Elastic non-Windows coverage
1,299 non-Windows Elastic detection rules across 14 platforms, grouped by MITRE ATT&CK technique within each platform. The Windows coverage matrix lives at /rules/elastic/; this page reorganizes the same corpus along platform × technique because non-Windows rules have no catalog event IDs to plot.
For coverage organized by each platform's native action vocabulary across all vendors, see the platform matrices: AWS, Azure AD, GCP, M365, Okta. This page is the vendor-organized, browsable view of the same rules.
Linux
Reconnaissance
Active Scanning T1595 2 rules
Resource Development
Obtain Capabilities: Malware T1588.001 1 rule
- Anomalous Linux Compiler Activity production
Initial Access
Exploit Public-Facing Application T1190 18 rules
- Deprecated - Unusual Command Execution from Web Server Parent production
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Ollama API Accessed from External Network production
- Potential Buffer Overflow Attack Detected production
- Potential Code Execution via Postgresql production
- Potential JAVA/JNDI Exploitation Attempt production
- Potential Linux Hack Tool Launched production
- Potential Telnet Authentication Bypass (CVE-2026-24061) production
- Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
- Suspicious Child Execution via Web Server production
- Suspicious Command Execution via Web Server production
- Telnet Authentication Bypass via User Environment Variable production
- Unusual Child Execution via Web Server production
- Unusual Command Execution via Web Server production
- Unusual Exim4 Child Process production
- Unusual File Creation by Web Server production
- Web Server Exploitation Detected via Defend for Containers production
- Zoom Meeting with no Passcode production
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 6 rules
- DPKG Package Installed by Unusual Parent Process production
- Elastic Defend Alert from GenAI Utility or Descendant production
- Elastic Defend Alert from Package Manager Install Ancestry production
- Ollama DNS Query to Untrusted Domain production
- RPM Package Installed by Unusual Parent Process production
- Unusual DPKG Execution production
Execution
Command and Scripting Interpreter: Unix Shell T1059.004 109 rules
- AWS EC2 LOLBin Execution via SSM SendCommand production
- Azure Run Command Script Child Process production
- Base64 Decoded Payload Piped to Interpreter production
- Boot File Copy production
- BPF filter applied using TC production
- Cupsd or Foomatic-rip Shell Execution production
- Curl or Wget Egress Network Connection via LoLBin production
- Decoded Payload Piped to Interpreter Detected via Defend for Containers production
- Deprecated - Uncommon Destination Port Connection by Web Server production
- Deprecated - Unusual Command Execution from Web Server Parent production
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Direct Interactive Kubernetes API Request by Common Utilities production
- Direct Interactive Kubernetes API Request by Unusual Utilities production
- Direct Interactive Kubernetes API Request Detected via Defend for Containers production
- Dracut Module Creation production
- Dynamic Linker (ld.so) Creation production
- Egress Connection from Entrypoint in Container production
- Encoded Payload Detected via Defend for Containers production
- Execution via OpenClaw Agent production
- File Creation and Execution Detected via Defend for Containers production
- File Creation by Cups or Foomatic-rip Child production
- File Creation in /var/log via Suspicious Process production
- File Creation, Execution and Self-Deletion in Suspicious Directory production
- File Download Detected via Defend for Containers production
- File Transfer or Listener Established via Netcat production
- File Transfer Utility Launched from Unusual Parent production
- Forbidden Direct Interactive Kubernetes API Request production
- Git Hook Child Process production
- Git Hook Command Execution production
- Git Hook Created or Modified production
- Git Hook Egress Network Connection production
- GitHub Authentication Token Access via Node.js production
- Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
- Initramfs Unpacking via unmkinitramfs production
- Interactive Exec Into Container Detected via Defend for Containers production
- Interactive Shell Launched via Unusual Parent Process in a Container production
- Interactive Shell Spawn Detected via Defend for Containers production
- Interactive Terminal Spawned via Perl production
- Interactive Terminal Spawned via Python production
- Kill Command Execution production
- Linux Restricted Shell Breakout via Linux Binary(s) production
- Manual Dracut Execution production
- Memory Swap Modification production
- Multi-Base64 Decoding Attempt from Suspicious Location production
- Netcat File Transfer or Listener Detected via Defend for Containers production
- Netcat Listener Established via rlwrap production
- Network Connection by Cups or Foomatic-rip Child production
- Network Connection from Binary with RWX Memory Region production
- Network Connection via Recently Compiled Executable production
- Network Connections Initiated Through XDG Autostart Entry production
- NetworkManager Dispatcher Script Creation production
- Openssl Client or Server Activity production
- Payload Execution via Shell Pipe Detected by Defend for Containers production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Code Execution via Postgresql production
- Potential Direct Kubelet Access via Process Arguments production
- Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
- Potential Execution via SSH Backdoor production
- Potential Hex Payload Execution via Command-Line production
- Potential Hex Payload Execution via Common Utility production
- Potential JAVA/JNDI Exploitation Attempt production
- Potential Kubeletctl Execution production
- Potential Kubeletctl Execution Detected via Defend for Containers production
- Potential Malware-Driven SSH Brute Force Attempt production
- Potential Meterpreter Reverse Shell production
- Potential Reverse Shell production
- Potential Reverse Shell via Background Process production
- Potential Reverse Shell via Child production
- Potential Reverse Shell via Java production
- Potential Reverse Shell via Suspicious Binary production
- Potential Reverse Shell via Suspicious Child Process production
- Potential Reverse Shell via UDP production
- Potential Shell via Wildcard Injection Detected production
- Potential Upgrade of Non-interactive Shell production
- Printer User (lp) Shell Execution production
- Privileged Docker Container Creation production
- Process Backgrounded by Unusual Parent production
- Process Spawned from Message-of-the-Day (MOTD) production
- Process Started with Executable Stack production
- Proxy Shell Execution via Busybox production
- Python Path File (pth) Creation production
- Python Site or User Customize File Creation production
- Root Network Connection via GDB CAP_SYS_PTRACE production
- Service Account Token or Certificate Access Followed by Kubernetes API Request production
- Simple HTTP Web Server Connection production
- Simple HTTP Web Server Creation production
- Suspicious APT Package Manager Execution production
- Suspicious APT Package Manager Network Connection production
- Suspicious Content Extracted or Decompressed via Funzip production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Suspicious Interpreter Execution Detected via Defend for Containers production
- Suspicious Mining Process Creation Event production
- Suspicious Named Pipe Creation production
- Suspicious Path Invocation from Command Line production
- Suspicious Process Execution Detected via Defend for Containers production
- Suspicious System Commands Executed by Previously Unknown Executable production
- System Path File Creation and Execution Detected via Defend for Containers production
- Systemd Shell Execution During Boot production
- Unknown Execution of Binary with RWX Memory Region production
- Unusual Base64 Encoding/Decoding Activity production
- Unusual Child Execution via Web Server production
- Unusual Command Execution via Web Server production
- Unusual D-Bus Daemon Child Process production
- Unusual Execution from Kernel Thread (kthreadd) Parent production
- Unusual File Creation by Web Server production
- Unusual Interactive Shell Launched from System User production
- Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
- Unusual Pkexec Execution production
- Web Server Exploitation Detected via Defend for Containers production
Command and Scripting Interpreter: Python T1059.006 23 rules
- Base64 Decoded Payload Piped to Interpreter production
- Decoded Payload Piped to Interpreter Detected via Defend for Containers production
- Deprecated - EggShell Backdoor Execution production
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Encoded Payload Detected via Defend for Containers production
- Execution via OpenClaw Agent production
- Interactive Terminal Spawned via Python production
- Long Base64 Encoded Command via Scripting Interpreter production
- Payload Execution via Shell Pipe Detected by Defend for Containers production
- Potential Hex Payload Execution via Common Utility production
- Potential JAVA/JNDI Exploitation Attempt production
- Potential Privilege Escalation via Python cap_setuid production
- Potential Reverse Shell via Suspicious Child Process production
- Potential Reverse Shell via UDP production
- Process Spawned from Message-of-the-Day (MOTD) production
- Python Path File (pth) Creation production
- Python Site or User Customize File Creation production
- Simple HTTP Web Server Connection production
- Simple HTTP Web Server Creation production
- Suspicious APT Package Manager Execution production
- Suspicious Interpreter Execution Detected via Defend for Containers production
- Unusual Base64 Encoding/Decoding Activity production
- Web Server Spawned via Python production
Container Administration Command T1609 15 rules
- Container Management Utility Execution Detected via Defend for Containers production
- Container Management Utility Run Inside A Container production
- Container Runtime CLI Execution with Suspicious Arguments production
- Direct Interactive Kubernetes API Request by Common Utilities production
- Direct Interactive Kubernetes API Request by Unusual Utilities production
- Direct Interactive Kubernetes API Request Detected via Defend for Containers production
- Docker Socket Enumeration production
- Forbidden Direct Interactive Kubernetes API Request production
- Interactive Exec Into Container Detected via Defend for Containers production
- Kubectl Apply Pod from URL production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Kubeletctl Execution production
- Potential Kubeletctl Execution Detected via Defend for Containers production
- Privileged Docker Container Creation production
- Suspicious Container Runtime CLI Execution production
Command and Scripting Interpreter T1059 14 rules
- Binary Executed from Shared Memory Directory production
- File Execution Permission Modification Detected via Defend for Containers production
- GenAI or MCP Server Child Process Execution production
- Potential Backdoor Execution Through PAM_EXEC production
- Potential Reverse Shell Activity via Terminal production
- Potentially Suspicious Process Started via tmux or screen production
- Process Started from Process ID (PID) File production
- Suspicious Child Execution via Web Server production
- Suspicious Command Execution via Web Server production
- Suspicious Data Encryption via OpenSSL Utility production
- Suspicious File Made Executable via Chmod Inside A Container production
- Suspicious Network Connection via systemd production
- System Binary Path File Permission Modification production
- Unusual Exim4 Child Process production
User Execution: Malicious File T1204.002 13 rules
- Base64 Decoded Payload Piped to Interpreter production
- Decoded Payload Piped to Interpreter Detected via Defend for Containers production
- Elastic Defend Alert Followed by Telemetry Loss production
- Encoded Payload Detected via Defend for Containers production
- Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
- Malicious File - Detected - Elastic Defend production
- Malicious File - Prevented - Elastic Defend production
- Masquerading Space After Filename production
- Multi-Base64 Decoding Attempt from Suspicious Location production
- Potential Hex Payload Execution via Command-Line production
- Potential Hex Payload Execution via Common Utility production
- Potential Widespread Malware Infection Across Multiple Hosts production
- Unusual Base64 Encoding/Decoding Activity production
Exploitation for Client Execution T1203 9 rules
- Cupsd or Foomatic-rip Shell Execution production
- File Creation by Cups or Foomatic-rip Child production
- Network Connection by Cups or Foomatic-rip Child production
- Potential JAVA/JNDI Exploitation Attempt production
- Potential Shell via Wildcard Injection Detected production
- Printer User (lp) Shell Execution production
- Segfault Detected production
- Segfault from Sensitive Process Detected production
- Suspicious Execution from Foomatic-rip or Cupsd Parent production
Scheduled Task/Job: Cron T1053.003 8 rules
- Cron Job Created or Modified production
- Executable Bit Set for Potential Persistence Script production
- Modification of Persistence Relevant Files Detected via Defend for Containers production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Persistence via File Modification production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Suspicious Execution from Foomatic-rip or Cupsd Parent production
- Suspicious Network Activity to the Internet by Previously Unknown Executable production
Command and Scripting Interpreter: Lua T1059.011 7 rules
- Base64 Decoded Payload Piped to Interpreter production
- Decoded Payload Piped to Interpreter Detected via Defend for Containers production
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Potential Hex Payload Execution via Common Utility production
- Potential Reverse Shell via UDP production
- Process Spawned from Message-of-the-Day (MOTD) production
- Suspicious Interpreter Execution Detected via Defend for Containers production
Deploy Container T1610 7 rules
- Direct Interactive Kubernetes API Request by Unusual Utilities production
- Kubectl Apply Pod from URL production
- Kubernetes Sensitive Configuration File Activity production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Privilege Escalation through Writable Docker Socket production
- Potential Privilege Escalation via Container Misconfiguration production
- Privileged Docker Container Creation production
Command and Scripting Interpreter: PowerShell T1059.001 5 rules
- Azure Run Command Correlated with Process Execution production
- Azure Run Command Script Child Process production
- Command Line Obfuscation via Whitespace Padding production
- Execution via OpenClaw Agent production
- Long Base64 Encoded Command via Scripting Interpreter production
Scheduled Task/Job: At T1053.002 4 rules
Command and Scripting Interpreter: JavaScript T1059.007 4 rules
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Execution via OpenClaw Agent production
- Long Base64 Encoded Command via Scripting Interpreter production
- Potential JAVA/JNDI Exploitation Attempt production
Native API T1106 3 rules
Cloud Administration Command T1651 3 rules
- AWS EC2 LOLBin Execution via SSM SendCommand production
- Azure Run Command Correlated with Process Execution production
- Azure Run Command Script Child Process production
Scheduled Task/Job: Container Orchestration Job T1053.007 2 rules
- Kubernetes Sensitive Configuration File Activity production
- Kubernetes Static Pod Manifest File Access production
Inter-Process Communication T1559 2 rules
- Unix Socket Connection production
- Unusual D-Bus Daemon Child Process production
Command and Scripting Interpreter: AppleScript T1059.002 1 rule
- Execution via OpenClaw Agent production
Command and Scripting Interpreter: Windows Command Shell T1059.003 1 rule
- Execution via OpenClaw Agent production
Shared Modules T1129 1 rule
Persistence
Create or Modify System Process T1543 34 rules
- APT Package Manager Configuration File Creation production
- Authentication via Unusual PAM Grantor production
- Boot File Copy production
- Chkconfig Service Add production
- D-Bus Service Created production
- DNF Package Manager Plugin File Creation production
- DPKG Package Installed by Unusual Parent Process production
- Dracut Module Creation production
- Git Hook Child Process production
- Git Hook Command Execution production
- Git Hook Created or Modified production
- Git Hook Egress Network Connection production
- GRUB Configuration File Creation production
- GRUB Configuration Generation through Built-in Utilities production
- Initramfs Extraction via CPIO production
- Initramfs Unpacking via unmkinitramfs production
- Namespace Manipulation Using Unshare production
- Namespace Manipulation Using Unshare in a Container production
- NetworkManager Dispatcher Script Creation production
- Pluggable Authentication Module (PAM) Creation in Unusual Directory production
- Pluggable Authentication Module (PAM) Source Download production
- Pluggable Authentication Module (PAM) Version Discovery production
- Pluggable Authentication Module or Configuration Creation production
- Polkit Policy Creation production
- Potential Backdoor Execution Through PAM_EXEC production
- Potential Execution via SSH Backdoor production
- Renaming of OpenSSH Binaries production
- RPM Package Installed by Unusual Parent Process production
- Suspicious APT Package Manager Execution production
- Suspicious APT Package Manager Network Connection production
- Unusual D-Bus Daemon Child Process production
- Unusual DPKG Execution production
- Unusual Pkexec Execution production
- Yum Package Manager Plugin File Creation production
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 14 rules
- BPF Program or Map Load via bpftool production
- Kernel Driver Load production
- Kernel Driver Load by non-root User production
- Kernel Load or Unload via Kexec Detected production
- Kernel Module Load from Unusual Location production
- Kernel Module Load via Built-in Utility production
- Kernel Module Removal production
- Kernel Object File Creation production
- Loadable Kernel Module Configuration File Creation production
- Potential Persistence via File Modification production
- Suspicious Modprobe File Event production
- Suspicious Usage of bpf_probe_write_user Helper production
- Tainted Kernel Module Load production
- Tainted Out-Of-Tree Kernel Module Load production
Server Software Component: Web Shell T1505.003 12 rules
- Deprecated - Uncommon Destination Port Connection by Web Server production
- Deprecated - Unusual Command Execution from Web Server Parent production
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
- Simple HTTP Web Server Connection production
- Simple HTTP Web Server Creation production
- Suspicious Child Execution via Web Server production
- Suspicious Command Execution via Web Server production
- Unusual Child Execution via Web Server production
- Unusual Command Execution via Web Server production
- Unusual File Creation by Web Server production
- Web Server Exploitation Detected via Defend for Containers production
Create or Modify System Process: Systemd Service T1543.002 10 rules
- Modification of Persistence Relevant Files Detected via Defend for Containers production
- Potential Persistence via File Modification production
- Potential Suspicious File Edit production
- Suspicious Mining Process Creation Event production
- Suspicious Network Connection via systemd production
- Systemd Generator Created production
- Systemd Service Created production
- Systemd Service Started by Unusual Parent Process production
- Systemd Shell Execution During Boot production
- Unusual Process For a Linux Host production
Boot or Logon Initialization Scripts: RC Scripts T1037.004 9 rules
- Executable Bit Set for Potential Persistence Script production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Execution of rc.local Script production
- Potential Persistence via File Modification production
- Potential Suspicious File Edit production
- rc.local/rc.common File Creation production
- Suspicious Network Activity to the Internet by Previously Unknown Executable production
- Suspicious rc.local Error Message production
- System V Init Script Created production
Create Account: Local Account T1136.001 8 rules
- Linux Group Creation production
- Linux User Account Creation production
- Linux User Added to Privileged Group production
- OpenSSL Password Hash Generation production
- Potential Linux Backdoor User Account Creation production
- Potential Persistence via File Modification production
- Shadow File Modification by Unusual Process production
- Suspicious Passwd File Event Action production
Boot or Logon Initialization Scripts T1037 7 rules
- Chkconfig Service Add production
- Message-of-the-Day (MOTD) File Creation production
- Modification of Persistence Relevant Files Detected via Defend for Containers production
- Process Spawned from Message-of-the-Day (MOTD) production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Systemd-udevd Rule File Creation production
- Unusual Exim4 Child Process production
Account Manipulation: SSH Authorized Keys T1098.004 7 rules
- Pod or Container Creation with Suspicious Command-Line production
- Potential Persistence via File Modification production
- SSH Authorized Key File Activity Detected via Defend for Containers production
- SSH Authorized Keys File Activity production
- SSH Key Generated via ssh-keygen production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Unusual Login via System User production
Account Manipulation T1098 5 rules
- Linux User Account Credential Modification production
- OpenSSL Password Hash Generation production
- Potential Linux Backdoor User Account Creation production
- Potential Suspicious File Edit production
- Shadow File Modification by Unusual Process production
External Remote Services T1133 5 rules
- Ollama API Accessed from External Network production
- Successful SSH Authentication from Unusual SSH Public Key production
- Successful SSH Authentication from Unusual User production
- Unusual SSHD Child Process production
- Zoom Meeting with no Passcode production
Boot or Logon Autostart Execution: XDG Autostart Entries T1547.013 5 rules
- Executable Bit Set for Potential Persistence Script production
- KDE AutoStart Script or Desktop File Creation production
- Network Connections Initiated Through XDG Autostart Entry production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Persistence via File Modification production
Compromise Host Software Binary T1554 4 rules
- Potential OpenSSH Backdoor Logging Activity production
- Potential SSH Password Grabbing via strace production
- Renaming of OpenSSH Binaries production
- Unusual Exim4 Child Process production
Event Triggered Execution: Udev Rules T1546.017 3 rules
- Executable Bit Set for Potential Persistence Script production
- Potential Persistence via File Modification production
- Systemd-udevd Rule File Creation production
Account Manipulation: Additional Local or Domain Groups T1098.007 2 rules
- Linux Group Creation production
- Linux User Added to Privileged Group production
Create or Modify System Process: Container Service T1543.005 2 rules
- Kubernetes Sensitive Configuration File Activity production
- Kubernetes Static Pod Manifest File Access production
Event Triggered Execution: Python Startup Hooks T1546.018 2 rules
- Python Path File (pth) Creation production
- Python Site or User Customize File Creation production
Create or Modify System Process: Windows Service T1543.003 1 rule
- Anomalous Process For a Linux Population production
Boot or Logon Autostart Execution T1547 1 rule
- Suspicious File Creation via Kworker production
Privilege Escalation
Exploitation for Privilege Escalation T1068 29 rules
- Anomalous Linux Compiler Activity production
- Deprecated - Sudo Heap-Based Buffer Overflow Attempt production
- Potential Buffer Overflow Attack Detected production
- Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket production
- Potential CVE-2025-32463 Nsswitch File Creation production
- Potential CVE-2025-32463 Sudo Chroot Execution Attempt production
- Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt production
- Potential Privilege Escalation via CVE-2023-4911 production
- Potential Privilege Escalation via Enlightenment production
- Potential Privilege Escalation via Linux DAC permissions production
- Potential Privilege Escalation via PKEXEC production
- Potential Privilege Escalation via Python cap_setuid production
- Potential Privilege Escalation via Recently Compiled Executable production
- Potential Privilege Escalation via SUID/SGID Proxy Execution production
- Potential Privilege Escalation via unshare and UID Change production
- Potential Privilege Escalation via unshare Followed by Root Process production
- Potential Shadow File Read via Command Line Utilities production
- Potential Shell via Wildcard Injection Detected production
- Potential snap-confine Privilege Escalation via CVE-2026-3888 production
- Potential Sudo Privilege Escalation via CVE-2019-14287 production
- Potential Telnet Authentication Bypass (CVE-2026-24061) production
- Potential Unauthorized Access via Wildcard Injection Detected production
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
- Privilege Escalation via CAP_SETUID/SETGID Capabilities production
- Privilege Escalation via GDB CAP_SYS_PTRACE production
- Privilege Escalation via SUID/SGID production
- Root Network Connection via GDB CAP_SYS_PTRACE production
- Suspicious Passwd File Event Action production
- Telnet Authentication Bypass via User Environment Variable production
Escape to Host T1611 25 rules
- Chroot Execution Detected via Defend for Containers production
- Chroot Execution in Container Context on Linux production
- Container Runtime CLI Execution with Suspicious Arguments production
- DebugFS Execution Detected via Defend for Containers production
- Docker Release File Creation production
- Egress Connection from Entrypoint in Container production
- File System Debugger Launched Inside a Container production
- Kernel Load or Unload via Kexec Detected production
- Mount Execution Detected via Defend for Containers production
- Mount Launched Inside a Container production
- Namespace Manipulation Using Unshare production
- Namespace Manipulation Using Unshare in a Container production
- Nsenter Execution with Target Flag Inside Container production
- Nsenter to PID Namespace via Auditd production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Chroot Container Escape via Mount production
- Potential Docker Escape via Nsenter production
- Potential notify_on_release Container Escape Detected via Defend for Containers production
- Potential Privilege Escalation in Container via Runc Init production
- Potential Privilege Escalation through Writable Docker Socket production
- Potential Privilege Escalation via Container Misconfiguration production
- Potential release_agent Container Escape Detected via Defend for Containers production
- Privileged Docker Container Creation production
- Suspicious Container Runtime CLI Execution production
- Unusual Process Connection to Docker or Containerd Socket production
Abuse Elevation Control Mechanism: Setuid and Setgid T1548.001 19 rules
- File Execution Permission Modification Detected via Defend for Containers production
- Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket production
- Potential Privilege Escalation via CVE-2023-4911 production
- Potential Privilege Escalation via Enlightenment production
- Potential Privilege Escalation via Python cap_setuid production
- Potential Privilege Escalation via Recently Compiled Executable production
- Potential Privilege Escalation via SUID/SGID production
- Potential Privilege Escalation via SUID/SGID Proxy Execution production
- Potential Root Effective Shell from Non-Standard Path via Auditd production
- Privilege Escalation via CAP_SETUID/SETGID Capabilities production
- Privilege Escalation via SUID/SGID production
- Setcap setuid/setgid Capability Set production
- SUID/SGUID Enumeration Detected production
- Suspicious File Made Executable via Chmod Inside A Container production
- Suspicious SUID Binary Execution production
- Suspicious SUID Binary Execution (Auditd Sequence) production
- System Binary Path File Permission Modification production
- UID Elevation from Previously Unknown Executable production
- Unusual Pkexec Execution production
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 17 rules
- Deprecated - Sudo Heap-Based Buffer Overflow Attempt production
- Modification of Persistence Relevant Files Detected via Defend for Containers production
- Pod or Container Creation with Suspicious Command-Line production
- Potential CVE-2025-32463 Sudo Chroot Execution Attempt production
- Potential Defense Evasion via Doas production
- Potential Persistence via File Modification production
- Potential Privilege Escalation via Sudoers File Modification production
- Potential Privilege Escalation via SUID/SGID production
- Potential Sudo Hijacking production
- Potential Sudo Privilege Escalation via CVE-2019-14287 production
- Potential Sudo Token Manipulation via Process Injection production
- Potential Suspicious File Edit production
- Sudo Command Enumeration Detected production
- Sudoers File Activity production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Suspicious SUID Binary Execution production
- Suspicious SUID Binary Execution (Auditd Sequence) production
Event Triggered Execution T1546 9 rules
- D-Bus Service Created production
- Docker Release File Creation production
- Git Hook Child Process production
- Git Hook Command Execution production
- Git Hook Created or Modified production
- Git Hook Egress Network Connection production
- NetworkManager Dispatcher Script Creation production
- Potential release_agent Container Escape Detected via Defend for Containers production
- Systemd Generator Created production
Event Triggered Execution: Unix Shell Configuration Modification T1546.004 9 rules
- Bash Shell Profile Modification production
- Modification of Persistence Relevant Files Detected via Defend for Containers production
- Network Connection Initiated by Suspicious SSHD Child Process production
- Pod or Container Creation with Suspicious Command-Line production
- Potential Persistence via File Modification production
- Potential Suspicious File Edit production
- Shell Configuration Creation production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Unusual SSHD Child Process production
Event Triggered Execution: Installer Packages T1546.016 8 rules
- APT Package Manager Configuration File Creation production
- DNF Package Manager Plugin File Creation production
- DPKG Package Installed by Unusual Parent Process production
- RPM Package Installed by Unusual Parent Process production
- Suspicious APT Package Manager Execution production
- Suspicious APT Package Manager Network Connection production
- Unusual DPKG Execution production
- Yum Package Manager Plugin File Creation production
Abuse Elevation Control Mechanism T1548 6 rules
- Potential Privilege Escalation via unshare and UID Change production
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
- Privilege Escalation via GDB CAP_SYS_PTRACE production
- Process Capability Set via setcap Utility production
- Suspicious Symbolic Link Created production
- Unusual Sudo Activity production
Stealth
Hijack Execution Flow T1574 26 rules
- APT Package Manager Configuration File Creation production
- Boot File Copy production
- DNF Package Manager Plugin File Creation production
- DPKG Package Installed by Unusual Parent Process production
- Dracut Module Creation production
- Git Hook Child Process production
- Git Hook Command Execution production
- Git Hook Created or Modified production
- Git Hook Egress Network Connection production
- GRUB Configuration File Creation production
- GRUB Configuration Generation through Built-in Utilities production
- Initramfs Extraction via CPIO production
- Initramfs Unpacking via unmkinitramfs production
- NetworkManager Dispatcher Script Creation production
- Potential snap-confine Privilege Escalation via CVE-2026-3888 production
- Potential Sudo Hijacking production
- Python Path File (pth) Creation production
- Python Site or User Customize File Creation production
- RPM Package Installed by Unusual Parent Process production
- Suspicious APT Package Manager Execution production
- Suspicious APT Package Manager Network Connection production
- Suspicious Network Connection via systemd production
- Suspicious Symbolic Link Created production
- System Binary Symlink to Suspicious Location production
- Unusual DPKG Execution production
- Yum Package Manager Plugin File Creation production
Rootkit T1014 22 rules
- BPF Program or Map Load via bpftool production
- BPF Program Tampering via bpftool production
- Kernel Driver Load production
- Kernel Driver Load by non-root User production
- Kernel Instrumentation Discovery via kprobes and tracefs production
- Kernel Load or Unload via Kexec Detected production
- Kernel Module Load from Unusual Location production
- Kernel Module Load via Built-in Utility production
- Kernel Object File Creation production
- Kernel Seeking Activity production
- Kernel Unpacking Activity production
- Loadable Kernel Module Configuration File Creation production
- Network Activity Detected via Kworker production
- Potential Persistence via File Modification production
- Suspicious File Creation via Kworker production
- Suspicious Kworker UID Elevation production
- Suspicious Usage of bpf_probe_write_user Helper production
- Tainted Kernel Module Load production
- Tainted Out-Of-Tree Kernel Module Load production
- UID Elevation from Previously Unknown Executable production
- Unusual Execution from Kernel Thread (kthreadd) Parent production
- Unusual Kill Signal production
Impair Defenses: Disable or Modify Tools T1562.001 20 rules
- AppArmor Policy Interface Access production
- AppArmor Policy Violation Detected production
- AppArmor Profile Compilation via apparmor_parser production
- Attempt to Clear Kernel Ring Buffer production
- Attempt to Clear Logs via Journalctl production
- Attempt to Disable Auditd Service production
- Attempt to Disable IPTables or Firewall production
- Attempt to Disable Syslog Service production
- BPF filter applied using TC production
- BPF Program Tampering via bpftool production
- Elastic Agent Service Terminated production
- Elastic Defend Alert Followed by Telemetry Loss production
- High Number of Process Terminations production
- Kernel Module Removal production
- Kill Command Execution production
- Potential Disabling of AppArmor production
- Potential Disabling of SELinux production
- SELinux Configuration Creation or Renaming production
- Suspicious Kernel Feature Activity production
- Suspicious Write Attempt to AppArmor Policy Management Files production
Deobfuscate/Decode Files or Information T1140 16 rules
- Base16 or Base32 Encoding/Decoding Activity production
- Base64 Decoded Payload Piped to Interpreter production
- Command Line Obfuscation via Whitespace Padding production
- Decoded Payload Piped to Interpreter Detected via Defend for Containers production
- Encoded Payload Detected via Defend for Containers production
- Execution via OpenClaw Agent production
- Kernel Unpacking Activity production
- Long Base64 Encoded Command via Scripting Interpreter production
- Multi-Base64 Decoding Attempt from Suspicious Location production
- Potential Hex Payload Execution via Command-Line production
- Potential Hex Payload Execution via Common Utility production
- Suspicious Content Extracted or Decompressed via Funzip production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Suspicious Execution from Foomatic-rip or Cupsd Parent production
- Suspicious Interpreter Execution Detected via Defend for Containers production
- Unusual Base64 Encoding/Decoding Activity production
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 15 rules
- Dynamic Linker (ld.so) Creation production
- Dynamic Linker Copy production
- Dynamic Linker Creation production
- Dynamic Linker Modification Detected via Defend for Containers production
- Modification of Dynamic Linker Preload Shared Object production
- Pod or Container Creation with Suspicious Command-Line production
- Potential CVE-2025-32463 Nsswitch File Creation production
- Potential Persistence via File Modification production
- Potential Privilege Escalation via PKEXEC production
- Potential Suspicious File Edit production
- Shared Object Created by Previously Unknown Process production
- Suspicious Dynamic Linker Discovery via od production
- Suspicious Echo or Printf Execution Detected via Defend for Containers production
- Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
- Unusual Preload Environment Variable Process Execution production
Hide Artifacts: Hidden Files and Directories T1564.001 10 rules
- Creation of Hidden Files and Directories via CommandLine production
- Creation of Hidden Shared Object File production
- Directory Creation in /bin directory production
- File Creation in /var/log via Suspicious Process production
- Hidden Directory Creation via Unusual Parent production
- Hidden Files and Directories via Hidden Flag production
- High Number of Egress Network Connections from Unusual Executable production
- Kill Command Execution production
- Potential Hidden Process via Mount Hidepid production
- Suspicious Process Execution Detected via Defend for Containers production
Obfuscated Files or Information T1027 7 rules
- Base16 or Base32 Encoding/Decoding Activity production
- Base64 Decoded Payload Piped to Interpreter production
- Encoded Payload Detected via Defend for Containers production
- GenAI Process Performing Encoding/Chunking Prior to Network Activity production
- Long Base64 Encoded Command via Scripting Interpreter production
- Potential Hex Payload Execution via Common Utility production
- Unusual Base64 Encoding/Decoding Activity production
Masquerading: Match Legitimate Resource Name or Location T1036.005 7 rules
- Abnormal Process ID or Lock File Created production
- Directory Creation in /bin directory production
- Executable Masquerading as Kernel Process production
- Potential Process Name Stomping with Prctl production
- Process Started from Process ID (PID) File production
- Suspicious File Creation via Kworker production
- System Path File Creation and Execution Detected via Defend for Containers production
Indicator Removal: File Deletion T1070.004 7 rules
- File Creation, Execution and Self-Deletion in Suspicious Directory production
- File Deletion via Shred production
- Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
- SSH Authorized Keys File Deletion production
- SSL Certificate Deletion production
- System Log File Deletion production
- WebServer Access Logs Deleted production
Valid Accounts T1078 7 rules
- FortiGate SSL VPN Login Followed by SIEM Alert by User production
- Kubeconfig File Creation or Modification production
- Potential Successful SSH Brute Force Attack production
- Successful SSH Authentication from Unusual IP Address production
- Successful SSH Authentication from Unusual SSH Public Key production
- Successful SSH Authentication from Unusual User production
- Unusual Linux Username production
System Binary Proxy Execution T1218 6 rules
- Curl or Wget Egress Network Connection via LoLBin production
- Dynamic Linker (ld.so) Creation production
- Host Detected with Suspicious Windows Process(es) production
- Potential Privilege Escalation via SUID/SGID Proxy Execution production
- Potentially Suspicious Process Started via tmux or screen production
- Proxy Shell Execution via Busybox production
Pre-OS Boot T1542 6 rules
- Boot File Copy production
- Dracut Module Creation production
- GRUB Configuration File Creation production
- GRUB Configuration Generation through Built-in Utilities production
- Initramfs Extraction via CPIO production
- Manual Dracut Execution production
Hide Artifacts T1564 6 rules
- Executable Masquerading as Kernel Process production
- Process Backgrounded by Unusual Parent production
- Suspicious Path Invocation from Command Line production
- Suspicious Path Mounted production
- System Binary Moved or Copied production
- System Binary Symlink to Suspicious Location production
Reflective Code Loading T1620 6 rules
- Memory Threat - Detected - Elastic Defend production
- Memory Threat - Prevented - Elastic Defend production
- Network Connection from Binary with RWX Memory Region production
- Process Started with Executable Stack production
- Suspicious Process Execution Detected via Defend for Containers production
- Unknown Execution of Binary with RWX Memory Region production
Process Injection: Ptrace System Calls T1055.008 4 rules
- Linux Process Hooking via GDB production
- Potential Sudo Token Manipulation via Process Injection production
- Privilege Escalation via GDB CAP_SYS_PTRACE production
- Root Network Connection via GDB CAP_SYS_PTRACE production
Indicator Removal: Clear Linux or Mac System Logs T1070.002 4 rules
- Attempt to Clear Kernel Ring Buffer production
- Attempt to Clear Logs via Journalctl production
- File Creation in /var/log via Suspicious Process production
- System Log File Deletion production
Direct Volume Access T1006 3 rules
Masquerading T1036 3 rules
Masquerading: Masquerade Task or Service T1036.004 3 rules
- Executable Masquerading as Kernel Process production
- Network Activity Detected via Kworker production
- Suspicious Kworker UID Elevation production
Process Injection T1055 3 rules
- Memory Threat - Detected - Elastic Defend production
- Memory Threat - Prevented - Elastic Defend production
- Unusual Linux Network Activity production
Valid Accounts: Local Accounts T1078.003 3 rules
- Potential Suspicious DebugFS Root Device Access production
- Unusual Interactive Shell Launched from System User production
- Unusual Login via System User production
Indirect Command Execution T1202 3 rules
Masquerading: Rename Legitimate Utilities T1036.003 2 rules
- Suspicious Renaming of ESXI Files production
- System Binary Moved or Copied production
Masquerading: Break Process Trees T1036.009 2 rules
- Process Backgrounded by Unusual Parent production
- Unusual Execution from Kernel Thread (kthreadd) Parent production
Virtualization/Sandbox Evasion: System Checks T1497.001 2 rules
- Virtual Machine Fingerprinting production
- Virtual Machine Fingerprinting via Grep production
Impair Defenses: Indicator Blocking T1562.006 2 rules
- Kill Command Execution production
- Suspicious Kernel Feature Activity production
Hide Artifacts: Hidden Users T1564.002 2 rules
- Unusual Interactive Shell Launched from System User production
- Unusual Login via System User production
Hijack Execution Flow: KernelCallbackTable T1574.013 2 rules
- Suspicious Kworker UID Elevation production
- UID Elevation from Previously Unknown Executable production
Masquerading: Masquerade File Type T1036.008 1 rule
- Process Started from Process ID (PID) File production
Indicator Removal T1070 1 rule
- Linux User or Group Deletion production
Indicator Removal: Timestomp T1070.006 1 rule
- ESXI Timestomping using Touch Command production
Trusted Developer Utilities Proxy Execution T1127 1 rule
- Anomalous Linux Compiler Activity production
Exploitation for Stealth T1211 1 rule
- Potential Defense Evasion via PRoot production
Pre-OS Boot: Bootkit T1542.003 1 rule
- Initramfs Unpacking via unmkinitramfs production
Impair Defenses T1562 1 rule
- Suspicious Sysctl File Event production
Defense Impairment
File and Directory Permissions Modification: Linux and Mac Permissions T1222.002 10 rules
- Access Control List Modification via setfacl production
- Executable Bit Set for Potential Persistence Script production
- File Creation in World-Writable Directory by Unusual Process production
- File Execution Permission Modification Detected via Defend for Containers production
- File made Immutable by Chattr production
- File Permission Modification in Writable Directory production
- Potential Unauthorized Access via Wildcard Injection Detected production
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
- Suspicious File Made Executable via Chmod Inside A Container production
- System Binary Path File Permission Modification production
Modify Authentication Process T1556 7 rules
- Pluggable Authentication Module (PAM) Version Discovery production
- Polkit Policy Creation production
- Potential Execution via SSH Backdoor production
- Potential OpenSSH Backdoor Logging Activity production
- Potential Persistence via File Modification production
- Potential SSH Password Grabbing via strace production
- Renaming of OpenSSH Binaries production
Modify Authentication Process: Pluggable Authentication Modules T1556.003 5 rules
- Authentication via Unusual PAM Grantor production
- Pluggable Authentication Module (PAM) Creation in Unusual Directory production
- Pluggable Authentication Module (PAM) Source Download production
- Pluggable Authentication Module or Configuration Creation production
- Potential Backdoor Execution Through PAM_EXEC production
Subvert Trust Controls T1553 2 rules
- SSL Certificate Deletion production
- Suspicious Kernel Feature Activity production
Credential Access
Unsecured Credentials: Credentials In Files T1552.001 21 rules
- AWS Credentials Searched For Inside A Container production
- Cloud Credential Search Detected via Defend for Containers production
- Credential Access via TruffleHog Execution production
- Kubeconfig File Creation or Modification production
- Kubeconfig File Discovery production
- Kubernetes and Cloud Credential Path Access via Process Arguments production
- Kubernetes Service Account Secret Access production
- Multi-Cloud CLI Token and Credential Access Commands production
- Potential Credential Discovery via Recursive Grep production
- Potential Secret Scanning via Gitleaks production
- Private Key Searching Activity production
- Security File Access via Common Utilities production
- Sensitive File Compression Detected via Defend for Containers production
- Sensitive Files Compression production
- Sensitive Files Compression Inside A Container production
- Sensitive Identity File Open by Suspicious Process via Auditd production
- Sensitive Keys Or Passwords Search Detected via Defend for Containers production
- Sensitive Keys Or Passwords Searched For Inside A Container production
- Service Account Token or Certificate Access Followed by Kubernetes API Request production
- Service Account Token or Certificate Read Detected via Defend for Containers production
- Web Server Exploitation Detected via Defend for Containers production
OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 7 rules
- Potential Linux Credential Dumping via Unshadow production
- Potential Privilege Escalation via Linux DAC permissions production
- Potential Shadow File Read via Command Line Utilities production
- Potential Suspicious File Edit production
- Potential Unauthorized Access via Wildcard Injection Detected production
- Suspicious Execution from Foomatic-rip or Cupsd Parent production
- Suspicious Symbolic Link Created production
Brute Force: Password Guessing T1110.001 6 rules
- Potential External Linux SSH Brute Force Detected production
- Potential Internal Linux SSH Brute Force Detected production
- Potential Linux Hack Tool Launched production
- Potential Linux Local Account Brute Force Detected production
- Potential Password Spraying Attack via SSH production
- Potential Successful SSH Brute Force Attack production
OS Credential Dumping: Proc Filesystem T1003.007 5 rules
- Linux init (PID 1) Secret Dump via GDB production
- Linux Process Hooking via GDB production
- Manual Memory Dumping via Proc Filesystem production
- Potential Linux Credential Dumping via Proc Filesystem production
- Suspicious /proc/maps Discovery production
Steal Application Access Token T1528 5 rules
- GitHub Authentication Token Access via Node.js production
- Kubernetes and Cloud Credential Path Access via Process Arguments production
- Kubernetes Service Account Secret Access production
- Multi-Cloud CLI Token and Credential Access Commands production
- Service Account Token or Certificate Access Followed by Kubernetes API Request production
Brute Force: Password Spraying T1110.003 4 rules
- Potential External Linux SSH Brute Force Detected production
- Potential Internal Linux SSH Brute Force Detected production
- Potential Password Spraying Attack via SSH production
- Potential Successful SSH Brute Force Attack production
OS Credential Dumping T1003 3 rules
- Credential Access via TruffleHog Execution production
- Potential Secret Scanning via Gitleaks production
- Segfault from Sensitive Process Detected production
Network Sniffing T1040 3 rules
Exploitation for Credential Access T1212 3 rules
- Manual Memory Dumping via Proc Filesystem production
- Potential Linux Credential Dumping via Proc Filesystem production
- Segfault from Sensitive Process Detected production
Credentials from Password Stores T1555 2 rules
- Credential Access via TruffleHog Execution production
- Potential Secret Scanning via Gitleaks production
Brute Force T1110 1 rule
Brute Force: Password Cracking T1110.002 1 rule
- Potential Linux Hack Tool Launched production
Unsecured Credentials T1552 1 rule
Discovery
System Information Discovery T1082 28 rules
- Enumeration of Kernel Modules via Proc production
- Environment Variable Enumeration Detected via Defend for Containers production
- Hping Process Activity production
- Interactive Privilege Boundary Enumeration Detected via Defend for Containers production
- Kernel Instrumentation Discovery via kprobes and tracefs production
- Kernel Seeking Activity production
- Kernel Unpacking Activity production
- Linux System Information Discovery production
- Linux System Information Discovery via Getconf production
- Manual Mount Discovery via /etc/exports or /etc/fstab production
- Passwordless Sudo Probing production
- Pluggable Authentication Module (PAM) Version Discovery production
- Polkit Version Discovery production
- Potential Linux Hack Tool Launched production
- Potential Meterpreter Reverse Shell production
- Service Account Namespace Read Detected via Defend for Containers production
- Suspicious Kernel Feature Activity production
- Suspicious Modprobe File Event production
- Suspicious Proc Pseudo File System Enumeration production
- Suspicious Sysctl File Event production
- Suspicious System Commands Executed by Previously Unknown Executable production
- Suspicious which Enumeration production
- System Information Discovery via dmidecode from Parent Shell production
- Unusual Kernel Module Enumeration production
- Unusual Linux System Information Discovery Activity production
- Virtual Machine Fingerprinting production
- Virtual Machine Fingerprinting via Grep production
- Yum/DNF Plugin Status Discovery production
Container and Resource Discovery T1613 27 rules
- Container Management Utility Execution Detected via Defend for Containers production
- Container Management Utility Run Inside A Container production
- Direct Interactive Kubernetes API Request by Common Utilities production
- Direct Interactive Kubernetes API Request by Unusual Utilities production
- Direct Interactive Kubernetes API Request Detected via Defend for Containers production
- DNS Enumeration Detected via Defend for Containers production
- Docker Socket Enumeration production
- Environment Variable Enumeration Detected via Defend for Containers production
- Forbidden Direct Interactive Kubernetes API Request production
- GitHub Authentication Token Access via Node.js production
- Interactive Privilege Boundary Enumeration Detected via Defend for Containers production
- Kubeconfig File Discovery production
- Kubectl Configuration Discovery production
- Kubectl Workload and Cluster Discovery production
- Kubelet API Connection Attempt to Internal IP production
- Kubelet Certificate File Access Detected via Defend for Containers production
- Kubelet Pod Discovery Detected via Defend for Containers production
- Kubernetes Service Account Secret Access production
- Potential Cluster Enumeration via jq Detected via Defend for Containers production
- Potential Direct Kubelet Access via Process Arguments production
- Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
- Potential Kubeletctl Execution production
- Potential Kubeletctl Execution Detected via Defend for Containers production
- Service Account Namespace Read Detected via Defend for Containers production
- Service Account Token or Certificate Access Followed by Kubernetes API Request production
- Tool Enumeration Detected via Defend for Containers production
- Unusual Process Connection to Docker or Containerd Socket production
File and Directory Discovery T1083 20 rules
- AWS Credentials Searched For Inside A Container production
- Cloud Credential Search Detected via Defend for Containers production
- ESXI Discovery via Find production
- ESXI Discovery via Grep production
- Kernel Instrumentation Discovery via kprobes and tracefs production
- Kubeconfig File Discovery production
- Kubelet Pod Discovery Detected via Defend for Containers production
- Potential Credential Discovery via Recursive Grep production
- Private Key Searching Activity production
- Process Capability Enumeration production
- Security File Access via Common Utilities production
- Sensitive Keys Or Passwords Search Detected via Defend for Containers production
- Sensitive Keys Or Passwords Searched For Inside A Container production
- SUID/SGUID Enumeration Detected production
- Suspicious Dynamic Linker Discovery via od production
- Suspicious Memory grep Activity production
- Suspicious Modprobe File Event production
- Suspicious System Commands Executed by Previously Unknown Executable production
- Suspicious which Enumeration production
- Yum/DNF Plugin Status Discovery production
Network Service Discovery T1046 11 rules
- DNS Enumeration Detected via Defend for Containers production
- Hping Process Activity production
- Nping Process Activity production
- Potential Linux Hack Tool Launched production
- Potential Network Scan Executed From Host production
- Potential Port Scanning Activity from Compromised Host production
- Potential Subnet Scanning Activity from Compromised Host production
- Potentially Suspicious Process Started via tmux or screen production
- Suricata and Elastic Defend Network Correlation production
- Suspicious Network Tool Launch Detected via Defend for Containers production
- Suspicious Network Tool Launched Inside A Container production
Process Discovery T1057 11 rules
- Potential Linux Credential Dumping via Proc Filesystem production
- Potential Linux Hack Tool Launched production
- Potential Memory Seeking Activity production
- Process Capability Enumeration production
- Process Discovery via Built-In Applications production
- Suspicious /proc/maps Discovery production
- Suspicious Dynamic Linker Discovery via od production
- Suspicious Memory grep Activity production
- Suspicious Proc Pseudo File System Enumeration production
- Suspicious System Commands Executed by Previously Unknown Executable production
- Unusual Linux Process Discovery Activity production
Software Discovery T1518 9 rules
- Enumeration of Kernel Modules via Proc production
- ESXI Discovery via Find production
- ESXI Discovery via Grep production
- Pluggable Authentication Module (PAM) Version Discovery production
- Polkit Version Discovery production
- Suspicious which Enumeration production
- Tool Enumeration Detected via Defend for Containers production
- Unusual Kernel Module Enumeration production
- Yum/DNF Plugin Status Discovery production
System Owner/User Discovery T1033 8 rules
- Interactive Privilege Boundary Enumeration Detected via Defend for Containers production
- Passwordless Sudo Probing production
- Potentially Suspicious Process Started via tmux or screen production
- Sudo Command Enumeration Detected production
- Suspicious System Commands Executed by Previously Unknown Executable production
- System Owner/User Discovery Linux production
- Unusual Linux User Discovery Activity production
- Unusual User Privilege Enumeration via id production
System Network Configuration Discovery T1016 5 rules
- DNS Enumeration Detected via Defend for Containers production
- Potential Meterpreter Reverse Shell production
- Suspicious System Commands Executed by Previously Unknown Executable production
- System Network Connections Discovery production
- Unusual Linux Network Configuration Discovery production
Remote System Discovery T1018 3 rules
Permission Groups Discovery T1069 3 rules
- Direct Interactive Kubernetes API Request by Unusual Utilities production
- Kubectl Workload and Cluster Discovery production
- System Owner/User Discovery Linux production
Permission Groups Discovery: Local Groups T1069.001 3 rules
- Account or Group Discovery via Built-In Tools production
- Sudo Command Enumeration Detected production
- Unusual User Privilege Enumeration via id production
Account Discovery: Local Account T1087.001 3 rules
- Account or Group Discovery via Built-In Tools production
- Potential Meterpreter Reverse Shell production
- Unusual User Privilege Enumeration via id production
Permission Groups Discovery: Domain Groups T1069.002 2 rules
- Account or Group Discovery via Built-In Tools production
- Discovery of Domain Groups production
Software Discovery: Security Software Discovery T1518.001 2 rules
- Process Discovery via Built-In Applications production
- Security Software Discovery via Grep production
Account Discovery T1087 1 rule
Lateral Movement
Remote Services: SSH T1021.004 15 rules
- Linux SSH X11 Forwarding production
- Network Connection Initiated by Suspicious SSHD Child Process production
- Potential Execution via SSH Backdoor production
- Potential Internal Linux SSH Brute Force Detected production
- Potential THC Tool Downloaded production
- Remote File Creation in World Writeable Directory production
- Renaming of OpenSSH Binaries production
- SSH Authorized Key File Activity Detected via Defend for Containers production
- SSH Authorized Keys File Activity production
- SSH Key Generated via ssh-keygen production
- Successful SSH Authentication from Unusual IP Address production
- Successful SSH Authentication from Unusual SSH Public Key production
- Successful SSH Authentication from Unusual User production
- Unusual Remote File Creation production
- Unusual SSHD Child Process production
Exploitation of Remote Services T1210 13 rules
- High Mean of Process Arguments in an RDP Session production
- High Mean of RDP Session Duration production
- High Variance in RDP Session Duration production
- Potential Telnet Authentication Bypass (CVE-2026-24061) production
- Spike in Number of Connections Made from a Source IP production
- Spike in Number of Connections Made to a Destination IP production
- Spike in Number of Processes in an RDP Session production
- Spike in Remote File Transfers production
- Telnet Authentication Bypass via User Environment Variable production
- Unusual Remote File Directory production
- Unusual Remote File Extension production
- Unusual Remote File Size production
- Unusual Time or Day for an RDP Session production
Remote Service Session Hijacking: SSH Hijacking T1563.001 8 rules
- Network Connection Initiated by Suspicious SSHD Child Process production
- Potential Execution via SSH Backdoor production
- Potential THC Tool Downloaded production
- Renaming of OpenSSH Binaries production
- SSH Authorized Key File Activity Detected via Defend for Containers production
- SSH Authorized Keys File Activity production
- SSH Key Generated via ssh-keygen production
- Unusual SSHD Child Process production
Remote Services: Remote Desktop Protocol T1021.001 7 rules
- High Mean of Process Arguments in an RDP Session production
- High Mean of RDP Session Duration production
- High Variance in RDP Session Duration production
- Spike in Number of Connections Made from a Source IP production
- Spike in Number of Connections Made to a Destination IP production
- Spike in Number of Processes in an RDP Session production
- Unusual Time or Day for an RDP Session production
Lateral Tool Transfer T1570 7 rules
- Remote File Creation in World Writeable Directory production
- Spike in Remote File Transfers production
- Unusual Remote File Creation production
- Unusual Remote File Directory production
- Unusual Remote File Extension production
- Unusual Remote File Size production
- Web Server Spawned via Python production
Remote Services T1021 5 rules
- Connection to External Network via Telnet production
- Connection to Internal Network via Telnet production
- Kubelet API Connection Attempt to Internal IP production
- Potential Direct Kubelet Access via Process Arguments production
- Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
No specific technique 1 rule
Collection
Data from Local System T1005 16 rules
- AWS Credentials Searched For Inside A Container production
- Credential Access via TruffleHog Execution production
- Kernel Seeking Activity production
- Kubernetes Service Account Secret Access production
- Linux init (PID 1) Secret Dump via GDB production
- Manual Memory Dumping via Proc Filesystem production
- Potential Data Exfiltration Through Wget production
- Potential Linux Credential Dumping via Unshadow production
- Potential Memory Seeking Activity production
- Potential Suspicious DebugFS Root Device Access production
- Sensitive File Compression Detected via Defend for Containers production
- Sensitive Files Compression production
- Sensitive Files Compression Inside A Container production
- Sensitive Keys Or Passwords Search Detected via Defend for Containers production
- Service Account Namespace Read Detected via Defend for Containers production
- Service Account Token or Certificate Read Detected via Defend for Containers production
Input Capture T1056 2 rules
- Potential SSH Password Grabbing via strace production
- Potential Sudo Hijacking production
Data from Network Shared Drive T1039 1 rule
- Unusual Remote File Size production
Data Staged: Local Data Staging T1074.001 1 rule
- Potential OpenSSH Backdoor Logging Activity production
Screen Capture T1113 1 rule
Clipboard Data T1115 1 rule
- Linux Clipboard Activity Detected production
Automated Collection T1119 1 rule
- Potential Database Dumping Activity production
Audio Capture T1123 1 rule
- Linux Audio Recording Activity Detected production
Video Capture T1125 1 rule
Data from Information Repositories T1213 1 rule
- Potential Database Dumping Activity production
Command & Control
Application Layer Protocol T1071 35 rules
- Connection to External Network via Telnet production
- Deprecated - Uncommon Destination Port Connection by Web Server production
- Deprecated - Unusual Command Execution from Web Server Parent production
- Deprecated - Unusual Process Spawned from Web Server Parent production
- Egress Connection from Entrypoint in Container production
- File Creation and Execution Detected via Defend for Containers production
- Git Hook Egress Network Connection production
- High Number of Egress Network Connections from Unusual Executable production
- Network Connection from Binary with RWX Memory Region production
- Network Connection via Recently Compiled Executable production
- Openssl Client or Server Activity production
- PANW and Elastic Defend - Command and Control Correlation production
- Payload Execution via Shell Pipe Detected by Defend for Containers production
- Potential Linux Tunneling and/or Port Forwarding production
- Potential Malware-Driven SSH Brute Force Attempt production
- Potential Meterpreter Reverse Shell production
- Potential Reverse Shell production
- Potential Reverse Shell via Background Process production
- Potential Reverse Shell via Child production
- Potential Reverse Shell via Java production
- Potential Reverse Shell via Suspicious Binary production
- Potential Reverse Shell via Suspicious Child Process production
- Potential Reverse Shell via UDP production
- Root Network Connection via GDB CAP_SYS_PTRACE production
- Suricata and Elastic Defend Network Correlation production
- Suspicious Named Pipe Creation production
- Suspicious Network Activity to the Internet by Previously Unknown Executable production
- Suspicious Process Execution Detected via Defend for Containers production
- System Path File Creation and Execution Detected via Defend for Containers production
- Unusual Child Execution via Web Server production
- Unusual Command Execution via Web Server production
- Unusual File Creation by Web Server production
- Unusual Linux Network Activity production
- Unusual Linux Network Port Activity production
- Web Server Exploitation Detected via Defend for Containers production
Ingress Tool Transfer T1105 22 rules
- AWS EC2 LOLBin Execution via SSM SendCommand production
- Curl or Wget Egress Network Connection via LoLBin production
- Curl or Wget Execution from Container Context production
- Execution via OpenClaw Agent production
- File Creation, Execution and Self-Deletion in Suspicious Directory production
- File Download Detected via Defend for Containers production
- Git Repository or File Download to Suspicious Directory production
- Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
- Ollama DNS Query to Untrusted Domain production
- Payload Execution via Shell Pipe Detected by Defend for Containers production
- Pluggable Authentication Module (PAM) Source Download production
- Potential THC Tool Downloaded production
- Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
- Potentially Suspicious Process Started via tmux or screen production
- Remote File Creation in World Writeable Directory production
- Suspicious Execution from Foomatic-rip or Cupsd Parent production
- Suspicious Network Tool Launch Detected via Defend for Containers production
- Suspicious Network Tool Launched Inside A Container production
- System Path File Creation and Execution Detected via Defend for Containers production
- Tool Installation Detected via Defend for Containers production
- Unusual Remote File Creation production
- Web Server Exploitation Detected via Defend for Containers production
Non-Application Layer Protocol T1095 15 rules
- File Transfer or Listener Established via Netcat production
- Netcat File Transfer or Listener Detected via Defend for Containers production
- Netcat Listener Established via rlwrap production
- Network Activity Detected via cat production
- Network Connection Initiated by Suspicious SSHD Child Process production
- Network Connection via Recently Compiled Executable production
- Potential Reverse Shell production
- Potential Reverse Shell Activity via Terminal production
- Potential Reverse Shell via Background Process production
- Potential Reverse Shell via Child production
- Potential Reverse Shell via Suspicious Binary production
- Potential Reverse Shell via Suspicious Child Process production
- Potential Reverse Shell via UDP production
- Suspicious Interpreter Execution Detected via Defend for Containers production
- Web Server Exploitation Detected via Defend for Containers production
Protocol Tunneling T1572 13 rules
- Curl SOCKS Proxy Activity from Unusual Parent production
- Curl SOCKS Proxy Detected via Defend for Containers production
- IPv4/IPv6 Forwarding Activity production
- Linux SSH X11 Forwarding production
- Potential Linux Tunneling and/or Port Forwarding production
- Potential Linux Tunneling and/or Port Forwarding via Command Line production
- Potential Linux Tunneling and/or Port Forwarding via SSH Option production
- Potential Protocol Tunneling via Chisel Client production
- Potential Protocol Tunneling via EarthWorm production
- Potential Traffic Tunneling using QEMU production
- ProxyChains Activity production
- Suspicious Utility Launched via ProxyChains production
- Tunneling and/or Port Forwarding Detected via Defend for Containers production
Proxy T1090 9 rules
- Curl SOCKS Proxy Detected via Defend for Containers production
- FortiGate SOCKS Traffic from an Unusual Process production
- Potential Linux Tunneling and/or Port Forwarding production
- Potential Linux Tunneling and/or Port Forwarding via Command Line production
- Potential Linux Tunneling and/or Port Forwarding via SSH Option production
- Potential Protocol Tunneling via Chisel Client production
- Potential Protocol Tunneling via EarthWorm production
- Potential Traffic Tunneling using QEMU production
- Tunneling and/or Port Forwarding Detected via Defend for Containers production
Application Layer Protocol: Web Protocols T1071.001 8 rules
- DNS to Commonly Abused Web Services production
- Execution via OpenClaw Agent production
- File Download Detected via Defend for Containers production
- Git Repository or File Download to Suspicious Directory production
- Linux Telegram API Request production
- Simple HTTP Web Server Connection production
- Simple HTTP Web Server Creation production
- Suspicious Interpreter Execution Detected via Defend for Containers production
Non-Standard Port T1571 4 rules
Web Service: Bidirectional Communication T1102.002 3 rules
- AWS CLI Command with Custom Endpoint URL production
- DNS to Commonly Abused Web Services production
- Linux Telegram API Request production
Proxy: External Proxy T1090.002 2 rules
- Curl SOCKS Proxy Activity from Unusual Parent production
- DNS to Commonly Abused Web Services production
Proxy: Multi-hop Proxy T1090.003 2 rules
- ProxyChains Activity production
- Suspicious Utility Launched via ProxyChains production
Proxy: Internal Proxy T1090.001 1 rule
- IPv4/IPv6 Forwarding Activity production
Web Service T1102 1 rule
- Uncommon DNS Request via Bun or Node.js production
Web Service: Dead Drop Resolver T1102.001 1 rule
- DNS to Commonly Abused Web Services production
Data Encoding: Standard Encoding T1132.001 1 rule
- Base16 or Base32 Encoding/Decoding Activity production
Remote Access Tools T1219 1 rule
- Potential Traffic Tunneling using QEMU production
Exfiltration
Exfiltration Over C2 Channel T1041 7 rules
- Network Activity Detected via Kworker production
- Potential Data Exfiltration Activity to an Unusual Destination Port production
- Potential Data Exfiltration Activity to an Unusual IP Address production
- Potential Data Exfiltration Activity to an Unusual ISO Code production
- Potential Data Exfiltration Activity to an Unusual Region production
- Unusual Linux Network Activity production
- Unusual Linux Network Port Activity production
Exfiltration Over Alternative Protocol T1048 4 rules
- File Transfer Utility Launched from Unusual Parent production
- Network Activity Detected via cat production
- Potential Data Exfiltration Through Wget production
- Potential Database Dumping Activity production
Data Transfer Size Limits T1030 2 rules
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 2 rules
Exfiltration Over Physical Medium: Exfiltration over USB T1052.001 2 rules
- Spike in Bytes Sent to an External Device production
- Unusual Process Writing Data to an External Device production
Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 1 rule
- DNS to Commonly Abused Web Services production
Impact
Service Stop T1489 8 rules
- Attempt to Disable Auditd Service production
- Attempt to Disable IPTables or Firewall production
- Attempt to Disable Syslog Service production
- Elastic Agent Service Terminated production
- High Number of Process Terminations production
- Kill Command Execution production
- Process Killing Detected via Defend for Containers production
- Suspicious Termination of ESXI Process production
Data Encrypted for Impact T1486 5 rules
- Potential Linux Ransomware Note Creation Detected production
- Ransomware - Detected - Elastic Defend production
- Ransomware - Prevented - Elastic Defend production
- Suspicious Data Encryption via OpenSSL Utility production
- Suspicious Renaming of ESXI Files production
Data Destruction T1485 2 rules
- File Deletion via Shred production
- SSL Certificate Deletion production
Resource Hijacking T1496 2 rules
- Potential Malware-Driven SSH Brute Force Attempt production
- Suspicious Mining Process Creation Event production
Resource Hijacking: Compute Hijacking T1496.001 2 rules
- Memory Swap Modification production
- Newly Observed Process Exhibiting High CPU Usage production
Account Access Removal T1531 2 rules
- Linux User or Group Deletion production
- SSH Authorized Keys File Deletion production
Data Manipulation: Stored Data Manipulation T1565.001 2 rules
- Hosts File Modified production
- Suspicious Sysctl File Event production
Network Denial of Service T1498 1 rule
- Nping Process Activity production
No specific technique 2 rules
Untagged
- Alerts From Multiple Integrations by Destination Address production
- Alerts From Multiple Integrations by Source Address production
- Alerts From Multiple Integrations by User Name production
- Alerts in Different ATT&CK Tactics by Host production
- Behavior - Detected - Elastic Defend production
- Behavior - Prevented - Elastic Defend production
- Elastic Defend and Email Alerts Correlation production
- Elastic Defend and Network Security Alerts Correlation production
- Endpoint Security (Elastic Defend) production
- External Alerts production
- LLM-Based Attack Chain Triage by Host production
- Multiple Alerts in Different ATT&CK Tactics on a Single Host production
- Multiple Alerts in Same ATT&CK Tactic by Host production
- Multiple Alerts Involving a User production
- Multiple Elastic Defend Alerts by Agent production
- Multiple Elastic Defend Alerts from a Single Process Tree production
- Multiple External EDR Alerts by Host production
- Multiple Machine Learning Alerts by Influencer Field production
- Multiple Rare Elastic Defend Behavior Rules by Host production
- Multiple Vulnerabilities by Asset via Wiz production
- My First Rule production
- Newly Observed Elastic Defend Behavior Alert production
- Newly Observed High Severity Detection Alert production
- Suspected Lateral Movement from Compromised Host production
macOS
Resource Development
Initial Access
Exploit Public-Facing Application T1190 5 rules
- Initial Access via File Upload Followed by GET Request production
- Ollama API Accessed from External Network production
- Potential JAVA/JNDI Exploitation Attempt production
- Suspicious React Server Child Process production
- Zoom Meeting with no Passcode production
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 5 rules
- Elastic Defend Alert from GenAI Utility or Descendant production
- Elastic Defend Alert from Package Manager Install Ancestry production
- Execution via GitHub Actions Runner production
- Ollama DNS Query to Untrusted Domain production
- Remote GitHub Actions Runner Registration production
Drive-by Compromise T1189 1 rule
- Suspicious Browser Child Process production
Execution
Command and Scripting Interpreter: Unix Shell T1059.004 20 rules
- AWS SSM `SendCommand` with Run Shell Command Parameters production
- AWS SSM Session Manager Child Process Execution production
- Curl Execution via Shell Profile production
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
- Execution with Explicit Credentials via Scripting production
- First Time Python Spawned a Shell on Host production
- Kubernetes Direct API Request via Curl or Wget production
- Node.js Pre or Post-Install Script Execution production
- Potential Etherhiding C2 via Blockchain Connection production
- Potential Git CVE-2025-48384 Exploitation production
- Potential JAVA/JNDI Exploitation Attempt production
- Privileged Container Creation with Host Directory Mount production
- Shell Execution via Apple Scripting production
- Suspicious Browser Child Process production
- Suspicious Emond Child Process production
- Suspicious File Creation via Pkg Install Script production
- Suspicious Installer Package Spawns Network Event production
- Suspicious macOS MS Office Child Process production
- Suspicious React Server Child Process production
Command and Scripting Interpreter: Python T1059.006 20 rules
- Deprecated - EggShell Backdoor Execution production
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
- Execution with Explicit Credentials via Scripting production
- First Time Python Spawned a Shell on Host production
- Google Calendar C2 via Script Interpreter production
- Long Base64 Encoded Command via Scripting Interpreter production
- Perl Outbound Network Connection production
- Potential Etherhiding C2 via Blockchain Connection production
- Potential JAVA/JNDI Exploitation Attempt production
- Script Interpreter Connection to Non-Standard Port production
- Suspicious AWS S3 Connection via Script Interpreter production
- Suspicious Browser Child Process production
- Suspicious Curl to Jamf Endpoint production
- Suspicious Emond Child Process production
- Suspicious Installer Package Spawns Network Event production
- Suspicious macOS MS Office Child Process production
- Suspicious Python Shell Command Execution production
- Suspicious React Server Child Process production
- Unusual Library Load via Python production
Command and Scripting Interpreter: AppleScript T1059.002 16 rules
- Apple Script Execution followed by Network Connection production
- Apple Scripting Execution with Administrator Privileges production
- Creation of Hidden Login Item via Apple Script production
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
- Execution with Explicit Credentials via Scripting production
- Google Calendar C2 via Script Interpreter production
- Potential Etherhiding C2 via Blockchain Connection production
- Prompt for Credentials with Osascript production
- Shell Execution via Apple Scripting production
- Suspicious AWS S3 Connection via Script Interpreter production
- Suspicious Browser Child Process production
- Suspicious Curl to Jamf Endpoint production
- Suspicious Emond Child Process production
- Suspicious Installer Package Spawns Network Event production
- Suspicious macOS MS Office Child Process production
Command and Scripting Interpreter: JavaScript T1059.007 14 rules
- Execution via Electron Child Process Node.js Module production
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
- Google Calendar C2 via Script Interpreter production
- Long Base64 Encoded Command via Scripting Interpreter production
- Node.js Pre or Post-Install Script Execution production
- Potential Etherhiding C2 via Blockchain Connection production
- Potential JAVA/JNDI Exploitation Attempt production
- Script Interpreter Connection to Non-Standard Port production
- Suspicious Automator Workflows Execution production
- Suspicious AWS S3 Connection via Script Interpreter production
- Suspicious Curl to Jamf Endpoint production
- Suspicious Installer Package Spawns Network Event production
- Suspicious React Server Child Process production
Command and Scripting Interpreter: PowerShell T1059.001 10 rules
- AWS SSM `SendCommand` with Run Shell Command Parameters production
- AWS SSM Session Manager Child Process Execution production
- Command Line Obfuscation via Whitespace Padding production
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
- Execution with Explicit Credentials via Scripting production
- Long Base64 Encoded Command via Scripting Interpreter production
- Suspicious Browser Child Process production
- Suspicious Emond Child Process production
- Suspicious React Server Child Process production
User Execution: Malicious File T1204.002 8 rules
- Elastic Defend Alert Followed by Telemetry Loss production
- Executable File Download via Wget production
- Gatekeeper Override and Execution production
- Malicious File - Detected - Elastic Defend production
- Malicious File - Prevented - Elastic Defend production
- Masquerading Space After Filename production
- Potential Widespread Malware Infection Across Multiple Hosts production
- Suspicious macOS MS Office Child Process production
Command and Scripting Interpreter T1059 6 rules
- GenAI or MCP Server Child Process Execution production
- Network Connection to OAST Domain via Script Interpreter production
- Persistence via Folder Action Script production
- Potential Reverse Shell Activity via Terminal production
- Remote GitHub Actions Runner Registration production
- Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Exploitation for Client Execution T1203 4 rules
- Potential Git CVE-2025-48384 Exploitation production
- Potential JAVA/JNDI Exploitation Attempt production
- Suspicious Browser Child Process production
- Suspicious macOS MS Office Child Process production
Scheduled Task/Job: Cron T1053.003 3 rules
- Potential Persistence via Periodic Tasks production
- Privilege Escalation via Root Crontab File Modification production
- Suspicious CronTab Creation or Modification production
Command and Scripting Interpreter: Windows Command Shell T1059.003 3 rules
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
- Suspicious React Server Child Process production
Deploy Container T1610 2 rules
Command and Scripting Interpreter: Lua T1059.011 1 rule
- Suspicious React Server Child Process production
Software Deployment Tools T1072 1 rule
- Suspicious Curl to Jamf Endpoint production
Shared Modules T1129 1 rule
- Unusual Library Load via Python production
User Execution T1204 1 rule
Persistence
Create or Modify System Process: Launch Agent T1543.001 6 rules
- Creation of Hidden Launch Agent or Daemon production
- First Time Python Created a LaunchAgent or LaunchDaemon production
- Launch Service Creation and Immediate Loading production
- Persistence via a Hidden Plist Filename production
- Persistence via Suspicious Launch Agent or Launch Daemon production
- Suspicious Hidden Child Process of Launchd production
External Remote Services T1133 5 rules
- Ollama API Accessed from External Network production
- Potential macOS SSH Brute Force Detected production
- Remote SSH Login Enabled via systemsetup Command production
- Virtual Private Network Connection Attempt production
- Zoom Meeting with no Passcode production
Create or Modify System Process T1543 3 rules
- Finder Sync Plugin Registered and Enabled production
- Node.js Pre or Post-Install Script Execution production
- Persistence via Docker Shortcut Modification production
Boot or Logon Initialization Scripts T1037 2 rules
- Persistence via Folder Action Script production
- Potential Persistence via Atom Init Script Modification production
Boot or Logon Initialization Scripts: Login Hook T1037.002 2 rules
- Persistence via Login or Logout Hook production
- Potential Persistence via Login Hook production
Account Manipulation: Additional Local or Domain Groups T1098.007 2 rules
- Potential Admin Group Account Addition production
- User Added to the Admin Group production
Boot or Logon Autostart Execution T1547 2 rules
- Persistence via DirectoryService Plugin Modification production
- Potential Persistence via Login Hook production
Boot or Logon Initialization Scripts: RC Scripts T1037.004 1 rule
- GenAI Process Accessing Sensitive Files production
Boot or Logon Initialization Scripts: Startup Items T1037.005 1 rule
- Suspicious StartupItem Plist Creation production
Account Manipulation: SSH Authorized Keys T1098.004 1 rule
- SSH Authorized Keys File Activity production
Create Account: Local Account T1136.001 1 rule
- Potential Hidden Local User Account Creation production
Boot or Logon Autostart Execution: Authentication Package T1547.002 1 rule
- Authorization Plugin Modification production
Privilege Escalation
Event Triggered Execution T1546 5 rules
- Persistence via Folder Action Script production
- Potential Persistence via Atom Init Script Modification production
- Suspicious Apple Mail Rule Plist Modification production
- Suspicious Calendar File Modification production
- Unusual Process Modifying GenAI Configuration File production
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 3 rules
- Deprecated - Sudo Heap-Based Buffer Overflow Attempt production
- Potential Privilege Escalation via Sudoers File Modification production
- Sudoers File Activity production
Abuse Elevation Control Mechanism: TCC Manipulation T1548.006 3 rules
- Full Disk Access Permission Check production
- Potential Privacy Control Bypass via TCCDB Modification production
- Suspicious TCC Access Granted for User Folders production
Event Triggered Execution: Unix Shell Configuration Modification T1546.004 2 rules
- Bash Shell Profile Modification production
- Curl Execution via Shell Profile production
Event Triggered Execution: Emond T1546.014 2 rules
- Emond Rules Creation or Modification production
- Suspicious Emond Child Process production
Event Triggered Execution: Trap T1546.005 1 rule
- Trap Signals Execution production
Escape to Host T1611 1 rule
Stealth
Impair Defenses: Disable or Modify Tools T1562.001 9 rules
- Attempt to Unload Elastic Endpoint Security Kernel Extension production
- Elastic Agent Service Terminated production
- Elastic Defend Alert Followed by Telemetry Loss production
- Gatekeeper Override and Execution production
- Modification of Safari Settings via Defaults Command production
- Potential Privacy Control Bypass via TCCDB Modification production
- Quarantine Attrib Removed by Unsigned or Untrusted Process production
- SoftwareUpdate Preferences Modification production
- Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Hide Artifacts: Hidden Files and Directories T1564.001 5 rules
- Creation of Hidden Launch Agent or Daemon production
- Hidden Files and Directories via Hidden Flag production
- Persistence via a Hidden Plist Filename production
- Potential Kubectl Masquerading via Unexpected Process production
- Suspicious Hidden Child Process of Launchd production
Valid Accounts T1078 4 rules
Valid Accounts: Local Accounts T1078.003 4 rules
- Attempt to Enable the Root Account production
- Potential Admin Group Account Addition production
- Potential Hidden Local User Account Creation production
- User Added to the Admin Group production
Deobfuscate/Decode Files or Information T1140 3 rules
- Command Line Obfuscation via Whitespace Padding production
- Execution via OpenClaw Agent production
- Long Base64 Encoded Command via Scripting Interpreter production
Hijack Execution Flow T1574 3 rules
Masquerading T1036 2 rules
Masquerading: Space after Filename T1036.006 2 rules
- Masquerading Space After Filename production
- Processes with Trailing Spaces production
Process Injection T1055 2 rules
- Memory Threat - Detected - Elastic Defend production
- Memory Threat - Prevented- Elastic Defend production
System Binary Proxy Execution: Rundll32 T1218.011 2 rules
- Execution via GitHub Actions Runner production
- Execution via OpenClaw Agent production
Virtualization/Sandbox Evasion: System Checks T1497.001 2 rules
- Suspicious SIP Check by macOS Application production
- Virtual Machine Fingerprinting via Grep production
Reflective Code Loading T1620 2 rules
- Memory Threat - Detected - Elastic Defend production
- Memory Threat - Prevented- Elastic Defend production
Direct Volume Access T1006 1 rule
- TCC Bypass via Mounted APFS Snapshot Access production
Obfuscated Files or Information: Encrypted/Encoded File T1027.013 1 rule
- Data Encrypted via OpenSSL Utility production
Masquerading: Match Legitimate Resource Name or Location T1036.005 1 rule
- Potential Microsoft Office Sandbox Evasion production
Indicator Removal: Clear Command History T1070.003 1 rule
- Tampering of Shell Command-Line History production
Indicator Removal: File Deletion T1070.004 1 rule
- WebServer Access Logs Deleted production
Indicator Removal: Timestomp T1070.006 1 rule
- Timestomping using Touch Command production
Defense Impairment
Subvert Trust Controls: Gatekeeper Bypass T1553.001 5 rules
- Attempt to Disable Gatekeeper production
- Gatekeeper Override and Execution production
- Quarantine Attrib Removed by Unsigned or Untrusted Process production
- Suspicious Curl from macOS Application production
- Suspicious Outbound Network Connection via Unsigned Binary production
Plist File Modification T1647 5 rules
- Creation of Hidden Login Item via Apple Script production
- Modification of Safari Settings via Defaults Command production
- Potential Persistence via Login Hook production
- SoftwareUpdate Preferences Modification production
- Suspicious Apple Mail Rule Plist Modification production
Modify Authentication Process T1556 2 rules
- Authorization Plugin Modification production
- Unusual Process Modifying GenAI Configuration File production
Credential Access
Unsecured Credentials: Credentials In Files T1552.001 7 rules
- Credential Access via TruffleHog Execution production
- First Time Python Accessed Sensitive Credential Files production
- GenAI Process Accessing Sensitive Files production
- Multi-Cloud CLI Token and Credential Access Commands production
- Potential Credential Discovery via Recursive Grep production
- Potential Kerberos Attack via Bifrost production
- Potential Secret Scanning via Gitleaks production
Steal Web Session Cookie T1539 5 rules
- First Time Python Accessed Sensitive Credential Files production
- Manual Loading of a Suspicious Chromium Extension production
- Potential Cookies Theft via Browser Debugging production
- Suspicious Web Browser Sensitive File Access production
- WebProxy Settings Modification production
Credentials from Password Stores: Keychain T1555.001 5 rules
- Dumping of Keychain Content via Security Command production
- First Time Python Accessed Sensitive Credential Files production
- Keychain CommandLine Interaction via Unsigned or Untrusted Process production
- Keychain Password Retrieval via Command Line production
- SystemKey Access via Command Line production
OS Credential Dumping T1003 3 rules
- Credential Access via TruffleHog Execution production
- Kerberos Cached Credentials Dumping production
- Potential Secret Scanning via Gitleaks production
Credentials from Password Stores T1555 3 rules
- Credential Access via TruffleHog Execution production
- GenAI Process Accessing Sensitive Files production
- Potential Secret Scanning via Gitleaks production
Steal or Forge Kerberos Tickets: Ccache Files T1558.005 3 rules
- First Time Python Accessed Sensitive Credential Files production
- Kerberos Cached Credentials Dumping production
- Potential Kerberos Attack via Bifrost production
Unsecured Credentials T1552 2 rules
- Kubectl Secrets Enumeration Across All Namespaces production
- Potential Impersonation Attempt via Kubectl production
Credentials from Password Stores: Credentials from Web Browsers T1555.003 2 rules
- Keychain Password Retrieval via Command Line production
- Suspicious Web Browser Sensitive File Access production
Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 2 rules
- Kerberos Cached Credentials Dumping production
- Potential Kerberos Attack via Bifrost production
OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 1 rule
- Dumping Account Hashes via Built-In Commands production
Brute Force T1110 1 rule
- Potential macOS SSH Brute Force Detected production
Adversary-in-the-Middle T1557 1 rule
- WebProxy Settings Modification production
Discovery
System Information Discovery T1082 5 rules
- Discovery Command Output Written to Suspicious File production
- Suspicious React Server Child Process production
- Suspicious SIP Check by macOS Application production
- System and Network Configuration Check production
- Virtual Machine Fingerprinting via Grep production
System Network Configuration Discovery T1016 4 rules
- Discovery Command Output Written to Suspicious File production
- System and Network Configuration Check production
- System Hosts File Access production
- System Network Connections Discovery production
Container and Resource Discovery T1613 4 rules
- Kubectl Permission Discovery production
- Kubectl Secrets Enumeration Across All Namespaces production
- Kubernetes Direct API Request via Curl or Wget production
- Potential Kubectl Masquerading via Unexpected Process production
System Network Configuration Discovery: Internet Connection Discovery T1016.001 2 rules
- DNS Request for IP Lookup Service via Unsigned Binary production
- External IP Address Discovery via Curl production
System Owner/User Discovery T1033 2 rules
- Discovery Command Output Written to Suspicious File production
- Suspicious React Server Child Process production
Permission Groups Discovery T1069 2 rules
- Kubectl Permission Discovery production
- Kubernetes Direct API Request via Curl or Wget production
File and Directory Discovery T1083 2 rules
- Full Disk Access Permission Check production
- Potential Credential Discovery via Recursive Grep production
Software Discovery: Security Software Discovery T1518.001 2 rules
- Process Discovery via Built-In Applications production
- Security Software Discovery via Grep production
Remote System Discovery T1018 1 rule
- System Hosts File Access production
Process Discovery T1057 1 rule
- Process Discovery via Built-In Applications production
Lateral Movement
Exploitation of Remote Services T1210 11 rules
- High Mean of Process Arguments in an RDP Session production
- High Mean of RDP Session Duration production
- High Variance in RDP Session Duration production
- Spike in Number of Connections Made from a Source IP production
- Spike in Number of Connections Made to a Destination IP production
- Spike in Number of Processes in an RDP Session production
- Spike in Remote File Transfers production
- Unusual Remote File Directory production
- Unusual Remote File Extension production
- Unusual Remote File Size production
- Unusual Time or Day for an RDP Session production
Remote Services: Remote Desktop Protocol T1021.001 7 rules
- High Mean of Process Arguments in an RDP Session production
- High Mean of RDP Session Duration production
- High Variance in RDP Session Duration production
- Spike in Number of Connections Made from a Source IP production
- Spike in Number of Connections Made to a Destination IP production
- Spike in Number of Processes in an RDP Session production
- Unusual Time or Day for an RDP Session production
Lateral Tool Transfer T1570 4 rules
- Spike in Remote File Transfers production
- Unusual Remote File Directory production
- Unusual Remote File Extension production
- Unusual Remote File Size production
Remote Services: SSH T1021.004 2 rules
- Remote SSH Login Enabled via systemsetup Command production
- SSH Authorized Keys File Activity production
Remote Services T1021 1 rule
- Virtual Private Network Connection Attempt production
Remote Services: SMB/Windows Admin Shares T1021.002 1 rule
- Attempt to Mount SMB Share via Command Line production
Replication Through Removable Media T1091 1 rule
- New USB Storage Device Mounted production
Use Alternate Authentication Material: Application Access Token T1550.001 1 rule
- Potential Impersonation Attempt via Kubectl production
Use Alternate Authentication Material: Pass the Hash T1550.002 1 rule
- Potential Kerberos Attack via Bifrost production
Use Alternate Authentication Material: Pass the Ticket T1550.003 1 rule
- Potential Kerberos Attack via Bifrost production
Remote Service Session Hijacking: SSH Hijacking T1563.001 1 rule
- SSH Authorized Keys File Activity production
No specific technique 1 rule
Collection
Data from Local System T1005 8 rules
- Credential Access via TruffleHog Execution production
- GenAI Process Accessing Sensitive Files production
- Potential Privacy Control Bypass via Localhost Secure Copy production
- Sensitive File Access followed by Compression production
- Suspicious TCC Access Granted for User Folders production
- Suspicious Web Browser Sensitive File Access production
- SystemKey Access via Command Line production
- TCC Bypass via Mounted APFS Snapshot Access production
Data Staged: Local Data Staging T1074.001 3 rules
- Data Encrypted via OpenSSL Utility production
- Discovery Command Output Written to Suspicious File production
- Sensitive File Access followed by Compression production
Clipboard Data T1115 2 rules
- Pbpaste Execution via Unusual Parent Process production
- Suspicious pbpaste High Volume Activity production
Data from Network Shared Drive T1039 1 rule
- Unusual Remote File Size production
Input Capture T1056 1 rule
- Suspicious pbpaste High Volume Activity production
Data from Information Repositories: Code Repositories T1213.003 1 rule
- Potential Secret Scanning via Gitleaks production
Archive Collected Data T1560 1 rule
Command & Control
Ingress Tool Transfer T1105 13 rules
- Apple Script Execution followed by Network Connection production
- Curl Execution via Shell Profile production
- Curl or Wget Spawned via Node.js production
- Executable File Download via Wget production
- Execution via OpenClaw Agent production
- Initial Access via File Upload Followed by GET Request production
- Ollama DNS Query to Untrusted Domain production
- Potential Git CVE-2025-48384 Exploitation production
- Suspicious Browser Child Process production
- Suspicious Curl from macOS Application production
- Suspicious Curl to Google App Script Endpoint production
- Suspicious File Downloaded from Google Drive production
- Suspicious Installer Package Spawns Network Event production
Application Layer Protocol: Web Protocols T1071.001 9 rules
- Curl or Wget Spawned via Node.js production
- Execution via OpenClaw Agent production
- GenAI Process Connection to Unusual Domain production
- Perl Outbound Network Connection production
- Suspicious Curl from macOS Application production
- Suspicious Curl to Google App Script Endpoint production
- Suspicious Installer Package Spawns Network Event production
- Unusual Network Connection to Suspicious Top Level Domain production
- Unusual Network Connection to Suspicious Web Service production
Web Service T1102 4 rules
Non-Standard Port T1571 4 rules
Application Layer Protocol T1071 3 rules
Proxy T1090 3 rules
- FortiGate SOCKS Traffic from an Unusual Process production
- Kubectl Network Configuration Modification production
- Potential Traffic Tunneling using QEMU production
Web Service: Bidirectional Communication T1102.002 3 rules
- Google Calendar C2 via Script Interpreter production
- Potential Etherhiding C2 via Blockchain Connection production
- Suspicious Curl to Google App Script Endpoint production
Non-Application Layer Protocol T1095 2 rules
- Potential Reverse Shell Activity via Terminal production
- Suspicious React Server Child Process production
Web Service: Dead Drop Resolver T1102.001 2 rules
- Google Calendar C2 via Script Interpreter production
- Potential Etherhiding C2 via Blockchain Connection production
Remote Access Tools T1219 2 rules
- Potential Traffic Tunneling using QEMU production
- Remote GitHub Actions Runner Registration production
Protocol Tunneling T1572 2 rules
- Kubectl Network Configuration Modification production
- Potential Traffic Tunneling using QEMU production
Exfiltration
Exfiltration Over Physical Medium: Exfiltration over USB T1052.001 3 rules
- New USB Storage Device Mounted production
- Spike in Bytes Sent to an External Device production
- Unusual Process Writing Data to an External Device production
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001 1 rule
- Potential Data Exfiltration Through Curl production
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 1 rule
- Potential Data Exfiltration Through Curl production
Impact
Data Encrypted for Impact T1486 2 rules
- Ransomware - Detected - Elastic Defend production
- Ransomware - Prevented - Elastic Defend production
Service Stop T1489 1 rule
- Elastic Agent Service Terminated production
Data Manipulation: Stored Data Manipulation T1565.001 1 rule
- Hosts File Modified production
No specific technique 2 rules
Untagged
- Alerts From Multiple Integrations by Destination Address production
- Alerts From Multiple Integrations by Source Address production
- Alerts From Multiple Integrations by User Name production
- Alerts in Different ATT&CK Tactics by Host production
- Behavior - Detected - Elastic Defend production
- Behavior - Prevented - Elastic Defend production
- Elastic Defend and Email Alerts Correlation production
- Elastic Defend and Network Security Alerts Correlation production
- Endpoint Security (Elastic Defend) production
- External Alerts production
- LLM-Based Attack Chain Triage by Host production
- Multiple Alerts in Different ATT&CK Tactics on a Single Host production
- Multiple Alerts in Same ATT&CK Tactic by Host production
- Multiple Alerts Involving a User production
- Multiple Elastic Defend Alerts by Agent production
- Multiple Elastic Defend Alerts from a Single Process Tree production
- Multiple External EDR Alerts by Host production
- Multiple Machine Learning Alerts by Influencer Field production
- Multiple Rare Elastic Defend Behavior Rules by Host production
- Multiple Vulnerabilities by Asset via Wiz production
- My First Rule production
- Newly Observed Elastic Defend Behavior Alert production
- Newly Observed High Severity Detection Alert production
- Suspected Lateral Movement from Compromised Host production
AWS
Resource Development
Compromise Infrastructure: Domains T1584.001 2 rules
- AWS Route 53 Domain Transfer Lock Disabled production
- AWS Route 53 Domain Transferred to Another Account production
Stage Capabilities T1608 1 rule
- AWS SNS Topic Created by Rare User production
Execution
Serverless Execution T1648 3 rules
- AWS Lambda Function Created or Updated production
- AWS Lambda Layer Added to Existing Function production
- First Time AWS CloudFormation Stack Creation production
Cloud Administration Command T1651 3 rules
- AWS SSM `SendCommand` Execution by Rare User production
- AWS SSM Command Document Created by Rare User production
- First Time AWS CloudFormation Stack Creation production
Persistence
Account Manipulation T1098 13 rules
- AWS Bedrock Foundation Model Access Enabled or Entitlement Granted production
- AWS Bedrock Resource-Based Policy Modified or Deleted production
- AWS Bedrock Unauthorized Foundation Model Access Attempt production
- AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt production
- AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
- AWS IAM API Calls via Temporary Session Tokens production
- AWS IAM Customer Managed Policy Version Created or Default Version Set production
- AWS IAM Customer-Managed Policy Attached to Role by Rare User production
- AWS IAM Sensitive Operations via Lambda Execution Role production
- AWS Route 53 Domain Transfer Lock Disabled production
- AWS Route 53 Domain Transferred to Another Account production
- AWS Route 53 Private Hosted Zone Associated With a VPC production
- AWS S3 Bucket Policy Added to Share with External Account production
Account Manipulation: Additional Cloud Roles T1098.003 11 rules
- AWS EC2 Instance Interaction with IAM Service production
- AWS IAM AdministratorAccess Policy Attached to Group production
- AWS IAM AdministratorAccess Policy Attached to Role production
- AWS IAM AdministratorAccess Policy Attached to User production
- AWS IAM Assume Role Policy Update production
- AWS IAM Login Profile Added to User production
- AWS IAM Roles Anywhere Profile Creation production
- AWS IAM Roles Anywhere Trust Anchor Created with External CA production
- AWS IAM User Addition to Group production
- AWS Sensitive IAM Operations Performed via CloudShell production
- AWS STS AssumeRoot by Rare User and Member Account production
Account Manipulation: Additional Cloud Credentials T1098.001 8 rules
- AWS EC2 Instance Interaction with IAM Service production
- AWS First Occurrence of STS GetFederationToken Request by User production
- AWS IAM Login Profile Added for Root production
- AWS IAM Login Profile Added to User production
- AWS IAM SAML Provider Created production
- AWS IAM User Created Access Keys For Another User production
- AWS RDS DB Instance or Cluster Password Modified production
- AWS Sensitive IAM Operations Performed via CloudShell production
External Remote Services T1133 4 rules
- AWS EC2 Network Access Control List Creation production
- AWS EC2 Security Group Configuration Change production
- AWS RDS DB Instance Made Public production
- Insecure AWS EC2 VPC Security Group Ingress Rule Added production
Create Account: Cloud Account T1136.003 4 rules
- AWS IAM Create User via Assumed Role on EC2 Instance production
- AWS IAM Group Creation production
- AWS IAM Sensitive Operations via Lambda Execution Role production
- AWS Sensitive IAM Operations Performed via CloudShell production
Server Software Component T1505 3 rules
Account Manipulation: Additional Container Cluster Roles T1098.006 2 rules
- AWS EKS Access Entry Granted Cluster Admin Policy production
- AWS EKS Access Entry Modified production
Privilege Escalation
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access T1548.005 7 rules
- AWS EC2 Instance Profile Associated with Running Instance production
- AWS IAM Customer Managed Policy Version Created or Default Version Set production
- AWS IAM Customer-Managed Policy Attached to Role by Rare User production
- AWS KMS Key Policy Updated via PutKeyPolicy production
- AWS STS AssumeRoot by Rare User and Member Account production
- AWS STS GetFederationToken with AdministratorAccess in Request production
- AWS STS Role Assumption by Service production
Abuse Elevation Control Mechanism T1548 4 rules
- AWS STS AssumeRole with New MFA Device production
- AWS STS GetSessionToken Usage production
- AWS STS Role Assumption by User production
- AWS STS Role Chaining production
Stealth
Valid Accounts: Cloud Accounts T1078.004 35 rules
- AWS Access Token Used from Multiple Addresses production
- AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
- AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
- AWS CloudShell Environment Created production
- AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
- AWS EC2 Instance Console Login via Assumed Role production
- AWS EC2 Instance Interaction with IAM Service production
- AWS EC2 Instance Profile Associated with Running Instance production
- AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
- AWS IAM API Calls via Temporary Session Tokens production
- AWS IAM Assume Role Policy Update production
- AWS IAM CompromisedKeyQuarantine Policy Attached to User production
- AWS IAM Login Profile Added for Root production
- AWS IAM Login Profile Added to User production
- AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
- AWS IAM Long-Term Access Key First Seen from Source IP production
- AWS IAM OIDC Provider Created by Rare User production
- AWS IAM SAML Provider Created production
- AWS IAM Sensitive Operations via Lambda Execution Role production
- AWS IAM Virtual MFA Device Registration Attempt with Session Token production
- AWS Management Console Root Login production
- AWS Rare Source AS Organization Activity production
- AWS Sign-In Console Login with Federated User production
- AWS Sign-In Root Password Recovery Requested production
- AWS Sign-In Token Created production
- AWS STS AssumeRole with New MFA Device production
- AWS STS AssumeRoot by Rare User and Member Account production
- AWS STS GetSessionToken Usage production
- AWS STS Role Assumption by User production
- AWS STS Role Chaining production
- AWS Suspicious User Agent Fingerprint production
- Unusual AWS Command for a User production
- Unusual AWS S3 Object Encryption with SSE-C production
- Unusual City For an AWS Command production
- Unusual Country For an AWS Command production
Impair Defenses: Disable or Modify Cloud Logs T1562.008 17 rules
- AWS Bedrock Model Invocation Logging Disabled or Modified production
- AWS CloudTrail Log Created production
- AWS CloudTrail Log Deleted production
- AWS CloudTrail Log Evasion production
- AWS CloudTrail Log Suspended production
- AWS CloudTrail Log Updated production
- AWS CloudWatch Log Group Deletion production
- AWS CloudWatch Log Stream Deletion production
- AWS Config Resource Deletion production
- AWS Configuration Recorder Stopped production
- AWS EKS Control Plane Logging Disabled production
- AWS Route 53 Resolver Query Log Configuration Deleted production
- AWS S3 Bucket Configuration Deletion production
- AWS S3 Bucket Expiration Lifecycle Configuration Added production
- AWS S3 Bucket Server Access Logging Disabled production
- AWS SQS Queue Purge production
- AWS VPC Flow Logs Deletion production
Impair Defenses: Disable or Modify Tools T1562.001 14 rules
- AWS Bedrock Automated Reasoning Safety Policy Tampering production
- AWS Bedrock Guardrail Deleted or Weakened production
- AWS CloudTrail Log Deleted production
- AWS CloudTrail Log Suspended production
- AWS CloudWatch Alarm Deletion production
- AWS CloudWatch Log Group Deletion production
- AWS CloudWatch Log Stream Deletion production
- AWS Config Resource Deletion production
- AWS Configuration Recorder Stopped production
- AWS EC2 Serial Console Access Enabled production
- AWS EventBridge Rule Disabled or Deleted production
- AWS GuardDuty Detector Deletion production
- AWS GuardDuty Member Account Manipulation production
- AWS S3 Bucket Configuration Deletion production
Impair Defenses: Disable or Modify Cloud Firewall T1562.007 6 rules
- AWS EC2 Network Access Control List Creation production
- AWS EC2 Network Access Control List Deletion production
- AWS EC2 Security Group Configuration Change production
- AWS WAF Access Control List Deletion production
- AWS WAF Rule or Rule Group Deletion production
- Insecure AWS EC2 VPC Security Group Ingress Rule Added production
Indicator Removal T1070 2 rules
- AWS S3 Bucket Configuration Deletion production
- AWS S3 Bucket Expiration Lifecycle Configuration Added production
Impair Defenses T1562 2 rules
- AWS KMS Key Policy Updated via PutKeyPolicy production
- AWS Route 53 Domain Transfer Lock Disabled production
Impair Defenses: Indicator Blocking T1562.006 1 rule
- AWS CloudWatch Alarm Deletion production
Defense Impairment
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations T1578.005 10 rules
- AWS EC2 EBS Snapshot Access Removed production
- AWS EC2 Encryption Disabled production
- AWS EC2 Network Access Control List Creation production
- AWS EC2 Route Table Created production
- AWS EC2 Route Table Modified or Deleted production
- AWS EC2 Security Group Configuration Change production
- AWS EC2 Serial Console Access Enabled production
- AWS Lambda Function Policy Updated to Allow Public Invocation production
- AWS Lambda Layer Added to Existing Function production
- AWS RDS DB Instance or Cluster Deletion Protection Disabled production
Domain or Tenant Policy Modification: Trust Modification T1484.002 3 rules
- AWS IAM OIDC Provider Created by Rare User production
- AWS IAM SAML Provider Created production
- AWS IAM SAML Provider Updated production
Modify Authentication Process: Multi-Factor Authentication T1556.006 3 rules
- AWS IAM Deactivation of MFA Device production
- AWS IAM Virtual MFA Device Registration Attempt with Session Token production
- AWS STS AssumeRole with New MFA Device production
Modify Authentication Process: Conditional Access Policies T1556.009 1 rule
- AWS RDS DB Instance Made Public production
Modify Cloud Compute Infrastructure: Create Snapshot T1578.001 1 rule
- AWS RDS DB Snapshot Created production
Credential Access
Credentials from Password Stores: Cloud Secrets Management Stores T1555.006 5 rules
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
- AWS Secrets Manager Rapid Secrets Retrieval production
- AWS Systems Manager SecureString Parameter Request with Decryption Flag production
- First Time Seen AWS Secret Value Accessed in Secrets Manager production
- Multiple Cloud Secrets Accessed by Source Address production
Unsecured Credentials T1552 3 rules
Network Sniffing T1040 1 rule
- AWS EC2 Full Network Packet Capture Detected production
Brute Force T1110 1 rule
Unsecured Credentials: Credentials In Files T1552.001 1 rule
- AWS S3 Credential File Retrieved from Bucket production
Discovery
Cloud Infrastructure Discovery T1580 12 rules
- AWS Account Discovery By Rare User production
- AWS Discovery API Calls from VPN ASN for the First Time by Identity production
- AWS Discovery API Calls via CLI from a Single Resource production
- AWS EC2 Deprecated AMI Discovery production
- AWS EC2 Multi-Region DescribeInstances API Calls production
- AWS EC2 User Data Retrieval for EC2 Instance production
- AWS S3 Bucket Enumeration or Brute Force production
- AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
- AWS Service Quotas Multi-Region GetServiceQuota Requests production
- AWS SSM Inventory Reconnaissance by Rare User production
- Rare AWS Error Code production
- Spike in AWS Error Messages production
Cloud Service Discovery T1526 8 rules
- AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
- AWS Discovery API Calls from VPN ASN for the First Time by Identity production
- AWS Discovery API Calls via CLI from a Single Resource production
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
- AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
- AWS Service Quotas Multi-Region GetServiceQuota Requests production
- Rare AWS Error Code production
- Spike in AWS Error Messages production
Account Discovery: Cloud Account T1087.004 5 rules
- AWS Account Discovery By Rare User production
- AWS Discovery API Calls via CLI from a Single Resource production
- AWS EC2 Role GetCallerIdentity from New Source AS Organization production
- AWS IAM Principal Enumeration via UpdateAssumeRolePolicy production
- AWS STS GetCallerIdentity API Called for the First Time production
Software Discovery T1518 1 rule
Lateral Movement
Use Alternate Authentication Material: Application Access Token T1550.001 11 rules
- AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
- AWS EC2 Instance Console Login via Assumed Role production
- AWS First Occurrence of STS GetFederationToken Request by User production
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
- AWS Sign-In Token Created production
- AWS STS AssumeRole with New MFA Device production
- AWS STS GetFederationToken with AdministratorAccess in Request production
- AWS STS GetSessionToken Usage production
- AWS STS Role Assumption by Service production
- AWS STS Role Assumption by User production
- AWS STS Role Chaining production
Remote Services: Cloud Services T1021.007 4 rules
- AWS EC2 Instance Console Login via Assumed Role production
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
- AWS SSM Session Started to EC2 Instance production
- Unusual AWS Command for a User production
Remote Services: SSH T1021.004 2 rules
Internal Spearphishing T1534 1 rule
- AWS SNS Topic Message Publish by Rare User production
Collection
Data from Cloud Storage T1530 12 rules
- AWS API Activity from Uncommon S3 Client by Rare User production
- AWS CloudTrail Log Created production
- AWS CloudTrail Log Updated production
- AWS DynamoDB Scan by Unusual User production
- AWS EC2 Export Task production
- AWS S3 Bucket Enumeration or Brute Force production
- AWS S3 Bucket Policy Added to Allow Public Access production
- AWS S3 Bucket Policy Added to Share with External Account production
- AWS S3 Credential File Retrieved from Bucket production
- AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
- AWS S3 Unauthenticated Bucket Access by Rare Source production
- AWS SNS Rare Protocol Subscription by User production
Data from Information Repositories T1213 2 rules
- AWS DynamoDB Scan by Unusual User production
- AWS DynamoDB Table Exported to S3 production
Data from Information Repositories: Databases T1213.006 2 rules
- AWS RDS Snapshot Export production
- AWS Secrets Manager Rapid Secrets Retrieval production
Data from Local System T1005 1 rule
- AWS EC2 Export Task production
Data Staged T1074 1 rule
- AWS EC2 Full Network Packet Capture Detected production
Data Staged: Remote Data Staging T1074.002 1 rule
- AWS RDS DB Instance Restored production
Automated Collection T1119 1 rule
- AWS EC2 Export Task production
Command & Control
Web Service T1102 1 rule
- AWS SNS Topic Message Publish by Rare User production
Exfiltration
Transfer Data to Cloud Account T1537 8 rules
- AWS EC2 AMI Shared with Another Account production
- AWS EC2 EBS Snapshot Shared or Made Public production
- AWS EC2 Export Task production
- AWS EC2 Full Network Packet Capture Detected production
- AWS RDS DB Snapshot Shared with Another Account production
- AWS S3 Bucket Policy Added to Allow Public Access production
- AWS S3 Bucket Policy Added to Share with External Account production
- AWS S3 Bucket Replicated to Another Account production
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 5 rules
- AWS API Activity from Uncommon S3 Client by Rare User production
- AWS DynamoDB Table Exported to S3 production
- AWS EC2 Export Task production
- AWS RDS Snapshot Export production
- AWS S3 Bucket Replicated to Another Account production
Exfiltration Over Web Service T1567 3 rules
- AWS DynamoDB Scan by Unusual User production
- AWS SNS Rare Protocol Subscription by User production
- AWS SNS Topic Message Publish by Rare User production
Automated Exfiltration T1020 1 rule
- AWS EC2 Full Network Packet Capture Detected production
Exfiltration Over C2 Channel T1041 1 rule
- Unusual AWS Command for a User production
Impact
Data Destruction T1485 10 rules
- AWS CloudWatch Log Group Deletion production
- AWS CloudWatch Log Stream Deletion production
- AWS EC2 EBS Snapshot Access Removed production
- AWS EFS File System Deleted production
- AWS RDS DB Instance or Cluster Deleted production
- AWS RDS DB Instance or Cluster Deletion Protection Disabled production
- AWS RDS Snapshot Deleted production
- AWS S3 Unauthenticated Bucket Access by Rare Source production
- AWS SQS Queue Purge production
- Potential AWS S3 Bucket Ransomware Note Uploaded production
Data Manipulation: Stored Data Manipulation T1565.001 6 rules
- AWS Bedrock Knowledge Base or RAG Data Source Tampering production
- AWS CloudTrail Log Updated production
- AWS EC2 Encryption Disabled production
- AWS S3 Static Site JavaScript File Uploaded production
- AWS S3 Unauthenticated Bucket Access by Rare Source production
- Potential AWS S3 Bucket Ransomware Note Uploaded production
Data Encrypted for Impact T1486 4 rules
- AWS S3 Object Encryption Using External KMS Key production
- Excessive AWS S3 Object Encryption with SSE-C production
- Potential AWS S3 Bucket Ransomware Note Uploaded production
- Unusual AWS S3 Object Encryption with SSE-C production
Inhibit System Recovery T1490 4 rules
- AWS EC2 EBS Snapshot Access Removed production
- AWS RDS Snapshot Deleted production
- AWS S3 Bucket Configuration Deletion production
- AWS S3 Object Versioning Suspended production
Resource Hijacking: Cloud Service Hijacking T1496.004 4 rules
- AWS Bedrock Provisioned Model Throughput Tampering production
- AWS SNS Rare Protocol Subscription by User production
- AWS SNS Topic Created by Rare User production
- AWS SNS Topic Message Publish by Rare User production
Account Access Removal T1531 2 rules
- AWS IAM Deactivation of MFA Device production
- AWS IAM Group Deletion production
Service Stop T1489 1 rule
- AWS EventBridge Rule Disabled or Deleted production
Defacement: External Defacement T1491.002 1 rule
- AWS S3 Static Site JavaScript File Uploaded production
Financial Theft T1657 1 rule
- AWS S3 Bucket Enumeration or Brute Force production
Untagged
- AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User production
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User production
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request production
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session production
- AWS Bedrock High-Frequency Single-Model Inference API Probing production
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session production
- Potential Abuse of Resources by High Token Count and Large Response Sizes production
- Unusual High Confidence Content Filter Blocks Detected production
- Unusual High Denied Sensitive Information Policy Blocks Detected production
- Unusual High Denied Topic Blocks Detected production
- Unusual High Word Policy Blocks Detected production
Azure
Resource Development
Compromise Infrastructure: Domains T1584.001 1 rule
- Entra ID Custom Domain Added or Verified production
Stage Capabilities T1608 1 rule
- Azure Automation Webhook Created production
Initial Access
Phishing: Spearphishing Link T1566.002 12 rules
- Entra ID Concurrent Sign-in with Suspicious Properties production
- Entra ID Illicit Consent Grant via Registered Application production
- Entra ID Kali365 Default User-Agent Detected production
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
- Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
- Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
- Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
- Entra ID OAuth Device Code Grant by Unusual User production
- Entra ID OAuth Device Code Phishing via AiTM production
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
- Entra ID OAuth Phishing via First-Party Microsoft Application production
Trusted Relationship T1199 3 rules
Execution
Cloud Administration Command T1651 2 rules
- Azure Compute VM Command Executed production
- Azure VM Extension Deployment by User production
Scheduled Task/Job T1053 1 rule
- Azure Automation Runbook Created or Modified production
Command and Scripting Interpreter: PowerShell T1059.001 1 rule
- Entra ID PowerShell Sign-in production
Serverless Execution T1648 1 rule
- Azure Automation Runbook Created or Modified production
Persistence
Account Manipulation: Device Registration T1098.005 9 rules
- Entra ID ADRS Token Request by Microsoft Authentication Broker production
- Entra ID Device Registration with ROADtools Default OS Build production
- Entra ID Device with ROADtools Default OS Build (Entity Analytics) production
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
- Entra ID Protection User Alert and Device Registration production
- Entra ID Register Device with Unusual User Agent (Azure AD Join) production
- Entra ID Unusual Cloud Device Registration production
- Entra ID User Sign-in with Unusual Non-Managed Device production
Account Manipulation: Additional Cloud Credentials T1098.001 7 rules
- Azure Storage Account Key Regenerated production
- Entra ID Application Credential Modified production
- Entra ID Domain Federation Configuration Change production
- Entra ID Federated Identity Credential Issuer Modified production
- Entra ID Service Principal Credentials Created by Unusual User production
- Entra ID Service Principal Federated Credential Authentication by Unusual Client production
- Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Account Manipulation: Additional Cloud Roles T1098.003 6 rules
- Azure Event Hub Authorization Rule Created or Updated production
- Azure RBAC Built-In Administrator Roles Assigned production
- Entra ID Elevated Access to User Access Administrator production
- Entra ID Global Administrator Role Assigned production
- Entra ID Global Administrator Role Assigned (PIM User) production
- Entra ID Privileged Identity Management (PIM) Role Modified production
Account Manipulation T1098 3 rules
- Azure VM Extension Deployment by User production
- Entra ID User Added as Registered Application Owner production
- Entra ID User Added as Service Principal Owner production
Create Account: Cloud Account T1136.003 2 rules
- Entra ID External Guest User Invited production
- Entra ID Service Principal Created production
Privilege Escalation
Event Triggered Execution T1546 1 rule
- Azure Automation Webhook Created production
Stealth
Valid Accounts: Cloud Accounts T1078.004 40 rules
- Azure Arc Cluster Credential Access by Identity from Unusual Source production
- Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
- Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
- Azure Storage Account Keys Accessed by Privileged User production
- Entra ID Actor Token User Impersonation Abuse production
- Entra ID Concurrent Sign-in with Suspicious Properties production
- Entra ID High Risk Sign-in production
- Entra ID High Risk User Sign-in Heuristic production
- Entra ID Kali365 Default User-Agent Detected production
- Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
- Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
- Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
- Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
- Entra ID OAuth Device Code Grant by Unusual User production
- Entra ID OAuth Device Code Phishing via AiTM production
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
- Entra ID OAuth Phishing via First-Party Microsoft Application production
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
- Entra ID OAuth ROPC Grant Login Detected production
- Entra ID OAuth User Impersonation to Microsoft Graph production
- Entra ID OAuth user_impersonation Scope for Unusual User and Client production
- Entra ID PowerShell Sign-in production
- Entra ID Protection - Risk Detection - Sign-in Risk production
- Entra ID Protection - Risk Detection - User Risk production
- Entra ID Protection Admin Confirmed Compromise production
- Entra ID Protection Alerts for User Detected production
- Entra ID Protection User Alert and Device Registration production
- Entra ID Service Principal Federated Credential Authentication by Unusual Client production
- Entra ID Service Principal with Unusual Source ASN production
- Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
- Entra ID User Added as Service Principal Owner production
- Entra ID User Reported Suspicious Activity production
- Entra ID User Sign-in with Unusual Authentication Type production
- Entra ID User Sign-in with Unusual Client production
- Entra ID User Sign-in with Unusual Non-Managed Device production
- Microsoft Graph Request User Impersonation by Unusual Client production
- Unusual Azure Activity Logs Event for a User production
- Unusual City for an Azure Activity Logs Event production
- Unusual Country for an Azure Activity Logs Event production
Impair Defenses: Disable or Modify Tools T1562.001 5 rules
- Azure Diagnostic Settings Alert Suppression Rule Created or Modified production
- Azure Diagnostic Settings Deleted production
- Azure Kubernetes Services (AKS) Kubernetes Events Deleted production
- Azure Resource Group Deleted production
- Azure VNet Network Watcher Deleted production
Valid Accounts T1078 4 rules
- Azure Automation Account Created production
- Entra ID External Guest User Invited production
- Entra ID Privileged Identity Management (PIM) Role Modified production
- M365 or Entra ID Identity Sign-in from a Suspicious Source production
Impair Defenses: Disable or Modify Cloud Logs T1562.008 4 rules
- Azure Diagnostic Settings Deleted production
- Azure Event Hub Deleted production
- Azure Kubernetes Services (AKS) Kubernetes Events Deleted production
- Azure VNet Network Watcher Deleted production
Defense Impairment
File and Directory Permissions Modification T1222 2 rules
- Azure Blob Storage Container Access Level Modified production
- Azure Blob Storage Permissions Modified production
Modify Authentication Process: Multi-Factor Authentication T1556.006 2 rules
- Entra ID MFA Disabled for User production
- Entra ID User Sign-in with Unusual Authentication Type production
Credential Access
Steal Application Access Token T1528 12 rules
- Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
- Entra ID Concurrent Sign-in with Suspicious Properties production
- Entra ID Illicit Consent Grant via Registered Application production
- Entra ID Kali365 Default User-Agent Detected production
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
- Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
- Entra ID OAuth Phishing via First-Party Microsoft Application production
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
- Entra ID User Added as Registered Application Owner production
- Entra ID User Sign-in with Unusual Client production
- Microsoft Graph Request User Impersonation by Unusual Client production
Brute Force: Password Spraying T1110.003 7 rules
- Entra ID Excessive Account Lockouts Detected production
- Entra ID Protection - Risk Detection - Sign-in Risk production
- Entra ID Protection - Risk Detection - User Risk production
- Entra ID Sign-in Brute Force Attempted (Microsoft 365) production
- Entra ID Sign-in TeamFiltration User-Agent Detected production
- Entra ID User Sign-in Brute Force Attempted production
- Entra ID User Sign-in with Unusual Authentication Type production
Brute Force: Password Guessing T1110.001 4 rules
- Entra ID Excessive Account Lockouts Detected production
- Entra ID MFA TOTP Brute Force Attempted production
- Entra ID Sign-in Brute Force Attempted (Microsoft 365) production
- Entra ID User Sign-in Brute Force Attempted production
Steal Web Session Cookie T1539 2 rules
Unsecured Credentials: Cloud Instance Metadata API T1552.005 2 rules
- Azure Event Hub Authorization Rule Created or Updated production
- Azure Storage Account Key Regenerated production
Network Sniffing T1040 1 rule
Discovery
Cloud Service Discovery T1526 5 rules
Cloud Infrastructure Discovery T1580 4 rules
- Entra ID Sign-in BloodHound Suite User-Agent Detected production
- Entra ID Sign-in TeamFiltration User-Agent Detected production
- Rare Azure Activity Logs Event Failures production
- Spike in Azure Activity Logs Failed Messages production
Password Policy Discovery T1201 2 rules
Virtual Machine Discovery T1673 2 rules
Account Discovery T1087 1 rule
Lateral Movement
Use Alternate Authentication Material: Application Access Token T1550.001 18 rules
- Entra ID Actor Token User Impersonation Abuse production
- Entra ID Concurrent Sign-in with Suspicious Properties production
- Entra ID Kali365 Default User-Agent Detected production
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
- Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
- Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
- Entra ID OAuth Device Code Grant by Unusual User production
- Entra ID OAuth Device Code Phishing via AiTM production
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
- Entra ID OAuth Phishing via First-Party Microsoft Application production
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
- Entra ID OAuth User Impersonation to Microsoft Graph production
- Entra ID OAuth user_impersonation Scope for Unusual User and Client production
- Entra ID Service Principal Federated Credential Authentication by Unusual Client production
- Entra ID User Sign-in with Unusual Client production
- Microsoft Graph Request Email Access by Unusual User and Client production
- Microsoft Graph Request User Impersonation by Unusual Client production
Collection
Data from Cloud Storage T1530 2 rules
- Azure Storage Account Blob Public Access Enabled production
- Azure Storage Blob Retrieval via AzCopy production
Command & Control
Exfiltration
Impact
Data Destruction T1485 7 rules
- Azure Automation Runbook Deleted production
- Azure Compute Snapshot Deletion by Unusual User and Resource Group production
- Azure Compute Snapshot Deletions by User production
- Azure Event Hub Deleted production
- Azure Resource Group Deleted production
- Azure Storage Account Deletion by Unusual User production
- Azure Storage Account Deletions by User production
Inhibit System Recovery T1490 6 rules
- Azure Compute Restore Point Collection Deleted by Unusual User production
- Azure Compute Restore Point Collections Deleted production
- Azure Compute Snapshot Deletion by Unusual User and Resource Group production
- Azure Compute Snapshot Deletions by User production
- Azure Recovery Services Resource Deleted production
- Azure Resource Group Deleted production
Service Stop T1489 4 rules
- Azure Kubernetes Services (AKS) Kubernetes Pods Deleted production
- Azure Resource Group Deleted production
- Azure Storage Account Deletion by Unusual User production
- Azure Storage Account Deletions by User production
System Shutdown/Reboot T1529 2 rules
- Azure Kubernetes Services (AKS) Kubernetes Pods Deleted production
- Azure Resource Group Deleted production
Untagged
- Azure OpenAI Insecure Output Handling production
- Entra ID Protection - Risk Detection production
- Potential Azure OpenAI Model Theft production
- Potential Denial of Azure OpenAI ML Service production
GCP
Execution
Cloud Administration Command T1651 1 rule
- GCP Pub/Sub Topic Creation production
Persistence
Account Manipulation: Additional Cloud Roles T1098.003 2 rules
- GCP IAM Custom Role Creation production
- GCP Storage Bucket Permissions Modification production
Account Manipulation T1098 1 rule
- GCP IAM Service Account Key Deletion production
Account Manipulation: Additional Cloud Credentials T1098.001 1 rule
- GCP Service Account Key Creation production
Create Account: Cloud Account T1136.003 1 rule
- GCP Service Account Creation production
Stealth
Impair Defenses: Disable or Modify Cloud Firewall T1562.007 6 rules
- GCP Firewall Rule Creation production
- GCP Firewall Rule Deletion production
- GCP Firewall Rule Modification production
- GCP Virtual Private Cloud Network Deletion production
- GCP Virtual Private Cloud Route Creation production
- GCP Virtual Private Cloud Route Deletion production
Valid Accounts: Cloud Accounts T1078.004 3 rules
- Unusual City For a GCP Event production
- Unusual Country For a GCP Event production
- Unusual GCP Event for a User production
Impair Defenses: Disable or Modify Cloud Logs T1562.008 3 rules
- GCP Logging Bucket Deletion production
- GCP Logging Sink Deletion production
- GCP Logging Sink Modification production
Impair Defenses T1562 2 rules
- GCP Pub/Sub Subscription Deletion production
- GCP Pub/Sub Topic Deletion production
Valid Accounts T1078 1 rule
- GCP IAM Custom Role Creation production
Defense Impairment
Discovery
Cloud Service Discovery T1526 2 rules
- Rare GCP Audit Failure Event Code production
- Spike in GCP Audit Failed Messages production
Cloud Infrastructure Discovery T1580 2 rules
- Rare GCP Audit Failure Event Code production
- Spike in GCP Audit Failed Messages production
Lateral Movement
Remote Services: Cloud Services T1021.007 1 rule
- Unusual GCP Event for a User production
Collection
Data from Cloud Storage T1530 2 rules
- GCP Pub/Sub Subscription Creation production
- GCP Pub/Sub Topic Creation production
Automated Collection T1119 1 rule
- GCP Pub/Sub Subscription Creation production
Exfiltration
Exfiltration Over C2 Channel T1041 1 rule
- Unusual GCP Event for a User production
Transfer Data to Cloud Account T1537 1 rule
- GCP Logging Sink Modification production
Impact
Account Access Removal T1531 4 rules
- GCP IAM Role Deletion production
- GCP IAM Service Account Key Deletion production
- GCP Service Account Deletion production
- GCP Service Account Disabled production
Data Destruction T1485 2 rules
- GCP Storage Bucket Deletion production
- GCP Virtual Private Cloud Network Deletion production
Service Stop T1489 2 rules
- GCP Pub/Sub Subscription Deletion production
- GCP Pub/Sub Topic Deletion production
Microsoft 365
Resource Development
Stage Capabilities: Upload Malware T1608.001 2 rules
- M365 OneDrive Malware File Upload production
- M365 SharePoint Malware File Detected production
Initial Access
Phishing: Spearphishing Link T1566.002 7 rules
- Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish production
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
- M365 Identity OAuth Flow by User Sign-in to Device Registration production
- M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
- M365 Identity OAuth Phishing via First-Party Microsoft Application production
- M365 Quarantine and Hygiene Signal production
- M365 Threat Intelligence Signal production
Phishing T1566 3 rules
No specific technique 1 rule
- M365 Purview Security Compliance Signal production
Execution
Command and Scripting Interpreter: PowerShell T1059.001 2 rules
- M365 Security Compliance Admin Signal production
- M365 SharePoint/OneDrive File Access via PowerShell production
User Execution T1204 1 rule
- M365 AIR Investigation Signal production
User Execution: Malicious Link T1204.001 1 rule
- M365 Threat Intelligence Signal production
User Execution: Malicious File T1204.002 1 rule
- M365 Threat Intelligence Signal production
Persistence
Account Manipulation T1098 4 rules
Account Manipulation: Additional Cloud Roles T1098.003 3 rules
- M365 Exchange Management Group Role Assigned production
- M365 Identity Global Administrator Role Assigned production
- M365 SharePoint Site Administrator Added production
Stealth
Impair Defenses: Disable or Modify Tools T1562.001 12 rules
- Deprecated - M365 Exchange DLP Policy Deleted production
- M365 Exchange Anti-Phish Policy Deleted production
- M365 Exchange Anti-Phish Rule Modification production
- M365 Exchange DKIM Signing Configuration Disabled production
- M365 Exchange Email Safe Attachment Rule Disabled production
- M365 Exchange Email Safe Link Policy Disabled production
- M365 Exchange Mail Flow Transport Rule Modified production
- M365 Exchange Mailbox Audit Logging Bypass Added production
- M365 Exchange Malware Filter Policy Deleted production
- M365 Exchange Malware Filter Rule Modified production
- M365 Security Compliance Admin Signal production
- M365 SharePoint Site Sharing Policy Weakened production
Valid Accounts: Cloud Accounts T1078.004 7 rules
- M365 Entra ID Risk Detection Signal production
- M365 Identity Login from Atypical Region production
- M365 Identity Login from Impossible Travel Location production
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
- M365 Identity OAuth Phishing via First-Party Microsoft Application production
- M365 Identity Unusual SSO Authentication Errors for User production
- M365 Identity User Account Lockouts production
Impair Defenses T1562 2 rules
Defense Impairment
Domain or Tenant Policy Modification T1484 8 rules
- Deprecated - M365 Teams External Access Enabled production
- Deprecated - M365 Teams Guest Access Enabled production
- M365 Exchange Anti-Phish Policy Deleted production
- M365 Exchange DKIM Signing Configuration Disabled production
- M365 Exchange Email Safe Link Policy Disabled production
- M365 Exchange Malware Filter Rule Modified production
- M365 SharePoint Site Sharing Policy Weakened production
- M365 Teams Custom Application Interaction Enabled production
Credential Access
Steal Application Access Token T1528 4 rules
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
- M365 Identity OAuth Flow by User Sign-in to Device Registration production
- M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
- M365 Identity Unusual SSO Authentication Errors for User production
Brute Force: Password Spraying T1110.003 3 rules
- M365 Entra ID Risk Detection Signal production
- M365 Identity User Account Lockouts production
- M365 Identity User Brute Force Attempted production
Brute Force: Password Guessing T1110.001 2 rules
- M365 Identity User Account Lockouts production
- M365 Identity User Brute Force Attempted production
Brute Force: Credential Stuffing T1110.004 2 rules
- M365 Identity User Account Lockouts production
- M365 Identity User Brute Force Attempted production
No specific technique 1 rule
- M365 Purview Security Compliance Signal production
Discovery
Lateral Movement
Taint Shared Content T1080 2 rules
- M365 OneDrive Malware File Upload production
- M365 SharePoint Malware File Detected production
Collection
Data from Cloud Storage T1530 4 rules
- M365 OneDrive/SharePoint Excessive File Downloads production
- M365 Purview DLP Signal production
- M365 SharePoint Search for Sensitive Content production
- M365 SharePoint/OneDrive File Access via PowerShell production
Email Collection: Email Forwarding Rule T1114.003 2 rules
- M365 Exchange Inbox Forwarding Rule Created production
- M365 Exchange Mail Flow Transport Rule Created production
Data from Local System T1005 1 rule
- M365 Purview DLP Signal production
Email Collection T1114 1 rule
- M365 Purview DLP Signal production
No specific technique 2 rules
- M365 Purview Insider Risk Signal production
- M365 Purview Security Compliance Signal production
Exfiltration
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 1 rule
- M365 Purview DLP Signal production
No specific technique 2 rules
- M365 Purview Insider Risk Signal production
- M365 Purview Security Compliance Signal production
Impact
Data Destruction T1485 1 rule
No specific technique 3 rules
Google Workspace
Initial Access
Execution
Persistence
Account Manipulation T1098 5 rules
- External User Added to Google Workspace Group production
- Google Workspace API Access Granted via Domain-Wide Delegation production
- Google Workspace Password Policy Modified production
- Google Workspace Role Modified production
- Google Workspace Suspended User Account Renewed production
Account Manipulation: Additional Cloud Roles T1098.003 3 rules
- Google Workspace Admin Role Assigned to a User production
- Google Workspace Custom Admin Role Created production
- Google Workspace User Organizational Unit Changed production
Stealth
Valid Accounts: Cloud Accounts T1078.004 7 rules
- External User Added to Google Workspace Group production
- First Time Seen Google Workspace OAuth Login from Third-Party Application production
- Google Workspace Device Registration Burst for Single User production
- Google Workspace Login Flagged Suspicious production
- Google Workspace Suspended User Account Renewed production
- Google Workspace User Login with Unusual ASN production
- Google Workspace User Sign-in from Atypical Device Type production
Defense Impairment
Domain or Tenant Policy Modification T1484 5 rules
- Application Removed from Blocklist in Google Workspace production
- Google Workspace Admin Role Deletion production
- Google Workspace Bitlocker Setting Disabled production
- Google Workspace Password Policy Modified production
- Google Workspace Restrictions for Marketplace Modified to Allow Any App production
Modify Authentication Process T1556 2 rules
- Google Workspace 2SV Policy Disabled production
- MFA Disabled for Google Workspace Organization production
Credential Access
Adversary-in-the-Middle T1557 3 rules
Steal Application Access Token T1528 2 rules
- Google Workspace Login Flagged Suspicious production
- Google Workspace User Login with Unusual ASN production
Lateral Movement
Collection
Exfiltration
Impact
Account Access Removal T1531 2 rules
- Google Workspace Admin Role Deletion production
- Google Workspace MFA Enforcement Disabled production
Untagged
- Forwarded Google Workspace Security Alert production
Okta
Initial Access
Trusted Relationship T1199 1 rule
- Okta Sign-In Events via Third-Party IdP production
Phishing: Spearphishing Link T1566.002 1 rule
- Okta FastPass Phishing Detection production
Persistence
Account Manipulation: Additional Cloud Roles T1098.003 2 rules
- Administrator Privileges Assigned to an Okta Group production
- Okta User Assigned Administrator Role production
Account Manipulation: Additional Cloud Credentials T1098.001 1 rule
- Attempt to Create Okta API Token production
Create Account T1136 1 rule
- Attempt to Create Okta API Token production
Stealth
Valid Accounts: Cloud Accounts T1078.004 15 rules
- First Occurrence of Okta User Session Started via Proxy production
- High Number of Okta User Password Reset or Unlock Attempts production
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
- New Okta Authentication Behavior Detected production
- Okta Admin Console Login Failure production
- Okta Alerts Following Unusual Proxy Authentication production
- Okta Sign-In Events via Third-Party IdP production
- Okta Successful Login After Credential Attack production
- Okta User Session Impersonation production
- Okta User Sessions Started from Different Geolocations production
- Potential Okta MFA Bombing via Push Notifications production
- Potentially Successful Okta MFA Bombing via Push Notifications production
- Successful Application SSO from Rare Unknown Client Device production
- Unauthorized Access to an Okta Application production
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Impair Defenses: Disable or Modify Cloud Firewall T1562.007 9 rules
- Attempt to Deactivate an Okta Network Zone production
- Attempt to Deactivate an Okta Policy production
- Attempt to Deactivate an Okta Policy Rule production
- Attempt to Delete an Okta Network Zone production
- Attempt to Delete an Okta Policy production
- Attempt to Delete an Okta Policy Rule production
- Attempt to Modify an Okta Network Zone production
- Attempt to Modify an Okta Policy production
- Attempt to Modify an Okta Policy Rule production
Valid Accounts T1078 1 rule
- Suspicious Activity Reported by Okta User production
Defense Impairment
Modify Authentication Process: Multi-Factor Authentication T1556.006 5 rules
- Attempt to Deactivate an Okta Policy production
- Attempt to Delete an Okta Policy production
- Attempt to Reset MFA Factors for an Okta User Account production
- MFA Deactivation with no Re-Activation for Okta User Account production
- Stolen Credentials Used to Login to Okta Account After MFA Reset production
Domain or Tenant Policy Modification T1484 4 rules
- Attempt to Delete an Okta Policy Rule production
- Attempt to Modify an Okta Network Zone production
- Attempt to Modify an Okta Policy production
- Attempt to Modify an Okta Policy Rule production
Domain or Tenant Policy Modification: Trust Modification T1484.002 2 rules
- Attempt to Deactivate an Okta Network Zone production
- New Okta Identity Provider (IdP) Added by Admin production
Modify Authentication Process T1556 2 rules
- Attempt to Deactivate an Okta Policy Rule production
- Attempt to Modify an Okta Policy production
Credential Access
Brute Force: Password Spraying T1110.003 6 rules
- Attempts to Brute Force an Okta User Account production
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
- Multiple Okta User Authentication Events with Same Device Token Hash production
- Okta Successful Login After Credential Attack production
- Potential Okta Password Spray (Multi-Source) production
- Potential Okta Password Spray (Single Source) production
Brute Force: Password Guessing T1110.001 4 rules
- Attempts to Brute Force an Okta User Account production
- Okta Successful Login After Credential Attack production
- Potential Okta Brute Force (Device Token Rotation) production
- Potential Okta Brute Force (Multi-Source) production
Steal Web Session Cookie T1539 3 rules
- Multiple Device Token Hashes for Single Okta Session production
- Okta AiTM Session Cookie Replay production
- Okta Multiple OS Names Detected for a Single DT Hash production
Brute Force T1110 1 rule
- Okta Admin Console Login Failure production
Multi-Factor Authentication Interception T1111 1 rule
- Attempted Bypass of Okta MFA production
Lateral Movement
Impact
Service Stop T1489 2 rules
- Attempt to Deactivate an Okta Application production
- Attempt to Delete an Okta Application production
Network Denial of Service T1498 1 rule
- Possible Okta DoS Attack production
Endpoint Denial of Service: Service Exhaustion Flood T1499.002 1 rule
- Possible Okta DoS Attack production
Endpoint Denial of Service: Application Exhaustion Flood T1499.003 1 rule
- Possible Okta DoS Attack production
Account Access Removal T1531 1 rule
- Attempt to Revoke Okta API Token production
No specific technique 1 rule
- Attempt to Modify an Okta Application production
Untagged
GitHub
Resource Development
Acquire Infrastructure: Web Services T1583.006 1 rule
- GitHub Repo Created production
Initial Access
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 4 rules
- GitHub Actions Unusual Bot Push to Repository production
- GitHub Actions Workflow Modification Blocked production
- Github Activity on a Private Repository from an Unusual IP production
- New GitHub Self Hosted Action Runner production
Supply Chain Compromise: Compromise Software Dependencies and Development Tools T1195.001 2 rules
- GitHub Actions Workflow Modification Blocked production
- New GitHub Self Hosted Action Runner production
Trusted Relationship T1199 1 rule
- New GitHub App Installed production
Execution
Serverless Execution T1648 7 rules
- First Occurrence GitHub Event for a Personal Access Token (PAT) production
- First Occurrence of GitHub Repo Interaction From a New IP production
- First Occurrence of GitHub User Interaction with Private Repo production
- First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production
- GitHub App Deleted production
- GitHub Repo Created production
- High Number of Cloned GitHub Repos From PAT production
Software Deployment Tools T1072 1 rule
- New GitHub App Installed production
No specific technique 1 rule
Persistence
Account Manipulation: Additional Cloud Roles T1098.003 3 rules
- GitHub Owner Role Granted To User production
- New GitHub Owner Added production
- New User Added To GitHub Organization production
Create Account: Cloud Account T1136.003 2 rules
- New GitHub Owner Added production
- New GitHub Personal Access Token (PAT) Added production
Account Manipulation T1098 1 rule
- New GitHub App Installed production
Privilege Escalation
Event Triggered Execution T1546 1 rule
- GitHub Actions Workflow Modification Blocked production
Stealth
Valid Accounts: Cloud Accounts T1078.004 8 rules
- First Occurrence of GitHub Repo Interaction From a New IP production
- First Occurrence of IP Address For GitHub Personal Access Token (PAT) production
- First Occurrence of IP Address For GitHub User production
- First Occurrence of Personal Access Token (PAT) Use For a GitHub User production
- First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production
- First Occurrence of User-Agent For a GitHub User production
- Github Activity on a Private Repository from an Unusual IP production
Impair Defenses: Disable or Modify Tools T1562.001 3 rules
- GitHub App Deleted production
- GitHub Protected Branch Settings Changed production
- GitHub Secret Scanning Disabled production
Credential Access
Lateral Movement
Collection
Data from Information Repositories: Code Repositories T1213.003 5 rules
- First Occurrence of GitHub Repo Interaction From a New IP production
- First Occurrence of GitHub User Interaction with Private Repo production
- Github Activity on a Private Repository from an Unusual IP production
- GitHub Exfiltration via High Number of Repository Clones by User production
- High Number of Cloned GitHub Repos From PAT production
Exfiltration
Automated Exfiltration T1020 5 rules
- GitHub Exfiltration via High Number of Repository Clones by User production
- GitHub Private Repository Turned Public production
- High Number of Closed Pull Requests by User production
- High Number of Protected Branch Force Pushes by User production
- Several Failed Protected Branch Force Pushes by User production
Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 5 rules
- GitHub Exfiltration via High Number of Repository Clones by User production
- GitHub Private Repository Turned Public production
- High Number of Closed Pull Requests by User production
- High Number of Protected Branch Force Pushes by User production
- Several Failed Protected Branch Force Pushes by User production
Impact
Data Destruction T1485 4 rules
- GitHub Repository Deleted production
- High Number of Closed Pull Requests by User production
- High Number of Protected Branch Force Pushes by User production
- Several Failed Protected Branch Force Pushes by User production
Account Access Removal T1531 3 rules
- GitHub PAT Access Revoked production
- GitHub User Blocked From Organization production
- Member Removed From GitHub Organization production
Kubernetes
Reconnaissance
Execution
Deploy Container T1610 8 rules
- Kubernetes Anonymous User Create/Update/Patch Pods Request production
- Kubernetes Container Created with Excessive Linux Capabilities production
- Kubernetes Pod Created with a Sensitive hostPath Volume production
- Kubernetes Pod Created With HostIPC production
- Kubernetes Pod Created With HostNetwork production
- Kubernetes Pod Created With HostPID production
- Kubernetes Pod Creation Using Common Debug or Base Images production
- Kubernetes Privileged Pod Created production
Container Administration Command T1609 7 rules
- Kubernetes Ephemeral Container Added to Pod production
- Kubernetes Pod Creation Using Common Debug or Base Images production
- Kubernetes Pod Exec Cloud Instance Metadata Access production
- Kubernetes Pod Exec Potential Reverse Shell production
- Kubernetes Pod Exec Sensitive File or Credential Path Access production
- Kubernetes Pod Exec with Curl or Wget to HTTPS production
- Kubernetes User Exec into Pod production
Command and Scripting Interpreter T1059 1 rule
- Kubernetes Pod Exec Potential Reverse Shell production
No specific technique 1 rule
- Kubernetes Forbidden Creation Request production
Persistence
Account Manipulation: Additional Container Cluster Roles T1098.006 9 rules
- EKS Authentication Configuration Modified production
- Kubernetes Client Certificate Signing Request Created or Approved production
- Kubernetes Cluster-Admin Role Binding Created production
- Kubernetes Creation of a RoleBinding Referencing a ServiceAccount production
- Kubernetes Creation or Modification of Sensitive Role production
- Kubernetes RBAC Wildcard Elevation on Existing Role production
- Kubernetes Sensitive RBAC Change Followed by Workload Modification production
- Kubernetes Service Account Modified RBAC Objects production
- Unusual Kubernetes Sensitive Workload Modification production
Privilege Escalation
Escape to Host T1611 8 rules
- Kubernetes API Server Proxying Request to Kubelet production
- Kubernetes Container Created with Excessive Linux Capabilities production
- Kubernetes Ephemeral Container Added to Pod production
- Kubernetes Pod Created with a Sensitive hostPath Volume production
- Kubernetes Pod Created With HostIPC production
- Kubernetes Pod Created With HostNetwork production
- Kubernetes Pod Created With HostPID production
- Kubernetes Privileged Pod Created production
Stealth
Indicator Removal: File Deletion T1070.004 1 rule
- Kubernetes Events Deleted production
Valid Accounts T1078 1 rule
- Kubernetes Unusual Decision by User Agent production
Impair Defenses T1562 1 rule
Credential Access
Unsecured Credentials: Container API T1552.007 8 rules
- Kubernetes Pod Exec Sensitive File or Credential Path Access production
- Kubernetes Rapid Secret GET Activity Against Multiple Objects production
- Kubernetes Secret Access via Unusual User Agent production
- Kubernetes Secret get or list from Node or Pod Service Account production
- Kubernetes Secret get or list with Suspicious User Agent production
- Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
- Kubernetes Secrets List Across Cluster or Sensitive Namespaces production
- Kubernetes Service Account Token Created via TokenRequest API production
Discovery
Container and Resource Discovery T1613 8 rules
- Kubernetes API Server Proxying Request to Kubelet production
- Kubernetes Denied Service Account Request via Unusual User Agent production
- Kubernetes Forbidden Request from Unusual User Agent production
- Kubernetes Multi-Resource Discovery production
- Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected production
- Kubernetes Potential Endpoint Permission Enumeration Attempt Detected production
- Kubernetes Secrets List Across Cluster or Sensitive Namespaces production
- Kubernetes Suspicious Self-Subject Review via Unusual User Agent production
Lateral Movement
Collection
Command & Control
Ingress Tool Transfer T1105 1 rule
Impact
Untagged
- Container Workload Protection production
Network
Reconnaissance
Active Scanning: Scanning IP Blocks T1595.001 3 rules
- Potential Network Scan Detected production
- Potential Network Sweep Detected production
- Potential SYN-Based Port Scan Detected production
Active Scanning T1595 1 rule
Initial Access
Exploit Public-Facing Application T1190 14 rules
- Accepted Default Telnet Port Connection production
- Anomalous React Server Components Flight Data Patterns production
- FortiGate FortiCloud SSO Login from Unusual Source production
- Inbound Connection to an Unsecure Elasticsearch Node production
- Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940) production
- Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771) production
- Potential VIEWSTATE RCE Attempt on SharePoint/IIS production
- RDP (Remote Desktop Protocol) from the Internet production
- React2Shell (CVE-2025-55182) Exploitation Attempt production
- React2Shell Network Security Alert production
- RPC (Remote Procedure Call) from the Internet production
- RPC (Remote Procedure Call) to the Internet production
- SMB (Windows File Sharing) Activity to the Internet production
- VNC (Virtual Network Computing) from the Internet production
Execution
Persistence
External Remote Services T1133 4 rules
- Accepted Default Telnet Port Connection production
- RDP (Remote Desktop Protocol) from the Internet production
- RPC (Remote Procedure Call) from the Internet production
- VNC (Virtual Network Computing) from the Internet production
Stealth
Valid Accounts T1078 2 rules
Credential Access
Discovery
Network Service Discovery T1046 3 rules
- Potential Network Scan Detected production
- Potential Network Sweep Detected production
- Potential SYN-Based Port Scan Detected production
Remote System Discovery T1018 1 rule
- Potential Network Sweep Detected production
Lateral Movement
Remote Services T1021 1 rule
- Accepted Default Telnet Port Connection production
Remote Services: Distributed Component Object Model T1021.003 1 rule
- RPC (Remote Procedure Call) to the Internet production
Exploitation of Remote Services T1210 1 rule
- Abnormally Large DNS Response production
Command & Control
Dynamic Resolution: Domain Generation Algorithms T1568.002 7 rules
- Cobalt Strike Command and Control Beacon production
- Halfbaked Command and Control Beacon production
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain production
- Machine Learning Detected a DNS Request With a High DGA Probability Score production
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain production
- Possible FIN7 DGA Command and Control Behavior production
- Potential DGA Activity production
Application Layer Protocol: Web Protocols T1071.001 4 rules
- Cobalt Strike Command and Control Beacon production
- Default Cobalt Strike Team Server Certificate production
- Halfbaked Command and Control Beacon production
- Possible FIN7 DGA Command and Control Behavior production
Application Layer Protocol T1071 3 rules
Remote Access Tools T1219 2 rules
Encrypted Channel T1573 2 rules
- Default Cobalt Strike Team Server Certificate production
- IPSEC NAT Traversal Port Activity production
Application Layer Protocol: Mail Protocols T1071.003 1 rule
- SMTP on Port 26/TCP production
Non-Application Layer Protocol T1095 1 rule
- IPSEC NAT Traversal Port Activity production
Ingress Tool Transfer T1105 1 rule
Non-Standard Port T1571 1 rule
- SMTP on Port 26/TCP production
Protocol Tunneling T1572 1 rule
- IPSEC NAT Traversal Port Activity production
Exfiltration
Exfiltration Over Alternative Protocol T1048 2 rules
- SMB (Windows File Sharing) Activity to the Internet production
- SMTP on Port 26/TCP production
Impact
Untagged
- Newly Observed FortiGate Alert production
- Newly Observed High Severity Suricata Alert production
- Newly Observed Palo Alto Network Alert production
Web
Reconnaissance
Active Scanning: Vulnerability Scanning T1595.002 6 rules
- Potential Spike in Web Server Error Logs production
- Web Server Discovery or Fuzzing Activity production
- Web Server Potential Command Injection Request production
- Web Server Potential Spike in Error Response Codes production
- Web Server Potential SQL Injection Request production
- Web Server Suspicious User Agent Requests production
Active Scanning: Wordlist Scanning T1595.003 6 rules
- Potential Spike in Web Server Error Logs production
- Web Server Discovery or Fuzzing Activity production
- Web Server Potential Command Injection Request production
- Web Server Potential Spike in Error Response Codes production
- Web Server Potential SQL Injection Request production
- Web Server Suspicious User Agent Requests production
Initial Access
Exploit Public-Facing Application T1190 4 rules
- Web Server Local File Inclusion Activity production
- Web Server Potential Command Injection Request production
- Web Server Potential Remote File Inclusion Activity production
- Web Server Potential SQL Injection Request production
Execution
Command and Scripting Interpreter: Unix Shell T1059.004 2 rules
- Web Server Potential Command Injection Request production
- Web Server Potential SQL Injection Request production
Persistence
Server Software Component T1505 1 rule
- Web Server Potential SQL Injection Request production
Stealth
Impair Defenses: Downgrade Attack T1562.010 1 rule
- Potential HTTP Downgrade Attack production
Credential Access
Unsecured Credentials: Credentials In Files T1552.001 2 rules
- Web Server Local File Inclusion Activity production
- Web Server Potential Command Injection Request production
Brute Force T1110 1 rule
- Web Server Suspicious User Agent Requests production
Discovery
File and Directory Discovery T1083 2 rules
- Web Server Local File Inclusion Activity production
- Web Server Potential Remote File Inclusion Activity production
Collection
Data from Local System T1005 1 rule
- Web Server Local File Inclusion Activity production
Command & Control
Application Layer Protocol T1071 2 rules
- Web Server Potential Command Injection Request production
- Web Server Potential SQL Injection Request production
Ingress Tool Transfer T1105 1 rule
Identity
Persistence
Account Manipulation T1098 6 rules
- Spike in Group Application Assignment Change Events production
- Spike in Group Membership Events production
- Spike in Group Privilege Change Events production
- Spike in User Account Management Events production
- Spike in User Lifecycle Management Change Events production
- Unusual Privilege Type assigned to a User production
Account Manipulation: Additional Local or Domain Groups T1098.007 3 rules
- Spike in Group Lifecycle Change Events production
- Spike in Group Management Events production
- Unusual Group Name Accessed by a User production
Create Account T1136 1 rule
- Spike in User Account Management Events production
Privilege Escalation
Exploitation for Privilege Escalation T1068 10 rules
- Spike in Group Application Assignment Change Events production
- Spike in Group Lifecycle Change Events production
- Spike in Group Membership Events production
- Spike in Group Privilege Change Events production
- Spike in Special Logon Events production
- Spike in Special Privilege Use Events production
- Spike in User Account Management Events production
- Unusual Group Name Accessed by a User production
- Unusual Privilege Type assigned to a User production
- Unusual Spike in Concurrent Active Sessions by a User production
Stealth
Valid Accounts T1078 18 rules
- CyberArk Privileged Access Security Error production
- High Command Line Entropy Detected for Privileged Commands production
- Spike in Group Application Assignment Change Events production
- Spike in Group Lifecycle Change Events production
- Spike in Group Management Events production
- Spike in Group Membership Events production
- Spike in Group Privilege Change Events production
- Spike in Privileged Command Execution by a User production
- Spike in Special Privilege Use Events production
- Spike in User Account Management Events production
- Spike in User Lifecycle Management Change Events production
- Unusual Group Name Accessed by a User production
- Unusual Host Name for Windows Privileged Operations Detected production
- Unusual Privilege Type assigned to a User production
- Unusual Process Detected for Privileged Commands by a User production
- Unusual Region Name for Windows Privileged Operations Detected production
- Unusual Source IP for Windows Privileged Operations Detected production
- Unusual Spike in Concurrent Active Sessions by a User production
Valid Accounts: Domain Accounts T1078.002 1 rule
- Spike in Special Logon Events production
Access Token Manipulation T1134 1 rule
- Spike in Special Privilege Use Events production
Discovery
Permission Groups Discovery T1069 1 rule
- Unusual Group Name Accessed by a User production
Untagged
- Correlated Alerts on Similar User Identities production
- LLM-Based Compromised User Triage by User production
Application
Reconnaissance
Active Scanning T1595 2 rules
- Spike in Firewall Denies production
- Spike in Network Traffic production
Gather Victim Network Information T1590 1 rule
- Spike in Firewall Denies production
Initial Access
Phishing: Spearphishing Attachment T1566.001 2 rules
- Network Traffic to Rare Destination Country production
- Unusual Network Destination Domain Name production
Phishing: Spearphishing Link T1566.002 2 rules
- Network Traffic to Rare Destination Country production
- Unusual Network Destination Domain Name production
Drive-by Compromise T1189 1 rule
- Unusual Web Request production
Phishing T1566 1 rule
- Unusual DNS Activity production
Execution
Exploitation for Client Execution T1203 2 rules
- Exploit - Detected - Elastic Endgame production
- Exploit - Prevented - Elastic Endgame production
User Execution T1204 1 rule
- Spike in host-based traffic production
Privilege Escalation
Exploitation for Privilege Escalation T1068 3 rules
- Exploit - Detected - Elastic Endgame production
- Exploit - Prevented - Elastic Endgame production
- Spike in host-based traffic production
Stealth
Valid Accounts T1078 3 rules
- Spike in Logon Events production
- Unusual Hour for a User to Logon production
- Unusual Source IP for a User to Logon from production
Process Injection T1055 2 rules
Valid Accounts: Domain Accounts T1078.002 2 rules
- Rare User Logon production
- Spike in Successful Logon Events from a Source IP production
Valid Accounts: Local Accounts T1078.003 2 rules
- Rare User Logon production
- Spike in Successful Logon Events from a Source IP production
Access Token Manipulation T1134 2 rules
Access Token Manipulation: Token Impersonation/Theft T1134.001 2 rules
- Permission Theft - Detected - Elastic Endgame production
- Permission Theft - Prevented - Elastic Endgame production
Impair Defenses T1562 1 rule
- Decline in host-based traffic production
Credential Access
Brute Force: Password Spraying T1110.003 3 rules
- Spike in Failed Logon Events production
- Spike in Logon Events production
- Spike in Successful Logon Events from a Source IP production
Brute Force T1110 1 rule
- Unusual Login Activity production
Brute Force: Password Guessing T1110.001 1 rule
- Spike in Failed Logon Events production
Discovery
Network Service Discovery T1046 4 rules
- Spike in Firewall Denies production
- Spike in host-based traffic production
- Spike in Network Traffic production
- Spike in Network Traffic To a Country production
Remote System Discovery T1018 1 rule
- Spike in Firewall Denies production
Lateral Movement
Remote Services T1021 1 rule
- Unusual Source IP for a User to Logon from production
Command & Control
Application Layer Protocol T1071 4 rules
- Network Traffic to Rare Destination Country production
- Spike in Firewall Denies production
- Spike in host-based traffic production
- Spike in Network Traffic To a Country production
Application Layer Protocol: Web Protocols T1071.001 3 rules
- Unusual Network Destination Domain Name production
- Unusual Web Request production
- Unusual Web User Agent production
Application Layer Protocol: DNS T1071.004 3 rules
- DNS Tunneling production
- Unusual DNS Activity production
- Unusual Network Destination Domain Name production
Ingress Tool Transfer T1105 2 rules
- Network Traffic to Rare Destination Country production
- Unusual Network Destination Domain Name production
Web Service T1102 1 rule
- Unusual Web Request production
Dynamic Resolution T1568 1 rule
- Unusual DNS Activity production
Protocol Tunneling T1572 1 rule
- DNS Tunneling production
Exfiltration
Exfiltration Over C2 Channel T1041 7 rules
- DNS Tunneling production
- Network Traffic to Rare Destination Country production
- Spike in Firewall Denies production
- Spike in host-based traffic production
- Spike in Network Traffic production
- Spike in Network Traffic To a Country production
- Unusual Network Destination Domain Name production
Exfiltration Over Alternative Protocol T1048 4 rules
- Network Traffic to Rare Destination Country production
- Spike in host-based traffic production
- Spike in Network Traffic To a Country production
- Unusual DNS Activity production
Impact
Network Denial of Service T1498 3 rules
- Spike in Firewall Denies production
- Spike in host-based traffic production
- Spike in Network Traffic production
Endpoint Denial of Service T1499 3 rules
- Decline in host-based traffic production
- Spike in Firewall Denies production
- Spike in host-based traffic production
Service Stop T1489 1 rule
- Decline in host-based traffic production
Untagged
- Adversary Behavior - Detected - Elastic Endgame production
- CrowdStrike External Alerts production
- Elastic Security External Alerts production
- Google SecOps External Alerts production
- IBM QRadar External Alerts production
- Malware - Detected - Elastic Endgame production
- Malware - Prevented - Elastic Endgame production
- Microsoft Sentinel External Alerts production
- Ransomware - Detected - Elastic Endgame production
- Ransomware - Prevented - Elastic Endgame production
- SentinelOne Alert External Alerts production
- SentinelOne Threat External Alerts production
- Splunk External Alerts production
- Threat Intel Email Indicator Match production
- Web Application Suspicious Activity: POST Request Declined production
- Web Application Suspicious Activity: sqlmap User Agent production
- Web Application Suspicious Activity: Unauthorized Method production