected
- Potential Linux Ransomware Note Creation Detected
- Potential Linux Tunneling and/or Port Forwarding
- Potential Local NTLM Relay via HTTP
- Potential Malware-Driven SSH Brute Force Attempt
- Potential Masquerading as Browser Process
- Potential Masquerading as Business App Installer
- Potential Masquerading as Communication Apps
- Potential Masquerading as System32 DLL
- Potential Masquerading as System32 Executable
- Potential Masquerading as VLC DLL
- Potential Memory Seeking Activity
- Potential Meterpreter Reverse Shell
- Potential Microsoft Office Sandbox Evasion
- Potential Modification of Accessibility Binaries
- Potential Network Scan Detected
- Potential Network Scan Executed From Host
- Potential Network Share Discovery
- Potential Network Sweep Detected
- Potential Non-Standard Port HTTP/HTTPS connection
- Potential Non-Standard Port SSH connection
- Potential Okta MFA Bombing via Push Notifications
- Potential OpenSSH Backdoor Logging Activity
- Potential Outgoing RDP Connection by Unusual Process
- Potential Pass-the-Hash (PtH) Attempt
- Potential Persistence via Atom Init Script Modification
- Potential Persistence via File Modification
- Potential Persistence via Login Hook
- Potential Persistence via Periodic Tasks
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential Port Scanning Activity from Compromised Host
- Potential PowerShell HackTool Script by Author
- Potential PowerShell HackTool Script by Function Names
- Potential PowerShell Obfuscated Script
- Potential PowerShell Pass-the-Hash/Relay Script
- Potential Privacy Control Bypass via Localhost Secure Copy
- Potential Privacy Control Bypass via TCCDB Modification
- Potential Privilege Escalation through Writable Docker Socket
- Potential Privilege Escalation via CVE-2023-4911
- Potential Privilege Escalation via Container Misconfiguration
- Potential Privilege Escalation via Enlightenment
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privilege Escalation via Linux DAC permissions
- Potential Privilege Escalation via OverlayFS
- Potential Privilege Escalation via PKEXEC
- Potential Privilege Escalation via Python cap_setuid
- Potential Privilege Escalation via Recently Compiled Executable
- Potential Privilege Escalation via Service ImagePath Modification
- Potential Privilege Escalation via Sudoers File Modification
- Potential Privilege Escalation via UID INT_MAX Bug Detected
- Potential Privileged Escalation via SamAccountName Spoofing
- Potential Process Injection from Malicious Document
- Potential Process Injection via PowerShell
- Potential Process Name Stomping with Prctl
- Potential Protocol Tunneling via Chisel Client
- Potential Protocol Tunneling via Chisel Server
- Potential Protocol Tunneling via EarthWorm
- Potential Pspy Process Monitoring Detected
- Potential Ransomware Behavior - High count of Readme files by System
- Potential Ransomware Note File Dropped via SMB
- Potential Relay Attack against a Domain Controller
- Potential Remote Code Execution via Web Server
- Potential Remote Credential Access via Registry
- Potential Remote Desktop Shadowing Activity
- Potential Remote Desktop Tunneling Detected
- Potential Remote File Execution via MSIEXEC
- Potential Reverse Shell
- Potential Reverse Shell Activity via Terminal
- Potential Reverse Shell via Background Process
- Potential Reverse Shell via Child
- Potential Reverse Shell via Java
- Potential Reverse Shell via Suspicious Binary
- Potential Reverse Shell via Suspicious Child Process
- Potential Reverse Shell via UDP
- Potential SSH-IT SSH Worm Downloaded
- Potential SYN-Based Port Scan Detected
- Potential Secure File Deletion via SDelete Utility
- Potential Shadow Credentials added to AD Object
- Potential Shadow File Read via Command Line Utilities
- Potential SharpRDP Behavior
- Potential Shell via Wildcard Injection Detected
- Potential Subnet Scanning Activity from Compromised Host
- Potential Successful Linux FTP Brute Force Attack Detected
- Potential Successful Linux RDP Brute Force Attack Detected
- Potential Successful SSH Brute Force Attack
- Potential Sudo Hijacking
- Potential Sudo Privilege Escalation via CVE-2019-14287
- Potential Sudo Token Manipulation via Process Injection
- Potential Suspicious DebugFS Root Device Access
- Potential Suspicious File Edit
- Potential Unauthorized Access via Wildcard Injection Detected
- Potential Upgrade of Non-interactive Shell
- Potential Veeam Credential Access Command
- Potential WPAD Spoofing via DNS Record Creation
- Potential WSUS Abuse for Lateral Movement
- Potential Widespread Malware Infection Across Multiple Hosts
- Potential Windows Error Manager Masquerading
- Potential Windows Session Hijacking via CcmExec
- Potential curl CVE-2023-38545 Exploitation
- Potential macOS SSH Brute Force Detected
- Potential privilege escalation via CVE-2022-38028
- Potentially Successful MFA Bombing via Push Notifications
- Potentially Suspicious Process Started via tmux or screen
- PowerShell Invoke-NinjaCopy script
- PowerShell Kerberos Ticket Dump
- PowerShell Kerberos Ticket Request
- PowerShell Keylogging Script
- PowerShell Mailbox Collection Script
- PowerShell MiniDump Script
- PowerShell PSReflect Script
- PowerShell Script Block Logging Disabled
- PowerShell Script with Archive Compression Capabilities
- PowerShell Script with Discovery Capabilities
- PowerShell Script with Encryption/Decryption Capabilities
- PowerShell Script with Log Clear Capabilities
- PowerShell Script with Password Policy Discovery Capabilities
- PowerShell Script with Remote Execution Capabilities via WinRM
- PowerShell Script with Token Impersonation Capabilities
- PowerShell Script with Veeam Credential Access Capabilities
- PowerShell Script with Webcam Video Capture Capabilities
- PowerShell Script with Windows Defender Tampering Capabilities
- PowerShell Share Enumeration Script
- PowerShell Suspicious Discovery Related Windows API Functions
- PowerShell Suspicious Payload Encoded and Compressed
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Clipboard Retrieval Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities
- Printer User (lp) Shell Execution
- Private Key Searching Activity
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
- Privilege Escalation via CAP_SETUID/SETGID Capabilities
- Privilege Escalation via GDB CAP_SYS_PTRACE
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Rogue Named Pipe Impersonation
- Privilege Escalation via Root Crontab File Modification
- Privilege Escalation via SUID/SGID
- Privilege Escalation via Windir Environment Variable
- Privileged Account Brute Force
- Privileged Docker Container Creation
- Privileges Elevation via Parent Process PID Spoofing
- Process Activity via Compiled HTML File
- Process Backgrounded by Unusual Parent
- Process Capability Enumeration
- Process Capability Set via setcap Utility
- Process Created with a Duplicated Token
- Process Created with an Elevated Token
- Process Creation via Secondary Logon
- Process Discovery Using Built-in Tools
- Process Discovery via Built-In Applications
- Process Execution from an Unusual Directory
- Process Injection - Detected - Elastic Endgame
- Process Injection - Prevented - Elastic Endgame
- Process Injection by the Microsoft Build Engine
- Process Spawned from Message-of-the-Day (MOTD)
- Process Started from Process ID (PID) File
- Process Started with Executable Stack
- Process Termination followed by Deletion
- Processes with Trailing Spaces
- Program Files Directory Masquerading
- Prompt for Credentials with OSASCRIPT
- ProxyChains Activity
- PsExec Network Connection
- Python Path File (pth) Creation
- Python Site or User Customize File Creation
- Quarantine Attrib Removed by Unsigned or Untrusted Process
- Query Registry using Built-in Tools
- RDP (Remote Desktop Protocol) from the Internet
- RDP Enabled via Registry
- ROT Encoded Python Script Execution
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- RPM Package Installed by Unusual Parent Process
- Ransomware - Detected - Elastic Defend
- Ransomware - Detected - Elastic Endgame
- Ransomware - Prevented - Elastic Defend
- Ransomware - Prevented - Elastic Endgame
- Rapid Secret Retrieval Attempts from AWS SecretsManager
- Rapid7 Threat Command CVEs Correlation
- Rare AWS Error Code
- Rare SMB Connection to the Internet
- Rare User Logon
- Registry Persistence via AppCert DLL
- Registry Persistence via AppInit DLL
- Remote Computer Account DnsHostName Update
- Remote Desktop Enabled in Windows Firewall by Netsh
- Remote Desktop File Opened from Suspicious Path
- Remote Execution via File Shares
- Remote File Copy to a Hidden Share
- Remote File Copy via TeamViewer
- Remote File Creation in World Writeable Directory
- Remote File Download via Desktopimgdownldr Utility
- Remote File Download via MpCmdRun
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Remote SSH Login Enabled via systemsetup Command
- Remote Scheduled Task Creation
- Remote Scheduled Task Creation via RPC
- Remote System Discovery Commands
- Remote Windows Service Installed
- Remote XSL Script Execution via COM
- Remotely Started Services via RPC
- Renamed AutoIt Scripts Interpreter
- Renamed Utility Executed with Short Program Name
- Root Certificate Installation
- Root Network Connection via GDB CAP_SYS_PTRACE
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
- Route53 Resolver Query Log Configuration Deleted
- SELinux Configuration Creation or Renaming
- SIP Provider Modification
- SMB (Windows File Sharing) Activity to the Internet
- SMB Connections via LOLBin or Untrusted Process
- SMTP on Port 26/TCP
- SNS Topic Message Publish by Rare User
- SSH Authorized Keys File Deletion
- SSH Authorized Keys File Modification
- SSH Key Generated via ssh-keygen
- SSL Certificate Deletion
- SSM Session Started to EC2 Instance
- SUID/SGID Bit Set
- SUID/SGUID Enumeration Detected
- SUNBURST Command and Control Activity
- Scheduled Task Created by a Windows Script
- Scheduled Task Execution at Scale via GPO
- Scheduled Tasks AT Command Enabled
- ScreenConnect Server Spawning Suspicious Processes
- Screensaver Plist File Modified by Unexpected Process
- Script Execution via Microsoft HTML Application
- SeDebugPrivilege Enabled by a Suspicious Process
- Searching for Saved Credentials via VaultCmd
- Security File Access via Common Utilities
- Security Software Discovery using WMIC
- Security Software Discovery via Grep
- Segfault Detected
- Sensitive Audit Policy Sub-Category Disabled
- Sensitive Files Compression
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- Sensitive Registry Hive Access via RegBack
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service Creation via Local Kerberos Authentication
- Service DACL Modification via sc.exe
- Service Disabled via Registry Modification
- Service Path Modification
- Service Path Modification via sc.exe
- Setcap setuid/setgid Capability Set
- Shadow File Modification by Unusual Process
- SharePoint Malware File Upload
- Shared Object Created or Changed by Previously Unknown Process
- Shell Configuration Creation or Modification
- Shell Execution via Apple Scripting
- Shortcut File Written or Modified on Startup Folder
- Signed Proxy Execution via MS Work Folders
- Simple HTTP Web Server Connection
- Simple HTTP Web Server Creation
- SoftwareUpdate Preferences Modification
- SolarWinds Process Disabling Services via Registry
- Spike in AWS Error Messages
- Spike in Bytes Sent to an External Device
- Spike in Bytes Sent to an External Device via Airdrop
- Spike in Failed Logon Events
- Spike in Firewall Denies
- Spike in Logon Events
- Spike in Network Traffic
- Spike in Network Traffic To a Country
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP
- Spike in Number of Processes in an RDP Session
- Spike in Remote File Transfers
- Spike in Successful Logon Events from a Source IP
- Spike in host-based traffic
- Startup Folder Persistence via Unsigned Process
- Startup Persistence by a Suspicious Process
- Startup or Run Key Registry Modification
- Startup/Logon Script added to Group Policy Object
- Statistical Model Detected C2 Beaconing Activity
- Statistical Model Detected C2 Beaconing Activity with High Confidence
- Stolen Credentials Used to Login to Okta Account After MFA Reset
- Sublime Plugin or Application Script Modification
- Successful Application SSO from Rare Unknown Client Device
- Successful SSH Authentication from Unusual IP Address
- Successful SSH Authentication from Unusual SSH Public Key
- Successful SSH Authentication from Unusual User
- Sudo Command Enumeration Detected
- Sudo Heap-Based Buffer Overflow Attempt
- Sudoers File Modification
- Suspicious .NET Code Compilation
- Suspicious .NET Reflection via PowerShell
- Suspicious /proc/maps Discovery
- Suspicious APT Package Manager Execution
- Suspicious APT Package Manager Network Connection
- Suspicious Access to LDAP Attributes
- Suspicious Activity Reported by Okta User
- Suspicious Antimalware Scan Interface DLL
- Suspicious Automator Workflows Execution
- Suspicious Browser Child Process
- Suspicious Calendar File Modification
- Suspicious CertUtil Commands
- Suspicious Child Process of Adobe Acrobat Reader Update Service
- Suspicious Cmd Execution via WMI
- Suspicious Communication App Child Process
- Suspicious Content Extracted or Decompressed via Funzip
- Suspicious CronTab Creation or Modification
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Suspicious Data Encryption via OpenSSL Utility
- Suspicious Dynamic Linker Discovery via od
- Suspicious Emond Child Process
- Suspicious Endpoint Security Parent Process
- Suspicious Execution from Foomatic-rip or Cupsd Parent
- Suspicious Execution from INET Cache
- Suspicious Execution from a Mounted Device
- Suspicious Execution via MSIEXEC
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Execution via Scheduled Task
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Explorer Child Process
- Suspicious File Creation via Kworker
- Suspicious File Downloaded from Google Drive
- Suspicious File Renamed via SMB
- Suspicious HTML File Creation
- Suspicious Hidden Child Process of Launchd
- Suspicious Image Load (taskschd.dll) from MS Office
- Suspicious ImagePath Service Creation
- Suspicious Inter-Process Communication via Outlook
- Suspicious JetBrains TeamCity Child Process
- Suspicious Kworker UID Elevation
- Suspicious LSASS Access via MalSecLogon
- Suspicious Lsass Process Access
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Managed Code Hosting Process
- Suspicious Memory grep Activity
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Suspicious Microsoft Diagnostics Wizard Execution
- Suspicious Mining Process Creation Event
- Suspicious Modprobe File Event
- Suspicious Module Loaded by LSASS
- Suspicious Network Activity to the Internet by Previously Unknown Executable
- Suspicious Network Connection via systemd
- Suspicious Outlook Child Process
- Suspicious PDF Reader Child Process
- Suspicious Passwd File Event Action
- Suspicious Path Invocation from Command Line
- Suspicious Portable Executable Encoded in Powershell Script
- Suspicious PowerShell Engine ImageLoad
- Suspicious Powershell Script
- Suspicious Print Spooler File Deletion
- Suspicious Print Spooler Point and Print DLL
- Suspicious Print Spooler SPL File Created
- Suspicious PrintSpooler Service Executable File Creation
- Suspicious Proc Pseudo File System Enumeration
- Suspicious Process Access via Direct System Call
- Suspicious Process Creation CallTrace
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious RDP ActiveX Client Loaded
- Suspicious Remote Registry Access via SeBackupPrivilege
- Suspicious Renaming of ESXI Files
- Suspicious Renaming of ESXI index.html File
- Suspicious ScreenConnect Client Child Process
- Suspicious Script Object Execution
- Suspicious Service was Installed in the System
- Suspicious SolarWinds Child Process
- Suspicious Startup Shell Folder Modification
- Suspicious Symbolic Link Created
- Suspicious Sysctl File Event
- Suspicious System Commands Executed by Previously Unknown Executable
- Suspicious Termination of ESXI Process
- Suspicious Troubleshooting Pack Cabinet Execution
- Suspicious Usage of bpf_probe_write_user Helper
- Suspicious Utility Launched via ProxyChains
- Suspicious WMI Event Subscription Created
- Suspicious WMI Image Load from MS Office
- Suspicious WMIC XSL Script Execution
- Suspicious Web Browser Sensitive File Access
- Suspicious WerFault Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows Powershell Arguments
- Suspicious Windows Process Cluster Spawned by a Host
- Suspicious Windows Process Cluster Spawned by a Parent Process
- Suspicious Windows Process Cluster Spawned by a User
- Suspicious Zoom Child Process
- Suspicious macOS MS Office Child Process
- Suspicious pbpaste High Volume Activity
- Suspicious rc.local Error Message
- Suspicious which Enumeration
- Svchost spawning Cmd
- Symbolic Link to Shadow Copy Created
- System Binary Moved or Copied
- System Binary Path File Permission Modification
- System Hosts File Access
- System Information Discovery via Windows Command Shell
- System Log File Deletion
- System Network Connections Discovery
- System Owner/User Discovery Linux
- System Service Discovery through built-in Windows Utilities
- System Shells via Services
- System Time Discovery
- System V Init Script Created
- SystemKey Access via Command Line
- Systemd Generator Created
- Systemd Service Created
- Systemd Service Started by Unusual Parent Process
- Systemd Shell Execution During Boot
- Systemd Timer Created
- Systemd-udevd Rule File Creation
- TCC Bypass via Mounted APFS Snapshot Access
- Tainted Kernel Module Load
- Tainted Out-Of-Tree Kernel Module Load
- Tampering of Shell Command-Line History
- Temporarily Scheduled Task Creation
- Third-party Backup Files Deleted via Unexpected Process
- Threat Intel Hash Indicator Match
- Threat Intel IP Address Indicator Match
- Threat Intel URL Indicator Match
- Threat Intel Windows Registry Indicator Match
- Timestomping using Touch Command
- Trap Signals Execution
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface
- UAC Bypass Attempt via Windows Directory Masquerading
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- UAC Bypass via Windows Firewall Snap-In Hijack
- UID Elevation from Previously Unknown Executable
- Unauthorized Access to an Okta Application
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
- Uncommon Destination Port Connection by Web Server
- Uncommon Registry Persistence Change
- Unexpected Child Process of macOS Screensaver Engine
- Unix Socket Connection
- Unknown Execution of Binary with RWX Memory Region
- Unsigned BITS Service Client Process
- Unsigned DLL Loaded by Svchost
- Unsigned DLL Loaded by a Trusted Process
- Unsigned DLL Side-Loading from a Suspicious Folder
- Unsigned DLL loaded by DNS Service
- Untrusted DLL Loaded by Azure AD Sync Service
- Untrusted Driver Loaded
- Unusual AWS Command for a User
- Unusual AWS S3 Object Encryption with SSE-C
- Unusual Base64 Encoding/Decoding Activity
- Unusual Child Process from a System Virtual Process
- Unusual Child Process of dns.exe
- Unusual Child Processes of RunDLL32
- Unusual City For an AWS Command
- Unusual Command Execution from Web Server Parent
- Unusual Country For an AWS Command
- Unusual D-Bus Daemon Child Process
- Unusual DNS Activity
- Unusual DPKG Execution
- Unusual Discovery Activity by User
- Unusual Discovery Signal Alert with Unusual Process Command Line
- Unusual Discovery Signal Alert with Unusual Process Executable
- Unusual Executable File Creation by a System Critical Process
- Unusual Execution via Microsoft Common Console File
- Unusual File Creation - Alternate Data Stream
- Unusual File Creation by Web Server
- Unusual File Modification by dns.exe
- Unusual File Transfer Utility Launched
- Unusual High Confidence Content Filter Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Word Policy Blocks Detected
- Unusual Hour for a User to Logon
- Unusual Instance Metadata Service (IMDS) API Request
- Unusual Interactive Shell Launched from System User
- Unusual Linux Network Activity
- Unusual Linux Network Configuration Discovery
- Unusual Linux Network Connection Discovery
- Unusual Linux Network Port Activity
- Unusual Linux Process Calling the Metadata Service
- Unusual Linux Process Discovery Activity
- Unusual Linux System Information Discovery Activity
- Unusual Linux User Calling the Metadata Service
- Unusual Linux User Discovery Activity
- Unusual Linux Username
- Unusual Login Activity
- Unusual Network Activity from a Windows System Binary
- Unusual Network Connection via DllHost
- Unusual Network Connection via RunDLL32
- Unusual Network Destination Domain Name
- Unusual Parent Process for cmd.exe
- Unusual Parent-Child Relationship
- Unusual Persistence via Services Registry
- Unusual Pkexec Execution
- Unusual Preload Environment Variable Process Execution
- Unusual Print Spooler Child Process
- Unusual Process Execution Path - Alternate Data Stream
- Unusual Process Execution on WBEM Path
- Unusual Process Extension
- Unusual Process For MSSQL Service Accounts
- Unusual Process For a Linux Host
- Unusual Process For a Windows Host
- Unusual Process Network Connection
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process
- Unusual Process Spawned by a User
- Unusual Process Spawned from Web Server Parent
- Unusual Process Writing Data to an External Device
- Unusual Remote File Creation
- Unusual Remote File Directory
- Unusual Remote File Extension
- Unusual Remote File Size
- Unusual SSHD Child Process
- Unusual Service Host Child Process - Childless Service
- Unusual Source IP for a User to Logon from
- Unusual Sudo Activity
- Unusual Time or Day for an RDP Session
- Unusual User Privilege Enumeration via id
- Unusual Web Request
- Unusual Web User Agent
- Unusual Windows Network Activity
- Unusual Windows Path Activity
- Unusual Windows Process Calling the Metadata Service
- Unusual Windows Remote User
- Unusual Windows Service
- Unusual Windows User Calling the Metadata Service
- Unusual Windows User Privilege Elevation Activity
- Unusual Windows Username
- User Account Creation
- User Added as Owner for Azure Application
- User Added as Owner for Azure Service Principal
- User Added to Privileged Group
- User Added to the Admin Group
- User account exposed to Kerberoasting
- User or Group Creation/Modification
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Veeam Backup Library Loaded by Unusual Process
- Virtual Machine Fingerprinting
- Virtual Machine Fingerprinting via Grep
- Virtual Private Network Connection Attempt
- Volume Shadow Copy Deleted or Resized via VssAdmin
- Volume Shadow Copy Deletion via PowerShell
- Volume Shadow Copy Deletion via WMIC
- WDAC Policy File by an Unusual Process
- WMI Incoming Lateral Movement
- WMI WBEMTEST Utility Execution
- WMIC Remote Command
- WPS Office Exploitation via DLL Hijack
- WRITEDAC Access on Active Directory Object
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Web Server Spawned via Python
- Web Shell Detection: Script Process Child of Common Web Processes
- WebProxy Settings Modification
- WebServer Access Logs Deleted
- Werfault ReflectDebugger Persistence
- Whoami Process Activity
- Windows Account or Group Discovery
- Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
- Windows Defender Disabled via Registry Modification
- Windows Defender Exclusions Added via PowerShell
- Windows Event Logs Cleared
- Windows Firewall Disabled via PowerShell
- Windows Installer with Suspicious Properties
- Windows Network Enumeration
- Windows Registry File Creation in SMB Share
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI
- Windows Service Installed via an Unusual Client
- Windows Subsystem for Linux Distribution Installed
- Windows Subsystem for Linux Enabled via Dism Utility
- Windows System Information Discovery
- Windows System Network Connections Discovery
- Wireless Credential Dumping using Netsh Command
- Yum Package Manager Plugin File Creation
- Yum/DNF Plugin Status Discovery
- Zoom Meeting with no Passcode
- rc.local/rc.common File Creation
- Downloadable rule updates
- Configure endpoint protection with Elastic Defend
- Manage Elastic Defend
- Endpoints
- Policies
- Trusted applications
- Event filters
- Host isolation exceptions
- Blocklist
- Optimize Elastic Defend
- Event capture and Elastic Defend
- Endpoint protection rules
- Allowlist Elastic Endpoint in third-party antivirus apps
- Elastic Endpoint self-protection features
- Elastic Endpoint command reference
- Endpoint response actions
- Cloud Security
- Dashboards
- Explore
- Advanced Entity Analytics
- Investigation tools
- Elastic Security APIs
- Detections API
- Exceptions API
- Create exception container
- Create exceptions used by multiple rules
- Create shared exception list
- Find exception containers
- Find exception items
- Get exception container
- Get exception item
- Import exception list
- Export exception list
- Update exception container
- Summary exception container
- Update exception item
- Delete exception container
- Delete exception item
- Lists index endpoint
- Lists API
- Detection Alerts Migration API
- Timeline API
- Get Timelines or Timeline templates
- Get Timeline or Timeline template by savedObjectId
- Get Timeline template by templateTimelineId
- Create Timeline or Timeline template
- Update Timeline or Timeline template
- Add a note to an existing Timeline
- Pin an event to an existing Timeline
- Delete Timelines or Timeline templates
- Import timelines and timeline templates
- Cases API
- Actions API (for pushing cases to external systems)
- Endpoint management API
- Get endpoint
- List endpoints
- Isolate a host
- Release an isolated host
- Terminate a process
- Suspend a process
- Get processes
- Get a file from a host
- Execute a command on a host
- Upload file to host
- Scan a file or folder
- Trusted applications
- Event filters
- Host isolation exceptions
- Blocklist
- Get action details
- List response actions
- Elastic AI Assistant API
- Elastic Security fields and object schemas
- Troubleshooting
- Release notes
AWS SNS Topic Created by Rare User
editAWS SNS Topic Created by Rare User
editIdentifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS SNS
- Resources: Investigation Guide
- Use Case: Threat Detection
- Tactic: Resource Development
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and Analysis
Investigating AWS SNS Topic Created by Rare User
This rule detects the creation of an AWS Simple Notification Service (SNS) topic by a user who does not typically perform this action. Adversaries may create SNS topics to facilitate data exfiltration or other malicious activities.
This is a New Terms rule that only flags when this behavior is observed for the first time on a host in the last 10 days.
Possible Investigation Steps
1. Identify the Actor and Context
- User Identity and Role:
-
Examine
aws.cloudtrail.user_identity.arnto determine who created the SNS topic. -
Identify whether the actor assumed a privileged IAM role (
aws.cloudtrail.user_identity.type: "AssumedRole"). - User Agent and Tooling:
-
Check
user_agent.nameto determine if this action was performed via the AWS CLI, SDK, or Console. -
If
aws-cliwas used, review whether it aligns with typical automation or administrative behavior. - Source IP and Geographic Location:
-
Review
source.ipandsource.geofields to confirm if the request originated from a trusted or unexpected location.
2. Evaluate the SNS Topic Creation
- Topic Name and Purpose:
-
Check
aws.cloudtrail.flattened.request_parameters.namefor the SNS topic name and determine whether it appears suspicious (e.g., random strings, unusual keywords). - Target Region and Account:
-
Verify
cloud.regionandcloud.account.idto ensure the SNS topic was created in an expected environment. - Associated API Calls:
-
Identify additional actions before or after this event using
event.actionvalues like: -
Subscribe -
Publish -
SetTopicAttributes - These may indicate follow-up steps taken to misuse the SNS topic.
3. Analyze Potential Malicious Intent
- Is This an Isolated Action or a Pattern?
- Check if this user has previously created SNS topics using historical CloudTrail logs.
- Look for multiple topic creations in a short period, which may suggest an automation script or malicious behavior.
- Unusual Role Usage:
-
If
aws.cloudtrail.user_identity.arnreferences an EC2 instance role, verify whether that instance typically performs SNS operations. - Potential Data Exfiltration or Persistence:
-
Review whether new subscriptions were added (
SubscribeAPI action) to forward data externally. - If an SNS topic was configured to trigger Lambda functions or S3 events, it may indicate an attempt to persist in the environment.
False Positive Analysis
- Legitimate Usage of SNS:
- SNS is commonly used for event-driven notifications in AWS.
- Check whether the SNS topic creation aligns with known DevOps, automation, or monitoring activities.
- Routine IAM Role Activity:
- If the user typically interacts with SNS, consider allowlisting expected IAM roles for this action.
- AWS Services Creating Topics Automatically:
- Some AWS services may auto-create SNS topics for alerts and monitoring. Confirm whether the creation was system-generated.
Response and Remediation
- Confirm Authorization:
- If the user was not expected to create SNS topics, verify whether their IAM permissions should be restricted.
- Revoke Unauthorized Access:
- If unauthorized, disable the access keys or IAM role associated with the event.
- Monitor for Further SNS Modifications:
-
Set up additional monitoring for SNS Publish or Subscription events (
Publish,Subscribe). - Enhance IAM Policy Controls:
- Consider enforcing least privilege IAM policies and enabling multi-factor authentication (MFA) where applicable.
- Investigate for Persistence:
- Check whether the SNS topic is being used as a notification channel for Lambda, S3, or other AWS services.
Rule query
editevent.dataset: "aws.cloudtrail" and event.provider: "sns.amazonaws.com" and event.action: "CreateTopic" and event.outcome: "success" and aws.cloudtrail.user_identity.type: "AssumedRole" and aws.cloudtrail.user_identity.arn: *i-*
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Resource Development
- ID: TA0042
- Reference URL: https://attack.mitre.org/tactics/TA0042/
-
Technique:
- Name: Stage Capabilities
- ID: T1608
- Reference URL: https://attack.mitre.org/techniques/T1608/
On this page
Was this helpful?
Thank you for your feedback.