
@tradebot-elastic
Last active May 13, 2026 13:31
ATT&CK Navigator layer files.
{
"name": "Elastic-detection-rules-all",
"versions": {
"attack": "18.1.0",
"layer": "4.4",
"navigator": "4.5.5"
},
"techniques": [
{
"techniqueID": "T1102",
"tactic": "command-and-control",
"score": 17,
"metadata": [
{
"name": "Connection to Common Large Language Model Endpoints",
"value": "eql/eql"
},
{
"name": "Suspicious File Downloaded from Google Drive",
"value": "eql/eql"
},
{
"name": "AWS SNS Rare Protocol Subscription by User",
"value": "new_terms/kuery"
},
{
"name": "AWS SNS Topic Message Publish by Rare User",
"value": "new_terms/kuery"
},
{
"name": "Statistical Model Detected C2 Beaconing Activity",
"value": "query/kuery"
},
{
"name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"value": "query/kuery"
},
{
"name": "AWS CLI Command with Custom Endpoint URL",
"value": "new_terms/kuery"
},
{
"name": "Linux Telegram API Request",
"value": "eql/eql"
},
{
"name": "Suspicious AWS S3 Connection via Script Interpreter",
"value": "esql/esql"
},
{
"name": "Google Calendar C2 via Script Interpreter",
"value": "eql/eql"
},
{
"name": "Network Connection to OAST Domain via Script Interpreter",
"value": "eql/eql"
},
{
"name": "Potential Etherhiding C2 via Blockchain Connection",
"value": "eql/eql"
},
{
"name": "Suspicious Curl to Google App Script Endpoint",
"value": "eql/eql"
},
{
"name": "Unusual Network Connection to Suspicious Web Service",
"value": "new_terms/kuery"
},
{
"name": "Unusual Web Request",
"value": "machine_learning/None"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Connection to Common Large Language Model Endpoints",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_common_llm_endpoint.toml"
},
{
"label": "Suspicious File Downloaded from Google Drive",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml"
},
{
"label": "AWS SNS Rare Protocol Subscription by User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml"
},
{
"label": "AWS SNS Topic Message Publish by Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml"
},
{
"label": "Statistical Model Detected C2 Beaconing Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/beaconing/command_and_control_beaconing.toml"
},
{
"label": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml"
},
{
"label": "AWS CLI Command with Custom Endpoint URL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml"
},
{
"label": "Linux Telegram API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_telegram_api_request.toml"
},
{
"label": "Suspicious AWS S3 Connection via Script Interpreter",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_aws_s3_connection_via_script.toml"
},
{
"label": "Google Calendar C2 via Script Interpreter",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_google_calendar_c2_via_script.toml"
},
{
"label": "Network Connection to OAST Domain via Script Interpreter",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_network_connection_to_oast_domain.toml"
},
{
"label": "Potential Etherhiding C2 via Blockchain Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_potential_etherhiding_c2.toml"
},
{
"label": "Suspicious Curl to Google App Script Endpoint",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml"
},
{
"label": "Unusual Network Connection to Suspicious Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml"
},
{
"label": "Unusual Web Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1102.002",
"tactic": "command-and-control",
"score": 10,
"metadata": [
{
"name": "Connection to Common Large Language Model Endpoints",
"value": "eql/eql"
},
{
"name": "Statistical Model Detected C2 Beaconing Activity",
"value": "query/kuery"
},
{
"name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"value": "query/kuery"
},
{
"name": "AWS CLI Command with Custom Endpoint URL",
"value": "new_terms/kuery"
},
{
"name": "Linux Telegram API Request",
"value": "eql/eql"
},
{
"name": "Google Calendar C2 via Script Interpreter",
"value": "eql/eql"
},
{
"name": "Potential Etherhiding C2 via Blockchain Connection",
"value": "eql/eql"
},
{
"name": "Suspicious Curl to Google App Script Endpoint",
"value": "eql/eql"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Connection to Common Large Language Model Endpoints",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_common_llm_endpoint.toml"
},
{
"label": "Statistical Model Detected C2 Beaconing Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/beaconing/command_and_control_beaconing.toml"
},
{
"label": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml"
},
{
"label": "AWS CLI Command with Custom Endpoint URL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml"
},
{
"label": "Linux Telegram API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_telegram_api_request.toml"
},
{
"label": "Google Calendar C2 via Script Interpreter",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_google_calendar_c2_via_script.toml"
},
{
"label": "Potential Etherhiding C2 via Blockchain Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_potential_etherhiding_c2.toml"
},
{
"label": "Suspicious Curl to Google App Script Endpoint",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1071",
"tactic": "command-and-control",
"score": 93,
"metadata": [
{
"name": "Curl or Wget Spawned via Node.js",
"value": "eql/eql"
},
{
"name": "GenAI Process Connection to Suspicious Top Level Domain",
"value": "eql/eql"
},
{
"name": "GenAI Process Connection to Unusual Domain",
"value": "new_terms/kuery"
},
{
"name": "PANW and Elastic Defend - Command and Control Correlation",
"value": "eql/eql"
},
{
"name": "Suricata and Elastic Defend Network Correlation",
"value": "eql/eql"
},
{
"name": "Execution via OpenClaw Agent",
"value": "eql/eql"
},
{
"name": "Web Server Potential Command Injection Request",
"value": "esql/esql"
},
{
"name": "Entra ID Protection - Risk Detection - Sign-in Risk",
"value": "query/kuery"
},
{
"name": "Entra ID Protection - Risk Detection - User Risk",
"value": "query/kuery"
},
{
"name": "Statistical Model Detected C2 Beaconing Activity",
"value": "query/kuery"
},
{
"name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"value": "query/kuery"
},
{
"name": "File Download Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Process Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "File Creation and Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "System Path File Creation and Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Web Server Exploitation Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"value": "query/kuery"
},
{
"name": "Potential DGA Activity",
"value": "machine_learning/None"
},
{
"name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"value": "query/kuery"
},
{
"name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"value": "query/kuery"
},
{
"name": "High Number of Egress Network Connections from Unusual Executable",
"value": "esql/esql"
},
{
"name": "Git Repository or File Download to Suspicious Directory",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding",
"value": "eql/eql"
},
{
"name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Linux Telegram API Request",
"value": "eql/eql"
},
{
"name": "Egress Connection from Entrypoint in Container",
"value": "eql/eql"
},
{
"name": "Network Connection from Binary with RWX Memory Region",
"value": "eql/eql"
},
{
"name": "Network Connection via Recently Compiled Executable",
"value": "eql/eql"
},
{
"name": "Openssl Client or Server Activity",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Background Process",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Child",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Java",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Suspicious Child Process",
"value": "eql/eql"
},
{
"name": "Potential Meterpreter Reverse Shell",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Suspicious Binary",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via UDP",
"value": "eql/eql"
},
{
"name": "Suspicious Named Pipe Creation",
"value": "new_terms/kuery"
},
{
"name": "Potential Malware-Driven SSH Brute Force Attempt",
"value": "esql/esql"
},
{
"name": "Connection to External Network via Telnet",
"value": "eql/eql"
},
{
"name": "Git Hook Egress Network Connection",
"value": "eql/eql"
},
{
"name": "Simple HTTP Web Server Connection",
"value": "eql/eql"
},
{
"name": "Simple HTTP Web Server Creation",
"value": "eql/eql"
},
{
"name": "Unusual Process Spawned from Web Server Parent",
"value": "esql/esql"
},
{
"name": "Unusual Command Execution from Web Server Parent",
"value": "esql/esql"
},
{
"name": "Uncommon Destination Port Connection by Web Server",
"value": "eql/eql"
},
{
"name": "Unusual Web Server Command Execution",
"value": "new_terms/kuery"
},
{
"name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"value": "eql/eql"
},
{
"name": "Perl Outbound Network Connection",
"value": "eql/eql"
},
{
"name": "Suspicious Curl from macOS Application",
"value": "eql/eql"
},
{
"name": "Suspicious Curl to Google App Script Endpoint",
"value": "eql/eql"
},
{
"name": "Unusual Network Connection to Suspicious Top Level Domain",
"value": "new_terms/kuery"
},
{
"name": "Unusual Network Connection to Suspicious Web Service",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Installer Package Spawns Network Event",
"value": "eql/eql"
},
{
"name": "Apple Script Execution followed by Network Connection",
"value": "eql/eql"
},
{
"name": "DNS Tunneling",
"value": "machine_learning/None"
},
{
"name": "Unusual DNS Activity",
"value": "machine_learning/None"
},
{
"name": "Unusual Web Request",
"value": "machine_learning/None"
},
{
"name": "Unusual Web User Agent",
"value": "machine_learning/None"
},
{
"name": "Spike in host-based traffic",
"value": "machine_learning/None"
},
{
"name": "Spike in Firewall Denies",
"value": "machine_learning/None"
},
{
"name": "Unusual Linux Network Activity",
"value": "machine_learning/None"
},
{
"name": "Unusual Linux Network Port Activity",
"value": "machine_learning/None"
},
{
"name": "Unusual Network Destination Domain Name",
"value": "machine_learning/None"
},
{
"name": "Network Traffic to Rare Destination Country",
"value": "machine_learning/None"
},
{
"name": "Spike in Network Traffic To a Country",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows Network Activity",
"value": "machine_learning/None"
},
{
"name": "Accepted Default Telnet Port Connection",
"value": "query/kuery"
},
{
"name": "Cobalt Strike Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Default Cobalt Strike Team Server Certificate",
"value": "query/kuery"
},
{
"name": "Possible FIN7 DGA Command and Control Behavior",
"value": "query/lucene"
},
{
"name": "Halfbaked Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "SMTP on Port 26/TCP",
"value": "query/kuery"
},
{
"name": "Potential File Transfer via Certreq",
"value": "eql/eql"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "Network Activity to a Suspicious Top Level Domain",
"value": "eql/eql"
},
{
"name": "Potential DNS Tunneling via NsLookup",
"value": "eql/eql"
},
{
"name": "Potential Command and Control via Internet Explorer",
"value": "eql/eql"
},
{
"name": "Outlook Home Page Registry Modification",
"value": "eql/eql"
},
{
"name": "Deprecated - SUNBURST Command and Control Activity",
"value": "eql/eql"
},
{
"name": "Potential File Transfer via Curl for Windows",
"value": "eql/eql"
},
{
"name": "MsBuild Making Network Connections",
"value": "eql/eql"
},
{
"name": "Unusual Network Connection via DllHost",
"value": "eql/eql"
},
{
"name": "Unusual Network Connection via RunDLL32",
"value": "eql/eql"
},
{
"name": "System Public IP Discovery via DNS Query",
"value": "eql/eql"
},
{
"name": "Suspicious Command Prompt Network Connection",
"value": "eql/eql"
},
{
"name": "Network Connection via Compiled HTML File",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from a WebDav Share",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "Web Server Potential SQL Injection Request",
"value": "eql/eql"
},
{
"name": "Unusual File Creation by Web Server",
"value": "esql/esql"
}
],
"links": [
{
"label": "Curl or Wget Spawned via Node.js",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml"
},
{
"label": "GenAI Process Connection to Suspicious Top Level Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml"
},
{
"label": "GenAI Process Connection to Unusual Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml"
},
{
"label": "PANW and Elastic Defend - Command and Control Correlation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml"
},
{
"label": "Suricata and Elastic Defend Network Correlation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml"
},
{
"label": "Execution via OpenClaw Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_openclaw_agent_child_process.toml"
},
{
"label": "Web Server Potential Command Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_command_injection.toml"
},
{
"label": "Entra ID Protection - Risk Detection - Sign-in Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml"
},
{
"label": "Entra ID Protection - Risk Detection - User Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml"
},
{
"label": "Statistical Model Detected C2 Beaconing Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/beaconing/command_and_control_beaconing.toml"
},
{
"label": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml"
},
{
"label": "File Download Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml"
},
{
"label": "Suspicious Process Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml"
},
{
"label": "File Creation and Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_interactive_file_creation_followed_by_execution.toml"
},
{
"label": "System Path File Creation and Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml"
},
{
"label": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml"
},
{
"label": "Suspicious Interpreter Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml"
},
{
"label": "Web Server Exploitation Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml"
},
{
"label": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml"
},
{
"label": "Potential DGA Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml"
},
{
"label": "High Number of Egress Network Connections from Unusual Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml"
},
{
"label": "Git Repository or File Download to Suspicious Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml"
},
{
"label": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml"
},
{
"label": "Linux Telegram API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_telegram_api_request.toml"
},
{
"label": "Egress Connection from Entrypoint in Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml"
},
{
"label": "Network Connection from Binary with RWX Memory Region",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml"
},
{
"label": "Network Connection via Recently Compiled Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_network_event_post_compilation.toml"
},
{
"label": "Openssl Client or Server Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_openssl_client_or_server.toml"
},
{
"label": "Potential Reverse Shell via Background Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_background_process.toml"
},
{
"label": "Potential Reverse Shell via Child",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_child_tcp_utility_linux.toml"
},
{
"label": "Potential Reverse Shell via Java",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_java_revshell_linux.toml"
},
{
"label": "Potential Reverse Shell via Suspicious Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml"
},
{
"label": "Potential Meterpreter Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_meterpreter_linux.toml"
},
{
"label": "Potential Reverse Shell via Suspicious Binary",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_suspicious_binary.toml"
},
{
"label": "Potential Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml"
},
{
"label": "Potential Reverse Shell via UDP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_udp_cli_utility_linux.toml"
},
{
"label": "Suspicious Named Pipe Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_mkfifo_execution.toml"
},
{
"label": "Potential Malware-Driven SSH Brute Force Attempt",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/impact_potential_bruteforce_malware_infection.toml"
},
{
"label": "Connection to External Network via Telnet",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_telnet_network_activity_external.toml"
},
{
"label": "Git Hook Egress Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_netcon.toml"
},
{
"label": "Simple HTTP Web Server Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_simple_web_server_connection_accepted.toml"
},
{
"label": "Simple HTTP Web Server Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_simple_web_server_creation.toml"
},
{
"label": "Unusual Process Spawned from Web Server Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_sus_child_spawned.toml"
},
{
"label": "Unusual Command Execution from Web Server Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_sus_command_execution.toml"
},
{
"label": "Uncommon Destination Port Connection by Web Server",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_sus_destination_port.toml"
},
{
"label": "Unusual Web Server Command Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_unusual_command_execution.toml"
},
{
"label": "Root Network Connection via GDB CAP_SYS_PTRACE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml"
},
{
"label": "Perl Outbound Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_perl_outbound_network_connection.toml"
},
{
"label": "Suspicious Curl from macOS Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml"
},
{
"label": "Suspicious Curl to Google App Script Endpoint",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml"
},
{
"label": "Unusual Network Connection to Suspicious Top Level Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml"
},
{
"label": "Unusual Network Connection to Suspicious Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml"
},
{
"label": "Suspicious Installer Package Spawns Network Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/execution_installer_package_spawned_network_event.toml"
},
{
"label": "Apple Script Execution followed by Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml"
},
{
"label": "DNS Tunneling",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml"
},
{
"label": "Unusual DNS Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml"
},
{
"label": "Unusual Web Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml"
},
{
"label": "Unusual Web User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml"
},
{
"label": "Spike in host-based traffic",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_high_count_events_for_a_host_name.toml"
},
{
"label": "Spike in Firewall Denies",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_high_count_network_denies.toml"
},
{
"label": "Unusual Linux Network Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_linux_anomalous_network_activity.toml"
},
{
"label": "Unusual Linux Network Port Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_linux_anomalous_network_port_activity.toml"
},
{
"label": "Unusual Network Destination Domain Name",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_packetbeat_rare_server_domain.toml"
},
{
"label": "Network Traffic to Rare Destination Country",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_rare_destination_country.toml"
},
{
"label": "Spike in Network Traffic To a Country",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_spike_in_traffic_to_a_country.toml"
},
{
"label": "Unusual Windows Network Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_windows_anomalous_network_activity.toml"
},
{
"label": "Accepted Default Telnet Port Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_accepted_default_telnet_port_connection.toml"
},
{
"label": "Cobalt Strike Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_beacon.toml"
},
{
"label": "Default Cobalt Strike Team Server Certificate",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml"
},
{
"label": "Possible FIN7 DGA Command and Control Behavior",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_fin7_c2_behavior.toml"
},
{
"label": "Halfbaked Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_halfbaked_beacon.toml"
},
{
"label": "SMTP on Port 26/TCP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_port_26_activity.toml"
},
{
"label": "Potential File Transfer via Certreq",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_certreq_postdata.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "Network Activity to a Suspicious Top Level Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_susp_tld.toml"
},
{
"label": "Potential DNS Tunneling via NsLookup",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_tunneling_nslookup.toml"
},
{
"label": "Potential Command and Control via Internet Explorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_iexplore_via_com.toml"
},
{
"label": "Outlook Home Page Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_outlook_home_page.toml"
},
{
"label": "Deprecated - SUNBURST Command and Control Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_sunburst_c2_activity_detected.toml"
},
{
"label": "Potential File Transfer via Curl for Windows",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tool_transfer_via_curl.toml"
},
{
"label": "MsBuild Making Network Connections",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_msbuild_making_network_connections.toml"
},
{
"label": "Unusual Network Connection via DllHost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml"
},
{
"label": "Unusual Network Connection via RunDLL32",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml"
},
{
"label": "System Public IP Discovery via DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_host_public_ip_address_lookup.toml"
},
{
"label": "Suspicious Command Prompt Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_command_prompt_connecting_to_the_internet.toml"
},
{
"label": "Network Connection via Compiled HTML File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml"
},
{
"label": "Suspicious Execution from a WebDav Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_scripting_remote_webdav.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
},
{
"label": "Web Server Potential SQL Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/persistence_web_server_potential_sql_injection.toml"
},
{
"label": "Unusual File Creation by Web Server",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/persistence_web_server_sus_file_creation.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1071.001",
"tactic": "command-and-control",
"score": 30,
"metadata": [
{
"name": "Curl or Wget Spawned via Node.js",
"value": "eql/eql"
},
{
"name": "GenAI Process Connection to Unusual Domain",
"value": "new_terms/kuery"
},
{
"name": "Execution via OpenClaw Agent",
"value": "eql/eql"
},
{
"name": "File Download Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Git Repository or File Download to Suspicious Directory",
"value": "eql/eql"
},
{
"name": "Linux Telegram API Request",
"value": "eql/eql"
},
{
"name": "Simple HTTP Web Server Connection",
"value": "eql/eql"
},
{
"name": "Simple HTTP Web Server Creation",
"value": "eql/eql"
},
{
"name": "Perl Outbound Network Connection",
"value": "eql/eql"
},
{
"name": "Suspicious Curl from macOS Application",
"value": "eql/eql"
},
{
"name": "Suspicious Curl to Google App Script Endpoint",
"value": "eql/eql"
},
{
"name": "Unusual Network Connection to Suspicious Top Level Domain",
"value": "new_terms/kuery"
},
{
"name": "Unusual Network Connection to Suspicious Web Service",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Installer Package Spawns Network Event",
"value": "eql/eql"
},
{
"name": "Unusual Web Request",
"value": "machine_learning/None"
},
{
"name": "Unusual Web User Agent",
"value": "machine_learning/None"
},
{
"name": "Unusual Network Destination Domain Name",
"value": "machine_learning/None"
},
{
"name": "Cobalt Strike Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Default Cobalt Strike Team Server Certificate",
"value": "query/kuery"
},
{
"name": "Possible FIN7 DGA Command and Control Behavior",
"value": "query/lucene"
},
{
"name": "Halfbaked Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Potential File Transfer via Certreq",
"value": "eql/eql"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "Outlook Home Page Registry Modification",
"value": "eql/eql"
},
{
"name": "Deprecated - SUNBURST Command and Control Activity",
"value": "eql/eql"
},
{
"name": "Potential File Transfer via Curl for Windows",
"value": "eql/eql"
},
{
"name": "Unusual Network Connection via RunDLL32",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from a WebDav Share",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Curl or Wget Spawned via Node.js",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml"
},
{
"label": "GenAI Process Connection to Unusual Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml"
},
{
"label": "Execution via OpenClaw Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_openclaw_agent_child_process.toml"
},
{
"label": "File Download Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml"
},
{
"label": "Suspicious Interpreter Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml"
},
{
"label": "Git Repository or File Download to Suspicious Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml"
},
{
"label": "Linux Telegram API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_telegram_api_request.toml"
},
{
"label": "Simple HTTP Web Server Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_simple_web_server_connection_accepted.toml"
},
{
"label": "Simple HTTP Web Server Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_simple_web_server_creation.toml"
},
{
"label": "Perl Outbound Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_perl_outbound_network_connection.toml"
},
{
"label": "Suspicious Curl from macOS Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml"
},
{
"label": "Suspicious Curl to Google App Script Endpoint",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml"
},
{
"label": "Unusual Network Connection to Suspicious Top Level Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml"
},
{
"label": "Unusual Network Connection to Suspicious Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml"
},
{
"label": "Suspicious Installer Package Spawns Network Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/execution_installer_package_spawned_network_event.toml"
},
{
"label": "Unusual Web Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml"
},
{
"label": "Unusual Web User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml"
},
{
"label": "Unusual Network Destination Domain Name",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_packetbeat_rare_server_domain.toml"
},
{
"label": "Cobalt Strike Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_beacon.toml"
},
{
"label": "Default Cobalt Strike Team Server Certificate",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml"
},
{
"label": "Possible FIN7 DGA Command and Control Behavior",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_fin7_c2_behavior.toml"
},
{
"label": "Halfbaked Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_halfbaked_beacon.toml"
},
{
"label": "Potential File Transfer via Certreq",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_certreq_postdata.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "Outlook Home Page Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_outlook_home_page.toml"
},
{
"label": "Deprecated - SUNBURST Command and Control Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_sunburst_c2_activity_detected.toml"
},
{
"label": "Potential File Transfer via Curl for Windows",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tool_transfer_via_curl.toml"
},
{
"label": "Unusual Network Connection via RunDLL32",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml"
},
{
"label": "Suspicious Execution from a WebDav Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_scripting_remote_webdav.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1105",
"tactic": "command-and-control",
"score": 61,
"metadata": [
{
"name": "Curl or Wget Spawned via Node.js",
"value": "eql/eql"
},
{
"name": "Suspicious File Downloaded from Google Drive",
"value": "eql/eql"
},
{
"name": "AWS EC2 LOLBin Execution via SSM SendCommand",
"value": "esql/esql"
},
{
"name": "Potential Git CVE-2025-48384 Exploitation",
"value": "eql/eql"
},
{
"name": "Execution via OpenClaw Agent",
"value": "eql/eql"
},
{
"name": "Initial Access via File Upload Followed by GET Request",
"value": "eql/eql"
},
{
"name": "Web Server Potential Command Injection Request",
"value": "esql/esql"
},
{
"name": "File Download Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Network Tool Launch Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "System Path File Creation and Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"value": "eql/eql"
},
{
"name": "Tool Installation Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Web Server Exploitation Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubernetes Pod Exec with Curl or Wget to HTTPS",
"value": "esql/esql"
},
{
"name": "Curl or Wget Execution from Container Context",
"value": "query/kuery"
},
{
"name": "Git Repository or File Download to Suspicious Directory",
"value": "eql/eql"
},
{
"name": "Curl or Wget Egress Network Connection via LoLBin",
"value": "eql/eql"
},
{
"name": "Potentially Suspicious Process Started via tmux or screen",
"value": "eql/eql"
},
{
"name": "Suspicious Network Tool Launched Inside A Container",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"value": "eql/eql"
},
{
"name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"value": "eql/eql"
},
{
"name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation",
"value": "eql/eql"
},
{
"name": "Remote File Creation in World Writeable Directory",
"value": "new_terms/kuery"
},
{
"name": "Potential THC Tool Downloaded",
"value": "eql/eql"
},
{
"name": "Unusual Remote File Creation",
"value": "new_terms/kuery"
},
{
"name": "Pluggable Authentication Module (PAM) Source Download",
"value": "eql/eql"
},
{
"name": "Executable File Download via Wget",
"value": "eql/eql"
},
{
"name": "Suspicious Curl from macOS Application",
"value": "eql/eql"
},
{
"name": "Suspicious Curl to Google App Script Endpoint",
"value": "eql/eql"
},
{
"name": "Suspicious Browser Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious Installer Package Spawns Network Event",
"value": "eql/eql"
},
{
"name": "Apple Script Execution followed by Network Connection",
"value": "eql/eql"
},
{
"name": "Curl Execution via Shell Profile",
"value": "eql/eql"
},
{
"name": "Unusual Network Destination Domain Name",
"value": "machine_learning/None"
},
{
"name": "Network Traffic to Rare Destination Country",
"value": "machine_learning/None"
},
{
"name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"value": "query/kuery"
},
{
"name": "Potential File Transfer via Certreq",
"value": "eql/eql"
},
{
"name": "Potential File Download via a Headless Browser",
"value": "eql/eql"
},
{
"name": "Ingress Transfer via Windows BITS",
"value": "eql/eql"
},
{
"name": "Remote File Download via Desktopimgdownldr Utility",
"value": "eql/eql"
},
{
"name": "Remote File Download via MpCmdRun",
"value": "eql/eql"
},
{
"name": "Remote File Download via PowerShell",
"value": "eql/eql"
},
{
"name": "Remote File Download via Script Interpreter",
"value": "eql/eql"
},
{
"name": "Suspicious ScreenConnect Client Child Process",
"value": "eql/eql"
},
{
"name": "Remote File Copy via TeamViewer",
"value": "eql/eql"
},
{
"name": "Potential File Transfer via Curl for Windows",
"value": "eql/eql"
},
{
"name": "Potential Remote Install via MsiExec",
"value": "eql/eql"
},
{
"name": "Network Connection via MsXsl",
"value": "eql/eql"
},
{
"name": "Suspicious CertUtil Commands",
"value": "eql/eql"
},
{
"name": "Suspicious Command Prompt Network Connection",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from a WebDav Share",
"value": "eql/eql"
},
{
"name": "Suspicious JavaScript Execution via Deno",
"value": "eql/eql"
},
{
"name": "Suspicious Windows Command Shell Arguments",
"value": "eql/eql"
},
{
"name": "Suspicious Windows Powershell Arguments",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from INET Cache",
"value": "eql/eql"
},
{
"name": "Potential Remote File Execution via MSIEXEC",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from VS Code Extension",
"value": "eql/eql"
},
{
"name": "Bitsadmin Activity",
"value": "eql/eql"
},
{
"name": "Network Connection via Certutil",
"value": "eql/eql"
},
{
"name": "Ollama DNS Query to Untrusted Domain",
"value": "eql/eql"
}
],
"links": [
{
"label": "Curl or Wget Spawned via Node.js",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml"
},
{
"label": "Suspicious File Downloaded from Google Drive",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml"
},
{
"label": "AWS EC2 LOLBin Execution via SSM SendCommand",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml"
},
{
"label": "Potential Git CVE-2025-48384 Exploitation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml"
},
{
"label": "Execution via OpenClaw Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_openclaw_agent_child_process.toml"
},
{
"label": "Initial Access via File Upload Followed by GET Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml"
},
{
"label": "Web Server Potential Command Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_command_injection.toml"
},
{
"label": "File Download Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml"
},
{
"label": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml"
},
{
"label": "Suspicious Network Tool Launch Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml"
},
{
"label": "System Path File Creation and Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml"
},
{
"label": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml"
},
{
"label": "Tool Installation Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_tool_installation.toml"
},
{
"label": "Web Server Exploitation Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml"
},
{
"label": "Kubernetes Pod Exec with Curl or Wget to HTTPS",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/execution_kubernetes_pod_exec_curl_wget_https.toml"
},
{
"label": "Curl or Wget Execution from Container Context",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_auditd_curl_wget_from_container.toml"
},
{
"label": "Git Repository or File Download to Suspicious Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml"
},
{
"label": "Curl or Wget Egress Network Connection via LoLBin",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml"
},
{
"label": "Potentially Suspicious Process Started via tmux or screen",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml"
},
{
"label": "Suspicious Network Tool Launched Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml"
},
{
"label": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml"
},
{
"label": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_file_execution_followed_by_deletion.toml"
},
{
"label": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml"
},
{
"label": "Remote File Creation in World Writeable Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml"
},
{
"label": "Potential THC Tool Downloaded",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_ssh_it_worm_download.toml"
},
{
"label": "Unusual Remote File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_unusual_remote_file_creation.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Source Download",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_source_download.toml"
},
{
"label": "Executable File Download via Wget",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_executable_download_via_wget.toml"
},
{
"label": "Suspicious Curl from macOS Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml"
},
{
"label": "Suspicious Curl to Google App Script Endpoint",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml"
},
{
"label": "Suspicious Browser Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/execution_initial_access_suspicious_browser_childproc.toml"
},
{
"label": "Suspicious Installer Package Spawns Network Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/execution_installer_package_spawned_network_event.toml"
},
{
"label": "Apple Script Execution followed by Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml"
},
{
"label": "Curl Execution via Shell Profile",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_curl_execution_via_shell_profile.toml"
},
{
"label": "Unusual Network Destination Domain Name",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_packetbeat_rare_server_domain.toml"
},
{
"label": "Network Traffic to Rare Destination Country",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_rare_destination_country.toml"
},
{
"label": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_download_rar_powershell_from_internet.toml"
},
{
"label": "Potential File Transfer via Certreq",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_certreq_postdata.toml"
},
{
"label": "Potential File Download via a Headless Browser",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_headless_browser.toml"
},
{
"label": "Ingress Transfer via Windows BITS",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_ingress_transfer_bits.toml"
},
{
"label": "Remote File Download via Desktopimgdownldr Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml"
},
{
"label": "Remote File Download via MpCmdRun",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml"
},
{
"label": "Remote File Download via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_remote_file_copy_powershell.toml"
},
{
"label": "Remote File Download via Script Interpreter",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_remote_file_copy_scripts.toml"
},
{
"label": "Suspicious ScreenConnect Client Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_screenconnect_childproc.toml"
},
{
"label": "Remote File Copy via TeamViewer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_teamviewer_remote_file_copy.toml"
},
{
"label": "Potential File Transfer via Curl for Windows",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tool_transfer_via_curl.toml"
},
{
"label": "Potential Remote Install via MsiExec",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_msiexec_remote_payload.toml"
},
{
"label": "Network Connection via MsXsl",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_msxsl_network.toml"
},
{
"label": "Suspicious CertUtil Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_suspicious_certutil_commands.toml"
},
{
"label": "Suspicious Command Prompt Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_command_prompt_connecting_to_the_internet.toml"
},
{
"label": "Suspicious Execution from a WebDav Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_scripting_remote_webdav.toml"
},
{
"label": "Suspicious JavaScript Execution via Deno",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_susp_javascript_via_deno.toml"
},
{
"label": "Suspicious Windows Command Shell Arguments",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_windows_cmd_shell_susp_args.toml"
},
{
"label": "Suspicious Windows Powershell Arguments",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_windows_powershell_susp_args.toml"
},
{
"label": "Suspicious Execution from INET Cache",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_execution_from_inetcache.toml"
},
{
"label": "Potential Remote File Execution via MSIEXEC",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_execution_remote_via_msiexec.toml"
},
{
"label": "Suspicious Execution from VS Code Extension",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml"
},
{
"label": "Bitsadmin Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_bitsadmin_activity.toml"
},
{
"label": "Network Connection via Certutil",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_certutil_network_connection.toml"
},
{
"label": "Ollama DNS Query to Untrusted Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_ollama_model_download_untrusted_source.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1071.004",
"tactic": "command-and-control",
"score": 12,
"metadata": [
{
"name": "GenAI Process Connection to Suspicious Top Level Domain",
"value": "eql/eql"
},
{
"name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"value": "query/kuery"
},
{
"name": "Potential DGA Activity",
"value": "machine_learning/None"
},
{
"name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"value": "query/kuery"
},
{
"name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"value": "query/kuery"
},
{
"name": "DNS Tunneling",
"value": "machine_learning/None"
},
{
"name": "Unusual DNS Activity",
"value": "machine_learning/None"
},
{
"name": "Unusual Network Destination Domain Name",
"value": "machine_learning/None"
},
{
"name": "Network Activity to a Suspicious Top Level Domain",
"value": "eql/eql"
},
{
"name": "Potential DNS Tunneling via NsLookup",
"value": "eql/eql"
},
{
"name": "Potential Command and Control via Internet Explorer",
"value": "eql/eql"
},
{
"name": "System Public IP Discovery via DNS Query",
"value": "eql/eql"
}
],
"links": [
{
"label": "GenAI Process Connection to Suspicious Top Level Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml"
},
{
"label": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml"
},
{
"label": "Potential DGA Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml"
},
{
"label": "DNS Tunneling",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml"
},
{
"label": "Unusual DNS Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml"
},
{
"label": "Unusual Network Destination Domain Name",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_packetbeat_rare_server_domain.toml"
},
{
"label": "Network Activity to a Suspicious Top Level Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_susp_tld.toml"
},
{
"label": "Potential DNS Tunneling via NsLookup",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_tunneling_nslookup.toml"
},
{
"label": "Potential Command and Control via Internet Explorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_iexplore_via_com.toml"
},
{
"label": "System Public IP Discovery via DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_host_public_ip_address_lookup.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1102.003",
"tactic": "command-and-control",
"score": 2,
"metadata": [
{
"name": "Suspicious File Downloaded from Google Drive",
"value": "eql/eql"
},
{
"name": "AWS SNS Rare Protocol Subscription by User",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Suspicious File Downloaded from Google Drive",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml"
},
{
"label": "AWS SNS Rare Protocol Subscription by User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1090",
"tactic": "command-and-control",
"score": 19,
"metadata": [
{
"name": "Kubectl Network Configuration Modification",
"value": "eql/eql"
},
{
"name": "FortiGate SOCKS Traffic from an Unusual Process",
"value": "eql/eql"
},
{
"name": "Potential Traffic Tunneling using QEMU",
"value": "eql/eql"
},
{
"name": "Curl SOCKS Proxy Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Tunneling and/or Port Forwarding Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Curl SOCKS Proxy Activity from Unusual Parent",
"value": "eql/eql"
},
{
"name": "IPv4/IPv6 Forwarding Activity",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Chisel Client",
"value": "eql/eql"
},
{
"name": "ProxyChains Activity",
"value": "eql/eql"
},
{
"name": "Suspicious Utility Launched via ProxyChains",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding via Command Line",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via EarthWorm",
"value": "eql/eql"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "Port Forwarding Rule Addition",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Cloudflared",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Yuze",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kubectl Network Configuration Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_kubectl_networking_modification.toml"
},
{
"label": "FortiGate SOCKS Traffic from an Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml"
},
{
"label": "Potential Traffic Tunneling using QEMU",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_tunnel_qemu.toml"
},
{
"label": "Curl SOCKS Proxy Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml"
},
{
"label": "Tunneling and/or Port Forwarding Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml"
},
{
"label": "Curl SOCKS Proxy Activity from Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_curl_socks_proxy_detected.toml"
},
{
"label": "IPv4/IPv6 Forwarding Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_ip_forwarding_activity.toml"
},
{
"label": "Potential Protocol Tunneling via Chisel Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_chisel_client_activity.toml"
},
{
"label": "ProxyChains Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_proxychains_activity.toml"
},
{
"label": "Suspicious Utility Launched via ProxyChains",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_potential_tunneling_command_line.toml"
},
{
"label": "Potential Protocol Tunneling via EarthWorm",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_tunneling_via_earthworm.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "Port Forwarding Rule Addition",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_port_forwarding_added_registry.toml"
},
{
"label": "Potential Protocol Tunneling via Cloudflared",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tunnel_cloudflared.toml"
},
{
"label": "Potential Protocol Tunneling via Yuze",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tunnel_yuze.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1572",
"tactic": "command-and-control",
"score": 21,
"metadata": [
{
"name": "Kubectl Network Configuration Modification",
"value": "eql/eql"
},
{
"name": "Potential Traffic Tunneling using QEMU",
"value": "eql/eql"
},
{
"name": "Curl SOCKS Proxy Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Tunneling and/or Port Forwarding Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Curl SOCKS Proxy Activity from Unusual Parent",
"value": "eql/eql"
},
{
"name": "IPv4/IPv6 Forwarding Activity",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Chisel Client",
"value": "eql/eql"
},
{
"name": "ProxyChains Activity",
"value": "eql/eql"
},
{
"name": "Linux SSH X11 Forwarding",
"value": "eql/eql"
},
{
"name": "Suspicious Utility Launched via ProxyChains",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
"value": "eql/eql"
},
{
"name": "Potential Linux Tunneling and/or Port Forwarding via Command Line",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via EarthWorm",
"value": "eql/eql"
},
{
"name": "DNS Tunneling",
"value": "machine_learning/None"
},
{
"name": "IPSEC NAT Traversal Port Activity",
"value": "query/kuery"
},
{
"name": "Potential DNS Tunneling via NsLookup",
"value": "eql/eql"
},
{
"name": "Port Forwarding Rule Addition",
"value": "eql/eql"
},
{
"name": "Potential Remote Desktop Tunneling Detected",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Cloudflared",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Yuze",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kubectl Network Configuration Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_kubectl_networking_modification.toml"
},
{
"label": "Potential Traffic Tunneling using QEMU",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_tunnel_qemu.toml"
},
{
"label": "Curl SOCKS Proxy Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml"
},
{
"label": "Tunneling and/or Port Forwarding Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml"
},
{
"label": "Curl SOCKS Proxy Activity from Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_curl_socks_proxy_detected.toml"
},
{
"label": "IPv4/IPv6 Forwarding Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_ip_forwarding_activity.toml"
},
{
"label": "Potential Protocol Tunneling via Chisel Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_chisel_client_activity.toml"
},
{
"label": "ProxyChains Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_proxychains_activity.toml"
},
{
"label": "Linux SSH X11 Forwarding",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml"
},
{
"label": "Suspicious Utility Launched via ProxyChains",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml"
},
{
"label": "Potential Linux Tunneling and/or Port Forwarding via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_potential_tunneling_command_line.toml"
},
{
"label": "Potential Protocol Tunneling via EarthWorm",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_tunneling_via_earthworm.toml"
},
{
"label": "DNS Tunneling",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml"
},
{
"label": "IPSEC NAT Traversal Port Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_nat_traversal_port_activity.toml"
},
{
"label": "Potential DNS Tunneling via NsLookup",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_tunneling_nslookup.toml"
},
{
"label": "Port Forwarding Rule Addition",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_port_forwarding_added_registry.toml"
},
{
"label": "Potential Remote Desktop Tunneling Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_rdp_tunnel_plink.toml"
},
{
"label": "Potential Protocol Tunneling via Cloudflared",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tunnel_cloudflared.toml"
},
{
"label": "Potential Protocol Tunneling via Yuze",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tunnel_yuze.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1571",
"tactic": "command-and-control",
"score": 7,
"metadata": [
{
"name": "Suricata and Elastic Defend Network Correlation",
"value": "eql/eql"
},
{
"name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"value": "machine_learning/None"
},
{
"name": "Uncommon Destination Port Connection by Web Server",
"value": "eql/eql"
},
{
"name": "Script Interpreter Connection to Non-Standard Port",
"value": "eql/eql"
},
{
"name": "Suspicious Outbound Network Connection via Unsigned Binary",
"value": "eql/eql"
},
{
"name": "Unusual Linux Network Port Activity",
"value": "machine_learning/None"
},
{
"name": "SMTP on Port 26/TCP",
"value": "query/kuery"
}
],
"links": [
{
"label": "Suricata and Elastic Defend Network Correlation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml"
},
{
"label": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml"
},
{
"label": "Uncommon Destination Port Connection by Web Server",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_sus_destination_port.toml"
},
{
"label": "Script Interpreter Connection to Non-Standard Port",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml"
},
{
"label": "Suspicious Outbound Network Connection via Unsigned Binary",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml"
},
{
"label": "Unusual Linux Network Port Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_linux_anomalous_network_port_activity.toml"
},
{
"label": "SMTP on Port 26/TCP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_port_26_activity.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1219",
"tactic": "command-and-control",
"score": 15,
"metadata": [
{
"name": "Potential Traffic Tunneling using QEMU",
"value": "eql/eql"
},
{
"name": "Remote GitHub Actions Runner Registration",
"value": "eql/eql"
},
{
"name": "VNC (Virtual Network Computing) from the Internet",
"value": "query/kuery"
},
{
"name": "VNC (Virtual Network Computing) to the Internet",
"value": "query/kuery"
},
{
"name": "First Time Seen DNS Query to RMM Domain",
"value": "esql/esql"
},
{
"name": "Multiple Remote Management Tool Vendors on Same Host",
"value": "esql/esql"
},
{
"name": "First Time Seen Remote Monitoring and Management Tool",
"value": "new_terms/kuery"
},
{
"name": "Newly Observed ScreenConnect Host Server",
"value": "esql/esql"
},
{
"name": "Potential REMCOS Trojan Execution",
"value": "eql/eql"
},
{
"name": "Remote Management Access Launch After MSI Install",
"value": "eql/eql"
},
{
"name": "NetSupport Manager Execution from an Unusual Path",
"value": "eql/eql"
},
{
"name": "Suspicious ScreenConnect Client Child Process",
"value": "eql/eql"
},
{
"name": "Remote File Copy via TeamViewer",
"value": "eql/eql"
},
{
"name": "Attempt to Establish VScode Remote Tunnel",
"value": "eql/eql"
},
{
"name": "Suspicious Shell Execution via Velociraptor",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Traffic Tunneling using QEMU",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_tunnel_qemu.toml"
},
{
"label": "Remote GitHub Actions Runner Registration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_register_github_actions_runner.toml"
},
{
"label": "VNC (Virtual Network Computing) from the Internet",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml"
},
{
"label": "VNC (Virtual Network Computing) to the Internet",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml"
},
{
"label": "First Time Seen DNS Query to RMM Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_rmm_domains_non_browser.toml"
},
{
"label": "Multiple Remote Management Tool Vendors on Same Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml"
},
{
"label": "First Time Seen Remote Monitoring and Management Tool",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml"
},
{
"label": "Newly Observed ScreenConnect Host Server",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_newly_observed_screenconnect_host_server.toml"
},
{
"label": "Potential REMCOS Trojan Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_remcos_rat_iocs.toml"
},
{
"label": "Remote Management Access Launch After MSI Install",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_rmm_after_msi_install.toml"
},
{
"label": "NetSupport Manager Execution from an Unusual Path",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_rmm_netsupport_susp_path.toml"
},
{
"label": "Suspicious ScreenConnect Client Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_screenconnect_childproc.toml"
},
{
"label": "Remote File Copy via TeamViewer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_teamviewer_remote_file_copy.toml"
},
{
"label": "Attempt to Establish VScode Remote Tunnel",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tunnel_vscode.toml"
},
{
"label": "Suspicious Shell Execution via Velociraptor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_velociraptor_shell_execution.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1095",
"tactic": "command-and-control",
"score": 18,
"metadata": [
{
"name": "Potential Reverse Shell Activity via Terminal",
"value": "eql/eql"
},
{
"name": "Suspicious React Server Child Process",
"value": "eql/eql"
},
{
"name": "Netcat File Transfer or Listener Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Web Server Exploitation Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Network Activity Detected via cat",
"value": "eql/eql"
},
{
"name": "File Transfer or Listener Established via Netcat",
"value": "eql/eql"
},
{
"name": "Netcat Listener Established via rlwrap",
"value": "eql/eql"
},
{
"name": "Network Connection via Recently Compiled Executable",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Background Process",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Child",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Suspicious Child Process",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via Suspicious Binary",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell",
"value": "eql/eql"
},
{
"name": "Potential Reverse Shell via UDP",
"value": "eql/eql"
},
{
"name": "Network Connection Initiated by Suspicious SSHD Child Process",
"value": "eql/eql"
},
{
"name": "IPSEC NAT Traversal Port Activity",
"value": "query/kuery"
},
{
"name": "Potential Command Shell via NetCat",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Reverse Shell Activity via Terminal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_revershell_via_shell_cmd.toml"
},
{
"label": "Suspicious React Server Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml"
},
{
"label": "Netcat File Transfer or Listener Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml"
},
{
"label": "Suspicious Interpreter Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml"
},
{
"label": "Web Server Exploitation Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml"
},
{
"label": "Network Activity Detected via cat",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_cat_network_activity.toml"
},
{
"label": "File Transfer or Listener Established via Netcat",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml"
},
{
"label": "Netcat Listener Established via rlwrap",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_nc_listener_via_rlwrap.toml"
},
{
"label": "Network Connection via Recently Compiled Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_network_event_post_compilation.toml"
},
{
"label": "Potential Reverse Shell via Background Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_background_process.toml"
},
{
"label": "Potential Reverse Shell via Child",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_child_tcp_utility_linux.toml"
},
{
"label": "Potential Reverse Shell via Suspicious Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml"
},
{
"label": "Potential Reverse Shell via Suspicious Binary",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_suspicious_binary.toml"
},
{
"label": "Potential Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml"
},
{
"label": "Potential Reverse Shell via UDP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_udp_cli_utility_linux.toml"
},
{
"label": "Network Connection Initiated by Suspicious SSHD Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_ssh_netcon.toml"
},
{
"label": "IPSEC NAT Traversal Port Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_nat_traversal_port_activity.toml"
},
{
"label": "Potential Command Shell via NetCat",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_revshell_cmd_via_netcat.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1568",
"tactic": "command-and-control",
"score": 10,
"metadata": [
{
"name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"value": "query/kuery"
},
{
"name": "Potential DGA Activity",
"value": "machine_learning/None"
},
{
"name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"value": "query/kuery"
},
{
"name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"value": "query/kuery"
},
{
"name": "Unusual DNS Activity",
"value": "machine_learning/None"
},
{
"name": "Cobalt Strike Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Possible FIN7 DGA Command and Control Behavior",
"value": "query/lucene"
},
{
"name": "Halfbaked Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml"
},
{
"label": "Potential DGA Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml"
},
{
"label": "Unusual DNS Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml"
},
{
"label": "Cobalt Strike Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_beacon.toml"
},
{
"label": "Possible FIN7 DGA Command and Control Behavior",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_fin7_c2_behavior.toml"
},
{
"label": "Halfbaked Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_halfbaked_beacon.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1568.002",
"tactic": "command-and-control",
"score": 9,
"metadata": [
{
"name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"value": "query/kuery"
},
{
"name": "Potential DGA Activity",
"value": "machine_learning/None"
},
{
"name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"value": "query/kuery"
},
{
"name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"value": "query/kuery"
},
{
"name": "Cobalt Strike Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Possible FIN7 DGA Command and Control Behavior",
"value": "query/lucene"
},
{
"name": "Halfbaked Command and Control Beacon",
"value": "query/lucene"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml"
},
{
"label": "Potential DGA Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml"
},
{
"label": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml"
},
{
"label": "Cobalt Strike Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_beacon.toml"
},
{
"label": "Possible FIN7 DGA Command and Control Behavior",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_fin7_c2_behavior.toml"
},
{
"label": "Halfbaked Command and Control Beacon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_halfbaked_beacon.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1090.002",
"tactic": "command-and-control",
"score": 4,
"metadata": [
{
"name": "Curl SOCKS Proxy Activity from Unusual Parent",
"value": "eql/eql"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "Potential Protocol Tunneling via Cloudflared",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Curl SOCKS Proxy Activity from Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_curl_socks_proxy_detected.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "Potential Protocol Tunneling via Cloudflared",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_tunnel_cloudflared.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1090.001",
"tactic": "command-and-control",
"score": 2,
"metadata": [
{
"name": "IPv4/IPv6 Forwarding Activity",
"value": "eql/eql"
},
{
"name": "Port Forwarding Rule Addition",
"value": "eql/eql"
}
],
"links": [
{
"label": "IPv4/IPv6 Forwarding Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_ip_forwarding_activity.toml"
},
{
"label": "Port Forwarding Rule Addition",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_port_forwarding_added_registry.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1090.003",
"tactic": "command-and-control",
"score": 2,
"metadata": [
{
"name": "ProxyChains Activity",
"value": "eql/eql"
},
{
"name": "Suspicious Utility Launched via ProxyChains",
"value": "eql/eql"
}
],
"links": [
{
"label": "ProxyChains Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_proxychains_activity.toml"
},
{
"label": "Suspicious Utility Launched via ProxyChains",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1132",
"tactic": "command-and-control",
"score": 2,
"metadata": [
{
"name": "Base16 or Base32 Encoding/Decoding Activity",
"value": "eql/eql"
},
{
"name": "File Compressed or Archived into Common Format by Unsigned Process",
"value": "eql/eql"
}
],
"links": [
{
"label": "Base16 or Base32 Encoding/Decoding Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml"
},
{
"label": "File Compressed or Archived into Common Format by Unsigned Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_common_compressed_archived_file.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1132.001",
"tactic": "command-and-control",
"score": 2,
"metadata": [
{
"name": "Base16 or Base32 Encoding/Decoding Activity",
"value": "eql/eql"
},
{
"name": "File Compressed or Archived into Common Format by Unsigned Process",
"value": "eql/eql"
}
],
"links": [
{
"label": "Base16 or Base32 Encoding/Decoding Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml"
},
{
"label": "File Compressed or Archived into Common Format by Unsigned Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_common_compressed_archived_file.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1573",
"tactic": "command-and-control",
"score": 4,
"metadata": [
{
"name": "Openssl Client or Server Activity",
"value": "eql/eql"
},
{
"name": "Default Cobalt Strike Team Server Certificate",
"value": "query/kuery"
},
{
"name": "IPSEC NAT Traversal Port Activity",
"value": "query/kuery"
},
{
"name": "Connection to Commonly Abused Free SSL Certificate Providers",
"value": "eql/eql"
}
],
"links": [
{
"label": "Openssl Client or Server Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_openssl_client_or_server.toml"
},
{
"label": "Default Cobalt Strike Team Server Certificate",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml"
},
{
"label": "IPSEC NAT Traversal Port Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_nat_traversal_port_activity.toml"
},
{
"label": "Connection to Commonly Abused Free SSL Certificate Providers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_encrypted_channel_freesslcert.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1573.002",
"tactic": "command-and-control",
"score": 1,
"metadata": [
{
"name": "Openssl Client or Server Activity",
"value": "eql/eql"
}
],
"links": [
{
"label": "Openssl Client or Server Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_openssl_client_or_server.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1102.001",
"tactic": "command-and-control",
"score": 4,
"metadata": [
{
"name": "Google Calendar C2 via Script Interpreter",
"value": "eql/eql"
},
{
"name": "Potential Etherhiding C2 via Blockchain Connection",
"value": "eql/eql"
},
{
"name": "Connection to Commonly Abused Web Services",
"value": "eql/eql"
},
{
"name": "DNS to Commonly Abused Web Services",
"value": "eql/eql"
}
],
"links": [
{
"label": "Google Calendar C2 via Script Interpreter",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_google_calendar_c2_via_script.toml"
},
{
"label": "Potential Etherhiding C2 via Blockchain Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_potential_etherhiding_c2.toml"
},
{
"label": "Connection to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_common_webservices.toml"
},
{
"label": "DNS to Commonly Abused Web Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/command_and_control_dns_to_commonly_abused_webservices.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1071.003",
"tactic": "command-and-control",
"score": 1,
"metadata": [
{
"name": "SMTP on Port 26/TCP",
"value": "query/kuery"
}
],
"links": [
{
"label": "SMTP on Port 26/TCP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_port_26_activity.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1219.002",
"tactic": "command-and-control",
"score": 6,
"metadata": [
{
"name": "First Time Seen DNS Query to RMM Domain",
"value": "esql/esql"
},
{
"name": "Multiple Remote Management Tool Vendors on Same Host",
"value": "esql/esql"
},
{
"name": "First Time Seen Remote Monitoring and Management Tool",
"value": "new_terms/kuery"
},
{
"name": "Newly Observed ScreenConnect Host Server",
"value": "esql/esql"
},
{
"name": "Remote Management Access Launch After MSI Install",
"value": "eql/eql"
},
{
"name": "Suspicious Shell Execution via Velociraptor",
"value": "eql/eql"
}
],
"links": [
{
"label": "First Time Seen DNS Query to RMM Domain",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_rmm_domains_non_browser.toml"
},
{
"label": "Multiple Remote Management Tool Vendors on Same Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml"
},
{
"label": "First Time Seen Remote Monitoring and Management Tool",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml"
},
{
"label": "Newly Observed ScreenConnect Host Server",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_newly_observed_screenconnect_host_server.toml"
},
{
"label": "Remote Management Access Launch After MSI Install",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_rmm_after_msi_install.toml"
},
{
"label": "Suspicious Shell Execution via Velociraptor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_velociraptor_shell_execution.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1046",
"tactic": "discovery",
"score": 19,
"metadata": [
{
"name": "Suricata and Elastic Defend Network Correlation",
"value": "eql/eql"
},
{
"name": "DNS Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Network Tool Launch Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potentially Suspicious Process Started via tmux or screen",
"value": "eql/eql"
},
{
"name": "Hping Process Activity",
"value": "eql/eql"
},
{
"name": "Nping Process Activity",
"value": "eql/eql"
},
{
"name": "Potential Network Scan Executed From Host",
"value": "threshold/kuery"
},
{
"name": "Potential Port Scanning Activity from Compromised Host",
"value": "esql/esql"
},
{
"name": "Potential Subnet Scanning Activity from Compromised Host",
"value": "esql/esql"
},
{
"name": "Suspicious Network Tool Launched Inside A Container",
"value": "eql/eql"
},
{
"name": "Potential Linux Hack Tool Launched",
"value": "eql/eql"
},
{
"name": "Spike in host-based traffic",
"value": "machine_learning/None"
},
{
"name": "Spike in Firewall Denies",
"value": "machine_learning/None"
},
{
"name": "Spike in Network Traffic",
"value": "machine_learning/None"
},
{
"name": "Spike in Network Traffic To a Country",
"value": "machine_learning/None"
},
{
"name": "Potential Network Sweep Detected",
"value": "threshold/kuery"
},
{
"name": "Potential Network Scan Detected",
"value": "esql/esql"
},
{
"name": "Potential SYN-Based Port Scan Detected",
"value": "threshold/kuery"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
}
],
"links": [
{
"label": "Suricata and Elastic Defend Network Correlation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml"
},
{
"label": "DNS Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_dns_enumeration.toml"
},
{
"label": "Suspicious Network Tool Launch Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml"
},
{
"label": "Potentially Suspicious Process Started via tmux or screen",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml"
},
{
"label": "Hping Process Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_linux_hping_activity.toml"
},
{
"label": "Nping Process Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_linux_nping_activity.toml"
},
{
"label": "Potential Network Scan Executed From Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_ping_sweep_detected.toml"
},
{
"label": "Potential Port Scanning Activity from Compromised Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml"
},
{
"label": "Potential Subnet Scanning Activity from Compromised Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml"
},
{
"label": "Suspicious Network Tool Launched Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml"
},
{
"label": "Potential Linux Hack Tool Launched",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_potential_hack_tool_executed.toml"
},
{
"label": "Spike in host-based traffic",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_high_count_events_for_a_host_name.toml"
},
{
"label": "Spike in Firewall Denies",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_high_count_network_denies.toml"
},
{
"label": "Spike in Network Traffic",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_high_count_network_events.toml"
},
{
"label": "Spike in Network Traffic To a Country",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_spike_in_traffic_to_a_country.toml"
},
{
"label": "Potential Network Sweep Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/discovery_potential_network_sweep_detected.toml"
},
{
"label": "Potential Network Scan Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/discovery_potential_port_scan_detected.toml"
},
{
"label": "Potential SYN-Based Port Scan Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/discovery_potential_syn_port_scan_detected.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1083",
"tactic": "discovery",
"score": 25,
"metadata": [
{
"name": "Potential Credential Discovery via Recursive Grep",
"value": "esql/esql"
},
{
"name": "Web Server Local File Inclusion Activity",
"value": "esql/esql"
},
{
"name": "Web Server Potential Remote File Inclusion Activity",
"value": "esql/esql"
},
{
"name": "Cloud Credential Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubelet Pod Discovery Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "AWS Credentials Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Suspicious Dynamic Linker Discovery via od",
"value": "eql/eql"
},
{
"name": "ESXI Discovery via Find",
"value": "eql/eql"
},
{
"name": "ESXI Discovery via Grep",
"value": "eql/eql"
},
{
"name": "Kernel Instrumentation Discovery via kprobes and tracefs",
"value": "eql/eql"
},
{
"name": "Kubeconfig File Discovery",
"value": "eql/eql"
},
{
"name": "Private Key Searching Activity",
"value": "eql/eql"
},
{
"name": "Process Capability Enumeration",
"value": "eql/eql"
},
{
"name": "Security File Access via Common Utilities",
"value": "eql/eql"
},
{
"name": "SUID/SGUID Enumeration Detected",
"value": "eql/eql"
},
{
"name": "Suspicious Memory grep Activity",
"value": "eql/eql"
},
{
"name": "Suspicious which Enumeration",
"value": "eql/eql"
},
{
"name": "Yum/DNF Plugin Status Discovery",
"value": "eql/eql"
},
{
"name": "Suspicious System Commands Executed by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Full Disk Access Permission Check",
"value": "eql/eql"
},
{
"name": "System Information Discovery via Windows Command Shell",
"value": "eql/eql"
},
{
"name": "Suspicious Modprobe File Event",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Potential Credential Discovery via Recursive Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml"
},
{
"label": "Web Server Local File Inclusion Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml"
},
{
"label": "Web Server Potential Remote File Inclusion Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml"
},
{
"label": "Cloud Credential Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml"
},
{
"label": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml"
},
{
"label": "Kubelet Pod Discovery Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml"
},
{
"label": "AWS Credentials Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_aws_creds_search_inside_container.toml"
},
{
"label": "Sensitive Keys Or Passwords Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml"
},
{
"label": "Suspicious Dynamic Linker Discovery via od",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_dynamic_linker_via_od.toml"
},
{
"label": "ESXI Discovery via Find",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_esxi_software_via_find.toml"
},
{
"label": "ESXI Discovery via Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_esxi_software_via_grep.toml"
},
{
"label": "Kernel Instrumentation Discovery via kprobes and tracefs",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml"
},
{
"label": "Kubeconfig File Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kubeconfig_file_discovery.toml"
},
{
"label": "Private Key Searching Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_private_key_password_searching_activity.toml"
},
{
"label": "Process Capability Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_process_capabilities.toml"
},
{
"label": "Security File Access via Common Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_security_file_access_via_common_utility.toml"
},
{
"label": "SUID/SGUID Enumeration Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suid_sguid_enumeration.toml"
},
{
"label": "Suspicious Memory grep Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_memory_grep_activity.toml"
},
{
"label": "Suspicious which Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_which_command_execution.toml"
},
{
"label": "Yum/DNF Plugin Status Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_yum_dnf_plugin_detection.toml"
},
{
"label": "Suspicious System Commands Executed by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_executable_running_system_commands.toml"
},
{
"label": "Full Disk Access Permission Check",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_full_disk_access_check.toml"
},
{
"label": "System Information Discovery via Windows Command Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_files_dir_systeminfo_via_cmd.toml"
},
{
"label": "Suspicious Modprobe File Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_linux_modprobe_enumeration.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1613",
"tactic": "discovery",
"score": 38,
"metadata": [
{
"name": "Potential Kubectl Masquerading via Unexpected Process",
"value": "eql/eql"
},
{
"name": "Kubectl Permission Discovery",
"value": "eql/eql"
},
{
"name": "Kubectl Secrets Enumeration Across All Namespaces",
"value": "eql/eql"
},
{
"name": "Direct Interactive Kubernetes API Request by Common Utilities",
"value": "eql/eql"
},
{
"name": "Forbidden Direct Interactive Kubernetes API Request",
"value": "eql/eql"
},
{
"name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"value": "eql/eql"
},
{
"name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"value": "eql/eql"
},
{
"name": "Kubernetes Direct API Request via Curl or Wget",
"value": "eql/eql"
},
{
"name": "DNS Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Environment Variable Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubelet Certificate File Access Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubelet Pod Discovery Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Cluster Enumeration via jq Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Service Account Namespace Read Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Tool Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Container Management Utility Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Kubeletctl Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"value": "query/kuery"
},
{
"name": "Kubernetes Denied Service Account Request via Unusual User Agent",
"value": "new_terms/kuery"
},
{
"name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
"value": "esql/esql"
},
{
"name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
"value": "esql/esql"
},
{
"name": "Kubernetes Multi-Resource Discovery",
"value": "esql/esql"
},
{
"name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"value": "new_terms/kuery"
},
{
"name": "Kubernetes Forbidden Request from Unusual User Agent",
"value": "new_terms/kuery"
},
{
"name": "GitHub Authentication Token Access via Node.js",
"value": "eql/eql"
},
{
"name": "Kubernetes Service Account Secret Access",
"value": "eql/eql"
},
{
"name": "Docker Socket Enumeration",
"value": "eql/eql"
},
{
"name": "Kubeconfig File Discovery",
"value": "eql/eql"
},
{
"name": "Potential Kubeletctl Execution",
"value": "eql/eql"
},
{
"name": "Unusual Process Connection to Docker or Containerd Socket",
"value": "query/kuery"
},
{
"name": "Container Management Utility Run Inside A Container",
"value": "eql/eql"
},
{
"name": "Potential Direct Kubelet Access via Process Arguments",
"value": "eql/eql"
},
{
"name": "Kubelet API Connection Attempt to Internal IP",
"value": "eql/eql"
},
{
"name": "Kubectl Configuration Discovery",
"value": "eql/eql"
},
{
"name": "Kubectl Workload and Cluster Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Kubectl Masquerading via Unexpected Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_potential_kubectl_masquerading.toml"
},
{
"label": "Kubectl Permission Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_kubectl_permission_discovery.toml"
},
{
"label": "Kubectl Secrets Enumeration Across All Namespaces",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_kubectl_secrets_all_namespaces.toml"
},
{
"label": "Direct Interactive Kubernetes API Request by Common Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml"
},
{
"label": "Forbidden Direct Interactive Kubernetes API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml"
},
{
"label": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml"
},
{
"label": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml"
},
{
"label": "Kubernetes Direct API Request via Curl or Wget",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml"
},
{
"label": "DNS Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_dns_enumeration.toml"
},
{
"label": "Environment Variable Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_environment_enumeration.toml"
},
{
"label": "Kubelet Certificate File Access Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml"
},
{
"label": "Kubelet Pod Discovery Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml"
},
{
"label": "Potential Cluster Enumeration via jq Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_potential_cluster_enumeration_via_jq.toml"
},
{
"label": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml"
},
{
"label": "Service Account Namespace Read Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml"
},
{
"label": "Tool Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_tool_enumeration.toml"
},
{
"label": "Container Management Utility Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml"
},
{
"label": "Direct Interactive Kubernetes API Request Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml"
},
{
"label": "Potential Kubeletctl Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml"
},
{
"label": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml"
},
{
"label": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml"
},
{
"label": "Kubernetes Denied Service Account Request via Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_denied_service_account_request.toml"
},
{
"label": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml"
},
{
"label": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_user_and_srcip.toml"
},
{
"label": "Kubernetes Multi-Resource Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_kubernetes_multi_resource_setup_recon.toml"
},
{
"label": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml"
},
{
"label": "Kubernetes Forbidden Request from Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml"
},
{
"label": "GitHub Authentication Token Access via Node.js",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gh_auth_via_nodejs.toml"
},
{
"label": "Kubernetes Service Account Secret Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_service_account_secret_access.toml"
},
{
"label": "Docker Socket Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_docker_socket_discovery.toml"
},
{
"label": "Kubeconfig File Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kubeconfig_file_discovery.toml"
},
{
"label": "Potential Kubeletctl Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_potential_kubeletctl_execution.toml"
},
{
"label": "Unusual Process Connection to Docker or Containerd Socket",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_unusual_process_connection_to_container_runtime_socket.toml"
},
{
"label": "Container Management Utility Run Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_container_management_binary_launched_inside_container.toml"
},
{
"label": "Potential Direct Kubelet Access via Process Arguments",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml"
},
{
"label": "Kubelet API Connection Attempt to Internal IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_kubelet_api_connection_attempt_internal_ip.toml"
},
{
"label": "Kubectl Configuration Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_kubectl_configuration_discovery.toml"
},
{
"label": "Kubectl Workload and Cluster Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_kubectl_workload_and_cluster_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1069",
"tactic": "discovery",
"score": 26,
"metadata": [
{
"name": "Kubectl Permission Discovery",
"value": "eql/eql"
},
{
"name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"value": "eql/eql"
},
{
"name": "Kubernetes Direct API Request via Curl or Wget",
"value": "eql/eql"
},
{
"name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"value": "threshold/kuery"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"value": "new_terms/kuery"
},
{
"name": "Unusual Group Name Accessed by a User",
"value": "machine_learning/None"
},
{
"name": "Sudo Command Enumeration Detected",
"value": "eql/eql"
},
{
"name": "Unusual User Privilege Enumeration via id",
"value": "eql/eql"
},
{
"name": "Enumeration of Users or Groups via Built-in Commands",
"value": "eql/eql"
},
{
"name": "Potential Enumeration via Active Directory Web Service",
"value": "eql/eql"
},
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "Enumeration of Administrator Accounts",
"value": "eql/eql"
},
{
"name": "Suspicious Access to LDAP Attributes",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Enumeration of Privileged Local Groups Membership",
"value": "new_terms/kuery"
},
{
"name": "Whoami Process Activity",
"value": "eql/eql"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Kubectl Workload and Cluster Discovery",
"value": "eql/eql"
},
{
"name": "System Owner/User Discovery Linux",
"value": "new_terms/kuery"
},
{
"name": "Account or Group Discovery via Built-In Tools",
"value": "new_terms/kuery"
},
{
"name": "Discovery of Domain Groups",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Remote System Discovery Commands",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kubectl Permission Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_kubectl_permission_discovery.toml"
},
{
"label": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml"
},
{
"label": "Kubernetes Direct API Request via Curl or Wget",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml"
},
{
"label": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml"
},
{
"label": "Unusual Group Name Accessed by a User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml"
},
{
"label": "Sudo Command Enumeration Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_sudo_allowed_command_enumeration.toml"
},
{
"label": "Unusual User Privilege Enumeration via id",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_unusual_user_enumeration_via_id.toml"
},
{
"label": "Enumeration of Users or Groups via Built-in Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml"
},
{
"label": "Potential Enumeration via Active Directory Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_active_directory_webservice.toml"
},
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "Enumeration of Administrator Accounts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml"
},
{
"label": "Suspicious Access to LDAP Attributes",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_high_number_ad_properties.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Enumeration of Privileged Local Groups Membership",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_privileged_localgroup_membership.toml"
},
{
"label": "Whoami Process Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_whoami_command_activity.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Kubectl Workload and Cluster Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_kubectl_workload_and_cluster_discovery.toml"
},
{
"label": "System Owner/User Discovery Linux",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_linux_system_owner_user_discovery.toml"
},
{
"label": "Account or Group Discovery via Built-In Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_accounts_or_groups_via_builtin_tools.toml"
},
{
"label": "Discovery of Domain Groups",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_domain_groups.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Remote System Discovery Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_remote_system_discovery_commands_windows.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1518",
"tactic": "discovery",
"score": 15,
"metadata": [
{
"name": "Security Software Discovery via Grep",
"value": "eql/eql"
},
{
"name": "AWS SSM Inventory Reconnaissance by Rare User",
"value": "new_terms/kuery"
},
{
"name": "Tool Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "ESXI Discovery via Find",
"value": "eql/eql"
},
{
"name": "ESXI Discovery via Grep",
"value": "eql/eql"
},
{
"name": "Unusual Kernel Module Enumeration",
"value": "new_terms/kuery"
},
{
"name": "Pluggable Authentication Module (PAM) Version Discovery",
"value": "eql/eql"
},
{
"name": "Polkit Version Discovery",
"value": "eql/eql"
},
{
"name": "Suspicious which Enumeration",
"value": "eql/eql"
},
{
"name": "Yum/DNF Plugin Status Discovery",
"value": "eql/eql"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Enumeration of Kernel Modules via Proc",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Process Discovery via Built-In Applications",
"value": "new_terms/kuery"
},
{
"name": "Security Software Discovery using WMIC",
"value": "eql/eql"
}
],
"links": [
{
"label": "Security Software Discovery via Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_security_software_grep.toml"
},
{
"label": "AWS SSM Inventory Reconnaissance by Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml"
},
{
"label": "Tool Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_tool_enumeration.toml"
},
{
"label": "ESXI Discovery via Find",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_esxi_software_via_find.toml"
},
{
"label": "ESXI Discovery via Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_esxi_software_via_grep.toml"
},
{
"label": "Unusual Kernel Module Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_module_enumeration.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Version Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_pam_version_discovery.toml"
},
{
"label": "Polkit Version Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_polkit_version_discovery.toml"
},
{
"label": "Suspicious which Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_which_command_execution.toml"
},
{
"label": "Yum/DNF Plugin Status Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_yum_dnf_plugin_detection.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Enumeration of Kernel Modules via Proc",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_kernel_module_enumeration_via_proc.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Process Discovery via Built-In Applications",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_process_discovery_via_builtin_tools.toml"
},
{
"label": "Security Software Discovery using WMIC",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_security_software_wmic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1518.001",
"tactic": "discovery",
"score": 4,
"metadata": [
{
"name": "Security Software Discovery via Grep",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Process Discovery via Built-In Applications",
"value": "new_terms/kuery"
},
{
"name": "Security Software Discovery using WMIC",
"value": "eql/eql"
}
],
"links": [
{
"label": "Security Software Discovery via Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_security_software_grep.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Process Discovery via Built-In Applications",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_process_discovery_via_builtin_tools.toml"
},
{
"label": "Security Software Discovery using WMIC",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_security_software_wmic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1082",
"tactic": "discovery",
"score": 44,
"metadata": [
{
"name": "Virtual Machine Fingerprinting via Grep",
"value": "eql/eql"
},
{
"name": "Suspicious React Server Child Process",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Environment Variable Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Service Account Namespace Read Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Unusual Instance Metadata Service (IMDS) API Request",
"value": "eql/eql"
},
{
"name": "Suspicious Kernel Feature Activity",
"value": "eql/eql"
},
{
"name": "System Information Discovery via dmidecode from Parent Shell",
"value": "eql/eql"
},
{
"name": "Kernel Instrumentation Discovery via kprobes and tracefs",
"value": "eql/eql"
},
{
"name": "Unusual Kernel Module Enumeration",
"value": "new_terms/kuery"
},
{
"name": "Kernel Seeking Activity",
"value": "eql/eql"
},
{
"name": "Kernel Unpacking Activity",
"value": "eql/eql"
},
{
"name": "Hping Process Activity",
"value": "eql/eql"
},
{
"name": "Manual Mount Discovery via /etc/exports or /etc/fstab",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Version Discovery",
"value": "eql/eql"
},
{
"name": "Polkit Version Discovery",
"value": "eql/eql"
},
{
"name": "Suspicious which Enumeration",
"value": "eql/eql"
},
{
"name": "Virtual Machine Fingerprinting",
"value": "eql/eql"
},
{
"name": "Yum/DNF Plugin Status Discovery",
"value": "eql/eql"
},
{
"name": "Potential Linux Hack Tool Launched",
"value": "eql/eql"
},
{
"name": "Potential Meterpreter Reverse Shell",
"value": "eql/eql"
},
{
"name": "Suspicious System Commands Executed by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Discovery Command Output Written to Suspicious File",
"value": "eql/eql"
},
{
"name": "Suspicious SIP Check by macOS Application",
"value": "eql/eql"
},
{
"name": "System and Network Configuration Check",
"value": "eql/eql"
},
{
"name": "Unusual Linux System Information Discovery Activity",
"value": "machine_learning/None"
},
{
"name": "Wireless Credential Dumping using Netsh Command",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Suspicious PDF Reader Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious MS Office Child Process",
"value": "eql/eql"
},
{
"name": "System Information Discovery via Windows Command Shell",
"value": "eql/eql"
},
{
"name": "Linux System Information Discovery via Getconf",
"value": "new_terms/kuery"
},
{
"name": "Enumeration of Kernel Modules via Proc",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Modprobe File Event",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Sysctl File Event",
"value": "new_terms/kuery"
},
{
"name": "Linux System Information Discovery",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Suspicious Proc Pseudo File System Enumeration",
"value": "threshold/kuery"
},
{
"name": "Windows System Network Connections Discovery",
"value": "eql/eql"
},
{
"name": "Windows System Information Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "Virtual Machine Fingerprinting via Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml"
},
{
"label": "Suspicious React Server Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Environment Variable Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_environment_enumeration.toml"
},
{
"label": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml"
},
{
"label": "Service Account Namespace Read Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml"
},
{
"label": "Unusual Instance Metadata Service (IMDS) API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml"
},
{
"label": "Suspicious Kernel Feature Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml"
},
{
"label": "System Information Discovery via dmidecode from Parent Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_dmidecode_system_discovery.toml"
},
{
"label": "Kernel Instrumentation Discovery via kprobes and tracefs",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml"
},
{
"label": "Unusual Kernel Module Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_module_enumeration.toml"
},
{
"label": "Kernel Seeking Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_seeking.toml"
},
{
"label": "Kernel Unpacking Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_unpacking.toml"
},
{
"label": "Hping Process Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_linux_hping_activity.toml"
},
{
"label": "Manual Mount Discovery via /etc/exports or /etc/fstab",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Version Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_pam_version_discovery.toml"
},
{
"label": "Polkit Version Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_polkit_version_discovery.toml"
},
{
"label": "Suspicious which Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_which_command_execution.toml"
},
{
"label": "Virtual Machine Fingerprinting",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_virtual_machine_fingerprinting.toml"
},
{
"label": "Yum/DNF Plugin Status Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_yum_dnf_plugin_detection.toml"
},
{
"label": "Potential Linux Hack Tool Launched",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_potential_hack_tool_executed.toml"
},
{
"label": "Potential Meterpreter Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_meterpreter_linux.toml"
},
{
"label": "Suspicious System Commands Executed by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_executable_running_system_commands.toml"
},
{
"label": "Discovery Command Output Written to Suspicious File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_discovery_output_written_to_suspicious_file.toml"
},
{
"label": "Suspicious SIP Check by macOS Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_suspicious_sip_check.toml"
},
{
"label": "System and Network Configuration Check",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_system_and_network_configuration_check.toml"
},
{
"label": "Unusual Linux System Information Discovery Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/discovery_ml_linux_system_information_discovery.toml"
},
{
"label": "Wireless Credential Dumping using Netsh Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wireless_creds_dumping.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Suspicious PDF Reader Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_suspicious_pdf_reader.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Suspicious MS Office Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_suspicious_ms_office_child_process.toml"
},
{
"label": "System Information Discovery via Windows Command Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_files_dir_systeminfo_via_cmd.toml"
},
{
"label": "Linux System Information Discovery via Getconf",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_getconf_execution.toml"
},
{
"label": "Enumeration of Kernel Modules via Proc",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_kernel_module_enumeration_via_proc.toml"
},
{
"label": "Suspicious Modprobe File Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_linux_modprobe_enumeration.toml"
},
{
"label": "Suspicious Sysctl File Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_linux_sysctl_enumeration.toml"
},
{
"label": "Linux System Information Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_linux_system_information_discovery.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Suspicious Proc Pseudo File System Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_suspicious_proc_enumeration.toml"
},
{
"label": "Windows System Network Connections Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_win_network_connections.toml"
},
{
"label": "Windows System Information Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_windows_system_information_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1087",
"tactic": "discovery",
"score": 26,
"metadata": [
{
"name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"value": "eql/eql"
},
{
"name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"value": "threshold/kuery"
},
{
"name": "AWS Discovery API Calls via CLI from a Single Resource",
"value": "esql/esql"
},
{
"name": "AWS STS GetCallerIdentity API Called for the First Time",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization",
"value": "new_terms/kuery"
},
{
"name": "AWS Account Discovery By Rare User",
"value": "new_terms/kuery"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Unusual User Privilege Enumeration via id",
"value": "eql/eql"
},
{
"name": "Potential Meterpreter Reverse Shell",
"value": "eql/eql"
},
{
"name": "Enumeration of Users or Groups via Built-in Commands",
"value": "eql/eql"
},
{
"name": "Potential Enumeration via Active Directory Web Service",
"value": "eql/eql"
},
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "Enumeration of Administrator Accounts",
"value": "eql/eql"
},
{
"name": "Account Discovery Command via SYSTEM Account",
"value": "eql/eql"
},
{
"name": "Suspicious Access to LDAP Attributes",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Mounting Hidden or WebDav Remote Shares",
"value": "eql/eql"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Account or Group Discovery via Built-In Tools",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Windows System Network Connections Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml"
},
{
"label": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml"
},
{
"label": "AWS Discovery API Calls via CLI from a Single Resource",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml"
},
{
"label": "AWS STS GetCallerIdentity API Called for the First Time",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml"
},
{
"label": "AWS EC2 Role GetCallerIdentity from New Source AS Organization",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml"
},
{
"label": "AWS Account Discovery By Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Unusual User Privilege Enumeration via id",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_unusual_user_enumeration_via_id.toml"
},
{
"label": "Potential Meterpreter Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_meterpreter_linux.toml"
},
{
"label": "Enumeration of Users or Groups via Built-in Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml"
},
{
"label": "Potential Enumeration via Active Directory Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_active_directory_webservice.toml"
},
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "Enumeration of Administrator Accounts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml"
},
{
"label": "Account Discovery Command via SYSTEM Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_command_system_account.toml"
},
{
"label": "Suspicious Access to LDAP Attributes",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_high_number_ad_properties.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Mounting Hidden or WebDav Remote Shares",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Account or Group Discovery via Built-In Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_accounts_or_groups_via_builtin_tools.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Windows System Network Connections Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_win_network_connections.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1033",
"tactic": "discovery",
"score": 18,
"metadata": [
{
"name": "Suspicious React Server Child Process",
"value": "eql/eql"
},
{
"name": "AWS STS GetCallerIdentity API Called for the First Time",
"value": "new_terms/kuery"
},
{
"name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potentially Suspicious Process Started via tmux or screen",
"value": "eql/eql"
},
{
"name": "Sudo Command Enumeration Detected",
"value": "eql/eql"
},
{
"name": "Unusual User Privilege Enumeration via id",
"value": "eql/eql"
},
{
"name": "Suspicious System Commands Executed by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Discovery Command Output Written to Suspicious File",
"value": "eql/eql"
},
{
"name": "Unusual Linux User Discovery Activity",
"value": "machine_learning/None"
},
{
"name": "Account Discovery Command via SYSTEM Account",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Whoami Process Activity",
"value": "eql/eql"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Suspicious PDF Reader Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious MS Office Child Process",
"value": "eql/eql"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "System Owner/User Discovery Linux",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Suspicious React Server Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml"
},
{
"label": "AWS STS GetCallerIdentity API Called for the First Time",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml"
},
{
"label": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml"
},
{
"label": "Potentially Suspicious Process Started via tmux or screen",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml"
},
{
"label": "Sudo Command Enumeration Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_sudo_allowed_command_enumeration.toml"
},
{
"label": "Unusual User Privilege Enumeration via id",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_unusual_user_enumeration_via_id.toml"
},
{
"label": "Suspicious System Commands Executed by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_executable_running_system_commands.toml"
},
{
"label": "Discovery Command Output Written to Suspicious File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_discovery_output_written_to_suspicious_file.toml"
},
{
"label": "Unusual Linux User Discovery Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/discovery_ml_linux_system_user_discovery.toml"
},
{
"label": "Account Discovery Command via SYSTEM Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_command_system_account.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Whoami Process Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_whoami_command_activity.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Suspicious PDF Reader Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_suspicious_pdf_reader.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Suspicious MS Office Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_suspicious_ms_office_child_process.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "System Owner/User Discovery Linux",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_linux_system_owner_user_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1619",
"tactic": "discovery",
"score": 5,
"metadata": [
{
"name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"value": "new_terms/kuery"
},
{
"name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"value": "esql/esql"
},
{
"name": "AWS S3 Bucket Enumeration or Brute Force",
"value": "threshold/kuery"
},
{
"name": "Azure Blob Storage Container Access Level Modified",
"value": "query/kuery"
},
{
"name": "M365 SharePoint Search for Sensitive Content",
"value": "eql/eql"
}
],
"links": [
{
"label": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml"
},
{
"label": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml"
},
{
"label": "AWS S3 Bucket Enumeration or Brute Force",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml"
},
{
"label": "Azure Blob Storage Container Access Level Modified",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml"
},
{
"label": "M365 SharePoint Search for Sensitive Content",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1580",
"tactic": "discovery",
"score": 20,
"metadata": [
{
"name": "AWS EC2 Deprecated AMI Discovery",
"value": "query/kuery"
},
{
"name": "AWS EC2 User Data Retrieval for EC2 Instance",
"value": "new_terms/kuery"
},
{
"name": "AWS Discovery API Calls via CLI from a Single Resource",
"value": "esql/esql"
},
{
"name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity",
"value": "new_terms/kuery"
},
{
"name": "AWS Account Discovery By Rare User",
"value": "new_terms/kuery"
},
{
"name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"value": "esql/esql"
},
{
"name": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"value": "esql/esql"
},
{
"name": "AWS SSM Inventory Reconnaissance by Rare User",
"value": "new_terms/kuery"
},
{
"name": "AWS S3 Bucket Enumeration or Brute Force",
"value": "threshold/kuery"
},
{
"name": "Spike in AWS Error Messages",
"value": "machine_learning/None"
},
{
"name": "Rare AWS Error Code",
"value": "machine_learning/None"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Spike in Azure Activity Logs Failed Messages",
"value": "machine_learning/None"
},
{
"name": "Rare Azure Activity Logs Event Failures",
"value": "machine_learning/None"
},
{
"name": "Spike in GCP Audit Failed Messages",
"value": "machine_learning/None"
},
{
"name": "Rare GCP Audit Failure Event Code",
"value": "machine_learning/None"
},
{
"name": "Unusual Instance Metadata Service (IMDS) API Request",
"value": "eql/eql"
},
{
"name": "Unusual Windows Process Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"value": "esql/esql"
}
],
"links": [
{
"label": "AWS EC2 Deprecated AMI Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml"
},
{
"label": "AWS EC2 User Data Retrieval for EC2 Instance",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml"
},
{
"label": "AWS Discovery API Calls via CLI from a Single Resource",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml"
},
{
"label": "AWS Discovery API Calls from VPN ASN for the First Time by Identity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_vpn_asn_discovery_api_calls.toml"
},
{
"label": "AWS Account Discovery By Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml"
},
{
"label": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml"
},
{
"label": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml"
},
{
"label": "AWS SSM Inventory Reconnaissance by Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml"
},
{
"label": "AWS S3 Bucket Enumeration or Brute Force",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml"
},
{
"label": "Spike in AWS Error Messages",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml"
},
{
"label": "Rare AWS Error Code",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Spike in Azure Activity Logs Failed Messages",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/ml_azure_event_failures.toml"
},
{
"label": "Rare Azure Activity Logs Event Failures",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/ml_azure_rare_event_failures.toml"
},
{
"label": "Spike in GCP Audit Failed Messages",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/ml_gcp_error_message_spike.toml"
},
{
"label": "Rare GCP Audit Failure Event Code",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/ml_gcp_rare_error_code.toml"
},
{
"label": "Unusual Instance Metadata Service (IMDS) API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml"
},
{
"label": "Unusual Windows Process Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml"
},
{
"label": "AWS EC2 Multi-Region DescribeInstances API Calls",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_ec2_multi_region_describe_instances.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1069.003",
"tactic": "discovery",
"score": 4,
"metadata": [
{
"name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"value": "threshold/kuery"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1087.004",
"tactic": "discovery",
"score": 7,
"metadata": [
{
"name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"value": "threshold/kuery"
},
{
"name": "AWS Discovery API Calls via CLI from a Single Resource",
"value": "esql/esql"
},
{
"name": "AWS STS GetCallerIdentity API Called for the First Time",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization",
"value": "new_terms/kuery"
},
{
"name": "AWS Account Discovery By Rare User",
"value": "new_terms/kuery"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
}
],
"links": [
{
"label": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml"
},
{
"label": "AWS Discovery API Calls via CLI from a Single Resource",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml"
},
{
"label": "AWS STS GetCallerIdentity API Called for the First Time",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml"
},
{
"label": "AWS EC2 Role GetCallerIdentity from New Source AS Organization",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml"
},
{
"label": "AWS Account Discovery By Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1526",
"tactic": "discovery",
"score": 13,
"metadata": [
{
"name": "AWS Discovery API Calls via CLI from a Single Resource",
"value": "esql/esql"
},
{
"name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity",
"value": "new_terms/kuery"
},
{
"name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"value": "esql/esql"
},
{
"name": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"value": "esql/esql"
},
{
"name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"value": "esql/esql"
},
{
"name": "Spike in AWS Error Messages",
"value": "machine_learning/None"
},
{
"name": "Rare AWS Error Code",
"value": "machine_learning/None"
},
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Spike in Azure Activity Logs Failed Messages",
"value": "machine_learning/None"
},
{
"name": "Rare Azure Activity Logs Event Failures",
"value": "machine_learning/None"
},
{
"name": "Spike in GCP Audit Failed Messages",
"value": "machine_learning/None"
},
{
"name": "Rare GCP Audit Failure Event Code",
"value": "machine_learning/None"
}
],
"links": [
{
"label": "AWS Discovery API Calls via CLI from a Single Resource",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml"
},
{
"label": "AWS Discovery API Calls from VPN ASN for the First Time by Identity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_new_terms_vpn_asn_discovery_api_calls.toml"
},
{
"label": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml"
},
{
"label": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml"
},
{
"label": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml"
},
{
"label": "Spike in AWS Error Messages",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml"
},
{
"label": "Rare AWS Error Code",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml"
},
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Spike in Azure Activity Logs Failed Messages",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/ml_azure_event_failures.toml"
},
{
"label": "Rare Azure Activity Logs Event Failures",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/ml_azure_rare_event_failures.toml"
},
{
"label": "Spike in GCP Audit Failed Messages",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/ml_gcp_error_message_spike.toml"
},
{
"label": "Rare GCP Audit Failure Event Code",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/ml_gcp_rare_error_code.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1538",
"tactic": "discovery",
"score": 1,
"metadata": [
{
"name": "AWS SSM Inventory Reconnaissance by Rare User",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "AWS SSM Inventory Reconnaissance by Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1040",
"tactic": "discovery",
"score": 3,
"metadata": [
{
"name": "AWS EC2 Full Network Packet Capture Detected",
"value": "query/kuery"
},
{
"name": "Azure VNet Full Network Packet Capture Enabled",
"value": "query/kuery"
},
{
"name": "Network Traffic Capture via CAP_NET_RAW",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "AWS EC2 Full Network Packet Capture Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml"
},
{
"label": "Azure VNet Full Network Packet Capture Enabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml"
},
{
"label": "Network Traffic Capture via CAP_NET_RAW",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_capnetraw_capability.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1201",
"tactic": "discovery",
"score": 6,
"metadata": [
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "PowerShell Script with Password Policy Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "PowerShell Script with Password Policy Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_password_policy.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1673",
"tactic": "discovery",
"score": 2,
"metadata": [
{
"name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"value": "eql/eql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
}
],
"links": [
{
"label": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1016",
"tactic": "discovery",
"score": 25,
"metadata": [
{
"name": "DNS Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Unusual Instance Metadata Service (IMDS) API Request",
"value": "eql/eql"
},
{
"name": "Potential Meterpreter Reverse Shell",
"value": "eql/eql"
},
{
"name": "Suspicious System Commands Executed by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Discovery Command Output Written to Suspicious File",
"value": "eql/eql"
},
{
"name": "DNS Request for IP Lookup Service via Unsigned Binary",
"value": "eql/eql"
},
{
"name": "External IP Address Discovery via Curl",
"value": "eql/eql"
},
{
"name": "System and Network Configuration Check",
"value": "eql/eql"
},
{
"name": "Unusual Linux Network Configuration Discovery",
"value": "machine_learning/None"
},
{
"name": "Wireless Credential Dumping using Netsh Command",
"value": "eql/eql"
},
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "System Public IP Discovery via DNS Query",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Suspicious PDF Reader Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious MS Office Child Process",
"value": "eql/eql"
},
{
"name": "System Hosts File Access",
"value": "eql/eql"
},
{
"name": "Discovery of Internet Capabilities via Built-in Tools",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "External IP Lookup from Non-Browser Process",
"value": "eql/eql"
},
{
"name": "Remote System Discovery Commands",
"value": "eql/eql"
},
{
"name": "System Network Connections Discovery",
"value": "new_terms/kuery"
},
{
"name": "Windows System Network Connections Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "DNS Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_dns_enumeration.toml"
},
{
"label": "Unusual Instance Metadata Service (IMDS) API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml"
},
{
"label": "Potential Meterpreter Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_meterpreter_linux.toml"
},
{
"label": "Suspicious System Commands Executed by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_executable_running_system_commands.toml"
},
{
"label": "Discovery Command Output Written to Suspicious File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_discovery_output_written_to_suspicious_file.toml"
},
{
"label": "DNS Request for IP Lookup Service via Unsigned Binary",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_dns_request_for_ip_lookup_service.toml"
},
{
"label": "External IP Address Discovery via Curl",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_external_ip_address_discovery_via_curl.toml"
},
{
"label": "System and Network Configuration Check",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_system_and_network_configuration_check.toml"
},
{
"label": "Unusual Linux Network Configuration Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml"
},
{
"label": "Wireless Credential Dumping using Netsh Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wireless_creds_dumping.toml"
},
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "System Public IP Discovery via DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_host_public_ip_address_lookup.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Suspicious PDF Reader Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_suspicious_pdf_reader.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Suspicious MS Office Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_suspicious_ms_office_child_process.toml"
},
{
"label": "System Hosts File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_hosts_file_access.toml"
},
{
"label": "Discovery of Internet Capabilities via Built-in Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_internet_capabilities.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "External IP Lookup from Non-Browser Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_post_exploitation_external_ip_lookup.toml"
},
{
"label": "Remote System Discovery Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_remote_system_discovery_commands_windows.toml"
},
{
"label": "System Network Connections Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_network_connections.toml"
},
{
"label": "Windows System Network Connections Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_win_network_connections.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1018",
"tactic": "discovery",
"score": 14,
"metadata": [
{
"name": "DNS Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Network Scan Executed From Host",
"value": "threshold/kuery"
},
{
"name": "Potential Subnet Scanning Activity from Compromised Host",
"value": "esql/esql"
},
{
"name": "Spike in Firewall Denies",
"value": "machine_learning/None"
},
{
"name": "Potential Network Sweep Detected",
"value": "threshold/kuery"
},
{
"name": "Potential Enumeration via Active Directory Web Service",
"value": "eql/eql"
},
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "Enumerating Domain Trusts via DSQUERY.EXE",
"value": "eql/eql"
},
{
"name": "Enumerating Domain Trusts via NLTEST.EXE",
"value": "eql/eql"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "System Hosts File Access",
"value": "eql/eql"
},
{
"name": "Windows Network Enumeration",
"value": "eql/eql"
},
{
"name": "Remote System Discovery Commands",
"value": "eql/eql"
}
],
"links": [
{
"label": "DNS Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_dns_enumeration.toml"
},
{
"label": "Potential Network Scan Executed From Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_ping_sweep_detected.toml"
},
{
"label": "Potential Subnet Scanning Activity from Compromised Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml"
},
{
"label": "Spike in Firewall Denies",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/ml_high_count_network_denies.toml"
},
{
"label": "Potential Network Sweep Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/discovery_potential_network_sweep_detected.toml"
},
{
"label": "Potential Enumeration via Active Directory Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_active_directory_webservice.toml"
},
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "Enumerating Domain Trusts via DSQUERY.EXE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml"
},
{
"label": "Enumerating Domain Trusts via NLTEST.EXE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "System Hosts File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_hosts_file_access.toml"
},
{
"label": "Windows Network Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_net_view.toml"
},
{
"label": "Remote System Discovery Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_remote_system_discovery_commands_windows.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1049",
"tactic": "discovery",
"score": 9,
"metadata": [
{
"name": "DNS Enumeration Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious System Commands Executed by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Unusual Linux Network Connection Discovery",
"value": "machine_learning/None"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious MS Office Child Process",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "System Network Connections Discovery",
"value": "new_terms/kuery"
},
{
"name": "Windows System Network Connections Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "DNS Enumeration Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_dns_enumeration.toml"
},
{
"label": "Suspicious System Commands Executed by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_executable_running_system_commands.toml"
},
{
"label": "Unusual Linux Network Connection Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Suspicious MS Office Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_suspicious_ms_office_child_process.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "System Network Connections Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_network_connections.toml"
},
{
"label": "Windows System Network Connections Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_win_network_connections.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1057",
"tactic": "discovery",
"score": 18,
"metadata": [
{
"name": "Potential Linux Credential Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Suspicious Dynamic Linker Discovery via od",
"value": "eql/eql"
},
{
"name": "Suspicious /proc/maps Discovery",
"value": "eql/eql"
},
{
"name": "Process Capability Enumeration",
"value": "eql/eql"
},
{
"name": "Suspicious Memory grep Activity",
"value": "eql/eql"
},
{
"name": "Potential Linux Hack Tool Launched",
"value": "eql/eql"
},
{
"name": "Suspicious System Commands Executed by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Unusual Linux Process Discovery Activity",
"value": "machine_learning/None"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Suspicious PDF Reader Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Suspicious MS Office Child Process",
"value": "eql/eql"
},
{
"name": "Process Discovery Using Built-in Tools",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Potential Memory Seeking Activity",
"value": "eql/eql"
},
{
"name": "Process Discovery via Built-In Applications",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Proc Pseudo File System Enumeration",
"value": "threshold/kuery"
},
{
"name": "System Service Discovery through built-in Windows Utilities",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Linux Credential Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_proc_credential_dumping.toml"
},
{
"label": "Suspicious Dynamic Linker Discovery via od",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_dynamic_linker_via_od.toml"
},
{
"label": "Suspicious /proc/maps Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_proc_maps_read.toml"
},
{
"label": "Process Capability Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_process_capabilities.toml"
},
{
"label": "Suspicious Memory grep Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_memory_grep_activity.toml"
},
{
"label": "Potential Linux Hack Tool Launched",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_potential_hack_tool_executed.toml"
},
{
"label": "Suspicious System Commands Executed by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_executable_running_system_commands.toml"
},
{
"label": "Unusual Linux Process Discovery Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/discovery_ml_linux_system_process_discovery.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Suspicious PDF Reader Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_suspicious_pdf_reader.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Suspicious MS Office Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_suspicious_ms_office_child_process.toml"
},
{
"label": "Process Discovery Using Built-in Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_process_discovery.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Potential Memory Seeking Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_potential_memory_seeking_activity.toml"
},
{
"label": "Process Discovery via Built-In Applications",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_process_discovery_via_builtin_tools.toml"
},
{
"label": "Suspicious Proc Pseudo File System Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_suspicious_proc_enumeration.toml"
},
{
"label": "System Service Discovery through built-in Windows Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_service_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1135",
"tactic": "discovery",
"score": 7,
"metadata": [
{
"name": "Manual Mount Discovery via /etc/exports or /etc/fstab",
"value": "eql/eql"
},
{
"name": "PowerShell Share Enumeration Script",
"value": "query/kuery"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Potential Network Share Discovery",
"value": "eql/eql"
},
{
"name": "Windows Network Enumeration",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "System Service Discovery through built-in Windows Utilities",
"value": "eql/eql"
}
],
"links": [
{
"label": "Manual Mount Discovery via /etc/exports or /etc/fstab",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml"
},
{
"label": "PowerShell Share Enumeration Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_invoke_sharefinder.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Potential Network Share Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_net_share_discovery_winlog.toml"
},
{
"label": "Windows Network Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_net_view.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "System Service Discovery through built-in Windows Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_service_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1069.001",
"tactic": "discovery",
"score": 9,
"metadata": [
{
"name": "Sudo Command Enumeration Detected",
"value": "eql/eql"
},
{
"name": "Unusual User Privilege Enumeration via id",
"value": "eql/eql"
},
{
"name": "Enumeration of Users or Groups via Built-in Commands",
"value": "eql/eql"
},
{
"name": "Enumeration of Administrator Accounts",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Enumeration of Privileged Local Groups Membership",
"value": "new_terms/kuery"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Account or Group Discovery via Built-In Tools",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Sudo Command Enumeration Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_sudo_allowed_command_enumeration.toml"
},
{
"label": "Unusual User Privilege Enumeration via id",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_unusual_user_enumeration_via_id.toml"
},
{
"label": "Enumeration of Users or Groups via Built-in Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml"
},
{
"label": "Enumeration of Administrator Accounts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Enumeration of Privileged Local Groups Membership",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_privileged_localgroup_membership.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Account or Group Discovery via Built-In Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_accounts_or_groups_via_builtin_tools.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1087.001",
"tactic": "discovery",
"score": 9,
"metadata": [
{
"name": "Unusual User Privilege Enumeration via id",
"value": "eql/eql"
},
{
"name": "Potential Meterpreter Reverse Shell",
"value": "eql/eql"
},
{
"name": "Enumeration of Users or Groups via Built-in Commands",
"value": "eql/eql"
},
{
"name": "Enumeration of Administrator Accounts",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Mounting Hidden or WebDav Remote Shares",
"value": "eql/eql"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Account or Group Discovery via Built-In Tools",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Unusual User Privilege Enumeration via id",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_unusual_user_enumeration_via_id.toml"
},
{
"label": "Potential Meterpreter Reverse Shell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_shell_via_meterpreter_linux.toml"
},
{
"label": "Enumeration of Users or Groups via Built-in Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml"
},
{
"label": "Enumeration of Administrator Accounts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Mounting Hidden or WebDav Remote Shares",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Account or Group Discovery via Built-In Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_accounts_or_groups_via_builtin_tools.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1497",
"tactic": "discovery",
"score": 2,
"metadata": [
{
"name": "Virtual Machine Fingerprinting",
"value": "eql/eql"
},
{
"name": "Suspicious SIP Check by macOS Application",
"value": "eql/eql"
}
],
"links": [
{
"label": "Virtual Machine Fingerprinting",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_virtual_machine_fingerprinting.toml"
},
{
"label": "Suspicious SIP Check by macOS Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_suspicious_sip_check.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1497.001",
"tactic": "discovery",
"score": 2,
"metadata": [
{
"name": "Virtual Machine Fingerprinting",
"value": "eql/eql"
},
{
"name": "Suspicious SIP Check by macOS Application",
"value": "eql/eql"
}
],
"links": [
{
"label": "Virtual Machine Fingerprinting",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_virtual_machine_fingerprinting.toml"
},
{
"label": "Suspicious SIP Check by macOS Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_suspicious_sip_check.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1016.001",
"tactic": "discovery",
"score": 7,
"metadata": [
{
"name": "DNS Request for IP Lookup Service via Unsigned Binary",
"value": "eql/eql"
},
{
"name": "External IP Address Discovery via Curl",
"value": "eql/eql"
},
{
"name": "System Public IP Discovery via DNS Query",
"value": "eql/eql"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Suspicious PDF Reader Child Process",
"value": "eql/eql"
},
{
"name": "Discovery of Internet Capabilities via Built-in Tools",
"value": "new_terms/kuery"
},
{
"name": "External IP Lookup from Non-Browser Process",
"value": "eql/eql"
}
],
"links": [
{
"label": "DNS Request for IP Lookup Service via Unsigned Binary",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_dns_request_for_ip_lookup_service.toml"
},
{
"label": "External IP Address Discovery via Curl",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_external_ip_address_discovery_via_curl.toml"
},
{
"label": "System Public IP Discovery via DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_host_public_ip_address_lookup.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Suspicious PDF Reader Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_suspicious_pdf_reader.toml"
},
{
"label": "Discovery of Internet Capabilities via Built-in Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_internet_capabilities.toml"
},
{
"label": "External IP Lookup from Non-Browser Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_post_exploitation_external_ip_lookup.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1069.002",
"tactic": "discovery",
"score": 12,
"metadata": [
{
"name": "Enumeration of Users or Groups via Built-in Commands",
"value": "eql/eql"
},
{
"name": "Potential Enumeration via Active Directory Web Service",
"value": "eql/eql"
},
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "Enumeration of Administrator Accounts",
"value": "eql/eql"
},
{
"name": "Suspicious Access to LDAP Attributes",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Account or Group Discovery via Built-In Tools",
"value": "new_terms/kuery"
},
{
"name": "Discovery of Domain Groups",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "Remote System Discovery Commands",
"value": "eql/eql"
}
],
"links": [
{
"label": "Enumeration of Users or Groups via Built-in Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml"
},
{
"label": "Potential Enumeration via Active Directory Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_active_directory_webservice.toml"
},
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "Enumeration of Administrator Accounts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml"
},
{
"label": "Suspicious Access to LDAP Attributes",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_high_number_ad_properties.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Account or Group Discovery via Built-In Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_accounts_or_groups_via_builtin_tools.toml"
},
{
"label": "Discovery of Domain Groups",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_domain_groups.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "Remote System Discovery Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_remote_system_discovery_commands_windows.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1087.002",
"tactic": "discovery",
"score": 11,
"metadata": [
{
"name": "Enumeration of Users or Groups via Built-in Commands",
"value": "eql/eql"
},
{
"name": "Potential Enumeration via Active Directory Web Service",
"value": "eql/eql"
},
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "Enumeration of Administrator Accounts",
"value": "eql/eql"
},
{
"name": "Suspicious Access to LDAP Attributes",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Mounting Hidden or WebDav Remote Shares",
"value": "eql/eql"
},
{
"name": "Windows Account or Group Discovery",
"value": "eql/eql"
},
{
"name": "Account or Group Discovery via Built-In Tools",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Enumeration of Users or Groups via Built-in Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/discovery_users_domain_built_in_commands.toml"
},
{
"label": "Potential Enumeration via Active Directory Web Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_active_directory_webservice.toml"
},
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "Enumeration of Administrator Accounts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_admin_recon.toml"
},
{
"label": "Suspicious Access to LDAP Attributes",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_high_number_ad_properties.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Mounting Hidden or WebDav Remote Shares",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml"
},
{
"label": "Windows Account or Group Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_account_groups.toml"
},
{
"label": "Account or Group Discovery via Built-In Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_of_accounts_or_groups_via_builtin_tools.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1120",
"tactic": "discovery",
"score": 2,
"metadata": [
{
"name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"value": "query/kuery"
},
{
"name": "Peripheral Device Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "PowerShell Suspicious Script with Audio Capture Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_audio_capture.toml"
},
{
"label": "Peripheral Device Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_peripheral_device.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1482",
"tactic": "discovery",
"score": 9,
"metadata": [
{
"name": "Active Directory Discovery using AdExplorer",
"value": "eql/eql"
},
{
"name": "AdFind Command Activity",
"value": "eql/eql"
},
{
"name": "Enumerating Domain Trusts via DSQUERY.EXE",
"value": "eql/eql"
},
{
"name": "Enumerating Domain Trusts via NLTEST.EXE",
"value": "eql/eql"
},
{
"name": "Suspicious Access to LDAP Attributes",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Suspicious JetBrains TeamCity Child Process",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Active Directory Discovery using AdExplorer",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_ad_explorer_execution.toml"
},
{
"label": "AdFind Command Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_adfind_command_activity.toml"
},
{
"label": "Enumerating Domain Trusts via DSQUERY.EXE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml"
},
{
"label": "Enumerating Domain Trusts via NLTEST.EXE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml"
},
{
"label": "Suspicious Access to LDAP Attributes",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_high_number_ad_properties.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Suspicious JetBrains TeamCity Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_exploit_jetbrains_teamcity.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1615",
"tactic": "discovery",
"score": 3,
"metadata": [
{
"name": "Group Policy Discovery via Microsoft GPResult Utility",
"value": "eql/eql"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Group Policy Discovery via Microsoft GPResult Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_group_policy_object_discovery.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1007",
"tactic": "discovery",
"score": 4,
"metadata": [
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
},
{
"name": "System Service Discovery through built-in Windows Utilities",
"value": "eql/eql"
}
],
"links": [
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
},
{
"label": "System Service Discovery through built-in Windows Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_service_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1012",
"tactic": "discovery",
"score": 3,
"metadata": [
{
"name": "Enumeration Command Spawned via WMIPrvSE",
"value": "eql/eql"
},
{
"name": "Query Registry using Built-in Tools",
"value": "new_terms/kuery"
},
{
"name": "Deprecated - PowerShell Script with Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Enumeration Command Spawned via WMIPrvSE",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_enumeration_via_wmiprvse.toml"
},
{
"label": "Query Registry using Built-in Tools",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_generic_registry_query.toml"
},
{
"label": "Deprecated - PowerShell Script with Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_generic.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1614",
"tactic": "discovery",
"score": 2,
"metadata": [
{
"name": "External IP Lookup from Non-Browser Process",
"value": "eql/eql"
},
{
"name": "System Time Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "External IP Lookup from Non-Browser Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_post_exploitation_external_ip_lookup.toml"
},
{
"label": "System Time Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_time_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1124",
"tactic": "discovery",
"score": 1,
"metadata": [
{
"name": "System Time Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "System Time Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_system_time_discovery.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1539",
"tactic": "credential-access",
"score": 9,
"metadata": [
{
"name": "Potential Cookies Theft via Browser Debugging",
"value": "eql/eql"
},
{
"name": "Multiple Device Token Hashes for Single Okta Session",
"value": "esql/esql"
},
{
"name": "Okta Multiple OS Names Detected for a Single DT Hash",
"value": "threshold/kuery"
},
{
"name": "Okta AiTM Session Cookie Replay",
"value": "esql/esql"
},
{
"name": "WebProxy Settings Modification",
"value": "eql/eql"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Web Browser Sensitive File Access",
"value": "eql/eql"
},
{
"name": "Manual Loading of a Suspicious Chromium Extension",
"value": "eql/eql"
},
{
"name": "Browser Process Spawned from an Unusual Parent",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Cookies Theft via Browser Debugging",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml"
},
{
"label": "Multiple Device Token Hashes for Single Okta Session",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml"
},
{
"label": "Okta Multiple OS Names Detected for a Single DT Hash",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml"
},
{
"label": "Okta AiTM Session Cookie Replay",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml"
},
{
"label": "WebProxy Settings Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_mitm_localhost_webproxy.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "Suspicious Web Browser Sensitive File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml"
},
{
"label": "Manual Loading of a Suspicious Chromium Extension",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_manual_chromium_extension_loading.toml"
},
{
"label": "Browser Process Spawned from an Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_browsers_unusual_parent.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1187",
"tactic": "credential-access",
"score": 10,
"metadata": [
{
"name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"value": "eql/eql"
},
{
"name": "Potential Computer Account NTLM Relay Activity",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Relay Attack against a Computer Account",
"value": "eql/eql"
},
{
"name": "Potential NTLM Relay Attack against a Computer Account",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"value": "query/kuery"
},
{
"name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"value": "eql/eql"
},
{
"name": "Potential Machine Account Relay Attack via SMB",
"value": "eql/eql"
},
{
"name": "Rare Connection to WebDAV Target",
"value": "esql/esql"
},
{
"name": "Potential Local NTLM Relay via HTTP",
"value": "eql/eql"
},
{
"name": "Rare SMB Connection to the Internet",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_forced_authentication_pipes.toml"
},
{
"label": "Potential Computer Account NTLM Relay Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay.toml"
},
{
"label": "Potential Kerberos Relay Attack against a Computer Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay_kerberos.toml"
},
{
"label": "Potential NTLM Relay Attack against a Computer Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay_ntlm.toml"
},
{
"label": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberos_coerce.toml"
},
{
"label": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberos_coerce_dns.toml"
},
{
"label": "Potential Machine Account Relay Attack via SMB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_machine_account_smb_relay.toml"
},
{
"label": "Rare Connection to WebDAV Target",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_rare_webdav_destination.toml"
},
{
"label": "Potential Local NTLM Relay via HTTP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml"
},
{
"label": "Rare SMB Connection to the Internet",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/exfiltration_smb_rare_destination.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1552",
"tactic": "credential-access",
"score": 70,
"metadata": [
{
"name": "GenAI Process Accessing Sensitive Files",
"value": "eql/eql"
},
{
"name": "Potential Secret Scanning via Gitleaks",
"value": "eql/eql"
},
{
"name": "Potential Credential Discovery via Recursive Grep",
"value": "esql/esql"
},
{
"name": "Multi-Cloud CLI Token and Credential Access Commands",
"value": "esql/esql"
},
{
"name": "Credential Access via TruffleHog Execution",
"value": "eql/eql"
},
{
"name": "Potential Impersonation Attempt via Kubectl",
"value": "eql/eql"
},
{
"name": "Kubectl Secrets Enumeration Across All Namespaces",
"value": "eql/eql"
},
{
"name": "Web Server Local File Inclusion Activity",
"value": "esql/esql"
},
{
"name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"value": "eql/eql"
},
{
"name": "Kubernetes Direct API Request via Curl or Wget",
"value": "eql/eql"
},
{
"name": "Web Server Potential Command Injection Request",
"value": "esql/esql"
},
{
"name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
"value": "new_terms/kuery"
},
{
"name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"value": "eql/eql"
},
{
"name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts",
"value": "esql/esql"
},
{
"name": "AWS IAM Long-Term Access Key First Seen from Source IP",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 User Data Retrieval for EC2 Instance",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 Instance Console Login via Assumed Role",
"value": "eql/eql"
},
{
"name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization",
"value": "new_terms/kuery"
},
{
"name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"value": "eql/eql"
},
{
"name": "Azure Storage Account Key Regenerated",
"value": "query/kuery"
},
{
"name": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
"value": "new_terms/kuery"
},
{
"name": "Azure Event Hub Authorization Rule Created or Updated",
"value": "query/kuery"
},
{
"name": "Cloud Credential Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive File Compression Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Service Account Token or Certificate Read Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubelet Certificate File Access Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Web Server Exploitation Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"value": "eql/eql"
},
{
"name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"value": "esql/esql"
},
{
"name": "Kubernetes Secret Access via Unusual User Agent",
"value": "new_terms/kuery"
},
{
"name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects",
"value": "esql/esql"
},
{
"name": "Kubernetes Pod Exec Cloud Instance Metadata Access",
"value": "esql/esql"
},
{
"name": "Kubernetes Pod Exec Sensitive File or Credential Path Access",
"value": "esql/esql"
},
{
"name": "Kubernetes Secret get or list with Suspicious User Agent",
"value": "query/kuery"
},
{
"name": "Kubernetes Secret get or list from Node or Pod Service Account",
"value": "query/kuery"
},
{
"name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"value": "query/kuery"
},
{
"name": "Kubernetes Service Account Token Created via TokenRequest API",
"value": "query/kuery"
},
{
"name": "Sensitive Identity File Open by Suspicious Process via Auditd",
"value": "query/kuery"
},
{
"name": "AWS Credentials Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Sensitive Files Compression",
"value": "new_terms/kuery"
},
{
"name": "Sensitive Files Compression Inside A Container",
"value": "eql/eql"
},
{
"name": "GitHub Authentication Token Access via Node.js",
"value": "eql/eql"
},
{
"name": "Kubernetes and Cloud Credential Path Access via Process Arguments",
"value": "query/kuery"
},
{
"name": "Kubernetes Service Account Secret Access",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Unusual Instance Metadata Service (IMDS) API Request",
"value": "eql/eql"
},
{
"name": "Kubeconfig File Discovery",
"value": "eql/eql"
},
{
"name": "Private Key Searching Activity",
"value": "eql/eql"
},
{
"name": "Security File Access via Common Utilities",
"value": "eql/eql"
},
{
"name": "Kubeconfig File Creation or Modification",
"value": "eql/eql"
},
{
"name": "Potential Privilege Escalation via Linux DAC permissions",
"value": "new_terms/kuery"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "Potential Kerberos Attack via Bifrost",
"value": "eql/eql"
},
{
"name": "Unusual Linux Process Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "Unusual Linux User Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows Process Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows User Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "FortiGate Configuration File Downloaded",
"value": "eql/eql"
},
{
"name": "Creation or Modification of Domain Backup DPAPI private key",
"value": "eql/eql"
},
{
"name": "Microsoft IIS Service Account Password Dumped",
"value": "eql/eql"
},
{
"name": "Microsoft IIS Connection Strings Decryption",
"value": "eql/eql"
},
{
"name": "Access to a Sensitive LDAP Attribute",
"value": "eql/eql"
},
{
"name": "Unusual Web Config File Access",
"value": "new_terms/kuery"
},
{
"name": "Wireless Credential Dumping using Netsh Command",
"value": "eql/eql"
},
{
"name": "Suspicious CertUtil Commands",
"value": "eql/eql"
},
{
"name": "Command Shell Activity Started via RunDLL32",
"value": "eql/eql"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Attempted Private Key Access",
"value": "eql/eql"
},
{
"name": "PowerShell Script with Password Policy Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "GenAI Process Accessing Sensitive Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml"
},
{
"label": "Potential Secret Scanning via Gitleaks",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_gitleaks_execution.toml"
},
{
"label": "Potential Credential Discovery via Recursive Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml"
},
{
"label": "Multi-Cloud CLI Token and Credential Access Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_multi_cloud_cli_token_harvesting.toml"
},
{
"label": "Credential Access via TruffleHog Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_trufflehog_execution.toml"
},
{
"label": "Potential Impersonation Attempt via Kubectl",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml"
},
{
"label": "Kubectl Secrets Enumeration Across All Namespaces",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_kubectl_secrets_all_namespaces.toml"
},
{
"label": "Web Server Local File Inclusion Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml"
},
{
"label": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml"
},
{
"label": "Kubernetes Direct API Request via Curl or Wget",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml"
},
{
"label": "Web Server Potential Command Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_command_injection.toml"
},
{
"label": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml"
},
{
"label": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml"
},
{
"label": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_iam_long_term_access_key_correlated_with_elevated_detection_alerts.toml"
},
{
"label": "AWS IAM Long-Term Access Key First Seen from Source IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml"
},
{
"label": "AWS EC2 User Data Retrieval for EC2 Instance",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml"
},
{
"label": "AWS EC2 Instance Console Login via Assumed Role",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml"
},
{
"label": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_new_terms_ec2_create_keypair_unusual_source_as.toml"
},
{
"label": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml"
},
{
"label": "Azure Storage Account Key Regenerated",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml"
},
{
"label": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml"
},
{
"label": "Azure Event Hub Authorization Rule Created or Updated",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_event_hub_created_or_updated.toml"
},
{
"label": "Cloud Credential Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml"
},
{
"label": "Sensitive File Compression Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml"
},
{
"label": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml"
},
{
"label": "Service Account Token or Certificate Read Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml"
},
{
"label": "Kubelet Certificate File Access Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml"
},
{
"label": "Web Server Exploitation Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml"
},
{
"label": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml"
},
{
"label": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml"
},
{
"label": "Kubernetes Secret Access via Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_get_secrets_access.toml"
},
{
"label": "Kubernetes Rapid Secret GET Activity Against Multiple Objects",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_multiple_secret_retrieval_burst.toml"
},
{
"label": "Kubernetes Pod Exec Cloud Instance Metadata Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_pod_exec_cloud_instance_metadata.toml"
},
{
"label": "Kubernetes Pod Exec Sensitive File or Credential Path Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_pod_exec_sensitive_file_access.toml"
},
{
"label": "Kubernetes Secret get or list with Suspicious User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secret_access_scripting_http_clients.toml"
},
{
"label": "Kubernetes Secret get or list from Node or Pod Service Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml"
},
{
"label": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml"
},
{
"label": "Kubernetes Service Account Token Created via TokenRequest API",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_service_account_token_created_via_tokenrequest.toml"
},
{
"label": "Sensitive Identity File Open by Suspicious Process via Auditd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml"
},
{
"label": "AWS Credentials Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_aws_creds_search_inside_container.toml"
},
{
"label": "Sensitive Files Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files.toml"
},
{
"label": "Sensitive Files Compression Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml"
},
{
"label": "GitHub Authentication Token Access via Node.js",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gh_auth_via_nodejs.toml"
},
{
"label": "Kubernetes and Cloud Credential Path Access via Process Arguments",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_and_cloud_credential_paths_via_process_args.toml"
},
{
"label": "Kubernetes Service Account Secret Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_service_account_secret_access.toml"
},
{
"label": "Sensitive Keys Or Passwords Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml"
},
{
"label": "Unusual Instance Metadata Service (IMDS) API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml"
},
{
"label": "Kubeconfig File Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kubeconfig_file_discovery.toml"
},
{
"label": "Private Key Searching Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_private_key_password_searching_activity.toml"
},
{
"label": "Security File Access via Common Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_security_file_access_via_common_utility.toml"
},
{
"label": "Kubeconfig File Creation or Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_kubeconfig_file_activity.toml"
},
{
"label": "Potential Privilege Escalation via Linux DAC permissions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_dac_permissions.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "Potential Kerberos Attack via Bifrost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml"
},
{
"label": "Unusual Linux Process Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml"
},
{
"label": "Unusual Linux User Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml"
},
{
"label": "Unusual Windows Process Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml"
},
{
"label": "Unusual Windows User Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml"
},
{
"label": "FortiGate Configuration File Downloaded",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/collection_fortigate_config_download.toml"
},
{
"label": "Creation or Modification of Domain Backup DPAPI private key",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml"
},
{
"label": "Microsoft IIS Service Account Password Dumped",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml"
},
{
"label": "Microsoft IIS Connection Strings Decryption",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_iis_connectionstrings_dumping.toml"
},
{
"label": "Access to a Sensitive LDAP Attribute",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_ldap_attributes.toml"
},
{
"label": "Unusual Web Config File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_web_config_file_access.toml"
},
{
"label": "Wireless Credential Dumping using Netsh Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wireless_creds_dumping.toml"
},
{
"label": "Suspicious CertUtil Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_suspicious_certutil_commands.toml"
},
{
"label": "Command Shell Activity Started via RunDLL32",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_command_shell_via_rundll32.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Attempted Private Key Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_win_private_key_access.toml"
},
{
"label": "PowerShell Script with Password Policy Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_password_policy.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1552.001",
"tactic": "credential-access",
"score": 32,
"metadata": [
{
"name": "GenAI Process Accessing Sensitive Files",
"value": "eql/eql"
},
{
"name": "Potential Secret Scanning via Gitleaks",
"value": "eql/eql"
},
{
"name": "Potential Credential Discovery via Recursive Grep",
"value": "esql/esql"
},
{
"name": "Multi-Cloud CLI Token and Credential Access Commands",
"value": "esql/esql"
},
{
"name": "Credential Access via TruffleHog Execution",
"value": "eql/eql"
},
{
"name": "Web Server Local File Inclusion Activity",
"value": "esql/esql"
},
{
"name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"value": "eql/eql"
},
{
"name": "Web Server Potential Command Injection Request",
"value": "esql/esql"
},
{
"name": "Cloud Credential Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive File Compression Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Service Account Token or Certificate Read Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Web Server Exploitation Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubernetes Pod Exec Sensitive File or Credential Path Access",
"value": "esql/esql"
},
{
"name": "Sensitive Identity File Open by Suspicious Process via Auditd",
"value": "query/kuery"
},
{
"name": "AWS Credentials Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Sensitive Files Compression",
"value": "new_terms/kuery"
},
{
"name": "Sensitive Files Compression Inside A Container",
"value": "eql/eql"
},
{
"name": "Kubernetes and Cloud Credential Path Access via Process Arguments",
"value": "query/kuery"
},
{
"name": "Kubernetes Service Account Secret Access",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Kubeconfig File Discovery",
"value": "eql/eql"
},
{
"name": "Private Key Searching Activity",
"value": "eql/eql"
},
{
"name": "Security File Access via Common Utilities",
"value": "eql/eql"
},
{
"name": "Kubeconfig File Creation or Modification",
"value": "eql/eql"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "Potential Kerberos Attack via Bifrost",
"value": "eql/eql"
},
{
"name": "FortiGate Configuration File Downloaded",
"value": "eql/eql"
},
{
"name": "Microsoft IIS Service Account Password Dumped",
"value": "eql/eql"
},
{
"name": "Microsoft IIS Connection Strings Decryption",
"value": "eql/eql"
},
{
"name": "Unusual Web Config File Access",
"value": "new_terms/kuery"
},
{
"name": "Wireless Credential Dumping using Netsh Command",
"value": "eql/eql"
}
],
"links": [
{
"label": "GenAI Process Accessing Sensitive Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml"
},
{
"label": "Potential Secret Scanning via Gitleaks",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_gitleaks_execution.toml"
},
{
"label": "Potential Credential Discovery via Recursive Grep",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml"
},
{
"label": "Multi-Cloud CLI Token and Credential Access Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_multi_cloud_cli_token_harvesting.toml"
},
{
"label": "Credential Access via TruffleHog Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_trufflehog_execution.toml"
},
{
"label": "Web Server Local File Inclusion Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml"
},
{
"label": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml"
},
{
"label": "Web Server Potential Command Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_command_injection.toml"
},
{
"label": "Cloud Credential Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml"
},
{
"label": "Sensitive File Compression Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml"
},
{
"label": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml"
},
{
"label": "Service Account Token or Certificate Read Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml"
},
{
"label": "Web Server Exploitation Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml"
},
{
"label": "Kubernetes Pod Exec Sensitive File or Credential Path Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_pod_exec_sensitive_file_access.toml"
},
{
"label": "Sensitive Identity File Open by Suspicious Process via Auditd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml"
},
{
"label": "AWS Credentials Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_aws_creds_search_inside_container.toml"
},
{
"label": "Sensitive Files Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files.toml"
},
{
"label": "Sensitive Files Compression Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml"
},
{
"label": "Kubernetes and Cloud Credential Path Access via Process Arguments",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_and_cloud_credential_paths_via_process_args.toml"
},
{
"label": "Kubernetes Service Account Secret Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_service_account_secret_access.toml"
},
{
"label": "Sensitive Keys Or Passwords Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml"
},
{
"label": "Kubeconfig File Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kubeconfig_file_discovery.toml"
},
{
"label": "Private Key Searching Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_private_key_password_searching_activity.toml"
},
{
"label": "Security File Access via Common Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_security_file_access_via_common_utility.toml"
},
{
"label": "Kubeconfig File Creation or Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/lateral_movement_kubeconfig_file_activity.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "Potential Kerberos Attack via Bifrost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml"
},
{
"label": "FortiGate Configuration File Downloaded",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/collection_fortigate_config_download.toml"
},
{
"label": "Microsoft IIS Service Account Password Dumped",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml"
},
{
"label": "Microsoft IIS Connection Strings Decryption",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_iis_connectionstrings_dumping.toml"
},
{
"label": "Unusual Web Config File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_web_config_file_access.toml"
},
{
"label": "Wireless Credential Dumping using Netsh Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wireless_creds_dumping.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1555",
"tactic": "credential-access",
"score": 28,
"metadata": [
{
"name": "GenAI Process Accessing Sensitive Files",
"value": "eql/eql"
},
{
"name": "Potential Secret Scanning via Gitleaks",
"value": "eql/eql"
},
{
"name": "Multiple Cloud Secrets Accessed by Source Address",
"value": "esql/esql"
},
{
"name": "Credential Access via TruffleHog Execution",
"value": "eql/eql"
},
{
"name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"value": "new_terms/kuery"
},
{
"name": "AWS Secrets Manager Rapid Secrets Retrieval",
"value": "threshold/kuery"
},
{
"name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"value": "new_terms/kuery"
},
{
"name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"value": "esql/esql"
},
{
"name": "Azure Storage Account Keys Accessed by Privileged User",
"value": "new_terms/kuery"
},
{
"name": "Azure Key Vault Excessive Secret or Key Retrieved",
"value": "esql/esql"
},
{
"name": "Azure Key Vault Unusual Secret Key Usage",
"value": "new_terms/kuery"
},
{
"name": "CyberArk Privileged Access Security Recommended Monitor",
"value": "query/kuery"
},
{
"name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
"value": "eql/eql"
},
{
"name": "Dumping of Keychain Content via Security Command",
"value": "eql/eql"
},
{
"name": "Keychain Password Retrieval via Command Line",
"value": "eql/eql"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Web Browser Sensitive File Access",
"value": "eql/eql"
},
{
"name": "SystemKey Access via Command Line",
"value": "eql/eql"
},
{
"name": "Browser Process Spawned from an Unusual Parent",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via Trusted Developer Utility",
"value": "eql/eql"
},
{
"name": "Creation or Modification of Domain Backup DPAPI private key",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "PowerShell Script with Veeam Credential Access Capabilities",
"value": "query/kuery"
},
{
"name": "Multiple Vault Web Credentials Read",
"value": "eql/eql"
},
{
"name": "Searching for Saved Credentials via VaultCmd",
"value": "eql/eql"
},
{
"name": "Veeam Backup Library Loaded by Unusual Process",
"value": "eql/eql"
},
{
"name": "Potential Veeam Credential Access Command",
"value": "eql/eql"
},
{
"name": "Wireless Credential Dumping using Netsh Command",
"value": "eql/eql"
}
],
"links": [
{
"label": "GenAI Process Accessing Sensitive Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml"
},
{
"label": "Potential Secret Scanning via Gitleaks",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_gitleaks_execution.toml"
},
{
"label": "Multiple Cloud Secrets Accessed by Source Address",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml"
},
{
"label": "Credential Access via TruffleHog Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_trufflehog_execution.toml"
},
{
"label": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml"
},
{
"label": "AWS Secrets Manager Rapid Secrets Retrieval",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml"
},
{
"label": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml"
},
{
"label": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml"
},
{
"label": "Azure Storage Account Keys Accessed by Privileged User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml"
},
{
"label": "Azure Key Vault Excessive Secret or Key Retrieved",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml"
},
{
"label": "Azure Key Vault Unusual Secret Key Usage",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml"
},
{
"label": "CyberArk Privileged Access Security Recommended Monitor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml"
},
{
"label": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_credentials_keychains.toml"
},
{
"label": "Dumping of Keychain Content via Security Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_dumping_keychain_security.toml"
},
{
"label": "Keychain Password Retrieval via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "Suspicious Web Browser Sensitive File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml"
},
{
"label": "SystemKey Access via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_systemkey_dumping.toml"
},
{
"label": "Browser Process Spawned from an Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_browsers_unusual_parent.toml"
},
{
"label": "Potential Credential Access via Trusted Developer Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_credential_dumping_msbuild.toml"
},
{
"label": "Creation or Modification of Domain Backup DPAPI private key",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "PowerShell Script with Veeam Credential Access Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_veeam_sql.toml"
},
{
"label": "Multiple Vault Web Credentials Read",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_saved_creds_vault_winlog.toml"
},
{
"label": "Searching for Saved Credentials via VaultCmd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_saved_creds_vaultcmd.toml"
},
{
"label": "Veeam Backup Library Loaded by Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_veeam_backup_dll_imageload.toml"
},
{
"label": "Potential Veeam Credential Access Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_veeam_commands.toml"
},
{
"label": "Wireless Credential Dumping using Netsh Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wireless_creds_dumping.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003",
"tactic": "credential-access",
"score": 67,
"metadata": [
{
"name": "Potential Secret Scanning via Gitleaks",
"value": "eql/eql"
},
{
"name": "Credential Access via TruffleHog Execution",
"value": "eql/eql"
},
{
"name": "Web Server Potential Command Injection Request",
"value": "esql/esql"
},
{
"name": "Potential Linux Credential Dumping via Unshadow",
"value": "eql/eql"
},
{
"name": "Linux init (PID 1) Secret Dump via GDB",
"value": "eql/eql"
},
{
"name": "Linux Process Hooking via GDB",
"value": "eql/eql"
},
{
"name": "Manual Memory Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Potential Linux Credential Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Suspicious /proc/maps Discovery",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"value": "eql/eql"
},
{
"name": "Potential Suspicious File Edit",
"value": "eql/eql"
},
{
"name": "Potential Unauthorized Access via Wildcard Injection Detected",
"value": "eql/eql"
},
{
"name": "Potential Privilege Escalation via Linux DAC permissions",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Symbolic Link Created",
"value": "eql/eql"
},
{
"name": "Potential Shadow File Read via Command Line Utilities",
"value": "new_terms/kuery"
},
{
"name": "Dumping Account Hashes via Built-In Commands",
"value": "eql/eql"
},
{
"name": "Kerberos Cached Credentials Dumping",
"value": "eql/eql"
},
{
"name": "Credential Dumping - Detected - Elastic Endgame",
"value": "query/kuery"
},
{
"name": "Credential Dumping - Prevented - Elastic Endgame",
"value": "query/kuery"
},
{
"name": "Potential Credential Access via Windows Utilities",
"value": "eql/eql"
},
{
"name": "NTDS or SAM Database File Copied",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via Trusted Developer Utility",
"value": "eql/eql"
},
{
"name": "First Time Seen Account Performing DCSync",
"value": "new_terms/kuery"
},
{
"name": "Potential Credential Access via DCSync",
"value": "new_terms/kuery"
},
{
"name": "Potential Active Directory Replication Account Backdoor",
"value": "query/kuery"
},
{
"name": "Creation or Modification of Domain Backup DPAPI private key",
"value": "eql/eql"
},
{
"name": "Credential Acquisition via Registry Hive Dumping",
"value": "eql/eql"
},
{
"name": "Full User-Mode Dumps Enabled System-Wide",
"value": "eql/eql"
},
{
"name": "Microsoft IIS Service Account Password Dumped",
"value": "eql/eql"
},
{
"name": "Microsoft IIS Connection Strings Decryption",
"value": "eql/eql"
},
{
"name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"value": "eql/eql"
},
{
"name": "Kirbi File Creation",
"value": "eql/eql"
},
{
"name": "Access to a Sensitive LDAP Attribute",
"value": "eql/eql"
},
{
"name": "Suspicious LSASS Access via MalSecLogon",
"value": "eql/eql"
},
{
"name": "Suspicious Module Loaded by LSASS",
"value": "eql/eql"
},
{
"name": "LSASS Memory Dump Creation",
"value": "eql/eql"
},
{
"name": "LSASS Memory Dump Handle Access",
"value": "new_terms/kuery"
},
{
"name": "LSASS Process Access via Windows API",
"value": "esql/esql"
},
{
"name": "Mimikatz Memssp Log File Detected",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "Modification of WDigest Security Provider",
"value": "eql/eql"
},
{
"name": "Windows Registry File Creation in SMB Share",
"value": "eql/eql"
},
{
"name": "PowerShell Invoke-NinjaCopy script",
"value": "query/kuery"
},
{
"name": "PowerShell Kerberos Ticket Dump",
"value": "query/kuery"
},
{
"name": "PowerShell MiniDump Script",
"value": "query/kuery"
},
{
"name": "PowerShell Script with Veeam Credential Access Capabilities",
"value": "query/kuery"
},
{
"name": "Potential Credential Access via DuplicateHandle in LSASS",
"value": "eql/eql"
},
{
"name": "Sensitive Registry Hive Access via RegBack",
"value": "eql/eql"
},
{
"name": "Potential Remote Credential Access via Registry",
"value": "eql/eql"
},
{
"name": "Multiple Vault Web Credentials Read",
"value": "eql/eql"
},
{
"name": "Searching for Saved Credentials via VaultCmd",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via Renamed COM+ Services DLL",
"value": "eql/eql"
},
{
"name": "Suspicious Lsass Process Access",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via LSASS Memory Dump",
"value": "eql/eql"
},
{
"name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"value": "threshold/kuery"
},
{
"name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"value": "eql/eql"
},
{
"name": "Symbolic Link to Shadow Copy Created",
"value": "eql/eql"
},
{
"name": "Veeam Backup Library Loaded by Unusual Process",
"value": "eql/eql"
},
{
"name": "Potential Veeam Credential Access Command",
"value": "eql/eql"
},
{
"name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"value": "eql/eql"
},
{
"name": "NTDS Dump via Wbadmin",
"value": "eql/eql"
},
{
"name": "Wireless Credential Dumping using Netsh Command",
"value": "eql/eql"
},
{
"name": "Disabling Lsa Protection via Registry Modification",
"value": "eql/eql"
},
{
"name": "Suspicious Execution via Windows Subsystem for Linux",
"value": "eql/eql"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Potential Credential Access via Memory Dump File Creation",
"value": "eql/eql"
},
{
"name": "Memory Dump File with Unusual Extension",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Secret Scanning via Gitleaks",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_gitleaks_execution.toml"
},
{
"label": "Credential Access via TruffleHog Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_trufflehog_execution.toml"
},
{
"label": "Web Server Potential Command Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_command_injection.toml"
},
{
"label": "Potential Linux Credential Dumping via Unshadow",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_credential_dumping.toml"
},
{
"label": "Linux init (PID 1) Secret Dump via GDB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gdb_init_process_hooking.toml"
},
{
"label": "Linux Process Hooking via GDB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gdb_process_hooking.toml"
},
{
"label": "Manual Memory Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_manual_memory_dumping.toml"
},
{
"label": "Potential Linux Credential Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_proc_credential_dumping.toml"
},
{
"label": "Suspicious /proc/maps Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_proc_maps_read.toml"
},
{
"label": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml"
},
{
"label": "Potential Suspicious File Edit",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_file_opened_through_editor.toml"
},
{
"label": "Potential Unauthorized Access via Wildcard Injection Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml"
},
{
"label": "Potential Privilege Escalation via Linux DAC permissions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_dac_permissions.toml"
},
{
"label": "Suspicious Symbolic Link Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml"
},
{
"label": "Potential Shadow File Read via Command Line Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_shadow_file_read.toml"
},
{
"label": "Dumping Account Hashes via Built-In Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_dumping_hashes_bi_cmds.toml"
},
{
"label": "Kerberos Cached Credentials Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_kerberosdump_kcc.toml"
},
{
"label": "Credential Dumping - Detected - Elastic Endgame",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/promotions/credential_access_endgame_cred_dumping_detected.toml"
},
{
"label": "Credential Dumping - Prevented - Elastic Endgame",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml"
},
{
"label": "Potential Credential Access via Windows Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_cmdline_dump_tool.toml"
},
{
"label": "NTDS or SAM Database File Copied",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml"
},
{
"label": "Potential Credential Access via Trusted Developer Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_credential_dumping_msbuild.toml"
},
{
"label": "First Time Seen Account Performing DCSync",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_newterm_subjectuser.toml"
},
{
"label": "Potential Credential Access via DCSync",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_replication_rights.toml"
},
{
"label": "Potential Active Directory Replication Account Backdoor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_user_backdoor.toml"
},
{
"label": "Creation or Modification of Domain Backup DPAPI private key",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml"
},
{
"label": "Credential Acquisition via Registry Hive Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dump_registry_hives.toml"
},
{
"label": "Full User-Mode Dumps Enabled System-Wide",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_generic_localdumps.toml"
},
{
"label": "Microsoft IIS Service Account Password Dumped",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml"
},
{
"label": "Microsoft IIS Connection Strings Decryption",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_iis_connectionstrings_dumping.toml"
},
{
"label": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml"
},
{
"label": "Kirbi File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kirbi_file.toml"
},
{
"label": "Access to a Sensitive LDAP Attribute",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_ldap_attributes.toml"
},
{
"label": "Suspicious LSASS Access via MalSecLogon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_handle_via_malseclogon.toml"
},
{
"label": "Suspicious Module Loaded by LSASS",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_loaded_susp_dll.toml"
},
{
"label": "LSASS Memory Dump Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_memdump_file_created.toml"
},
{
"label": "LSASS Memory Dump Handle Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_memdump_handle_access.toml"
},
{
"label": "LSASS Process Access via Windows API",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_openprocess_api.toml"
},
{
"label": "Mimikatz Memssp Log File Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_memssp_default_logs.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "Modification of WDigest Security Provider",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mod_wdigest_security_provider.toml"
},
{
"label": "Windows Registry File Creation in SMB Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_moving_registry_hive_via_smb.toml"
},
{
"label": "PowerShell Invoke-NinjaCopy script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_invoke_ninjacopy.toml"
},
{
"label": "PowerShell Kerberos Ticket Dump",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_kerb_ticket_dump.toml"
},
{
"label": "PowerShell MiniDump Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_minidump.toml"
},
{
"label": "PowerShell Script with Veeam Credential Access Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_veeam_sql.toml"
},
{
"label": "Potential Credential Access via DuplicateHandle in LSASS",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml"
},
{
"label": "Sensitive Registry Hive Access via RegBack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_regback_sam_security_hives.toml"
},
{
"label": "Potential Remote Credential Access via Registry",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_remote_sam_secretsdump.toml"
},
{
"label": "Multiple Vault Web Credentials Read",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_saved_creds_vault_winlog.toml"
},
{
"label": "Searching for Saved Credentials via VaultCmd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_saved_creds_vaultcmd.toml"
},
{
"label": "Potential Credential Access via Renamed COM+ Services DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_comsvcs_imageload.toml"
},
{
"label": "Suspicious Lsass Process Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_generic.toml"
},
{
"label": "Potential Credential Access via LSASS Memory Dump",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_memdump.toml"
},
{
"label": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml"
},
{
"label": "Suspicious Remote Registry Access via SeBackupPrivilege",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml"
},
{
"label": "Symbolic Link to Shadow Copy Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml"
},
{
"label": "Veeam Backup Library Loaded by Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_veeam_backup_dll_imageload.toml"
},
{
"label": "Potential Veeam Credential Access Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_veeam_commands.toml"
},
{
"label": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml"
},
{
"label": "NTDS Dump via Wbadmin",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wbadmin_ntds.toml"
},
{
"label": "Wireless Credential Dumping using Netsh Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wireless_creds_dumping.toml"
},
{
"label": "Disabling Lsa Protection via Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml"
},
{
"label": "Suspicious Execution via Windows Subsystem for Linux",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_wsl_bash_exec.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Potential Credential Access via Memory Dump File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_mdmp_file_creation.toml"
},
{
"label": "Memory Dump File with Unusual Extension",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_mdmp_file_unusual_extension.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1528",
"tactic": "credential-access",
"score": 22,
"metadata": [
{
"name": "Multi-Cloud CLI Token and Credential Access Commands",
"value": "esql/esql"
},
{
"name": "Potential Impersonation Attempt via Kubectl",
"value": "eql/eql"
},
{
"name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"value": "eql/eql"
},
{
"name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"value": "esql/esql"
},
{
"name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"value": "eql/eql"
},
{
"name": "Entra ID Concurrent Sign-in with Suspicious Properties",
"value": "esql/esql"
},
{
"name": "Entra ID Illicit Consent Grant via Registered Application",
"value": "esql/esql"
},
{
"name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource",
"value": "new_terms/kuery"
},
{
"name": "Entra ID OAuth Phishing via First-Party Microsoft Application",
"value": "query/kuery"
},
{
"name": "Entra ID User Sign-in with Unusual Client",
"value": "new_terms/kuery"
},
{
"name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)",
"value": "esql/esql"
},
{
"name": "Microsoft Graph Request User Impersonation by Unusual Client",
"value": "new_terms/kuery"
},
{
"name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected",
"value": "eql/eql"
},
{
"name": "Entra ID User Added as Registered Application Owner",
"value": "query/kuery"
},
{
"name": "New GitHub Personal Access Token (PAT) Added",
"value": "eql/eql"
},
{
"name": "M365 Identity OAuth Flow by User Sign-in to Device Registration",
"value": "eql/eql"
},
{
"name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs",
"value": "esql/esql"
},
{
"name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User",
"value": "new_terms/kuery"
},
{
"name": "M365 Identity Unusual SSO Authentication Errors for User",
"value": "new_terms/kuery"
},
{
"name": "GitHub Authentication Token Access via Node.js",
"value": "eql/eql"
},
{
"name": "Kubernetes and Cloud Credential Path Access via Process Arguments",
"value": "query/kuery"
},
{
"name": "Kubernetes Service Account Secret Access",
"value": "eql/eql"
}
],
"links": [
{
"label": "Multi-Cloud CLI Token and Credential Access Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_multi_cloud_cli_token_harvesting.toml"
},
{
"label": "Potential Impersonation Attempt via Kubectl",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml"
},
{
"label": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml"
},
{
"label": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml"
},
{
"label": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml"
},
{
"label": "Entra ID Concurrent Sign-in with Suspicious Properties",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml"
},
{
"label": "Entra ID Illicit Consent Grant via Registered Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml"
},
{
"label": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml"
},
{
"label": "Entra ID OAuth Phishing via First-Party Microsoft Application",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml"
},
{
"label": "Entra ID User Sign-in with Unusual Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml"
},
{
"label": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml"
},
{
"label": "Microsoft Graph Request User Impersonation by Unusual Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml"
},
{
"label": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml"
},
{
"label": "Entra ID User Added as Registered Application Owner",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml"
},
{
"label": "New GitHub Personal Access Token (PAT) Added",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/persistence_new_pat_created.toml"
},
{
"label": "M365 Identity OAuth Flow by User Sign-in to Device Registration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml"
},
{
"label": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml"
},
{
"label": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml"
},
{
"label": "M365 Identity Unusual SSO Authentication Errors for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml"
},
{
"label": "GitHub Authentication Token Access via Node.js",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gh_auth_via_nodejs.toml"
},
{
"label": "Kubernetes and Cloud Credential Path Access via Process Arguments",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_and_cloud_credential_paths_via_process_args.toml"
},
{
"label": "Kubernetes Service Account Secret Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_service_account_secret_access.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1555.006",
"tactic": "credential-access",
"score": 8,
"metadata": [
{
"name": "Multiple Cloud Secrets Accessed by Source Address",
"value": "esql/esql"
},
{
"name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"value": "new_terms/kuery"
},
{
"name": "AWS Secrets Manager Rapid Secrets Retrieval",
"value": "threshold/kuery"
},
{
"name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"value": "new_terms/kuery"
},
{
"name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"value": "esql/esql"
},
{
"name": "Azure Storage Account Keys Accessed by Privileged User",
"value": "new_terms/kuery"
},
{
"name": "Azure Key Vault Excessive Secret or Key Retrieved",
"value": "esql/esql"
},
{
"name": "Azure Key Vault Unusual Secret Key Usage",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Multiple Cloud Secrets Accessed by Source Address",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml"
},
{
"label": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml"
},
{
"label": "AWS Secrets Manager Rapid Secrets Retrieval",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml"
},
{
"label": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml"
},
{
"label": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml"
},
{
"label": "Azure Storage Account Keys Accessed by Privileged User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml"
},
{
"label": "Azure Key Vault Excessive Secret or Key Retrieved",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml"
},
{
"label": "Azure Key Vault Unusual Secret Key Usage",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1552.007",
"tactic": "credential-access",
"score": 12,
"metadata": [
{
"name": "Kubernetes Direct API Request via Curl or Wget",
"value": "eql/eql"
},
{
"name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"value": "eql/eql"
},
{
"name": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
"value": "new_terms/kuery"
},
{
"name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"value": "esql/esql"
},
{
"name": "Kubernetes Secret Access via Unusual User Agent",
"value": "new_terms/kuery"
},
{
"name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects",
"value": "esql/esql"
},
{
"name": "Kubernetes Pod Exec Sensitive File or Credential Path Access",
"value": "esql/esql"
},
{
"name": "Kubernetes Secret get or list with Suspicious User Agent",
"value": "query/kuery"
},
{
"name": "Kubernetes Secret get or list from Node or Pod Service Account",
"value": "query/kuery"
},
{
"name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"value": "query/kuery"
},
{
"name": "Kubernetes Service Account Token Created via TokenRequest API",
"value": "query/kuery"
},
{
"name": "Sensitive Identity File Open by Suspicious Process via Auditd",
"value": "query/kuery"
}
],
"links": [
{
"label": "Kubernetes Direct API Request via Curl or Wget",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml"
},
{
"label": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml"
},
{
"label": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml"
},
{
"label": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml"
},
{
"label": "Kubernetes Secret Access via Unusual User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_get_secrets_access.toml"
},
{
"label": "Kubernetes Rapid Secret GET Activity Against Multiple Objects",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_multiple_secret_retrieval_burst.toml"
},
{
"label": "Kubernetes Pod Exec Sensitive File or Credential Path Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_pod_exec_sensitive_file_access.toml"
},
{
"label": "Kubernetes Secret get or list with Suspicious User Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secret_access_scripting_http_clients.toml"
},
{
"label": "Kubernetes Secret get or list from Node or Pod Service Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml"
},
{
"label": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml"
},
{
"label": "Kubernetes Service Account Token Created via TokenRequest API",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_service_account_token_created_via_tokenrequest.toml"
},
{
"label": "Sensitive Identity File Open by Suspicious Process via Auditd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.008",
"tactic": "credential-access",
"score": 10,
"metadata": [
{
"name": "Web Server Potential Command Injection Request",
"value": "esql/esql"
},
{
"name": "Potential Linux Credential Dumping via Unshadow",
"value": "eql/eql"
},
{
"name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"value": "eql/eql"
},
{
"name": "Potential Suspicious File Edit",
"value": "eql/eql"
},
{
"name": "Potential Unauthorized Access via Wildcard Injection Detected",
"value": "eql/eql"
},
{
"name": "Potential Privilege Escalation via Linux DAC permissions",
"value": "new_terms/kuery"
},
{
"name": "Suspicious Symbolic Link Created",
"value": "eql/eql"
},
{
"name": "Potential Shadow File Read via Command Line Utilities",
"value": "new_terms/kuery"
},
{
"name": "Dumping Account Hashes via Built-In Commands",
"value": "eql/eql"
},
{
"name": "Suspicious Execution via Windows Subsystem for Linux",
"value": "eql/eql"
}
],
"links": [
{
"label": "Web Server Potential Command Injection Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_command_injection.toml"
},
{
"label": "Potential Linux Credential Dumping via Unshadow",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_credential_dumping.toml"
},
{
"label": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml"
},
{
"label": "Potential Suspicious File Edit",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_file_opened_through_editor.toml"
},
{
"label": "Potential Unauthorized Access via Wildcard Injection Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml"
},
{
"label": "Potential Privilege Escalation via Linux DAC permissions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_dac_permissions.toml"
},
{
"label": "Suspicious Symbolic Link Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml"
},
{
"label": "Potential Shadow File Read via Command Line Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_shadow_file_read.toml"
},
{
"label": "Dumping Account Hashes via Built-In Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_dumping_hashes_bi_cmds.toml"
},
{
"label": "Suspicious Execution via Windows Subsystem for Linux",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_wsl_bash_exec.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1110",
"tactic": "credential-access",
"score": 39,
"metadata": [
{
"name": "Web Server Suspicious User Agent Requests",
"value": "esql/esql"
},
{
"name": "AWS Management Console Brute Force of Root User Identity",
"value": "threshold/kuery"
},
{
"name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"value": "threshold/kuery"
},
{
"name": "Entra ID User Sign-in Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "Entra ID Excessive Account Lockouts Detected",
"value": "threshold/kuery"
},
{
"name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"value": "esql/esql"
},
{
"name": "Entra ID MFA TOTP Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Entra ID Protection - Risk Detection - Sign-in Risk",
"value": "query/kuery"
},
{
"name": "Entra ID Protection - Risk Detection - User Risk",
"value": "query/kuery"
},
{
"name": "Entra ID User Sign-in with Unusual Authentication Type",
"value": "new_terms/kuery"
},
{
"name": "M365 Identity User Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "M365 Identity User Account Lockouts",
"value": "esql/esql"
},
{
"name": "Attempts to Brute Force an Okta User Account",
"value": "threshold/kuery"
},
{
"name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"value": "threshold/kuery"
},
{
"name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"value": "esql/esql"
},
{
"name": "Potential Okta Brute Force (Device Token Rotation)",
"value": "esql/esql"
},
{
"name": "Potential Okta Brute Force (Multi-Source)",
"value": "esql/esql"
},
{
"name": "Potential Okta Credential Stuffing (Single Source)",
"value": "esql/esql"
},
{
"name": "Potential Okta Password Spray (Multi-Source)",
"value": "esql/esql"
},
{
"name": "Potential Okta Password Spray (Single Source)",
"value": "esql/esql"
},
{
"name": "Okta Successful Login After Credential Attack",
"value": "esql/esql"
},
{
"name": "Potential Linux Local Account Brute Force Detected",
"value": "esql/esql"
},
{
"name": "Potential External Linux SSH Brute Force Detected",
"value": "eql/eql"
},
{
"name": "Potential Internal Linux SSH Brute Force Detected",
"value": "eql/eql"
},
{
"name": "Potential Password Spraying Attack via SSH",
"value": "esql/esql"
},
{
"name": "Potential Successful SSH Brute Force Attack",
"value": "eql/eql"
},
{
"name": "Potential Linux Hack Tool Launched",
"value": "eql/eql"
},
{
"name": "Potential Malware-Driven SSH Brute Force Attempt",
"value": "esql/esql"
},
{
"name": "Potential macOS SSH Brute Force Detected",
"value": "threshold/kuery"
},
{
"name": "Spike in Failed Logon Events",
"value": "machine_learning/None"
},
{
"name": "Spike in Logon Events",
"value": "machine_learning/None"
},
{
"name": "Spike in Successful Logon Events from a Source IP",
"value": "machine_learning/None"
},
{
"name": "Unusual Login Activity",
"value": "machine_learning/None"
},
{
"name": "Privileged Accounts Brute Force",
"value": "esql/esql"
},
{
"name": "Multiple Logon Failure Followed by Logon Success",
"value": "eql/eql"
},
{
"name": "Multiple Logon Failure from the same Source Address",
"value": "esql/esql"
},
{
"name": "M365 Entra ID Risk Detection Signal",
"value": "query/kuery"
},
{
"name": "Okta Admin Console Login Failure",
"value": "query/kuery"
}
],
"links": [
{
"label": "Web Server Suspicious User Agent Requests",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml"
},
{
"label": "AWS Management Console Brute Force of Root User Identity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml"
},
{
"label": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml"
},
{
"label": "Entra ID User Sign-in Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml"
},
{
"label": "Entra ID Excessive Account Lockouts Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml"
},
{
"label": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml"
},
{
"label": "Entra ID MFA TOTP Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Entra ID Protection - Risk Detection - Sign-in Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml"
},
{
"label": "Entra ID Protection - Risk Detection - User Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml"
},
{
"label": "Entra ID User Sign-in with Unusual Authentication Type",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml"
},
{
"label": "M365 Identity User Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml"
},
{
"label": "M365 Identity User Account Lockouts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml"
},
{
"label": "Attempts to Brute Force an Okta User Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml"
},
{
"label": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml"
},
{
"label": "Multiple Okta User Authentication Events with Same Device Token Hash",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml"
},
{
"label": "Potential Okta Brute Force (Device Token Rotation)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml"
},
{
"label": "Potential Okta Brute Force (Multi-Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_brute_force_multi_source.toml"
},
{
"label": "Potential Okta Credential Stuffing (Single Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_credential_stuffing_single_source.toml"
},
{
"label": "Potential Okta Password Spray (Multi-Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_password_spray_multi_source.toml"
},
{
"label": "Potential Okta Password Spray (Single Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_password_spray_single_source.toml"
},
{
"label": "Okta Successful Login After Credential Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml"
},
{
"label": "Potential Linux Local Account Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml"
},
{
"label": "Potential External Linux SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml"
},
{
"label": "Potential Internal Linux SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml"
},
{
"label": "Potential Password Spraying Attack via SSH",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_password_spraying_attack.toml"
},
{
"label": "Potential Successful SSH Brute Force Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml"
},
{
"label": "Potential Linux Hack Tool Launched",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_potential_hack_tool_executed.toml"
},
{
"label": "Potential Malware-Driven SSH Brute Force Attempt",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/impact_potential_bruteforce_malware_infection.toml"
},
{
"label": "Potential macOS SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml"
},
{
"label": "Spike in Failed Logon Events",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml"
},
{
"label": "Spike in Logon Events",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml"
},
{
"label": "Spike in Successful Logon Events from a Source IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml"
},
{
"label": "Unusual Login Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_suspicious_login_activity.toml"
},
{
"label": "Privileged Accounts Brute Force",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_admin_account.toml"
},
{
"label": "Multiple Logon Failure Followed by Logon Success",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml"
},
{
"label": "Multiple Logon Failure from the same Source Address",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml"
},
{
"label": "M365 Entra ID Risk Detection Signal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_entra_id_risk_detection_signal.toml"
},
{
"label": "Okta Admin Console Login Failure",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/initial_access_okta_admin_console_login_failure.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1552.005",
"tactic": "credential-access",
"score": 11,
"metadata": [
{
"name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 User Data Retrieval for EC2 Instance",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 Instance Console Login via Assumed Role",
"value": "eql/eql"
},
{
"name": "Azure Storage Account Key Regenerated",
"value": "query/kuery"
},
{
"name": "Azure Event Hub Authorization Rule Created or Updated",
"value": "query/kuery"
},
{
"name": "Kubernetes Pod Exec Cloud Instance Metadata Access",
"value": "esql/esql"
},
{
"name": "Unusual Instance Metadata Service (IMDS) API Request",
"value": "eql/eql"
},
{
"name": "Unusual Linux Process Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "Unusual Linux User Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows Process Calling the Metadata Service",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows User Calling the Metadata Service",
"value": "machine_learning/None"
}
],
"links": [
{
"label": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml"
},
{
"label": "AWS EC2 User Data Retrieval for EC2 Instance",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml"
},
{
"label": "AWS EC2 Instance Console Login via Assumed Role",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml"
},
{
"label": "Azure Storage Account Key Regenerated",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml"
},
{
"label": "Azure Event Hub Authorization Rule Created or Updated",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_event_hub_created_or_updated.toml"
},
{
"label": "Kubernetes Pod Exec Cloud Instance Metadata Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_pod_exec_cloud_instance_metadata.toml"
},
{
"label": "Unusual Instance Metadata Service (IMDS) API Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml"
},
{
"label": "Unusual Linux Process Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml"
},
{
"label": "Unusual Linux User Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml"
},
{
"label": "Unusual Windows Process Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml"
},
{
"label": "Unusual Windows User Calling the Metadata Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1110.001",
"tactic": "credential-access",
"score": 21,
"metadata": [
{
"name": "AWS Management Console Brute Force of Root User Identity",
"value": "threshold/kuery"
},
{
"name": "Entra ID User Sign-in Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "Entra ID Excessive Account Lockouts Detected",
"value": "threshold/kuery"
},
{
"name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"value": "esql/esql"
},
{
"name": "Entra ID MFA TOTP Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "M365 Identity User Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "M365 Identity User Account Lockouts",
"value": "esql/esql"
},
{
"name": "Attempts to Brute Force an Okta User Account",
"value": "threshold/kuery"
},
{
"name": "Potential Okta Brute Force (Device Token Rotation)",
"value": "esql/esql"
},
{
"name": "Potential Okta Brute Force (Multi-Source)",
"value": "esql/esql"
},
{
"name": "Okta Successful Login After Credential Attack",
"value": "esql/esql"
},
{
"name": "Potential Linux Local Account Brute Force Detected",
"value": "esql/esql"
},
{
"name": "Potential External Linux SSH Brute Force Detected",
"value": "eql/eql"
},
{
"name": "Potential Internal Linux SSH Brute Force Detected",
"value": "eql/eql"
},
{
"name": "Potential Password Spraying Attack via SSH",
"value": "esql/esql"
},
{
"name": "Potential Successful SSH Brute Force Attack",
"value": "eql/eql"
},
{
"name": "Potential Linux Hack Tool Launched",
"value": "eql/eql"
},
{
"name": "Spike in Failed Logon Events",
"value": "machine_learning/None"
},
{
"name": "Privileged Accounts Brute Force",
"value": "esql/esql"
},
{
"name": "Multiple Logon Failure Followed by Logon Success",
"value": "eql/eql"
},
{
"name": "Multiple Logon Failure from the same Source Address",
"value": "esql/esql"
}
],
"links": [
{
"label": "AWS Management Console Brute Force of Root User Identity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml"
},
{
"label": "Entra ID User Sign-in Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml"
},
{
"label": "Entra ID Excessive Account Lockouts Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml"
},
{
"label": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml"
},
{
"label": "Entra ID MFA TOTP Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml"
},
{
"label": "M365 Identity User Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml"
},
{
"label": "M365 Identity User Account Lockouts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml"
},
{
"label": "Attempts to Brute Force an Okta User Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml"
},
{
"label": "Potential Okta Brute Force (Device Token Rotation)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml"
},
{
"label": "Potential Okta Brute Force (Multi-Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_brute_force_multi_source.toml"
},
{
"label": "Okta Successful Login After Credential Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml"
},
{
"label": "Potential Linux Local Account Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml"
},
{
"label": "Potential External Linux SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml"
},
{
"label": "Potential Internal Linux SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml"
},
{
"label": "Potential Password Spraying Attack via SSH",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_password_spraying_attack.toml"
},
{
"label": "Potential Successful SSH Brute Force Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml"
},
{
"label": "Potential Linux Hack Tool Launched",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_potential_hack_tool_executed.toml"
},
{
"label": "Spike in Failed Logon Events",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml"
},
{
"label": "Privileged Accounts Brute Force",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_admin_account.toml"
},
{
"label": "Multiple Logon Failure Followed by Logon Success",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml"
},
{
"label": "Multiple Logon Failure from the same Source Address",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1040",
"tactic": "credential-access",
"score": 4,
"metadata": [
{
"name": "AWS EC2 Full Network Packet Capture Detected",
"value": "query/kuery"
},
{
"name": "Azure VNet Full Network Packet Capture Enabled",
"value": "query/kuery"
},
{
"name": "Suspicious Network Tool Launch Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Network Tool Launched Inside A Container",
"value": "eql/eql"
}
],
"links": [
{
"label": "AWS EC2 Full Network Packet Capture Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml"
},
{
"label": "Azure VNet Full Network Packet Capture Enabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml"
},
{
"label": "Suspicious Network Tool Launch Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml"
},
{
"label": "Suspicious Network Tool Launched Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1552.004",
"tactic": "credential-access",
"score": 10,
"metadata": [
{
"name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization",
"value": "new_terms/kuery"
},
{
"name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Kubelet Certificate File Access Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"value": "eql/eql"
},
{
"name": "Private Key Searching Activity",
"value": "eql/eql"
},
{
"name": "Potential Privilege Escalation via Linux DAC permissions",
"value": "new_terms/kuery"
},
{
"name": "Creation or Modification of Domain Backup DPAPI private key",
"value": "eql/eql"
},
{
"name": "Access to a Sensitive LDAP Attribute",
"value": "eql/eql"
},
{
"name": "Suspicious CertUtil Commands",
"value": "eql/eql"
},
{
"name": "Attempted Private Key Access",
"value": "eql/eql"
}
],
"links": [
{
"label": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_new_terms_ec2_create_keypair_unusual_source_as.toml"
},
{
"label": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml"
},
{
"label": "Kubelet Certificate File Access Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml"
},
{
"label": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml"
},
{
"label": "Private Key Searching Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_private_key_password_searching_activity.toml"
},
{
"label": "Potential Privilege Escalation via Linux DAC permissions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_dac_permissions.toml"
},
{
"label": "Creation or Modification of Domain Backup DPAPI private key",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml"
},
{
"label": "Access to a Sensitive LDAP Attribute",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_ldap_attributes.toml"
},
{
"label": "Suspicious CertUtil Commands",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_suspicious_certutil_commands.toml"
},
{
"label": "Attempted Private Key Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_win_private_key_access.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1110.003",
"tactic": "credential-access",
"score": 26,
"metadata": [
{
"name": "Entra ID User Sign-in Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "Entra ID Excessive Account Lockouts Detected",
"value": "threshold/kuery"
},
{
"name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"value": "esql/esql"
},
{
"name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"value": "query/kuery"
},
{
"name": "Entra ID Protection - Risk Detection - Sign-in Risk",
"value": "query/kuery"
},
{
"name": "Entra ID Protection - Risk Detection - User Risk",
"value": "query/kuery"
},
{
"name": "Entra ID User Sign-in with Unusual Authentication Type",
"value": "new_terms/kuery"
},
{
"name": "M365 Identity User Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "M365 Identity User Account Lockouts",
"value": "esql/esql"
},
{
"name": "Attempts to Brute Force an Okta User Account",
"value": "threshold/kuery"
},
{
"name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"value": "threshold/kuery"
},
{
"name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"value": "esql/esql"
},
{
"name": "Potential Okta Password Spray (Multi-Source)",
"value": "esql/esql"
},
{
"name": "Potential Okta Password Spray (Single Source)",
"value": "esql/esql"
},
{
"name": "Okta Successful Login After Credential Attack",
"value": "esql/esql"
},
{
"name": "Potential External Linux SSH Brute Force Detected",
"value": "eql/eql"
},
{
"name": "Potential Internal Linux SSH Brute Force Detected",
"value": "eql/eql"
},
{
"name": "Potential Password Spraying Attack via SSH",
"value": "esql/esql"
},
{
"name": "Potential Successful SSH Brute Force Attack",
"value": "eql/eql"
},
{
"name": "Spike in Failed Logon Events",
"value": "machine_learning/None"
},
{
"name": "Spike in Logon Events",
"value": "machine_learning/None"
},
{
"name": "Spike in Successful Logon Events from a Source IP",
"value": "machine_learning/None"
},
{
"name": "Privileged Accounts Brute Force",
"value": "esql/esql"
},
{
"name": "Multiple Logon Failure Followed by Logon Success",
"value": "eql/eql"
},
{
"name": "Multiple Logon Failure from the same Source Address",
"value": "esql/esql"
},
{
"name": "M365 Entra ID Risk Detection Signal",
"value": "query/kuery"
}
],
"links": [
{
"label": "Entra ID User Sign-in Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml"
},
{
"label": "Entra ID Excessive Account Lockouts Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml"
},
{
"label": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml"
},
{
"label": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml"
},
{
"label": "Entra ID Protection - Risk Detection - Sign-in Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml"
},
{
"label": "Entra ID Protection - Risk Detection - User Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml"
},
{
"label": "Entra ID User Sign-in with Unusual Authentication Type",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml"
},
{
"label": "M365 Identity User Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml"
},
{
"label": "M365 Identity User Account Lockouts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml"
},
{
"label": "Attempts to Brute Force an Okta User Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml"
},
{
"label": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml"
},
{
"label": "Multiple Okta User Authentication Events with Same Device Token Hash",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml"
},
{
"label": "Potential Okta Password Spray (Multi-Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_password_spray_multi_source.toml"
},
{
"label": "Potential Okta Password Spray (Single Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_password_spray_single_source.toml"
},
{
"label": "Okta Successful Login After Credential Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml"
},
{
"label": "Potential External Linux SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml"
},
{
"label": "Potential Internal Linux SSH Brute Force Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml"
},
{
"label": "Potential Password Spraying Attack via SSH",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_password_spraying_attack.toml"
},
{
"label": "Potential Successful SSH Brute Force Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml"
},
{
"label": "Spike in Failed Logon Events",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml"
},
{
"label": "Spike in Logon Events",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml"
},
{
"label": "Spike in Successful Logon Events from a Source IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml"
},
{
"label": "Privileged Accounts Brute Force",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_admin_account.toml"
},
{
"label": "Multiple Logon Failure Followed by Logon Success",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml"
},
{
"label": "Multiple Logon Failure from the same Source Address",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml"
},
{
"label": "M365 Entra ID Risk Detection Signal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_entra_id_risk_detection_signal.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1110.004",
"tactic": "credential-access",
"score": 9,
"metadata": [
{
"name": "Entra ID User Sign-in Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "Entra ID Excessive Account Lockouts Detected",
"value": "threshold/kuery"
},
{
"name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"value": "esql/esql"
},
{
"name": "M365 Identity User Brute Force Attempted",
"value": "esql/esql"
},
{
"name": "M365 Identity User Account Lockouts",
"value": "esql/esql"
},
{
"name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"value": "threshold/kuery"
},
{
"name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"value": "esql/esql"
},
{
"name": "Potential Okta Credential Stuffing (Single Source)",
"value": "esql/esql"
},
{
"name": "Okta Successful Login After Credential Attack",
"value": "esql/esql"
}
],
"links": [
{
"label": "Entra ID User Sign-in Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml"
},
{
"label": "Entra ID Excessive Account Lockouts Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml"
},
{
"label": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml"
},
{
"label": "M365 Identity User Brute Force Attempted",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml"
},
{
"label": "M365 Identity User Account Lockouts",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml"
},
{
"label": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml"
},
{
"label": "Multiple Okta User Authentication Events with Same Device Token Hash",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml"
},
{
"label": "Potential Okta Credential Stuffing (Single Source)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_credential_stuffing_single_source.toml"
},
{
"label": "Okta Successful Login After Credential Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "credential-access",
"score": 23,
"metadata": [
{
"name": "Entra ID Protection - Risk Detection - Sign-in Risk",
"value": "query/kuery"
},
{
"name": "Entra ID Protection - Risk Detection - User Risk",
"value": "query/kuery"
},
{
"name": "Entra ID MFA Disabled for User",
"value": "query/kuery"
},
{
"name": "Potential Persistence via File Modification",
"value": "eql/eql"
},
{
"name": "Google Workspace MFA Enforcement Disabled",
"value": "query/kuery"
},
{
"name": "Google Workspace 2SV Policy Disabled",
"value": "query/kuery"
},
{
"name": "Attempt to Delete an Okta Policy",
"value": "query/kuery"
},
{
"name": "Potential OpenSSH Backdoor Logging Activity",
"value": "eql/eql"
},
{
"name": "Potential SSH Password Grabbing via strace",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Version Discovery",
"value": "eql/eql"
},
{
"name": "Renaming of OpenSSH Binaries",
"value": "query/kuery"
},
{
"name": "Pluggable Authentication Module or Configuration Creation",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"value": "eql/eql"
},
{
"name": "Potential Backdoor Execution Through PAM_EXEC",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Source Download",
"value": "eql/eql"
},
{
"name": "Polkit Policy Creation",
"value": "eql/eql"
},
{
"name": "Potential Execution via SSH Backdoor",
"value": "eql/eql"
},
{
"name": "Authentication via Unusual PAM Grantor",
"value": "new_terms/kuery"
},
{
"name": "Authorization Plugin Modification",
"value": "eql/eql"
},
{
"name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"value": "eql/eql"
},
{
"name": "Mimikatz Memssp Log File Detected",
"value": "eql/eql"
},
{
"name": "Network Logon Provider Registry Modification",
"value": "eql/eql"
},
{
"name": "Potential Shadow Credentials added to AD Object",
"value": "query/kuery"
}
],
"links": [
{
"label": "Entra ID Protection - Risk Detection - Sign-in Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml"
},
{
"label": "Entra ID Protection - Risk Detection - User Risk",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml"
},
{
"label": "Entra ID MFA Disabled for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml"
},
{
"label": "Potential Persistence via File Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/fim/persistence_suspicious_file_modifications.toml"
},
{
"label": "Google Workspace MFA Enforcement Disabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml"
},
{
"label": "Google Workspace 2SV Policy Disabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml"
},
{
"label": "Attempt to Delete an Okta Policy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml"
},
{
"label": "Potential OpenSSH Backdoor Logging Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml"
},
{
"label": "Potential SSH Password Grabbing via strace",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Version Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_pam_version_discovery.toml"
},
{
"label": "Renaming of OpenSSH Binaries",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_credential_access_modify_ssh_binaries.toml"
},
{
"label": "Pluggable Authentication Module or Configuration Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_creation.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml"
},
{
"label": "Potential Backdoor Execution Through PAM_EXEC",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Source Download",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_source_download.toml"
},
{
"label": "Polkit Policy Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_polkit_policy_creation.toml"
},
{
"label": "Potential Execution via SSH Backdoor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml"
},
{
"label": "Authentication via Unusual PAM Grantor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unusual_pam_grantor.toml"
},
{
"label": "Authorization Plugin Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_credential_access_authorization_plugin_creation.toml"
},
{
"label": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml"
},
{
"label": "Mimikatz Memssp Log File Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_memssp_default_logs.toml"
},
{
"label": "Network Logon Provider Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_persistence_network_logon_provider_modification.toml"
},
{
"label": "Potential Shadow Credentials added to AD Object",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_shadow_credentials.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1621",
"tactic": "credential-access",
"score": 3,
"metadata": [
{
"name": "Entra ID User Reported Suspicious Activity",
"value": "query/kuery"
},
{
"name": "Potential Okta MFA Bombing via Push Notifications",
"value": "eql/eql"
},
{
"name": "Potentially Successful Okta MFA Bombing via Push Notifications",
"value": "eql/eql"
}
],
"links": [
{
"label": "Entra ID User Reported Suspicious Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml"
},
{
"label": "Potential Okta MFA Bombing via Push Notifications",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml"
},
{
"label": "Potentially Successful Okta MFA Bombing via Push Notifications",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1556.006",
"tactic": "credential-access",
"score": 3,
"metadata": [
{
"name": "Entra ID MFA Disabled for User",
"value": "query/kuery"
},
{
"name": "Google Workspace MFA Enforcement Disabled",
"value": "query/kuery"
},
{
"name": "Attempt to Delete an Okta Policy",
"value": "query/kuery"
}
],
"links": [
{
"label": "Entra ID MFA Disabled for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml"
},
{
"label": "Google Workspace MFA Enforcement Disabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml"
},
{
"label": "Attempt to Delete an Okta Policy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1606",
"tactic": "credential-access",
"score": 2,
"metadata": [
{
"name": "M365 Identity Unusual SSO Authentication Errors for User",
"value": "new_terms/kuery"
},
{
"name": "FortiGate FortiCloud SSO Login from Unusual Source",
"value": "esql/esql"
}
],
"links": [
{
"label": "M365 Identity Unusual SSO Authentication Errors for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml"
},
{
"label": "FortiGate FortiCloud SSO Login from Unusual Source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1606.002",
"tactic": "credential-access",
"score": 2,
"metadata": [
{
"name": "M365 Identity Unusual SSO Authentication Errors for User",
"value": "new_terms/kuery"
},
{
"name": "FortiGate FortiCloud SSO Login from Unusual Source",
"value": "esql/esql"
}
],
"links": [
{
"label": "M365 Identity Unusual SSO Authentication Errors for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml"
},
{
"label": "FortiGate FortiCloud SSO Login from Unusual Source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1111",
"tactic": "credential-access",
"score": 1,
"metadata": [
{
"name": "Attempted Bypass of Okta MFA",
"value": "query/kuery"
}
],
"links": [
{
"label": "Attempted Bypass of Okta MFA",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.007",
"tactic": "credential-access",
"score": 5,
"metadata": [
{
"name": "Linux init (PID 1) Secret Dump via GDB",
"value": "eql/eql"
},
{
"name": "Linux Process Hooking via GDB",
"value": "eql/eql"
},
{
"name": "Manual Memory Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Potential Linux Credential Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Suspicious /proc/maps Discovery",
"value": "eql/eql"
}
],
"links": [
{
"label": "Linux init (PID 1) Secret Dump via GDB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gdb_init_process_hooking.toml"
},
{
"label": "Linux Process Hooking via GDB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gdb_process_hooking.toml"
},
{
"label": "Manual Memory Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_manual_memory_dumping.toml"
},
{
"label": "Potential Linux Credential Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_proc_credential_dumping.toml"
},
{
"label": "Suspicious /proc/maps Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_proc_maps_read.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1212",
"tactic": "credential-access",
"score": 3,
"metadata": [
{
"name": "Manual Memory Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Potential Linux Credential Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Potential Local NTLM Relay via HTTP",
"value": "eql/eql"
}
],
"links": [
{
"label": "Manual Memory Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_manual_memory_dumping.toml"
},
{
"label": "Potential Linux Credential Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_proc_credential_dumping.toml"
},
{
"label": "Potential Local NTLM Relay via HTTP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1056",
"tactic": "credential-access",
"score": 4,
"metadata": [
{
"name": "Potential SSH Password Grabbing via strace",
"value": "eql/eql"
},
{
"name": "Potential Sudo Hijacking",
"value": "eql/eql"
},
{
"name": "Suspicious pbpaste High Volume Activity",
"value": "eql/eql"
},
{
"name": "Prompt for Credentials with Osascript",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential SSH Password Grabbing via strace",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml"
},
{
"label": "Potential Sudo Hijacking",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_sudo_hijacking.toml"
},
{
"label": "Suspicious pbpaste High Volume Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_high_volume_of_pbpaste.toml"
},
{
"label": "Prompt for Credentials with Osascript",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_promt_for_pwd_via_osascript.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1110.002",
"tactic": "credential-access",
"score": 1,
"metadata": [
{
"name": "Potential Linux Hack Tool Launched",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Linux Hack Tool Launched",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_potential_hack_tool_executed.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1556.003",
"tactic": "credential-access",
"score": 4,
"metadata": [
{
"name": "Pluggable Authentication Module or Configuration Creation",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Source Download",
"value": "eql/eql"
},
{
"name": "Authentication via Unusual PAM Grantor",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Pluggable Authentication Module or Configuration Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_creation.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Source Download",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_source_download.toml"
},
{
"label": "Authentication via Unusual PAM Grantor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unusual_pam_grantor.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1555.001",
"tactic": "credential-access",
"score": 5,
"metadata": [
{
"name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
"value": "eql/eql"
},
{
"name": "Dumping of Keychain Content via Security Command",
"value": "eql/eql"
},
{
"name": "Keychain Password Retrieval via Command Line",
"value": "eql/eql"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "SystemKey Access via Command Line",
"value": "eql/eql"
}
],
"links": [
{
"label": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_credentials_keychains.toml"
},
{
"label": "Dumping of Keychain Content via Security Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_dumping_keychain_security.toml"
},
{
"label": "Keychain Password Retrieval via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "SystemKey Access via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_systemkey_dumping.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1558",
"tactic": "credential-access",
"score": 15,
"metadata": [
{
"name": "Kerberos Cached Credentials Dumping",
"value": "eql/eql"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "Potential Kerberos Attack via Bifrost",
"value": "eql/eql"
},
{
"name": "Kerberos Pre-authentication Disabled for User",
"value": "eql/eql"
},
{
"name": "Kerberos Traffic from Unusual Process",
"value": "eql/eql"
},
{
"name": "Kirbi File Creation",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "PowerShell Kerberos Ticket Dump",
"value": "query/kuery"
},
{
"name": "PowerShell Kerberos Ticket Request",
"value": "query/kuery"
},
{
"name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal",
"value": "query/kuery"
},
{
"name": "User account exposed to Kerberoasting",
"value": "query/kuery"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Suspicious Kerberos Authentication Ticket Request",
"value": "eql/eql"
},
{
"name": "KRBTGT Delegation Backdoor",
"value": "eql/eql"
},
{
"name": "Service Creation via Local Kerberos Authentication",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kerberos Cached Credentials Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_kerberosdump_kcc.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "Potential Kerberos Attack via Bifrost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml"
},
{
"label": "Kerberos Pre-authentication Disabled for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_disable_kerberos_preauth.toml"
},
{
"label": "Kerberos Traffic from Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberoasting_unusual_process.toml"
},
{
"label": "Kirbi File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kirbi_file.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "PowerShell Kerberos Ticket Dump",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_kerb_ticket_dump.toml"
},
{
"label": "PowerShell Kerberos Ticket Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_request_ticket.toml"
},
{
"label": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml"
},
{
"label": "User account exposed to Kerberoasting",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_spn_attribute_modified.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Suspicious Kerberos Authentication Ticket Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml"
},
{
"label": "KRBTGT Delegation Backdoor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml"
},
{
"label": "Service Creation via Local Kerberos Authentication",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_krbrelayup_service_creation.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1558.003",
"tactic": "credential-access",
"score": 7,
"metadata": [
{
"name": "Kerberos Cached Credentials Dumping",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Attack via Bifrost",
"value": "eql/eql"
},
{
"name": "Kerberos Traffic from Unusual Process",
"value": "eql/eql"
},
{
"name": "PowerShell Kerberos Ticket Request",
"value": "query/kuery"
},
{
"name": "User account exposed to Kerberoasting",
"value": "query/kuery"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Suspicious Kerberos Authentication Ticket Request",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kerberos Cached Credentials Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_kerberosdump_kcc.toml"
},
{
"label": "Potential Kerberos Attack via Bifrost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml"
},
{
"label": "Kerberos Traffic from Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberoasting_unusual_process.toml"
},
{
"label": "PowerShell Kerberos Ticket Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_request_ticket.toml"
},
{
"label": "User account exposed to Kerberoasting",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_spn_attribute_modified.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Suspicious Kerberos Authentication Ticket Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1558.005",
"tactic": "credential-access",
"score": 3,
"metadata": [
{
"name": "Kerberos Cached Credentials Dumping",
"value": "eql/eql"
},
{
"name": "First Time Python Accessed Sensitive Credential Files",
"value": "new_terms/kuery"
},
{
"name": "Potential Kerberos Attack via Bifrost",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kerberos Cached Credentials Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_kerberosdump_kcc.toml"
},
{
"label": "First Time Python Accessed Sensitive Credential Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml"
},
{
"label": "Potential Kerberos Attack via Bifrost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1555.003",
"tactic": "credential-access",
"score": 3,
"metadata": [
{
"name": "Keychain Password Retrieval via Command Line",
"value": "eql/eql"
},
{
"name": "Suspicious Web Browser Sensitive File Access",
"value": "eql/eql"
},
{
"name": "Browser Process Spawned from an Unusual Parent",
"value": "eql/eql"
}
],
"links": [
{
"label": "Keychain Password Retrieval via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml"
},
{
"label": "Suspicious Web Browser Sensitive File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml"
},
{
"label": "Browser Process Spawned from an Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_browsers_unusual_parent.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1557",
"tactic": "credential-access",
"score": 14,
"metadata": [
{
"name": "WebProxy Settings Modification",
"value": "eql/eql"
},
{
"name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"value": "eql/eql"
},
{
"name": "Potential WPAD Spoofing via DNS Record Creation",
"value": "eql/eql"
},
{
"name": "Creation of a DNS-Named Record",
"value": "eql/eql"
},
{
"name": "Potential Computer Account NTLM Relay Activity",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Relay Attack against a Computer Account",
"value": "eql/eql"
},
{
"name": "Potential NTLM Relay Attack against a Computer Account",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"value": "query/kuery"
},
{
"name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"value": "eql/eql"
},
{
"name": "Potential Machine Account Relay Attack via SMB",
"value": "eql/eql"
},
{
"name": "Potential PowerShell Pass-the-Hash/Relay Script",
"value": "query/kuery"
},
{
"name": "Potential Local NTLM Relay via HTTP",
"value": "eql/eql"
},
{
"name": "DNS Global Query Block List Modified or Disabled",
"value": "eql/eql"
},
{
"name": "Service Creation via Local Kerberos Authentication",
"value": "eql/eql"
}
],
"links": [
{
"label": "WebProxy Settings Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_mitm_localhost_webproxy.toml"
},
{
"label": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_adidns_wildcard.toml"
},
{
"label": "Potential WPAD Spoofing via DNS Record Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_adidns_wpad_record.toml"
},
{
"label": "Creation of a DNS-Named Record",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dnsnode_creation.toml"
},
{
"label": "Potential Computer Account NTLM Relay Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay.toml"
},
{
"label": "Potential Kerberos Relay Attack against a Computer Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay_kerberos.toml"
},
{
"label": "Potential NTLM Relay Attack against a Computer Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay_ntlm.toml"
},
{
"label": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberos_coerce.toml"
},
{
"label": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberos_coerce_dns.toml"
},
{
"label": "Potential Machine Account Relay Attack via SMB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_machine_account_smb_relay.toml"
},
{
"label": "Potential PowerShell Pass-the-Hash/Relay Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_relay_tools.toml"
},
{
"label": "Potential Local NTLM Relay via HTTP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml"
},
{
"label": "DNS Global Query Block List Modified or Disabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml"
},
{
"label": "Service Creation via Local Kerberos Authentication",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_krbrelayup_service_creation.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1056.002",
"tactic": "credential-access",
"score": 1,
"metadata": [
{
"name": "Prompt for Credentials with Osascript",
"value": "eql/eql"
}
],
"links": [
{
"label": "Prompt for Credentials with Osascript",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_promt_for_pwd_via_osascript.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.001",
"tactic": "credential-access",
"score": 23,
"metadata": [
{
"name": "Credential Dumping - Detected - Elastic Endgame",
"value": "query/kuery"
},
{
"name": "Credential Dumping - Prevented - Elastic Endgame",
"value": "query/kuery"
},
{
"name": "Potential Credential Access via Windows Utilities",
"value": "eql/eql"
},
{
"name": "Full User-Mode Dumps Enabled System-Wide",
"value": "eql/eql"
},
{
"name": "Suspicious LSASS Access via MalSecLogon",
"value": "eql/eql"
},
{
"name": "Suspicious Module Loaded by LSASS",
"value": "eql/eql"
},
{
"name": "LSASS Memory Dump Creation",
"value": "eql/eql"
},
{
"name": "LSASS Memory Dump Handle Access",
"value": "new_terms/kuery"
},
{
"name": "LSASS Process Access via Windows API",
"value": "esql/esql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "Modification of WDigest Security Provider",
"value": "eql/eql"
},
{
"name": "PowerShell Kerberos Ticket Dump",
"value": "query/kuery"
},
{
"name": "PowerShell MiniDump Script",
"value": "query/kuery"
},
{
"name": "Potential Credential Access via DuplicateHandle in LSASS",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via Renamed COM+ Services DLL",
"value": "eql/eql"
},
{
"name": "Suspicious Lsass Process Access",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via LSASS Memory Dump",
"value": "eql/eql"
},
{
"name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"value": "threshold/kuery"
},
{
"name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"value": "eql/eql"
},
{
"name": "Disabling Lsa Protection via Registry Modification",
"value": "eql/eql"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "Potential Credential Access via Memory Dump File Creation",
"value": "eql/eql"
},
{
"name": "Memory Dump File with Unusual Extension",
"value": "eql/eql"
}
],
"links": [
{
"label": "Credential Dumping - Detected - Elastic Endgame",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/promotions/credential_access_endgame_cred_dumping_detected.toml"
},
{
"label": "Credential Dumping - Prevented - Elastic Endgame",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml"
},
{
"label": "Potential Credential Access via Windows Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_cmdline_dump_tool.toml"
},
{
"label": "Full User-Mode Dumps Enabled System-Wide",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_generic_localdumps.toml"
},
{
"label": "Suspicious LSASS Access via MalSecLogon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_handle_via_malseclogon.toml"
},
{
"label": "Suspicious Module Loaded by LSASS",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_loaded_susp_dll.toml"
},
{
"label": "LSASS Memory Dump Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_memdump_file_created.toml"
},
{
"label": "LSASS Memory Dump Handle Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_memdump_handle_access.toml"
},
{
"label": "LSASS Process Access via Windows API",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_openprocess_api.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "Modification of WDigest Security Provider",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mod_wdigest_security_provider.toml"
},
{
"label": "PowerShell Kerberos Ticket Dump",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_kerb_ticket_dump.toml"
},
{
"label": "PowerShell MiniDump Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_minidump.toml"
},
{
"label": "Potential Credential Access via DuplicateHandle in LSASS",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml"
},
{
"label": "Potential Credential Access via Renamed COM+ Services DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_comsvcs_imageload.toml"
},
{
"label": "Suspicious Lsass Process Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_generic.toml"
},
{
"label": "Potential Credential Access via LSASS Memory Dump",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_memdump.toml"
},
{
"label": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml"
},
{
"label": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml"
},
{
"label": "Disabling Lsa Protection via Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "Potential Credential Access via Memory Dump File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_mdmp_file_creation.toml"
},
{
"label": "Memory Dump File with Unusual Extension",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_mdmp_file_unusual_extension.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.003",
"tactic": "credential-access",
"score": 6,
"metadata": [
{
"name": "Potential Credential Access via Windows Utilities",
"value": "eql/eql"
},
{
"name": "NTDS or SAM Database File Copied",
"value": "eql/eql"
},
{
"name": "Creation or Modification of Domain Backup DPAPI private key",
"value": "eql/eql"
},
{
"name": "PowerShell Invoke-NinjaCopy script",
"value": "query/kuery"
},
{
"name": "Symbolic Link to Shadow Copy Created",
"value": "eql/eql"
},
{
"name": "NTDS Dump via Wbadmin",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Credential Access via Windows Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_cmdline_dump_tool.toml"
},
{
"label": "NTDS or SAM Database File Copied",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml"
},
{
"label": "Creation or Modification of Domain Backup DPAPI private key",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml"
},
{
"label": "PowerShell Invoke-NinjaCopy script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_invoke_ninjacopy.toml"
},
{
"label": "Symbolic Link to Shadow Copy Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml"
},
{
"label": "NTDS Dump via Wbadmin",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wbadmin_ntds.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.002",
"tactic": "credential-access",
"score": 11,
"metadata": [
{
"name": "NTDS or SAM Database File Copied",
"value": "eql/eql"
},
{
"name": "Potential Credential Access via Trusted Developer Utility",
"value": "eql/eql"
},
{
"name": "Credential Acquisition via Registry Hive Dumping",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "Windows Registry File Creation in SMB Share",
"value": "eql/eql"
},
{
"name": "PowerShell Invoke-NinjaCopy script",
"value": "query/kuery"
},
{
"name": "Sensitive Registry Hive Access via RegBack",
"value": "eql/eql"
},
{
"name": "Potential Remote Credential Access via Registry",
"value": "eql/eql"
},
{
"name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"value": "eql/eql"
},
{
"name": "Symbolic Link to Shadow Copy Created",
"value": "eql/eql"
},
{
"name": "NTDS Dump via Wbadmin",
"value": "eql/eql"
}
],
"links": [
{
"label": "NTDS or SAM Database File Copied",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml"
},
{
"label": "Potential Credential Access via Trusted Developer Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_credential_dumping_msbuild.toml"
},
{
"label": "Credential Acquisition via Registry Hive Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dump_registry_hives.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "Windows Registry File Creation in SMB Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_moving_registry_hive_via_smb.toml"
},
{
"label": "PowerShell Invoke-NinjaCopy script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_invoke_ninjacopy.toml"
},
{
"label": "Sensitive Registry Hive Access via RegBack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_regback_sam_security_hives.toml"
},
{
"label": "Potential Remote Credential Access via Registry",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_remote_sam_secretsdump.toml"
},
{
"label": "Suspicious Remote Registry Access via SeBackupPrivilege",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml"
},
{
"label": "Symbolic Link to Shadow Copy Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml"
},
{
"label": "NTDS Dump via Wbadmin",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_wbadmin_ntds.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1555.004",
"tactic": "credential-access",
"score": 4,
"metadata": [
{
"name": "Potential Credential Access via Trusted Developer Utility",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "Multiple Vault Web Credentials Read",
"value": "eql/eql"
},
{
"name": "Searching for Saved Credentials via VaultCmd",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Credential Access via Trusted Developer Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_credential_dumping_msbuild.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "Multiple Vault Web Credentials Read",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_saved_creds_vault_winlog.toml"
},
{
"label": "Searching for Saved Credentials via VaultCmd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_saved_creds_vaultcmd.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.006",
"tactic": "credential-access",
"score": 5,
"metadata": [
{
"name": "First Time Seen Account Performing DCSync",
"value": "new_terms/kuery"
},
{
"name": "Potential Credential Access via DCSync",
"value": "new_terms/kuery"
},
{
"name": "Potential Active Directory Replication Account Backdoor",
"value": "query/kuery"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
}
],
"links": [
{
"label": "First Time Seen Account Performing DCSync",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_newterm_subjectuser.toml"
},
{
"label": "Potential Credential Access via DCSync",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_replication_rights.toml"
},
{
"label": "Potential Active Directory Replication Account Backdoor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_user_backdoor.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1558.004",
"tactic": "credential-access",
"score": 2,
"metadata": [
{
"name": "Kerberos Pre-authentication Disabled for User",
"value": "eql/eql"
},
{
"name": "Suspicious Kerberos Authentication Ticket Request",
"value": "eql/eql"
}
],
"links": [
{
"label": "Kerberos Pre-authentication Disabled for User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_disable_kerberos_preauth.toml"
},
{
"label": "Suspicious Kerberos Authentication Ticket Request",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1557.001",
"tactic": "credential-access",
"score": 8,
"metadata": [
{
"name": "Creation of a DNS-Named Record",
"value": "eql/eql"
},
{
"name": "Potential Computer Account NTLM Relay Activity",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Relay Attack against a Computer Account",
"value": "eql/eql"
},
{
"name": "Potential NTLM Relay Attack against a Computer Account",
"value": "eql/eql"
},
{
"name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"value": "query/kuery"
},
{
"name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"value": "eql/eql"
},
{
"name": "Potential Machine Account Relay Attack via SMB",
"value": "eql/eql"
},
{
"name": "Potential PowerShell Pass-the-Hash/Relay Script",
"value": "query/kuery"
}
],
"links": [
{
"label": "Creation of a DNS-Named Record",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dnsnode_creation.toml"
},
{
"label": "Potential Computer Account NTLM Relay Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay.toml"
},
{
"label": "Potential Kerberos Relay Attack against a Computer Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay_kerberos.toml"
},
{
"label": "Potential NTLM Relay Attack against a Computer Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dollar_account_relay_ntlm.toml"
},
{
"label": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberos_coerce.toml"
},
{
"label": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberos_coerce_dns.toml"
},
{
"label": "Potential Machine Account Relay Attack via SMB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_machine_account_smb_relay.toml"
},
{
"label": "Potential PowerShell Pass-the-Hash/Relay Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_relay_tools.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.004",
"tactic": "credential-access",
"score": 5,
"metadata": [
{
"name": "Credential Acquisition via Registry Hive Dumping",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "PowerShell Invoke-NinjaCopy script",
"value": "query/kuery"
},
{
"name": "Sensitive Registry Hive Access via RegBack",
"value": "eql/eql"
},
{
"name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"value": "eql/eql"
}
],
"links": [
{
"label": "Credential Acquisition via Registry Hive Dumping",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dump_registry_hives.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "PowerShell Invoke-NinjaCopy script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_invoke_ninjacopy.toml"
},
{
"label": "Sensitive Registry Hive Access via RegBack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_regback_sam_security_hives.toml"
},
{
"label": "Suspicious Remote Registry Access via SeBackupPrivilege",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1556.007",
"tactic": "credential-access",
"score": 1,
"metadata": [
{
"name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"value": "eql/eql"
}
],
"links": [
{
"label": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1649",
"tactic": "credential-access",
"score": 2,
"metadata": [
{
"name": "Access to a Sensitive LDAP Attribute",
"value": "eql/eql"
},
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
}
],
"links": [
{
"label": "Access to a Sensitive LDAP Attribute",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_ldap_attributes.toml"
},
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1003.005",
"tactic": "credential-access",
"score": 3,
"metadata": [
{
"name": "Potential Invoke-Mimikatz PowerShell Script",
"value": "query/kuery"
},
{
"name": "PowerShell Invoke-NinjaCopy script",
"value": "query/kuery"
},
{
"name": "Sensitive Registry Hive Access via RegBack",
"value": "eql/eql"
}
],
"links": [
{
"label": "Potential Invoke-Mimikatz PowerShell Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_mimikatz_powershell_module.toml"
},
{
"label": "PowerShell Invoke-NinjaCopy script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_invoke_ninjacopy.toml"
},
{
"label": "Sensitive Registry Hive Access via RegBack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_regback_sam_security_hives.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1556.008",
"tactic": "credential-access",
"score": 1,
"metadata": [
{
"name": "Network Logon Provider Registry Modification",
"value": "eql/eql"
}
],
"links": [
{
"label": "Network Logon Provider Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_persistence_network_logon_provider_modification.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1552.006",
"tactic": "credential-access",
"score": 2,
"metadata": [
{
"name": "Potential PowerShell HackTool Script by Function Names",
"value": "query/kuery"
},
{
"name": "PowerShell Script with Password Policy Discovery Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Potential PowerShell HackTool Script by Function Names",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_hacktool_functions.toml"
},
{
"label": "PowerShell Script with Password Policy Discovery Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_posh_password_policy.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1005",
"tactic": "collection",
"score": 32,
"metadata": [
{
"name": "GenAI Process Accessing Sensitive Files",
"value": "eql/eql"
},
{
"name": "Credential Access via TruffleHog Execution",
"value": "eql/eql"
},
{
"name": "Web Server Local File Inclusion Activity",
"value": "esql/esql"
},
{
"name": "AWS EC2 Export Task",
"value": "query/kuery"
},
{
"name": "Sensitive File Compression Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Service Account Token or Certificate Read Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Service Account Namespace Read Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "AWS Credentials Searched For Inside A Container",
"value": "eql/eql"
},
{
"name": "Sensitive Files Compression",
"value": "new_terms/kuery"
},
{
"name": "Sensitive Files Compression Inside A Container",
"value": "eql/eql"
},
{
"name": "Potential Linux Credential Dumping via Unshadow",
"value": "eql/eql"
},
{
"name": "Linux init (PID 1) Secret Dump via GDB",
"value": "eql/eql"
},
{
"name": "Kubernetes Service Account Secret Access",
"value": "eql/eql"
},
{
"name": "Manual Memory Dumping via Proc Filesystem",
"value": "eql/eql"
},
{
"name": "Kernel Seeking Activity",
"value": "eql/eql"
},
{
"name": "Potential Data Exfiltration Through Wget",
"value": "eql/eql"
},
{
"name": "Potential Suspicious DebugFS Root Device Access",
"value": "eql/eql"
},
{
"name": "Sensitive File Access followed by Compression",
"value": "eql/eql"
},
{
"name": "Suspicious Web Browser Sensitive File Access",
"value": "eql/eql"
},
{
"name": "SystemKey Access via Command Line",
"value": "eql/eql"
},
{
"name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"value": "eql/eql"
},
{
"name": "Suspicious TCC Access Granted for User Folders",
"value": "esql/esql"
},
{
"name": "TCC Bypass via Mounted APFS Snapshot Access",
"value": "eql/eql"
},
{
"name": "Exporting Exchange Mailbox via PowerShell",
"value": "eql/eql"
},
{
"name": "Exchange Mailbox Export via PowerShell",
"value": "query/kuery"
},
{
"name": "Encrypting Files with WinRar or 7z",
"value": "eql/eql"
},
{
"name": "Unusual Web Config File Access",
"value": "new_terms/kuery"
},
{
"name": "M365 Purview DLP Signal",
"value": "query/kuery"
},
{
"name": "Accessing Outlook Data Files",
"value": "eql/eql"
},
{
"name": "Attempted Private Key Access",
"value": "eql/eql"
},
{
"name": "Potential Memory Seeking Activity",
"value": "eql/eql"
}
],
"links": [
{
"label": "GenAI Process Accessing Sensitive Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml"
},
{
"label": "Credential Access via TruffleHog Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_trufflehog_execution.toml"
},
{
"label": "Web Server Local File Inclusion Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml"
},
{
"label": "AWS EC2 Export Task",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_export_task.toml"
},
{
"label": "Sensitive File Compression Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml"
},
{
"label": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml"
},
{
"label": "Service Account Token or Certificate Read Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml"
},
{
"label": "Service Account Namespace Read Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml"
},
{
"label": "AWS Credentials Searched For Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_aws_creds_search_inside_container.toml"
},
{
"label": "Sensitive Files Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files.toml"
},
{
"label": "Sensitive Files Compression Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml"
},
{
"label": "Potential Linux Credential Dumping via Unshadow",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_credential_dumping.toml"
},
{
"label": "Linux init (PID 1) Secret Dump via GDB",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_gdb_init_process_hooking.toml"
},
{
"label": "Kubernetes Service Account Secret Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_kubernetes_service_account_secret_access.toml"
},
{
"label": "Manual Memory Dumping via Proc Filesystem",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_manual_memory_dumping.toml"
},
{
"label": "Kernel Seeking Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_kernel_seeking.toml"
},
{
"label": "Potential Data Exfiltration Through Wget",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/exfiltration_potential_wget_data_exfiltration.toml"
},
{
"label": "Potential Suspicious DebugFS Root Device Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml"
},
{
"label": "Sensitive File Access followed by Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_sensitive_file_access_followed_by_compression.toml"
},
{
"label": "Suspicious Web Browser Sensitive File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml"
},
{
"label": "SystemKey Access via Command Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_systemkey_dumping.toml"
},
{
"label": "Potential Privacy Control Bypass via Localhost Secure Copy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml"
},
{
"label": "Suspicious TCC Access Granted for User Folders",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml"
},
{
"label": "TCC Bypass via Mounted APFS Snapshot Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml"
},
{
"label": "Exporting Exchange Mailbox via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_powershell_exchange_mailbox.toml"
},
{
"label": "Exchange Mailbox Export via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_mailbox_export_winlog.toml"
},
{
"label": "Encrypting Files with WinRar or 7z",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_winrar_encryption.toml"
},
{
"label": "Unusual Web Config File Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_web_config_file_access.toml"
},
{
"label": "M365 Purview DLP Signal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_microsoft_purview_dlp_signal.toml"
},
{
"label": "Accessing Outlook Data Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_outlook_email_archive.toml"
},
{
"label": "Attempted Private Key Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/credential_access_win_private_key_access.toml"
},
{
"label": "Potential Memory Seeking Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_potential_memory_seeking_activity.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1213",
"tactic": "collection",
"score": 19,
"metadata": [
{
"name": "Potential Secret Scanning via Gitleaks",
"value": "eql/eql"
},
{
"name": "AWS Secrets Manager Rapid Secrets Retrieval",
"value": "threshold/kuery"
},
{
"name": "AWS DynamoDB Scan by Unusual User",
"value": "new_terms/kuery"
},
{
"name": "AWS DynamoDB Table Exported to S3",
"value": "new_terms/kuery"
},
{
"name": "AWS RDS Snapshot Export",
"value": "query/kuery"
},
{
"name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
"value": "new_terms/kuery"
},
{
"name": "Azure Key Vault Excessive Secret or Key Retrieved",
"value": "esql/esql"
},
{
"name": "High Number of Cloned GitHub Repos From PAT",
"value": "threshold/kuery"
},
{
"name": "GitHub Exfiltration via High Number of Repository Clones by User",
"value": "esql/esql"
},
{
"name": "Github Activity on a Private Repository from an Unusual IP",
"value": "new_terms/kuery"
},
{
"name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"value": "esql/esql"
},
{
"name": "M365 SharePoint/OneDrive File Access via PowerShell",
"value": "new_terms/kuery"
},
{
"name": "M365 SharePoint Search for Sensitive Content",
"value": "eql/eql"
},
{
"name": "Potential Database Dumping Activity",
"value": "eql/eql"
},
{
"name": "Access to a Sensitive LDAP Attribute",
"value": "eql/eql"
},
{
"name": "PowerShell Script with Veeam Credential Access Capabilities",
"value": "query/kuery"
},
{
"name": "Potential Veeam Credential Access Command",
"value": "eql/eql"
},
{
"name": "First Occurrence of GitHub User Interaction with Private Repo",
"value": "new_terms/kuery"
},
{
"name": "First Occurrence of GitHub Repo Interaction From a New IP",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Potential Secret Scanning via Gitleaks",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_gitleaks_execution.toml"
},
{
"label": "AWS Secrets Manager Rapid Secrets Retrieval",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml"
},
{
"label": "AWS DynamoDB Scan by Unusual User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml"
},
{
"label": "AWS DynamoDB Table Exported to S3",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml"
},
{
"label": "AWS RDS Snapshot Export",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_rds_snapshot_export.toml"
},
{
"label": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml"
},
{
"label": "Azure Key Vault Excessive Secret or Key Retrieved",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml"
},
{
"label": "High Number of Cloned GitHub Repos From PAT",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml"
},
{
"label": "GitHub Exfiltration via High Number of Repository Clones by User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml"
},
{
"label": "Github Activity on a Private Repository from an Unusual IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml"
},
{
"label": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml"
},
{
"label": "M365 SharePoint/OneDrive File Access via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml"
},
{
"label": "M365 SharePoint Search for Sensitive Content",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml"
},
{
"label": "Potential Database Dumping Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/exfiltration_potential_database_dumping.toml"
},
{
"label": "Access to a Sensitive LDAP Attribute",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_ldap_attributes.toml"
},
{
"label": "PowerShell Script with Veeam Credential Access Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_posh_veeam_sql.toml"
},
{
"label": "Potential Veeam Credential Access Command",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_veeam_commands.toml"
},
{
"label": "First Occurrence of GitHub User Interaction with Private Repo",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/execution_github_new_repo_interaction_for_user.toml"
},
{
"label": "First Occurrence of GitHub Repo Interaction From a New IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/execution_github_repo_interaction_from_new_ip.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1213.003",
"tactic": "collection",
"score": 6,
"metadata": [
{
"name": "Potential Secret Scanning via Gitleaks",
"value": "eql/eql"
},
{
"name": "High Number of Cloned GitHub Repos From PAT",
"value": "threshold/kuery"
},
{
"name": "GitHub Exfiltration via High Number of Repository Clones by User",
"value": "esql/esql"
},
{
"name": "Github Activity on a Private Repository from an Unusual IP",
"value": "new_terms/kuery"
},
{
"name": "First Occurrence of GitHub User Interaction with Private Repo",
"value": "new_terms/kuery"
},
{
"name": "First Occurrence of GitHub Repo Interaction From a New IP",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Potential Secret Scanning via Gitleaks",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_gitleaks_execution.toml"
},
{
"label": "High Number of Cloned GitHub Repos From PAT",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml"
},
{
"label": "GitHub Exfiltration via High Number of Repository Clones by User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml"
},
{
"label": "Github Activity on a Private Repository from an Unusual IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml"
},
{
"label": "First Occurrence of GitHub User Interaction with Private Repo",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/execution_github_new_repo_interaction_for_user.toml"
},
{
"label": "First Occurrence of GitHub Repo Interaction From a New IP",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/execution_github_repo_interaction_from_new_ip.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1074",
"tactic": "collection",
"score": 11,
"metadata": [
{
"name": "Data Encrypted via OpenSSL Utility",
"value": "eql/eql"
},
{
"name": "AWS RDS DB Instance Restored",
"value": "query/kuery"
},
{
"name": "AWS EC2 Full Network Packet Capture Detected",
"value": "query/kuery"
},
{
"name": "Google Drive Ownership Transferred via Google Workspace",
"value": "query/kuery"
},
{
"name": "Potential OpenSSH Backdoor Logging Activity",
"value": "eql/eql"
},
{
"name": "Discovery Command Output Written to Suspicious File",
"value": "eql/eql"
},
{
"name": "Sensitive File Access followed by Compression",
"value": "eql/eql"
},
{
"name": "Exchange Mailbox Export via PowerShell",
"value": "query/kuery"
},
{
"name": "Remote File Copy to a Hidden Share",
"value": "eql/eql"
},
{
"name": "File Compressed or Archived into Common Format by Unsigned Process",
"value": "eql/eql"
},
{
"name": "File Staged in Root Folder of Recycle Bin",
"value": "eql/eql"
}
],
"links": [
{
"label": "Data Encrypted via OpenSSL Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml"
},
{
"label": "AWS RDS DB Instance Restored",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_rds_instance_restored.toml"
},
{
"label": "AWS EC2 Full Network Packet Capture Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml"
},
{
"label": "Google Drive Ownership Transferred via Google Workspace",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml"
},
{
"label": "Potential OpenSSH Backdoor Logging Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml"
},
{
"label": "Discovery Command Output Written to Suspicious File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_discovery_output_written_to_suspicious_file.toml"
},
{
"label": "Sensitive File Access followed by Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_sensitive_file_access_followed_by_compression.toml"
},
{
"label": "Exchange Mailbox Export via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_mailbox_export_winlog.toml"
},
{
"label": "Remote File Copy to a Hidden Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml"
},
{
"label": "File Compressed or Archived into Common Format by Unsigned Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_common_compressed_archived_file.toml"
},
{
"label": "File Staged in Root Folder of Recycle Bin",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_files_staged_in_recycle_bin_root.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1074.001",
"tactic": "collection",
"score": 7,
"metadata": [
{
"name": "Data Encrypted via OpenSSL Utility",
"value": "eql/eql"
},
{
"name": "Potential OpenSSH Backdoor Logging Activity",
"value": "eql/eql"
},
{
"name": "Discovery Command Output Written to Suspicious File",
"value": "eql/eql"
},
{
"name": "Sensitive File Access followed by Compression",
"value": "eql/eql"
},
{
"name": "Exchange Mailbox Export via PowerShell",
"value": "query/kuery"
},
{
"name": "File Compressed or Archived into Common Format by Unsigned Process",
"value": "eql/eql"
},
{
"name": "File Staged in Root Folder of Recycle Bin",
"value": "eql/eql"
}
],
"links": [
{
"label": "Data Encrypted via OpenSSL Utility",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml"
},
{
"label": "Potential OpenSSH Backdoor Logging Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml"
},
{
"label": "Discovery Command Output Written to Suspicious File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_discovery_output_written_to_suspicious_file.toml"
},
{
"label": "Sensitive File Access followed by Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_sensitive_file_access_followed_by_compression.toml"
},
{
"label": "Exchange Mailbox Export via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_mailbox_export_winlog.toml"
},
{
"label": "File Compressed or Archived into Common Format by Unsigned Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_common_compressed_archived_file.toml"
},
{
"label": "File Staged in Root Folder of Recycle Bin",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_files_staged_in_recycle_bin_root.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1560",
"tactic": "collection",
"score": 9,
"metadata": [
{
"name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"value": "eql/eql"
},
{
"name": "Sensitive File Compression Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive Files Compression",
"value": "new_terms/kuery"
},
{
"name": "Sensitive Files Compression Inside A Container",
"value": "eql/eql"
},
{
"name": "Sensitive File Access followed by Compression",
"value": "eql/eql"
},
{
"name": "Encrypting Files with WinRar or 7z",
"value": "eql/eql"
},
{
"name": "Compression DLL Loaded by Unusual Process",
"value": "eql/eql"
},
{
"name": "File Compressed or Archived into Common Format by Unsigned Process",
"value": "eql/eql"
},
{
"name": "PowerShell Script with Archive Compression Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml"
},
{
"label": "Sensitive File Compression Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml"
},
{
"label": "Sensitive Files Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files.toml"
},
{
"label": "Sensitive Files Compression Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml"
},
{
"label": "Sensitive File Access followed by Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_sensitive_file_access_followed_by_compression.toml"
},
{
"label": "Encrypting Files with WinRar or 7z",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_winrar_encryption.toml"
},
{
"label": "Compression DLL Loaded by Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_archive_data_zip_imageload.toml"
},
{
"label": "File Compressed or Archived into Common Format by Unsigned Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_common_compressed_archived_file.toml"
},
{
"label": "PowerShell Script with Archive Compression Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_posh_compression.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1560.001",
"tactic": "collection",
"score": 7,
"metadata": [
{
"name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"value": "eql/eql"
},
{
"name": "Sensitive File Compression Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Sensitive Files Compression",
"value": "new_terms/kuery"
},
{
"name": "Sensitive Files Compression Inside A Container",
"value": "eql/eql"
},
{
"name": "Encrypting Files with WinRar or 7z",
"value": "eql/eql"
},
{
"name": "File Compressed or Archived into Common Format by Unsigned Process",
"value": "eql/eql"
},
{
"name": "PowerShell Script with Archive Compression Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml"
},
{
"label": "Sensitive File Compression Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml"
},
{
"label": "Sensitive Files Compression",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files.toml"
},
{
"label": "Sensitive Files Compression Inside A Container",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml"
},
{
"label": "Encrypting Files with WinRar or 7z",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_winrar_encryption.toml"
},
{
"label": "File Compressed or Archived into Common Format by Unsigned Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_common_compressed_archived_file.toml"
},
{
"label": "PowerShell Script with Archive Compression Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_posh_compression.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1560.002",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"value": "eql/eql"
},
{
"name": "Compression DLL Loaded by Unusual Process",
"value": "eql/eql"
},
{
"name": "PowerShell Script with Archive Compression Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml"
},
{
"label": "Compression DLL Loaded by Unusual Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_archive_data_zip_imageload.toml"
},
{
"label": "PowerShell Script with Archive Compression Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_posh_compression.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1530",
"tactic": "collection",
"score": 21,
"metadata": [
{
"name": "AWS CloudTrail Log Created",
"value": "query/kuery"
},
{
"name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"value": "new_terms/kuery"
},
{
"name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"value": "esql/esql"
},
{
"name": "AWS DynamoDB Scan by Unusual User",
"value": "new_terms/kuery"
},
{
"name": "AWS EC2 Export Task",
"value": "query/kuery"
},
{
"name": "AWS S3 Bucket Policy Added to Share with External Account",
"value": "eql/eql"
},
{
"name": "AWS S3 Bucket Policy Added to Allow Public Access",
"value": "eql/eql"
},
{
"name": "AWS API Activity from Uncommon S3 Client by Rare User",
"value": "new_terms/kuery"
},
{
"name": "AWS SNS Rare Protocol Subscription by User",
"value": "new_terms/kuery"
},
{
"name": "AWS S3 Bucket Enumeration or Brute Force",
"value": "threshold/kuery"
},
{
"name": "AWS CloudTrail Log Updated",
"value": "query/kuery"
},
{
"name": "Azure Storage Account Blob Public Access Enabled",
"value": "new_terms/kuery"
},
{
"name": "Azure Storage Blob Retrieval via AzCopy",
"value": "new_terms/kuery"
},
{
"name": "GCP Pub/Sub Subscription Creation",
"value": "query/kuery"
},
{
"name": "GCP Pub/Sub Topic Creation",
"value": "query/kuery"
},
{
"name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"value": "eql/eql"
},
{
"name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"value": "esql/esql"
},
{
"name": "M365 OneDrive/SharePoint Excessive File Downloads",
"value": "esql/esql"
},
{
"name": "M365 SharePoint/OneDrive File Access via PowerShell",
"value": "new_terms/kuery"
},
{
"name": "M365 SharePoint Search for Sensitive Content",
"value": "eql/eql"
},
{
"name": "M365 Purview DLP Signal",
"value": "query/kuery"
}
],
"links": [
{
"label": "AWS CloudTrail Log Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/collection_cloudtrail_logging_created.toml"
},
{
"label": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml"
},
{
"label": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml"
},
{
"label": "AWS DynamoDB Scan by Unusual User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml"
},
{
"label": "AWS EC2 Export Task",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_export_task.toml"
},
{
"label": "AWS S3 Bucket Policy Added to Share with External Account",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml"
},
{
"label": "AWS S3 Bucket Policy Added to Allow Public Access",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml"
},
{
"label": "AWS API Activity from Uncommon S3 Client by Rare User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml"
},
{
"label": "AWS SNS Rare Protocol Subscription by User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml"
},
{
"label": "AWS S3 Bucket Enumeration or Brute Force",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml"
},
{
"label": "AWS CloudTrail Log Updated",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_cloudtrail_logging_updated.toml"
},
{
"label": "Azure Storage Account Blob Public Access Enabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml"
},
{
"label": "Azure Storage Blob Retrieval via AzCopy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml"
},
{
"label": "GCP Pub/Sub Subscription Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml"
},
{
"label": "GCP Pub/Sub Topic Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml"
},
{
"label": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml"
},
{
"label": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml"
},
{
"label": "M365 OneDrive/SharePoint Excessive File Downloads",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml"
},
{
"label": "M365 SharePoint/OneDrive File Access via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml"
},
{
"label": "M365 SharePoint Search for Sensitive Content",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml"
},
{
"label": "M365 Purview DLP Signal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_microsoft_purview_dlp_signal.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1213.006",
"tactic": "collection",
"score": 2,
"metadata": [
{
"name": "AWS Secrets Manager Rapid Secrets Retrieval",
"value": "threshold/kuery"
},
{
"name": "AWS RDS Snapshot Export",
"value": "query/kuery"
}
],
"links": [
{
"label": "AWS Secrets Manager Rapid Secrets Retrieval",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml"
},
{
"label": "AWS RDS Snapshot Export",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_rds_snapshot_export.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1074.002",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "AWS RDS DB Instance Restored",
"value": "query/kuery"
},
{
"name": "Google Drive Ownership Transferred via Google Workspace",
"value": "query/kuery"
},
{
"name": "Remote File Copy to a Hidden Share",
"value": "eql/eql"
}
],
"links": [
{
"label": "AWS RDS DB Instance Restored",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_rds_instance_restored.toml"
},
{
"label": "Google Drive Ownership Transferred via Google Workspace",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml"
},
{
"label": "Remote File Copy to a Hidden Share",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1119",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "AWS EC2 Export Task",
"value": "query/kuery"
},
{
"name": "GCP Pub/Sub Subscription Creation",
"value": "query/kuery"
},
{
"name": "Potential Database Dumping Activity",
"value": "eql/eql"
}
],
"links": [
{
"label": "AWS EC2 Export Task",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_export_task.toml"
},
{
"label": "GCP Pub/Sub Subscription Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml"
},
{
"label": "Potential Database Dumping Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/exfiltration_potential_database_dumping.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1557",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "AWS Route 53 Private Hosted Zone Associated With a VPC",
"value": "query/kuery"
},
{
"name": "WebProxy Settings Modification",
"value": "eql/eql"
},
{
"name": "Creation or Modification of Root Certificate",
"value": "eql/eql"
}
],
"links": [
{
"label": "AWS Route 53 Private Hosted Zone Associated With a VPC",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml"
},
{
"label": "WebProxy Settings Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_mitm_localhost_webproxy.toml"
},
{
"label": "Creation or Modification of Root Certificate",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_create_mod_root_certificate.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1213.002",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
"value": "new_terms/kuery"
},
{
"name": "M365 SharePoint/OneDrive File Access via PowerShell",
"value": "new_terms/kuery"
},
{
"name": "M365 SharePoint Search for Sensitive Content",
"value": "eql/eql"
}
],
"links": [
{
"label": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml"
},
{
"label": "M365 SharePoint/OneDrive File Access via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml"
},
{
"label": "M365 SharePoint Search for Sensitive Content",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1114",
"tactic": "collection",
"score": 13,
"metadata": [
{
"name": "Microsoft Graph Request Email Access by Unusual User and Client",
"value": "new_terms/kuery"
},
{
"name": "Google Workspace Custom Gmail Route Created or Modified",
"value": "query/kuery"
},
{
"name": "M365 Exchange Mailbox Items Accessed Excessively",
"value": "query/kuery"
},
{
"name": "M365 Exchange Mailbox Accessed by Unusual Client",
"value": "new_terms/kuery"
},
{
"name": "M365 Exchange Inbox Forwarding Rule Created",
"value": "eql/eql"
},
{
"name": "M365 Exchange Mail Flow Transport Rule Created",
"value": "query/kuery"
},
{
"name": "Suspicious Inter-Process Communication via Outlook",
"value": "eql/eql"
},
{
"name": "Exporting Exchange Mailbox via PowerShell",
"value": "eql/eql"
},
{
"name": "Exchange Mailbox Export via PowerShell",
"value": "query/kuery"
},
{
"name": "PowerShell Mailbox Collection Script",
"value": "query/kuery"
},
{
"name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"value": "eql/eql"
},
{
"name": "M365 Purview DLP Signal",
"value": "query/kuery"
},
{
"name": "Accessing Outlook Data Files",
"value": "eql/eql"
}
],
"links": [
{
"label": "Microsoft Graph Request Email Access by Unusual User and Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml"
},
{
"label": "Google Workspace Custom Gmail Route Created or Modified",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml"
},
{
"label": "M365 Exchange Mailbox Items Accessed Excessively",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml"
},
{
"label": "M365 Exchange Mailbox Accessed by Unusual Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml"
},
{
"label": "M365 Exchange Inbox Forwarding Rule Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_exchange_new_inbox_rule.toml"
},
{
"label": "M365 Exchange Mail Flow Transport Rule Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml"
},
{
"label": "Suspicious Inter-Process Communication via Outlook",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_outlook_mailbox_via_com.toml"
},
{
"label": "Exporting Exchange Mailbox via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_powershell_exchange_mailbox.toml"
},
{
"label": "Exchange Mailbox Export via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_mailbox_export_winlog.toml"
},
{
"label": "PowerShell Mailbox Collection Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_mailbox.toml"
},
{
"label": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml"
},
{
"label": "M365 Purview DLP Signal",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_microsoft_purview_dlp_signal.toml"
},
{
"label": "Accessing Outlook Data Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_outlook_email_archive.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1114.002",
"tactic": "collection",
"score": 7,
"metadata": [
{
"name": "Microsoft Graph Request Email Access by Unusual User and Client",
"value": "new_terms/kuery"
},
{
"name": "M365 Exchange Mailbox Items Accessed Excessively",
"value": "query/kuery"
},
{
"name": "M365 Exchange Mailbox Accessed by Unusual Client",
"value": "new_terms/kuery"
},
{
"name": "Exporting Exchange Mailbox via PowerShell",
"value": "eql/eql"
},
{
"name": "Exchange Mailbox Export via PowerShell",
"value": "query/kuery"
},
{
"name": "PowerShell Mailbox Collection Script",
"value": "query/kuery"
},
{
"name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"value": "eql/eql"
}
],
"links": [
{
"label": "Microsoft Graph Request Email Access by Unusual User and Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml"
},
{
"label": "M365 Exchange Mailbox Items Accessed Excessively",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml"
},
{
"label": "M365 Exchange Mailbox Accessed by Unusual Client",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml"
},
{
"label": "Exporting Exchange Mailbox via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_powershell_exchange_mailbox.toml"
},
{
"label": "Exchange Mailbox Export via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_mailbox_export_winlog.toml"
},
{
"label": "PowerShell Mailbox Collection Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_mailbox.toml"
},
{
"label": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1114.003",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "Google Workspace Custom Gmail Route Created or Modified",
"value": "query/kuery"
},
{
"name": "M365 Exchange Inbox Forwarding Rule Created",
"value": "eql/eql"
},
{
"name": "M365 Exchange Mail Flow Transport Rule Created",
"value": "query/kuery"
}
],
"links": [
{
"label": "Google Workspace Custom Gmail Route Created or Modified",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml"
},
{
"label": "M365 Exchange Inbox Forwarding Rule Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_exchange_new_inbox_rule.toml"
},
{
"label": "M365 Exchange Mail Flow Transport Rule Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1039",
"tactic": "collection",
"score": 5,
"metadata": [
{
"name": "Unusual Remote File Size",
"value": "machine_learning/None"
},
{
"name": "PowerShell Share Enumeration Script",
"value": "query/kuery"
},
{
"name": "PowerShell Suspicious Discovery Related Windows API Functions",
"value": "query/kuery"
},
{
"name": "Potential Network Share Discovery",
"value": "eql/eql"
},
{
"name": "Windows Network Enumeration",
"value": "eql/eql"
}
],
"links": [
{
"label": "Unusual Remote File Size",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml"
},
{
"label": "PowerShell Share Enumeration Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_invoke_sharefinder.toml"
},
{
"label": "PowerShell Suspicious Discovery Related Windows API Functions",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_posh_suspicious_api_functions.toml"
},
{
"label": "Potential Network Share Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_net_share_discovery_winlog.toml"
},
{
"label": "Windows Network Enumeration",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/discovery_net_view.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1115",
"tactic": "collection",
"score": 4,
"metadata": [
{
"name": "Linux Clipboard Activity Detected",
"value": "new_terms/kuery"
},
{
"name": "Pbpaste Execution via Unusual Parent Process",
"value": "eql/eql"
},
{
"name": "Suspicious pbpaste High Volume Activity",
"value": "eql/eql"
},
{
"name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Linux Clipboard Activity Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/collection_linux_clipboard_activity.toml"
},
{
"label": "Pbpaste Execution via Unusual Parent Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/collection_pbpaste_execution_via_unusual_parent.toml"
},
{
"label": "Suspicious pbpaste High Volume Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/credential_access_high_volume_of_pbpaste.toml"
},
{
"label": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_clipboard_capture.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1123",
"tactic": "collection",
"score": 2,
"metadata": [
{
"name": "Linux Audio Recording Activity Detected",
"value": "new_terms/kuery"
},
{
"name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Linux Audio Recording Activity Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/collection_potential_audio_recording_activity.toml"
},
{
"label": "PowerShell Suspicious Script with Audio Capture Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_audio_capture.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1113",
"tactic": "collection",
"score": 3,
"metadata": [
{
"name": "Linux Video Recording or Screenshot Activity Detected",
"value": "new_terms/kuery"
},
{
"name": "PowerShell Suspicious Script with Screenshot Capabilities",
"value": "query/kuery"
},
{
"name": "Potential Remote Desktop Shadowing Activity",
"value": "eql/eql"
}
],
"links": [
{
"label": "Linux Video Recording or Screenshot Activity Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/collection_potential_video_recording_or_screenshot_activity.toml"
},
{
"label": "PowerShell Suspicious Script with Screenshot Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_screen_grabber.toml"
},
{
"label": "Potential Remote Desktop Shadowing Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_evasion_rdp_shadowing.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1125",
"tactic": "collection",
"score": 2,
"metadata": [
{
"name": "Linux Video Recording or Screenshot Activity Detected",
"value": "new_terms/kuery"
},
{
"name": "PowerShell Script with Webcam Video Capture Capabilities",
"value": "query/kuery"
}
],
"links": [
{
"label": "Linux Video Recording or Screenshot Activity Detected",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/collection_potential_video_recording_or_screenshot_activity.toml"
},
{
"label": "PowerShell Script with Webcam Video Capture Capabilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_webcam_video_capture.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1185",
"tactic": "collection",
"score": 2,
"metadata": [
{
"name": "Manual Loading of a Suspicious Chromium Extension",
"value": "eql/eql"
},
{
"name": "Browser Process Spawned from an Unusual Parent",
"value": "eql/eql"
}
],
"links": [
{
"label": "Manual Loading of a Suspicious Chromium Extension",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_manual_chromium_extension_loading.toml"
},
{
"label": "Browser Process Spawned from an Unusual Parent",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_browsers_unusual_parent.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1602",
"tactic": "collection",
"score": 1,
"metadata": [
{
"name": "FortiGate Configuration File Downloaded",
"value": "eql/eql"
}
],
"links": [
{
"label": "FortiGate Configuration File Downloaded",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/collection_fortigate_config_download.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1602.002",
"tactic": "collection",
"score": 1,
"metadata": [
{
"name": "FortiGate Configuration File Downloaded",
"value": "eql/eql"
}
],
"links": [
{
"label": "FortiGate Configuration File Downloaded",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/network/collection_fortigate_config_download.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1114.001",
"tactic": "collection",
"score": 5,
"metadata": [
{
"name": "Suspicious Inter-Process Communication via Outlook",
"value": "eql/eql"
},
{
"name": "Exporting Exchange Mailbox via PowerShell",
"value": "eql/eql"
},
{
"name": "Exchange Mailbox Export via PowerShell",
"value": "query/kuery"
},
{
"name": "PowerShell Mailbox Collection Script",
"value": "query/kuery"
},
{
"name": "Accessing Outlook Data Files",
"value": "eql/eql"
}
],
"links": [
{
"label": "Suspicious Inter-Process Communication via Outlook",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_outlook_mailbox_via_com.toml"
},
{
"label": "Exporting Exchange Mailbox via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_powershell_exchange_mailbox.toml"
},
{
"label": "Exchange Mailbox Export via PowerShell",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_mailbox_export_winlog.toml"
},
{
"label": "PowerShell Mailbox Collection Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_mailbox.toml"
},
{
"label": "Accessing Outlook Data Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/collection_outlook_email_archive.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1056",
"tactic": "collection",
"score": 1,
"metadata": [
{
"name": "PowerShell Keylogging Script",
"value": "query/kuery"
}
],
"links": [
{
"label": "PowerShell Keylogging Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_keylogger.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1056.001",
"tactic": "collection",
"score": 1,
"metadata": [
{
"name": "PowerShell Keylogging Script",
"value": "query/kuery"
}
],
"links": [
{
"label": "PowerShell Keylogging Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_posh_keylogger.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1037",
"tactic": "persistence",
"score": 24,
"metadata": [
{
"name": "GenAI Process Accessing Sensitive Files",
"value": "eql/eql"
},
{
"name": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Persistence via File Modification",
"value": "eql/eql"
},
{
"name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Pod or Container Creation with Suspicious Command-Line",
"value": "eql/eql"
},
{
"name": "Chkconfig Service Add",
"value": "eql/eql"
},
{
"name": "System V Init Script Created",
"value": "eql/eql"
},
{
"name": "Message-of-the-Day (MOTD) File Creation",
"value": "eql/eql"
},
{
"name": "Process Spawned from Message-of-the-Day (MOTD)",
"value": "eql/eql"
},
{
"name": "Executable Bit Set for Potential Persistence Script",
"value": "eql/eql"
},
{
"name": "Suspicious rc.local Error Message",
"value": "query/kuery"
},
{
"name": "Potential Execution of rc.local Script",
"value": "eql/eql"
},
{
"name": "rc.local/rc.common File Creation",
"value": "eql/eql"
},
{
"name": "Potential Suspicious File Edit",
"value": "eql/eql"
},
{
"name": "Systemd-udevd Rule File Creation",
"value": "eql/eql"
},
{
"name": "Unusual Exim4 Child Process",
"value": "new_terms/kuery"
},
{
"name": "Persistence via Folder Action Script",
"value": "eql/eql"
},
{
"name": "Persistence via Login or Logout Hook",
"value": "eql/eql"
},
{
"name": "Potential Persistence via Login Hook",
"value": "query/kuery"
},
{
"name": "Suspicious StartupItem Plist Creation",
"value": "eql/eql"
},
{
"name": "Potential Persistence via Atom Init Script Modification",
"value": "eql/eql"
},
{
"name": "Uncommon Registry Persistence Change",
"value": "eql/eql"
},
{
"name": "Startup/Logon Script added to Group Policy Object",
"value": "eql/eql"
}
],
"links": [
{
"label": "GenAI Process Accessing Sensitive Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml"
},
{
"label": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml"
},
{
"label": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml"
},
{
"label": "Potential Persistence via File Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/fim/persistence_suspicious_file_modifications.toml"
},
{
"label": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml"
},
{
"label": "Pod or Container Creation with Suspicious Command-Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml"
},
{
"label": "Chkconfig Service Add",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_chkconfig_service_add.toml"
},
{
"label": "System V Init Script Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_init_d_file_creation.toml"
},
{
"label": "Message-of-the-Day (MOTD) File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_message_of_the_day_creation.toml"
},
{
"label": "Process Spawned from Message-of-the-Day (MOTD)",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_message_of_the_day_execution.toml"
},
{
"label": "Executable Bit Set for Potential Persistence Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml"
},
{
"label": "Suspicious rc.local Error Message",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rc_local_error_via_syslog.toml"
},
{
"label": "Potential Execution of rc.local Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rc_local_service_already_running.toml"
},
{
"label": "rc.local/rc.common File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rc_script_creation.toml"
},
{
"label": "Potential Suspicious File Edit",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_file_opened_through_editor.toml"
},
{
"label": "Systemd-udevd Rule File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_udev_rule_creation.toml"
},
{
"label": "Unusual Exim4 Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unusual_exim4_child_process.toml"
},
{
"label": "Persistence via Folder Action Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_folder_action_scripts_runtime.toml"
},
{
"label": "Persistence via Login or Logout Hook",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_login_logout_hooks_defaults.toml"
},
{
"label": "Potential Persistence via Login Hook",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_loginwindow_plist_modification.toml"
},
{
"label": "Suspicious StartupItem Plist Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_startup_item_plist_creation.toml"
},
{
"label": "Potential Persistence via Atom Init Script Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_via_atom_init_file_modification.toml"
},
{
"label": "Uncommon Registry Persistence Change",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_registry_uncommon.toml"
},
{
"label": "Startup/Logon Script added to Group Policy Object",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_group_policy_iniscript.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1037.004",
"tactic": "persistence",
"score": 10,
"metadata": [
{
"name": "GenAI Process Accessing Sensitive Files",
"value": "eql/eql"
},
{
"name": "Potential Persistence via File Modification",
"value": "eql/eql"
},
{
"name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"value": "new_terms/kuery"
},
{
"name": "Pod or Container Creation with Suspicious Command-Line",
"value": "eql/eql"
},
{
"name": "System V Init Script Created",
"value": "eql/eql"
},
{
"name": "Executable Bit Set for Potential Persistence Script",
"value": "eql/eql"
},
{
"name": "Suspicious rc.local Error Message",
"value": "query/kuery"
},
{
"name": "Potential Execution of rc.local Script",
"value": "eql/eql"
},
{
"name": "rc.local/rc.common File Creation",
"value": "eql/eql"
},
{
"name": "Potential Suspicious File Edit",
"value": "eql/eql"
}
],
"links": [
{
"label": "GenAI Process Accessing Sensitive Files",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml"
},
{
"label": "Potential Persistence via File Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/fim/persistence_suspicious_file_modifications.toml"
},
{
"label": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml"
},
{
"label": "Pod or Container Creation with Suspicious Command-Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml"
},
{
"label": "System V Init Script Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_init_d_file_creation.toml"
},
{
"label": "Executable Bit Set for Potential Persistence Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml"
},
{
"label": "Suspicious rc.local Error Message",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rc_local_error_via_syslog.toml"
},
{
"label": "Potential Execution of rc.local Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rc_local_service_already_running.toml"
},
{
"label": "rc.local/rc.common File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rc_script_creation.toml"
},
{
"label": "Potential Suspicious File Edit",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_file_opened_through_editor.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1546",
"tactic": "persistence",
"score": 62,
"metadata": [
{
"name": "Unusual Process Modifying GenAI Configuration File",
"value": "new_terms/kuery"
},
{
"name": "Bash Shell Profile Modification",
"value": "query/kuery"
},
{
"name": "Trap Signals Execution",
"value": "eql/eql"
},
{
"name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"value": "eql/eql"
},
{
"name": "Azure Automation Webhook Created",
"value": "query/kuery"
},
{
"name": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential release_agent Container Escape Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Persistence via File Modification",
"value": "eql/eql"
},
{
"name": "GitHub Actions Workflow Modification Blocked",
"value": "esql/esql"
},
{
"name": "Kubernetes Admission Webhook Created or Modified",
"value": "query/kuery"
},
{
"name": "Pod or Container Creation with Suspicious Command-Line",
"value": "eql/eql"
},
{
"name": "Suspicious APT Package Manager Execution",
"value": "eql/eql"
},
{
"name": "APT Package Manager Configuration File Creation",
"value": "eql/eql"
},
{
"name": "Suspicious APT Package Manager Network Connection",
"value": "eql/eql"
},
{
"name": "D-Bus Service Created",
"value": "eql/eql"
},
{
"name": "DNF Package Manager Plugin File Creation",
"value": "eql/eql"
},
{
"name": "DPKG Package Installed by Unusual Parent Process",
"value": "new_terms/kuery"
},
{
"name": "Unusual DPKG Execution",
"value": "eql/eql"
},
{
"name": "Git Hook Command Execution",
"value": "eql/eql"
},
{
"name": "Git Hook Created or Modified",
"value": "eql/eql"
},
{
"name": "Git Hook Egress Network Connection",
"value": "eql/eql"
},
{
"name": "Git Hook Child Process",
"value": "eql/eql"
},
{
"name": "NetworkManager Dispatcher Script Creation",
"value": "eql/eql"
},
{
"name": "Executable Bit Set for Potential Persistence Script",
"value": "eql/eql"
},
{
"name": "Python Path File (pth) Creation",
"value": "eql/eql"
},
{
"name": "RPM Package Installed by Unusual Parent Process",
"value": "new_terms/kuery"
},
{
"name": "Shell Configuration Creation",
"value": "eql/eql"
},
{
"name": "Python Site or User Customize File Creation",
"value": "eql/eql"
},
{
"name": "Network Connection Initiated by Suspicious SSHD Child Process",
"value": "eql/eql"
},
{
"name": "Potential Suspicious File Edit",
"value": "eql/eql"
},
{
"name": "Systemd Generator Created",
"value": "eql/eql"
},
{
"name": "Systemd-udevd Rule File Creation",
"value": "eql/eql"
},
{
"name": "Unusual SSHD Child Process",
"value": "new_terms/kuery"
},
{
"name": "Yum Package Manager Plugin File Creation",
"value": "eql/eql"
},
{
"name": "Docker Release File Creation",
"value": "eql/eql"
},
{
"name": "Suspicious Apple Mail Rule Plist Modification",
"value": "eql/eql"
},
{
"name": "Curl Execution via Shell Profile",
"value": "eql/eql"
},
{
"name": "Emond Rules Creation or Modification",
"value": "eql/eql"
},
{
"name": "Suspicious Emond Child Process",
"value": "eql/eql"
},
{
"name": "Persistence via Folder Action Script",
"value": "eql/eql"
},
{
"name": "Unexpected Child Process of macOS Screensaver Engine",
"value": "eql/eql"
},
{
"name": "Screensaver Plist File Modified by Unexpected Process",
"value": "eql/eql"
},
{
"name": "Suspicious Calendar File Modification",
"value": "eql/eql"
},
{
"name": "Suspicious File Creation via Pkg Install Script",
"value": "eql/eql"
},
{
"name": "Potential Persistence via Atom Init Script Modification",
"value": "eql/eql"
},
{
"name": "Suspicious WerFault Child Process",
"value": "eql/eql"
},
{
"name": "Potential RemoteMonologue Attack",
"value": "eql/eql"
},
{
"name": "Mofcomp Activity",
"value": "eql/eql"
},
{
"name": "Installation of Custom Shim Databases",
"value": "eql/eql"
},
{
"name": "Registry Persistence via AppCert DLL",
"value": "eql/eql"
},
{
"name": "Registry Persistence via AppInit DLL",
"value": "eql/eql"
},
{
"name": "Image File Execution Options Injection",
"value": "eql/eql"
},
{
"name": "Netsh Helper DLL",
"value": "eql/eql"
},
{
"name": "Persistence via PowerShell profile",
"value": "eql/eql"
},
{
"name": "Potential Modification of Accessibility Binaries",
"value": "eql/eql"
},
{
"name": "Uncommon Registry Persistence Change",
"value": "eql/eql"
},
{
"name": "Component Object Model Hijacking",
"value": "eql/eql"
},
{
"name": "Suspicious WMI Event Subscription Created",
"value": "eql/eql"
},
{
"name": "Potential Application Shimming via Sdbinst",
"value": "eql/eql"
},
{
"name": "Persistence via WMI Event Subscription",
"value": "eql/eql"
},
{
"name": "Werfault ReflectDebugger Persistence",
"value": "eql/eql"
}
],
"links": [
{
"label": "Unusual Process Modifying GenAI Configuration File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_genai_config_modification.toml"
},
{
"label": "Bash Shell Profile Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_shell_profile_modification.toml"
},
{
"label": "Trap Signals Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/privilege_escalation_trap_execution.toml"
},
{
"label": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml"
},
{
"label": "Azure Automation Webhook Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_automation_webhook_created.toml"
},
{
"label": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml"
},
{
"label": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml"
},
{
"label": "Potential release_agent Container Escape Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml"
},
{
"label": "Potential Persistence via File Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/fim/persistence_suspicious_file_modifications.toml"
},
{
"label": "GitHub Actions Workflow Modification Blocked",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml"
},
{
"label": "Kubernetes Admission Webhook Created or Modified",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/persistence_kubernetes_admission_webhook_created_or_modified.toml"
},
{
"label": "Pod or Container Creation with Suspicious Command-Line",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml"
},
{
"label": "Suspicious APT Package Manager Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_apt_package_manager_execution.toml"
},
{
"label": "APT Package Manager Configuration File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_apt_package_manager_file_creation.toml"
},
{
"label": "Suspicious APT Package Manager Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_apt_package_manager_netcon.toml"
},
{
"label": "D-Bus Service Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dbus_service_creation.toml"
},
{
"label": "DNF Package Manager Plugin File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml"
},
{
"label": "DPKG Package Installed by Unusual Parent Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml"
},
{
"label": "Unusual DPKG Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dpkg_unusual_execution.toml"
},
{
"label": "Git Hook Command Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_execution.toml"
},
{
"label": "Git Hook Created or Modified",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_file_creation.toml"
},
{
"label": "Git Hook Egress Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_netcon.toml"
},
{
"label": "Git Hook Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_process_execution.toml"
},
{
"label": "NetworkManager Dispatcher Script Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_network_manager_dispatcher_persistence.toml"
},
{
"label": "Executable Bit Set for Potential Persistence Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml"
},
{
"label": "Python Path File (pth) Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pth_file_creation.toml"
},
{
"label": "RPM Package Installed by Unusual Parent Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml"
},
{
"label": "Shell Configuration Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_shell_configuration_modification.toml"
},
{
"label": "Python Site or User Customize File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_site_and_user_customize_file_creation.toml"
},
{
"label": "Network Connection Initiated by Suspicious SSHD Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_ssh_netcon.toml"
},
{
"label": "Potential Suspicious File Edit",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_file_opened_through_editor.toml"
},
{
"label": "Systemd Generator Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_generator_creation.toml"
},
{
"label": "Systemd-udevd Rule File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_udev_rule_creation.toml"
},
{
"label": "Unusual SSHD Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unusual_sshd_child_process.toml"
},
{
"label": "Yum Package Manager Plugin File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml"
},
{
"label": "Docker Release File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_docker_release_file_creation.toml"
},
{
"label": "Suspicious Apple Mail Rule Plist Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_apple_mail_rule_modification.toml"
},
{
"label": "Curl Execution via Shell Profile",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_curl_execution_via_shell_profile.toml"
},
{
"label": "Emond Rules Creation or Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_emond_rules_file_creation.toml"
},
{
"label": "Suspicious Emond Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_emond_rules_process_execution.toml"
},
{
"label": "Persistence via Folder Action Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_folder_action_scripts_runtime.toml"
},
{
"label": "Unexpected Child Process of macOS Screensaver Engine",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml"
},
{
"label": "Screensaver Plist File Modified by Unexpected Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_screensaver_plist_file_modification.toml"
},
{
"label": "Suspicious Calendar File Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_suspicious_calendar_modification.toml"
},
{
"label": "Suspicious File Creation via Pkg Install Script",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml"
},
{
"label": "Potential Persistence via Atom Init Script Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_via_atom_init_file_modification.toml"
},
{
"label": "Suspicious WerFault Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml"
},
{
"label": "Potential RemoteMonologue Attack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_regmod_remotemonologue.toml"
},
{
"label": "Mofcomp Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_mofcomp.toml"
},
{
"label": "Installation of Custom Shim Databases",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_app_compat_shim.toml"
},
{
"label": "Registry Persistence via AppCert DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_appcertdlls_registry.toml"
},
{
"label": "Registry Persistence via AppInit DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_appinitdlls_registry.toml"
},
{
"label": "Image File Execution Options Injection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_evasion_registry_ifeo_injection.toml"
},
{
"label": "Netsh Helper DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_netsh_helper_dll.toml"
},
{
"label": "Persistence via PowerShell profile",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_powershell_profiles.toml"
},
{
"label": "Potential Modification of Accessibility Binaries",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_priv_escalation_via_accessibility_features.toml"
},
{
"label": "Uncommon Registry Persistence Change",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_registry_uncommon.toml"
},
{
"label": "Component Object Model Hijacking",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_suspicious_com_hijack_registry.toml"
},
{
"label": "Suspicious WMI Event Subscription Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_sysmon_wmi_event_subscription.toml"
},
{
"label": "Potential Application Shimming via Sdbinst",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_via_application_shimming.toml"
},
{
"label": "Persistence via WMI Event Subscription",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml"
},
{
"label": "Werfault ReflectDebugger Persistence",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_werfault_reflectdebugger.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1554",
"tactic": "persistence",
"score": 14,
"metadata": [
{
"name": "Unusual Process Modifying GenAI Configuration File",
"value": "new_terms/kuery"
},
{
"name": "Potential OpenSSH Backdoor Logging Activity",
"value": "eql/eql"
},
{
"name": "Potential SSH Password Grabbing via strace",
"value": "eql/eql"
},
{
"name": "Renaming of OpenSSH Binaries",
"value": "query/kuery"
},
{
"name": "Unusual Exim4 Child Process",
"value": "new_terms/kuery"
},
{
"name": "Sublime Plugin or Application Script Modification",
"value": "eql/eql"
},
{
"name": "Suspicious Communication App Child Process",
"value": "eql/eql"
},
{
"name": "Potential Masquerading as Communication Apps",
"value": "eql/eql"
},
{
"name": "Deprecated - Adobe Hijack Persistence",
"value": "eql/eql"
},
{
"name": "Potential Masquerading as Browser Process",
"value": "eql/eql"
},
{
"name": "Potential Masquerading as VLC DLL",
"value": "eql/eql"
},
{
"name": "Potential Masquerading as System32 DLL",
"value": "eql/eql"
},
{
"name": "Potential Masquerading as System32 Executable",
"value": "eql/eql"
},
{
"name": "Suspicious Outlook Child Process",
"value": "eql/eql"
}
],
"links": [
{
"label": "Unusual Process Modifying GenAI Configuration File",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_genai_config_modification.toml"
},
{
"label": "Potential OpenSSH Backdoor Logging Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml"
},
{
"label": "Potential SSH Password Grabbing via strace",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml"
},
{
"label": "Renaming of OpenSSH Binaries",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_credential_access_modify_ssh_binaries.toml"
},
{
"label": "Unusual Exim4 Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unusual_exim4_child_process.toml"
},
{
"label": "Sublime Plugin or Application Script Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml"
},
{
"label": "Suspicious Communication App Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml"
},
{
"label": "Potential Masquerading as Communication Apps",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_masquerading_communication_apps.toml"
},
{
"label": "Deprecated - Adobe Hijack Persistence",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_adobe_hijack_persistence.toml"
},
{
"label": "Potential Masquerading as Browser Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_masquerading_browsers.toml"
},
{
"label": "Potential Masquerading as VLC DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_masquerading_vlc_dll.toml"
},
{
"label": "Potential Masquerading as System32 DLL",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_masquerading_windows_dll.toml"
},
{
"label": "Potential Masquerading as System32 Executable",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_masquerading_windows_system32_exe.toml"
},
{
"label": "Suspicious Outlook Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_outlook_suspicious_child.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1543",
"tactic": "persistence",
"score": 76,
"metadata": [
{
"name": "Node.js Pre or Post-Install Script Execution",
"value": "eql/eql"
},
{
"name": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Persistence via File Modification",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Version Discovery",
"value": "eql/eql"
},
{
"name": "Suspicious Mining Process Creation Event",
"value": "eql/eql"
},
{
"name": "Unusual Pkexec Execution",
"value": "new_terms/kuery"
},
{
"name": "Suspicious APT Package Manager Execution",
"value": "eql/eql"
},
{
"name": "APT Package Manager Configuration File Creation",
"value": "eql/eql"
},
{
"name": "Suspicious APT Package Manager Network Connection",
"value": "eql/eql"
},
{
"name": "Boot File Copy",
"value": "eql/eql"
},
{
"name": "Chkconfig Service Add",
"value": "eql/eql"
},
{
"name": "Renaming of OpenSSH Binaries",
"value": "query/kuery"
},
{
"name": "D-Bus Service Created",
"value": "eql/eql"
},
{
"name": "Unusual D-Bus Daemon Child Process",
"value": "eql/eql"
},
{
"name": "DNF Package Manager Plugin File Creation",
"value": "eql/eql"
},
{
"name": "DPKG Package Installed by Unusual Parent Process",
"value": "new_terms/kuery"
},
{
"name": "Unusual DPKG Execution",
"value": "eql/eql"
},
{
"name": "Dracut Module Creation",
"value": "eql/eql"
},
{
"name": "Initramfs Extraction via CPIO",
"value": "eql/eql"
},
{
"name": "Git Hook Command Execution",
"value": "eql/eql"
},
{
"name": "Git Hook Created or Modified",
"value": "eql/eql"
},
{
"name": "Git Hook Egress Network Connection",
"value": "eql/eql"
},
{
"name": "Git Hook Child Process",
"value": "eql/eql"
},
{
"name": "GRUB Configuration File Creation",
"value": "eql/eql"
},
{
"name": "GRUB Configuration Generation through Built-in Utilities",
"value": "eql/eql"
},
{
"name": "Kubernetes Sensitive Configuration File Activity",
"value": "eql/eql"
},
{
"name": "NetworkManager Dispatcher Script Creation",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module or Configuration Creation",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"value": "eql/eql"
},
{
"name": "Potential Backdoor Execution Through PAM_EXEC",
"value": "eql/eql"
},
{
"name": "Pluggable Authentication Module (PAM) Source Download",
"value": "eql/eql"
},
{
"name": "Polkit Policy Creation",
"value": "eql/eql"
},
{
"name": "RPM Package Installed by Unusual Parent Process",
"value": "new_terms/kuery"
},
{
"name": "Potential Suspicious File Edit",
"value": "eql/eql"
},
{
"name": "Potential Execution via SSH Backdoor",
"value": "eql/eql"
},
{
"name": "Systemd Generator Created",
"value": "eql/eql"
},
{
"name": "Suspicious Network Connection via systemd",
"value": "eql/eql"
},
{
"name": "Systemd Service Created",
"value": "eql/eql"
},
{
"name": "Systemd Service Started by Unusual Parent Process",
"value": "new_terms/kuery"
},
{
"name": "Systemd Shell Execution During Boot",
"value": "eql/eql"
},
{
"name": "Initramfs Unpacking via unmkinitramfs",
"value": "eql/eql"
},
{
"name": "Authentication via Unusual PAM Grantor",
"value": "new_terms/kuery"
},
{
"name": "Yum Package Manager Plugin File Creation",
"value": "eql/eql"
},
{
"name": "Launch Service Creation and Immediate Loading",
"value": "eql/eql"
},
{
"name": "Suspicious Hidden Child Process of Launchd",
"value": "eql/eql"
},
{
"name": "Persistence via Docker Shortcut Modification",
"value": "eql/eql"
},
{
"name": "Creation of Hidden Launch Agent or Daemon",
"value": "eql/eql"
},
{
"name": "Finder Sync Plugin Registered and Enabled",
"value": "eql/eql"
},
{
"name": "Persistence via a Hidden Plist Filename",
"value": "eql/eql"
},
{
"name": "First Time Python Created a LaunchAgent or LaunchDaemon",
"value": "new_terms/kuery"
},
{
"name": "Persistence via Suspicious Launch Agent or Launch Daemon",
"value": "eql/eql"
},
{
"name": "Anomalous Process For a Linux Population",
"value": "machine_learning/None"
},
{
"name": "Unusual Process For a Linux Host",
"value": "machine_learning/None"
},
{
"name": "Unusual Process For a Windows Host",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows Path Activity",
"value": "machine_learning/None"
},
{
"name": "Anomalous Process For a Windows Population",
"value": "machine_learning/None"
},
{
"name": "Anomalous Windows Process Creation",
"value": "machine_learning/None"
},
{
"name": "Unusual Windows Service",
"value": "machine_learning/None"
},
{
"name": "Suspicious ScreenConnect Client Child Process",
"value": "eql/eql"
},
{
"name": "Network Logon Provider Registry Modification",
"value": "eql/eql"
},
{
"name": "Service DACL Modification via sc.exe",
"value": "eql/eql"
},
{
"name": "Service Command Lateral Movement",
"value": "eql/eql"
},
{
"name": "Remote Windows Service Installed",
"value": "eql/eql"
},
{
"name": "Unsigned DLL Loaded by Svchost",
"value": "eql/eql"
},
{
"name": "Suspicious Service was Installed in the System",
"value": "eql/eql"
},
{
"name": "Unusual Persistence via Services Registry",
"value": "eql/eql"
},
{
"name": "Suspicious ImagePath Service Creation",
"value": "eql/eql"
},
{
"name": "System Shells via Services",
"value": "eql/eql"
},
{
"name": "Persistence via Update Orchestrator Service Hijack",
"value": "eql/eql"
},
{
"name": "Persistence via WMI Standard Registry Provider",
"value": "eql/eql"
},
{
"name": "First Time Seen Driver Loaded",
"value": "new_terms/kuery"
},
{
"name": "Creation or Modification of a new GPO Scheduled Task or Service",
"value": "eql/eql"
},
{
"name": "Service Path Modification",
"value": "eql/eql"
},
{
"name": "Service Path Modification via sc.exe",
"value": "eql/eql"
},
{
"name": "Execution of an Unsigned Service",
"value": "new_terms/kuery"
}
],
"links": [
{
"label": "Node.js Pre or Post-Install Script Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml"
},
{
"label": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml"
},
{
"label": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml"
},
{
"label": "Potential Persistence via File Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/fim/persistence_suspicious_file_modifications.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Version Discovery",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_pam_version_discovery.toml"
},
{
"label": "Suspicious Mining Process Creation Event",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_mining_process_creation_events.toml"
},
{
"label": "Unusual Pkexec Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_unusual_pkexec_execution.toml"
},
{
"label": "Suspicious APT Package Manager Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_apt_package_manager_execution.toml"
},
{
"label": "APT Package Manager Configuration File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_apt_package_manager_file_creation.toml"
},
{
"label": "Suspicious APT Package Manager Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_apt_package_manager_netcon.toml"
},
{
"label": "Boot File Copy",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_boot_file_copy.toml"
},
{
"label": "Chkconfig Service Add",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_chkconfig_service_add.toml"
},
{
"label": "Renaming of OpenSSH Binaries",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_credential_access_modify_ssh_binaries.toml"
},
{
"label": "D-Bus Service Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dbus_service_creation.toml"
},
{
"label": "Unusual D-Bus Daemon Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml"
},
{
"label": "DNF Package Manager Plugin File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml"
},
{
"label": "DPKG Package Installed by Unusual Parent Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml"
},
{
"label": "Unusual DPKG Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dpkg_unusual_execution.toml"
},
{
"label": "Dracut Module Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_dracut_module_creation.toml"
},
{
"label": "Initramfs Extraction via CPIO",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_extract_initramfs_via_cpio.toml"
},
{
"label": "Git Hook Command Execution",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_execution.toml"
},
{
"label": "Git Hook Created or Modified",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_file_creation.toml"
},
{
"label": "Git Hook Egress Network Connection",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_netcon.toml"
},
{
"label": "Git Hook Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_git_hook_process_execution.toml"
},
{
"label": "GRUB Configuration File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_grub_configuration_creation.toml"
},
{
"label": "GRUB Configuration Generation through Built-in Utilities",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_grub_makeconfig.toml"
},
{
"label": "Kubernetes Sensitive Configuration File Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_kubernetes_sensitive_file_activity.toml"
},
{
"label": "NetworkManager Dispatcher Script Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_network_manager_dispatcher_persistence.toml"
},
{
"label": "Pluggable Authentication Module or Configuration Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_creation.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml"
},
{
"label": "Potential Backdoor Execution Through PAM_EXEC",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml"
},
{
"label": "Pluggable Authentication Module (PAM) Source Download",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_pluggable_authentication_module_source_download.toml"
},
{
"label": "Polkit Policy Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_polkit_policy_creation.toml"
},
{
"label": "RPM Package Installed by Unusual Parent Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml"
},
{
"label": "Potential Suspicious File Edit",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_file_opened_through_editor.toml"
},
{
"label": "Potential Execution via SSH Backdoor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml"
},
{
"label": "Systemd Generator Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_generator_creation.toml"
},
{
"label": "Suspicious Network Connection via systemd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_netcon.toml"
},
{
"label": "Systemd Service Created",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_service_creation.toml"
},
{
"label": "Systemd Service Started by Unusual Parent Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_service_started.toml"
},
{
"label": "Systemd Shell Execution During Boot",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_shell_execution.toml"
},
{
"label": "Initramfs Unpacking via unmkinitramfs",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml"
},
{
"label": "Authentication via Unusual PAM Grantor",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_unusual_pam_grantor.toml"
},
{
"label": "Yum Package Manager Plugin File Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml"
},
{
"label": "Launch Service Creation and Immediate Loading",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_creation_change_launch_agents_file.toml"
},
{
"label": "Suspicious Hidden Child Process of Launchd",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml"
},
{
"label": "Persistence via Docker Shortcut Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_docker_shortcuts_plist_modification.toml"
},
{
"label": "Creation of Hidden Launch Agent or Daemon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml"
},
{
"label": "Finder Sync Plugin Registered and Enabled",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_finder_sync_plugin_pluginkit.toml"
},
{
"label": "Persistence via a Hidden Plist Filename",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_hidden_plist_filename.toml"
},
{
"label": "First Time Python Created a LaunchAgent or LaunchDaemon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml"
},
{
"label": "Persistence via Suspicious Launch Agent or Launch Daemon",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml"
},
{
"label": "Anomalous Process For a Linux Population",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml"
},
{
"label": "Unusual Process For a Linux Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_rare_process_by_host_linux.toml"
},
{
"label": "Unusual Process For a Windows Host",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_rare_process_by_host_windows.toml"
},
{
"label": "Unusual Windows Path Activity",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_windows_anomalous_path_activity.toml"
},
{
"label": "Anomalous Process For a Windows Population",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml"
},
{
"label": "Anomalous Windows Process Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_windows_anomalous_process_creation.toml"
},
{
"label": "Unusual Windows Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/ml/persistence_ml_windows_anomalous_service.toml"
},
{
"label": "Suspicious ScreenConnect Client Child Process",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_screenconnect_childproc.toml"
},
{
"label": "Network Logon Provider Registry Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_persistence_network_logon_provider_modification.toml"
},
{
"label": "Service DACL Modification via sc.exe",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_sc_sdset.toml"
},
{
"label": "Service Command Lateral Movement",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_cmd_service.toml"
},
{
"label": "Remote Windows Service Installed",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_remote_service_installed_winlog.toml"
},
{
"label": "Unsigned DLL Loaded by Svchost",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_service_dll_unsigned.toml"
},
{
"label": "Suspicious Service was Installed in the System",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_service_windows_service_winlog.toml"
},
{
"label": "Unusual Persistence via Services Registry",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_services_registry.toml"
},
{
"label": "Suspicious ImagePath Service Creation",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_suspicious_service_created_registry.toml"
},
{
"label": "System Shells via Services",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_system_shells_via_services.toml"
},
{
"label": "Persistence via Update Orchestrator Service Hijack",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_via_update_orchestrator_service_hijack.toml"
},
{
"label": "Persistence via WMI Standard Registry Provider",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_via_wmi_stdregprov_run_services.toml"
},
{
"label": "First Time Seen Driver Loaded",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_driver_newterm_imphash.toml"
},
{
"label": "Creation or Modification of a new GPO Scheduled Task or Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml"
},
{
"label": "Service Path Modification",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_service_path_registry.toml"
},
{
"label": "Service Path Modification via sc.exe",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/defense_evasion_services_exe_path.toml"
},
{
"label": "Execution of an Unsigned Service",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/execution_unsigned_service_executable.toml"
}
],
"color": "",
"comment": "",
"enabled": true,
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "persistence",
"score": 45,
"metadata": [
{
"name": "Node.js Pre or Post-Install Script Execution",
"value": "eql/eql"
},
{
"name": "Dynamic Linker Modification Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"value": "eql/eql"
},
{
"name": "Potential Persistence via File Modification",
"value": "eql/eql"
},
{
"name": "Dynamic Linker Creation",
"value": "eql/eql"
},
{
"name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments",
"value": "new_terms/kuery"
},
{
"name": "Dynamic Linker (ld.so) Creation",
"value": "eql/eql"
},
{
"name": "Unusual Preload Environment Variable Process Execution",
"value": "new_terms/kuery"
},
{
"name": "Pod or