Prebuilt rule catalog

Browse Elastic's full library of prebuilt detection rules, organized by MITRE ATT&CK tactic. Each entry lists the rule's ATT&CK technique IDs, rule type, severity, and a link to the full rule source on GitHub.

Use this catalog to:

  • Assess coverage: See which tactics and techniques have prebuilt detection rules available.
  • Find rules by threat: Jump to a specific tactic to find rules matching your threat model.
  • Understand rule types: Identify which rule engine (custom query, EQL, ES|QL, threshold, new terms, machine learning, and others) each rule uses, and link out to the rule source for the full query logic, investigation notes, and false-positive guidance.

To install these rules in your environment, refer to Install prebuilt rules. To understand the MITRE ATT&CK coverage your installed rules provide, refer to MITRE ATT&CK coverage.

Note

This catalog is automatically generated from the elastic/detection-rules repository. Rules are updated regularly; check the source repository for the latest changes. Rules whose names begin with "Deprecated - " have been retired by Elastic and are listed for reference only; do not count them toward coverage. A few rules carry no ATT&CK technique mapping; they appear under a tactic but do not contribute to technique-level coverage. A rule mapped to more than one tactic is listed once per tactic, so the same rule can appear in several tables.
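As an added example (not Elastic's code and not part of the generated catalog), the following Python parses catalog rows as they appear on this page into structured records and summarizes coverage the way the "Assess coverage" and "Find rules by threat" bullets describe: rules per parent technique, per rule type and per severity, plus the deprecated and unmapped rules that should be excluded from a coverage claim, and the techniques from a threat model that have no live rule. The sample rows are copied from this page's tables (both the flat, whitespace-separated export form and a pipe-delimited form are accepted); the column set, the rule-type and severity vocabularies, and the function names are assumptions of the example, not something the catalog defines.

```python
"""Parse prebuilt-rule catalog rows and summarize ATT&CK coverage.

Added example, not Elastic's code. Assumes the column layout shown on this
page: name, optional comma-separated ATT&CK technique IDs, rule type,
severity, and a Source column reading "GitHub". Rows may be whitespace-
separated (as the page exports them) or pipe-delimited with "-" for an
empty technique column.
"""
import re
from collections import Counter

# Vocabularies observed in the catalog; assumed complete for this example.
RULE_TYPES = ("Custom Query", "EQL", "ES|QL", "New Terms", "Threshold", "Machine Learning")
SEVERITIES = ("Low", "Medium", "High", "Critical")

_TECH = r"T\d{4}(?:\.\d{3})?"
_TYPE_ALT = "|".join(re.escape(t) for t in RULE_TYPES)
_SEV_ALT = "|".join(SEVERITIES)
# Whitespace-separated layout. Names and rule types both contain spaces, so
# the ATT&CK ID list (when present) and the fixed rule-type/severity words
# are the only reliable column boundaries; the name is matched lazily.
_FLAT_ROW = re.compile(
    r"^(?P<name>.+?)"
    rf"(?:\s+(?P<tech>{_TECH}(?:,\s*{_TECH})*))?"
    rf"\s+(?P<type>{_TYPE_ALT})\s+(?P<sev>{_SEV_ALT})\s+GitHub\b.*$"
)


def parse_row(line):
    """Return a record for one catalog row, or None for headers/blank lines."""
    line = line.strip()
    if not line:
        return None
    if " | " in line:  # pipe-delimited; "ES|QL" has no spaces, so it survives the split
        cols = [c.strip() for c in line.split(" | ")]
        if len(cols) != 5 or cols[2] not in RULE_TYPES or cols[3] not in SEVERITIES:
            return None
        name, rtype, sev = cols[0], cols[2], cols[3]
        tech = "" if cols[1] == "-" else cols[1]
    else:
        m = _FLAT_ROW.match(line)
        if not m:
            return None
        name, tech, rtype, sev = m["name"], m["tech"] or "", m["type"], m["sev"]
    return {
        "name": name,
        "deprecated": name.startswith("Deprecated - "),
        "techniques": [t for t in re.split(r",\s*", tech) if t],
        "rule_type": rtype,
        "severity": sev,
    }


def summarize(lines):
    """Aggregate parsed rows into coverage counts."""
    rules = [r for r in map(parse_row, lines) if r]
    by_technique = Counter()
    for r in rules:
        if r["deprecated"]:  # retired rules give no real coverage
            continue
        # Count a rule once per parent technique: T1078 and T1078.004 on the
        # same rule are one unit of T1078 coverage, not two.
        for parent in {t.split(".")[0] for t in r["techniques"]}:
            by_technique[parent] += 1
    return {
        "rules": len(rules),
        "by_technique": by_technique,
        "by_rule_type": Counter(r["rule_type"] for r in rules),
        "by_severity": Counter(r["severity"] for r in rules),
        "deprecated": [r["name"] for r in rules if r["deprecated"]],
        "unmapped": [r["name"] for r in rules if not r["techniques"]],
    }


def uncovered(summary, wanted):
    """Parent technique IDs from a threat model that no live rule maps to."""
    return sorted(t for t in wanted if summary["by_technique"][t] == 0)


# Constructed sample: rows copied from this page's tables, in both layouts.
SAMPLE_ROWS = """
Name Technique Rule Type Severity Source
Accepted Default Telnet Port Connection T1021, T1190 Custom Query Medium GitHub ↗
AWS Access Token Used from Multiple Addresses T1078, T1078.004 ES|QL Medium GitHub ↗
Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish T1566, T1566.001, T1566.002 Custom Query Medium GitHub ↗
M365 Defender Alerts Signal Custom Query Low GitHub ↗
Potential Telnet Authentication Bypass (CVE-2026-24061) | T1190, T1210 | EQL | Critical | GitHub
Rare User Logon | T1078, T1078.002, T1078.003 | Machine Learning | Low | GitHub
Potential Linux Hack Tool Launched | - | EQL | Medium | GitHub
""".strip().splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(f"{s['rules']} rules; {len(s['deprecated'])} deprecated; {len(s['unmapped'])} unmapped")
    print("per technique:", dict(s["by_technique"]))
    print("per rule type:", dict(s["by_rule_type"]))
    print("no live rule for:", uncovered(s, ["T1078", "T1133", "T1190", "T1566"]))
```

Run it against the full page text (every row of every tactic table) to get the real numbers. Counting at the parent-technique level is deliberate: a rule tagged with both T1078 and T1078.004 is one detection, and treating sub-technique tags as extra coverage inflates the result. Deprecated rows are excluded from the technique counts for the same reason.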

Initial Access (TA0001)

Rules detecting techniques adversaries use to gain a first foothold in your environment, such as phishing, exploiting public-facing applications, and abusing valid accounts.

Name | Technique | Rule Type | Severity | Source
Accepted Default Telnet Port Connection | T1021, T1190 | Custom Query | Medium | GitHub
Anomalous React Server Components Flight Data Patterns | T1059, T1059.007, T1190 | EQL | Low | GitHub
AWS Access Token Used from Multiple Addresses | T1078, T1078.004 | ES|QL | Medium | GitHub
AWS CLI with Kali Linux Fingerprint Identified | T1078, T1078.004 | EQL | Medium | GitHub
AWS Management Console Root Login | T1078, T1078.004 | Custom Query | Medium | GitHub
AWS Sign-In Console Login with Federated User | T1078, T1078.004 | Custom Query | Medium | GitHub
AWS Sign-In Root Password Recovery Requested | T1078 | Custom Query | High | GitHub
AWS Sign-In Token Created | T1078, T1078.004 | Custom Query | Low | GitHub
Azure Storage Account Keys Accessed by Privileged User | T1078, T1078.004, T1555, T1555.006 | New Terms | Medium | GitHub
Command Execution via SolarWinds Process | T1059, T1059.001, T1059.003, T1195, T1195.002 | EQL | Medium | GitHub
Creation of SettingContent-ms Files | T1204, T1204.002, T1566, T1566.001 | EQL | Low | GitHub
CyberArk Privileged Access Security Error | T1078 | Custom Query | High | GitHub
CyberArk Privileged Access Security Recommended Monitor | T1078 | Custom Query | High | GitHub
Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish | T1566, T1566.001, T1566.002 | Custom Query | Medium | GitHub
Downloaded Shortcut Files | T1204, T1204.002, T1566, T1566.001, T1566.002 | EQL | Medium | GitHub
Downloaded URL Files | T1204, T1566, T1566.001, T1566.002 | EQL | Medium | GitHub
DPKG Package Installed by Unusual Parent Process | T1195, T1195.002, T1543, T1546, T1546.016, T1574 | New Terms | Low | GitHub
Entra ID Actor Token User Impersonation Abuse | T1078, T1078.004, T1548 | ES|QL | Medium | GitHub
Entra ID Concurrent Sign-in with Suspicious Properties | T1528, T1566, T1566.002 | ES|QL | High | GitHub
Entra ID High Risk Sign-in | T1078, T1078.004 | Custom Query | High | GitHub
Entra ID High Risk User Sign-in Heuristic | T1078, T1078.004 | Custom Query | Medium | GitHub
Entra ID Illicit Consent Grant via Registered Application | T1528, T1566, T1566.002 | New Terms | Medium | GitHub
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource | T1078, T1078.004, T1528, T1566, T1566.002 | New Terms | Medium | GitHub
Entra ID OAuth Device Code Flow with Concurrent Sign-ins | T1528, T1566, T1566.002 | ES|QL | High | GitHub
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker | T1078, T1078.004, T1550, T1550.001, T1566, T1566.002 | Custom Query | Medium | GitHub
Entra ID OAuth Device Code Grant by Unusual User | T1078, T1078.004, T1566, T1566.002 | New Terms | Medium | GitHub
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) | T1078, T1078.004, T1528, T1566, T1566.002 | ES|QL | High | GitHub
Entra ID OAuth Phishing via First-Party Microsoft Application | T1078, T1078.004, T1528, T1566, T1566.002 | Custom Query | Medium | GitHub
Entra ID OAuth PRT Issuance to Non-Managed Device Detected | T1078, T1078.004, T1098, T1098.005, T1528 | EQL | Medium | GitHub
Entra ID OAuth ROPC Grant Login Detected | T1078, T1078.004 | New Terms | Medium | GitHub
Entra ID OAuth User Impersonation to Microsoft Graph | T1078, T1078.004, T1550, T1550.001 | ES|QL | Medium | GitHub
Entra ID OAuth user_impersonation Scope for Unusual User and Client | T1078, T1078.004, T1550, T1550.001, T1656 | New Terms | Medium | GitHub
Entra ID Protection - Risk Detection - Sign-in Risk | T1071, T1078, T1078.004, T1110, T1110.003, T1556 | Custom Query | High | GitHub
Entra ID Protection - Risk Detection - User Risk | T1071, T1078, T1078.004, T1110, T1110.003, T1556 | Custom Query | High | GitHub
Entra ID Protection Admin Confirmed Compromise | T1078, T1078.004 | Custom Query | Critical | GitHub
Entra ID Protection Alerts for User Detected | T1078, T1078.004 | EQL | High | GitHub
Entra ID Service Principal Federated Credential Authentication by Unusual Client | T1078, T1078.004, T1550, T1550.001 | New Terms | Medium | GitHub
Entra ID Sharepoint or OneDrive Accessed by Unusual Client | T1213, T1213.002, T1566 | New Terms | Medium | GitHub
Entra ID User Reported Suspicious Activity | T1078, T1078.004 | Custom Query | Medium | GitHub
Entra ID User Sign-in with Unusual Authentication Type | T1078, T1078.004, T1110, T1110.003, T1550 | New Terms | Medium | GitHub
Entra ID User Sign-in with Unusual Client | T1078, T1078.004, T1528 | New Terms | Medium | GitHub
Entra ID User Sign-in with Unusual Non-Managed Device | T1078, T1078.004, T1098, T1098.005 | New Terms | Low | GitHub
Execution from a Removable Media with Network Connection | T1091 | EQL | Low | GitHub
Execution of File Written or Modified by Microsoft Office | T1566, T1566.001, T1566.002 | EQL | High | GitHub
Execution via GitHub Actions Runner | T1059, T1195, T1195.002 | EQL | Medium | GitHub
External User Added to Google Workspace Group | T1078, T1078.004 | EQL | Medium | GitHub
File with Suspicious Extension Downloaded | T1218, T1566, T1566.001, T1566.002 | EQL | Low | GitHub
First Occurrence of IP Address For GitHub Personal Access Token (PAT) | T1078, T1078.004 | New Terms | Low | GitHub
First Occurrence of IP Address For GitHub User | T1078, T1078.004 | New Terms | Low | GitHub
First Occurrence of Okta User Session Started via Proxy | T1133 | New Terms | Medium | GitHub
First Occurrence of User Agent For a GitHub Personal Access Token (PAT) | T1078, T1078.004 | New Terms | Low | GitHub
First Occurrence of User-Agent For a GitHub User | T1078, T1078.004 | New Terms | Low | GitHub
First Time Seen Google Workspace OAuth Login from Third-Party Application | T1078, T1078.004, T1550, T1550.001 | New Terms | Medium | GitHub
First Time Seen Removable Device | T1052, T1052.001, T1091 | New Terms | Low | GitHub
First-Time FortiGate Administrator Login | T1078 | ES|QL | High | GitHub
FortiGate Administrator Login from Multiple IP Addresses | T1078 | ES|QL | High | GitHub
FortiGate FortiCloud SSO Login from Unusual Source | T1078, T1078.004 | ES|QL | Medium | GitHub
FortiGate SSL VPN Login Followed by SIEM Alert by User | T1078 | EQL | Medium | GitHub
GCP IAM Custom Role Creation | T1078 | Custom Query | Medium | GitHub
GitHub Actions Unusual Bot Push to Repository | T1059, T1195, T1195.002 | New Terms | Low | GitHub
GitHub Actions Workflow Modification Blocked | T1059, T1195, T1195.002, T1546 | ES|QL | Medium | GitHub
Github Activity on a Private Repository from an Unusual IP | T1059, T1195, T1195.002 | New Terms | Low | GitHub
Google Workspace Suspended User Account Renewed | T1078, T1078.004 | Custom Query | Low | GitHub
High Number of Okta User Password Reset or Unlock Attempts | T1078 | Threshold | Medium | GitHub
Inbound Connection to an Unsecure Elasticsearch Node | T1190 | Custom Query | Medium | GitHub
Initial Access via File Upload Followed by GET Request | T1190, T1505, T1505.003 | EQL | Medium | GitHub
Kubeconfig File Creation or Modification | T1078, T1550 | EQL | Medium | GitHub
M365 AIR Investigation Signal | T1204, T1566 | Custom Query | Low | GitHub
M365 Defender Alerts Signal | - | Custom Query | Low | GitHub
M365 Entra ID Risk Detection Signal | T1078, T1078.004, T1110 | Custom Query | Low | GitHub
M365 Identity Login from Atypical Travel Location | T1078, T1078.004 | New Terms | Medium | GitHub
M365 Identity Login from Impossible Travel Location | T1078, T1078.004 | Threshold | Medium | GitHub
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs | T1528, T1550, T1550.001, T1566, T1566.002 | ES|QL | High | GitHub
M365 Identity OAuth Flow by User Sign-in to Device Registration | T1098, T1098.005, T1528, T1566, T1566.002 | EQL | High | GitHub
M365 Identity OAuth Illicit Consent Grant by Rare Client and User | T1528, T1566, T1566.002 | New Terms | Medium | GitHub
M365 Identity OAuth Phishing via First-Party Microsoft Application | T1078, T1078.004, T1566, T1566.002 | Custom Query | Medium | GitHub
M365 Identity Unusual SSO Authentication Errors for User | T1078, T1078.004, T1566 | New Terms | Medium | GitHub
M365 or Entra ID Identity Sign-in from a Suspicious Source | T1078 | ES|QL | High | GitHub
M365 Purview Security Compliance Signal | - | Custom Query | Low | GitHub
M365 Quarantine and Hygiene Signal | T1566 | Custom Query | Low | GitHub
M365 Threat Intelligence Signal | T1204, T1566 | Custom Query | Low | GitHub
Microsoft Exchange Server UM Spawning Suspicious Processes | T1190, T1210 | EQL | Medium | GitHub
Microsoft Exchange Server UM Writing Suspicious Files | T1190, T1210 | EQL | Medium | GitHub
Microsoft Exchange Worker Spawning Suspicious Processes | T1059, T1059.001, T1059.003, T1190 | EQL | High | GitHub
Microsoft Graph Request User Impersonation by Unusual Client | T1078, T1078.004, T1528 | New Terms | Low | GitHub
Mounting Hidden or WebDav Remote Shares | T1021, T1021.002, T1078, T1078.003, T1087, T1087.001, T1087.002 | EQL | Medium | GitHub
Network Traffic to Rare Destination Country | T1041, T1048, T1071, T1105, T1566, T1566.001, T1566.002 | Machine Learning | Low | GitHub
New GitHub Self Hosted Action Runner | T1195, T1195.002 | New Terms | Medium | GitHub
New Okta Authentication Behavior Detected | - | Custom Query | Low | GitHub
New USB Storage Device Mounted | T1052, T1052.001, T1091 | New Terms | Low | GitHub
Okta Admin Console Login Failure | T1078, T1110 | Custom Query | Low | GitHub
Okta Alerts Following Unusual Proxy Authentication | T1078, T1078.004 | EQL | High | GitHub
Okta FastPass Phishing Detection | T1566 | Custom Query | Medium | GitHub
Okta Sign-In Events via Third-Party IdP | T1199 | New Terms | Medium | GitHub
Okta Successful Login After Credential Attack | T1078, T1078.004, T1110, T1110.001, T1110.003, T1110.004 | ES|QL | High | GitHub
Okta User Sessions Started from Different Geolocations | T1078, T1078.004 | ES|QL | Medium | GitHub
Ollama API Accessed from External Network | T1190 | EQL | Medium | GitHub
Ollama DNS Query to Untrusted Domain | T1105, T1195, T1195.002 | EQL | Low | GitHub
Potential Buffer Overflow Attack Detected | T1068, T1190 | Threshold | Low | GitHub
Potential CVE-2025-33053 Exploitation | T1218, T1566, T1566.001, T1566.002 | EQL | High | GitHub
Potential Execution via FileFix Phishing Attack | T1059, T1059.001, T1059.003, T1218, T1218.005, T1566, T1566.001 | EQL | High | GitHub
Potential Fake CAPTCHA Phishing Attack | T1059, T1059.001, T1059.003, T1218, T1218.005, T1566, T1566.001 | EQL | High | GitHub
Potential Foxmail Exploitation | T1189, T1203 | EQL | High | GitHub
Potential Masquerading as Business App Installer | T1036, T1036.001, T1036.005, T1189, T1204, T1204.002 | EQL | Low | GitHub
Potential Process Injection from Malicious Document | T1055, T1566, T1566.001 | EQL | Low | GitHub
Potential Remote File Execution via MSIEXEC | T1218, T1218.007, T1566, T1566.002 | EQL | Low | GitHub
Potential Telnet Authentication Bypass (CVE-2026-24061) | T1190, T1210 | EQL | Critical | GitHub
Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771) | T1190 | Custom Query | Low | GitHub
Potential VIEWSTATE RCE Attempt on SharePoint/IIS | T1190 | Custom Query | Medium | GitHub
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation | T1190, T1505, T1505.003 | EQL | High | GitHub
Rare User Logon | T1078, T1078.002, T1078.003 | Machine Learning | Low | GitHub
RDP (Remote Desktop Protocol) from the Internet | T1021, T1190 | Custom Query | Medium | GitHub
React2Shell (CVE-2025-55182) Exploitation Attempt | T1059, T1059.007, T1190 | EQL | High | GitHub
React2Shell Network Security Alert | T1059, T1059.007, T1190 | Custom Query | High | GitHub
Remote Desktop File Opened from Suspicious Path | T1566, T1566.001 | EQL | Medium | GitHub
Remote GitHub Actions Runner Registration | T1059, T1195, T1195.002 | EQL | Medium | GitHub
Remote XSL Script Execution via COM | T1220, T1566, T1566.002 | EQL | Low | GitHub
RPC (Remote Procedure Call) from the Internet | T1190 | Custom Query | High | GitHub
RPC (Remote Procedure Call) to the Internet | T1190 | Custom Query | High | GitHub
RPM Package Installed by Unusual Parent Process | T1195, T1195.002, T1543, T1546, T1546.016, T1574 | New Terms | Low | GitHub
ScreenConnect Server Spawning Suspicious Processes | T1059, T1059.001, T1059.003, T1190 | EQL | High | GitHub
SMB (Windows File Sharing) Activity to the Internet | T1048, T1190 | New Terms | Medium | GitHub
SolarWinds Process Disabling Services via Registry | T1112, T1195, T1195.002, T1562, T1562.001 | EQL | Medium | GitHub
Successful Application SSO from Rare Unknown Client Device | T1078 | New Terms | Medium | GitHub
Successful SSH Authentication from Unusual IP Address | T1078 | New Terms | Low | GitHub
Successful SSH Authentication from Unusual SSH Public Key | T1078 | New Terms | Low | GitHub
Successful SSH Authentication from Unusual User | T1078 | New Terms | Low | GitHub
SUNBURST Command and Control Activity | T1071, T1071.001, T1195, T1195.002 | EQL | High | GitHub
Suspicious Activity Reported by Okta User | T1078 | Custom Query | Medium | GitHub
Suspicious Browser Child Process | T1189, T1203 | EQL | High | GitHub
Suspicious Child Execution via Web Server | T1190, T1505, T1505.003 | EQL | Medium | GitHub
Suspicious Execution from INET Cache | T1105, T1566, T1566.001 | EQL | High | GitHub
Suspicious Execution via Microsoft Office Add-Ins | T1137, T1137.006, T1566, T1566.001 | EQL | Medium | GitHub
Suspicious Explorer Child Process | T1059, T1059.001, T1059.003, T1059.005, T1218, T1566, T1566.001, T1566.002 | EQL | Medium | GitHub
Suspicious HTML File Creation | T1027, T1027.006, T1566, T1566.001, T1566.002 | EQL | Medium | GitHub
Suspicious JetBrains TeamCity Child Process | T1059, T1059.001, T1059.003, T1190 | EQL | Medium | GitHub
Suspicious macOS MS Office Child Process | T1566, T1566.001 | EQL | Medium | GitHub
Suspicious MS Office Child Process | T1059, T1059.001, T1059.003, T1218, T1566, T1566.001 | EQL | Medium | GitHub
Suspicious MS Outlook Child Process | T1059, T1059.001, T1059.003, T1218, T1566, T1566.001 | EQL | Low | GitHub
Suspicious PDF Reader Child Process | T1203, T1566, T1566.001 | EQL | Low | GitHub
Suspicious React Server Child Process | T1190 | EQL | High | GitHub
Suspicious SolarWinds Child Process | T1106, T1195, T1195.002 | EQL | Medium | GitHub
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process | T1190 | EQL | High | GitHub
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners | T1059, T1195, T1195.001, T1562, T1562.001 | EQL | Medium | GitHub
Telnet Authentication Bypass via User Environment Variable | T1190, T1210 | EQL | Critical | GitHub
Unauthorized Access to an Okta Application | T1078 | Custom Query | Low | GitHub
Unusual AWS Command for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual Azure Activity Logs Event for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual City For a GCP Event | T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual City For an AWS Command | T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual City for an Azure Activity Logs Event | T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual Country For a GCP Event | T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual Country For an AWS Command | T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual Country for an Azure Activity Logs Event | T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual DPKG Execution | T1195, T1195.002, T1543, T1546, T1546.016, T1574 | EQL | Medium | GitHub
Unusual Execution via Microsoft Common Console File | T1204, T1204.002, T1566, T1566.001, T1566.002 | EQL | High | GitHub
Unusual GCP Event for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub
Unusual Hour for a User to Logon | T1078 | Machine Learning | Low | GitHub
Unusual Linux Username | T1078 | Machine Learning | Low | GitHub
Unusual Network Destination Domain Name | T1041, T1071, T1071.001, T1566, T1566.001, T1566.002 | Machine Learning | Low | GitHub
Unusual Source IP for a User to Logon from | T1078 | Machine Learning | Low | GitHub
Unusual Windows Remote User | T1078 | Machine Learning | Low | GitHub
Unusual Windows Username | T1078, T1078.002, T1078.003 | Machine Learning | Low | GitHub
VNC (Virtual Network Computing) from the Internet | T1190, T1219 | Custom Query | High | GitHub
Web Shell Detection: Script Process Child of Common Web Processes | T1047, T1059, T1059.001, T1059.003, T1059.005, T1190, T1505, T1505.003 | New Terms | High | GitHub
Windows Script Executing PowerShell | T1059, T1059.001, T1059.005, T1566, T1566.001 | EQL | Low | GitHub
Windows Script Interpreter Executing Process via WMI | T1047, T1059, T1059.005, T1566, T1566.001 | EQL | Medium | GitHub
Windows Server Update Service Spawning Suspicious Processes | T1059, T1059.001, T1059.003, T1190 | EQL | High | GitHub
WPS Office Exploitation via DLL Hijack | T1189, T1203 | EQL | High | GitHub
Zoom Meeting with no Passcode | T1190 | Custom Query | Medium | GitHub

Execution (TA0002)

Rules detecting techniques adversaries use to run malicious code, including command and scripting interpreters, scheduled jobs, container and cloud execution services, and abuse of native OS utilities.

Name | Technique | Rule Type | Severity | Source
Abnormal Process ID or Lock File Created | T1106 | New Terms | Medium | GitHub
Anomalous Process For a Windows Population | T1204, T1204.002, T1543 | Machine Learning | Low | GitHub
Anomalous React Server Components Flight Data Patterns | T1059, T1059.007, T1190 | EQL | Low | GitHub
Apple Script Execution followed by Network Connection | T1059, T1059.002, T1105 | EQL | Medium | GitHub
Apple Scripting Execution with Administrator Privileges | T1059, T1078 | EQL | Medium | GitHub
At Job Created or Modified | T1053, T1053.002 | EQL | Medium | GitHub
At.exe Command Lateral Movement | T1021, T1053, T1053.002, T1053.005 | EQL | Low | GitHub
AWS Lambda Function Created or Updated | T1648 | Custom Query | Low | GitHub
AWS Lambda Layer Added to Existing Function | T1648 | Custom Query | Low | GitHub
AWS SSM SendCommand Execution by Rare User | T1651 | New Terms | Low | GitHub
AWS SSM SendCommand with Run Shell Command Parameters | T1651 | New Terms | Medium | GitHub
AWS SSM Command Document Created by Rare User | T1651 | New Terms | Low | GitHub
Azure Automation Runbook Created or Modified | T1648 | Custom Query | Low | GitHub
Azure Compute VM Command Executed | T1651 | Custom Query | Medium | GitHub
Base64 Decoded Payload Piped to Interpreter | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | High | GitHub
Binary Content Copy via Cmd.exe | T1059, T1059.003, T1140 | EQL | Low | GitHub
Binary Executed from Shared Memory Directory | T1059 | EQL | High | GitHub
Boot File Copy | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub
BPF filter applied using TC | T1059, T1059.004 | EQL | High | GitHub
Clearing Windows Console History | T1059, T1059.001, T1070, T1070.003 | EQL | Medium | GitHub
Command and Scripting Interpreter via Windows Scripts | T1059, T1059.001, T1059.003, T1059.005 | EQL | High | GitHub
Command Execution via SolarWinds Process | T1059, T1059.001, T1059.003, T1195, T1195.002 | EQL | Medium | GitHub
Command Line Obfuscation via Whitespace Padding | T1027, T1059, T1059.001, T1140 | ES|QL | Medium | GitHub
Command Shell Activity Started via RunDLL32 | T1059, T1059.001, T1059.003, T1218, T1218.011, T1552 | EQL | Low | GitHub
Conhost Spawned By Suspicious Parent Process | T1036, T1055, T1059 | EQL | High | GitHub
Container Management Utility Execution Detected via Defend for Containers | T1609 | EQL | Low | GitHub
Container Management Utility Run Inside A Container | T1609 | EQL | Low | GitHub
Creation of Hidden Login Item via Apple Script | T1059, T1059.002, T1547, T1647 | EQL | Medium | GitHub
Creation of SettingContent-ms Files | T1204, T1204.002, T1566, T1566.001 | EQL | Low | GitHub
Cron Job Created or Modified | T1053, T1053.003 | EQL | Medium | GitHub
Cupsd or Foomatic-rip Shell Execution | T1203 | EQL | High | GitHub
Curl or Wget Egress Network Connection via LoLBin | T1059, T1059.004, T1218 | EQL | Medium | GitHub
Delayed Execution via Ping | T1059, T1059.001, T1059.005, T1216, T1218, T1218.003, T1218.004, T1218.005, T1218.009, T1218.010, T1218.011, T1220, T1497, T1497.003 | EQL | Low | GitHub
Deprecated - EggShell Backdoor Execution | T1059, T1059.006 | Custom Query | High | GitHub
Deprecated - Microsoft Exchange Transport Agent Install Script | T1059, T1059.001, T1505, T1505.002 | Custom Query | Low | GitHub
Deprecated - Potential PowerShell Obfuscated Script | T1027, T1059, T1059.001, T1140 | Custom Query | Low | GitHub
Deprecated - PowerShell Script with Discovery Capabilities | T1007, T1012, T1049, T1057, T1059, T1059.001, T1082, T1083, T1087, T1087.001, T1087.002, T1135, T1201, T1482, T1518, T1518.001, T1615 | Custom Query | Low | GitHub
Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM | T1021, T1021.006, T1059, T1059.001 | Custom Query | Low | GitHub
Disabling Windows Defender Security Settings via PowerShell | T1059, T1059.001, T1562, T1562.001 | EQL | Medium | GitHub
Downloaded Shortcut Files | T1204, T1204.002, T1566, T1566.001, T1566.002 | EQL | Medium | GitHub
Downloaded URL Files | T1204, T1566, T1566.001, T1566.002 | EQL | Medium | GitHub
Dracut Module Creation | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub
Dynamic Linker (ld.so) Creation | T1059, T1059.004, T1218, T1574, T1574.006 | EQL | Medium | GitHub
Egress Connection from Entrypoint in Container | T1059, T1059.004, T1611 | EQL | Medium | GitHub
Elastic Defend Alert Followed by Telemetry Loss | T1204, T1204.002, T1562, T1562.001 | EQL | High | GitHub
Encoded Payload Detected via Defend for Containers | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Medium | GitHub
Enumeration Command Spawned via WMIPrvSE | T1016, T1016.001, T1018, T1047, T1057, T1087, T1518 | EQL | Low | GitHub
Executable File Creation with Multiple Extensions | T1036, T1036.007, T1204, T1204.002 | EQL | Medium | GitHub
Executable File Download via Wget | T1105, T1204, T1204.002 | EQL | Medium | GitHub
Execution from Unusual Directory - Command Line | T1036, T1036.005, T1059, T1059.003 | EQL | Medium | GitHub
Execution of a Downloaded Windows Script | T1059, T1059.003, T1059.005, T1059.007, T1218, T1218.005 | EQL | Medium | GitHub
Execution of an Unsigned Service | T1036, T1036.001, T1569, T1569.002 | New Terms | Low | GitHub
Execution of COM object via Xwizard | T1559, T1559.001 | EQL | Medium | GitHub
Execution of File Written or Modified by Microsoft Office | T1566, T1566.001, T1566.002 | EQL | High | GitHub
Execution via Electron Child Process Node.js Module | T1059, T1548 | EQL | Medium | GitHub
Execution via GitHub Actions Runner | T1059, T1195, T1195.002 | EQL | Medium | GitHub
Execution via local SxS Shared Module | T1129 | EQL | Medium | GitHub
Execution via MS VisualStudio Pre/Post Build Events | T1127, T1127.001 | EQL | Low | GitHub
Execution via MSSQL xp_cmdshell Stored Procedure | T1059, T1059.003, T1505, T1505.001 | New Terms | Medium | GitHub
Execution via OpenClaw Agent | T1059, T1059.007, T1071, T1071.001 | EQL | Medium | GitHub
Execution with Explicit Credentials via Scripting | T1059, T1078, T1548, T1548.004 | EQL | Medium | GitHub
Exploit - Detected - Elastic Endgame | T1068 | Custom Query | High | GitHub
Exploit - Prevented - Elastic Endgame | T1068 | Custom Query | Medium | GitHub
Exporting Exchange Mailbox via PowerShell | T1005, T1059, T1059.001, T1114, T1114.002 | EQL | Medium | GitHub
File Creation and Execution Detected via Defend for Containers | T1059, T1059.004, T1071 | EQL | Medium | GitHub
File Creation by Cups or Foomatic-rip Child | T1203 | EQL | Medium | GitHub
File Creation in /var/log via Suspicious Process | T1059, T1059.004, T1564, T1564.001 | New Terms | Medium | GitHub
File Creation, Execution and Self-Deletion in Suspicious Directory | T1059, T1059.004 | EQL | High | GitHub
File Download Detected via Defend for Containers | T1059, T1059.004, T1071, T1071.001 | EQL | Medium | GitHub
File Execution Permission Modification Detected via Defend for Containers | T1059, T1222, T1222.002 | EQL | Low | GitHub
File Transfer or Listener Established via Netcat | T1059, T1059.004 | EQL | Medium | GitHub
File Transfer Utility Launched from Unusual Parent | - | ES|QL | Medium | GitHub
File with Right-to-Left Override Character (RTLO) Created/Executed | T1036, T1036.002, T1204, T1204.002 | EQL | Medium | GitHub
First Occurrence GitHub Event for a Personal Access Token (PAT) | T1648 | New Terms | Low | GitHub
First Occurrence of GitHub Repo Interaction From a New IP | T1648 | New Terms | Low | GitHub
First Occurrence of GitHub User Interaction with Private Repo | T1648 | New Terms | Low | GitHub
First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) | T1648 | New Terms | Low | GitHub
First Time AWS CloudFormation Stack Creation | T1648 | New Terms | Medium | GitHub
GenAI or MCP Server Child Process Execution | T1059 | EQL | Low | GitHub
Git Hook Child Process | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub
Git Hook Command Execution | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub
Git Hook Created or Modified | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub
Git Hook Egress Network Connection | T1059, T1059.004, T1543, T1574 | EQL | Medium | GitHub
GitHub Actions Unusual Bot Push to Repository | T1059, T1195, T1195.002 | New Terms | Low | GitHub
GitHub Actions Workflow Modification Blocked | T1059, T1195, T1195.002, T1546 | ES|QL | Medium | GitHub
Github Activity on a Private Repository from an Unusual IP | T1059, T1195, T1195.002 | New Terms | Low | GitHub
GitHub App Deleted | T1648 | EQL | Low | GitHub
GitHub Repo Created | T1648 | EQL | Low | GitHub
GitHub UEBA - Multiple Alerts from a GitHub Account | - | Threshold | Medium | GitHub
Google Calendar C2 via Script Interpreter | T1059, T1059.006, T1059.007, T1102, T1102.002 | EQL | High | GitHub
High Number of Cloned GitHub Repos From PAT | T1648 | Threshold | Low | GitHub
Incoming Execution via PowerShell Remoting | T1021, T1021.006, T1059, T1059.001 | EQL | Medium | GitHub
Initramfs Unpacking via unmkinitramfs | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub
Interactive Exec Into Container Detected via Defend for Containers | T1059, T1059.004, T1609 | EQL | Low | GitHub
Interactive Shell Launched via Unusual Parent Process in a Container | T1059, T1059.004 | New Terms | Medium | GitHub
Interactive Shell Spawn Detected via Defend for Containers | T1059, T1059.004 | EQL | Low | GitHub
Interactive Terminal Spawned via Perl | T1059 | EQL | High | GitHub
Interactive Terminal Spawned via Python | T1059, T1059.006 | EQL | High | GitHub
Kill Command Execution | T1059, T1059.004, T1562, T1562.006, T1564, T1564.001 | New Terms | Low | GitHub
Kubectl Apply Pod from URL | T1609, T1610 | EQL | Low | GitHub
Kubernetes Anonymous User Create/Update/Patch Pods Request | - | EQL | Medium | GitHub
Kubernetes Container Created with Excessive Linux Capabilities | T1610, T1611 | Custom Query | Medium | GitHub
Kubernetes Direct API Request via Curl or Wget | T1059, T1059.004, T1613 | EQL | Medium | GitHub
Kubernetes Forbidden Creation Request | - | EQL | Medium | GitHub
Kubernetes Forbidden Request from Unusual User Agent | - | New Terms | Medium | GitHub
Kubernetes Pod Created with a Sensitive hostPath Volume | T1610, T1611 | Custom Query | Medium | GitHub
Kubernetes Pod Created With HostIPC | T1610, T1611 | Custom Query | Medium | GitHub
Kubernetes Pod Created With HostNetwork | T1610, T1611 | Custom Query | Medium | GitHub
Kubernetes Pod Created With HostPID | T1610, T1611 | Custom Query | Medium | GitHub
Kubernetes Privileged Pod Created | T1610, T1611 | Custom Query | Medium | GitHub
Kubernetes Unusual Decision by User Agent | - | New Terms | Low | GitHub
Kubernetes User Exec into Pod | T1609 | EQL | Medium | GitHub
Linux Restricted Shell Breakout via Linux Binary(s) | T1059, T1059.004 | EQL | Medium | GitHub
LSASS Process Access via Windows API | T1003, T1003.001, T1106 | ES|QL | Medium | GitHub
M365 AIR Investigation Signal | T1204, T1566 | Custom Query | Low | GitHub
M365 Defender Alerts Signal | - | Custom Query | Low | GitHub
M365 Threat Intelligence Signal | T1204, T1566 | Custom Query | Low | GitHub
Malicious File - Detected - Elastic Defend | T1204, T1204.002 | Custom Query | Medium | GitHub
Malicious File - Prevented - Elastic Defend | T1204, T1204.002 | Custom Query | Low | GitHub
Manual Dracut Execution | T1059, T1059.004, T1542 | EQL | Low | GitHub
Memory Swap Modification | T1059, T1059.004, T1496 | EQL | Medium | GitHub
Microsoft Build Engine Started by a Script Process | T1059, T1059.001, T1059.003, T1059.005, T1127, T1127.001 | New Terms | Medium | GitHub
Microsoft Build Engine Started by a System Process | T1127, T1127.001 | EQL | Medium | GitHub
Microsoft Build Engine Started by an Office Application | T1127, T1127.001 | EQL | High | GitHub
Microsoft Exchange Worker Spawning Suspicious Processes | T1059, T1059.001, T1059.003, T1190 | EQL | High | GitHub
Microsoft Management Console File from Unusual Path | T1059, T1059.005, T1059.007, T1218, T1218.014 | EQL | Medium | GitHub
Modification of Persistence Relevant Files Detected via Defend for Containers | T1037, T1053, T1053.003, T1543, T1546, T1546.004, T1548, T1548.003 | EQL | Low | GitHub
Mofcomp Activity | T1047, T1546, T1546.003 | EQL | Low | GitHub
MS Office Macro Security Registry Modifications | T1112, T1204, T1204.002 | EQL | Medium | GitHub
Multi-Base64 Decoding Attempt from Suspicious Location | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Medium | GitHub
Netcat File Transfer or Listener Detected via Defend for Containers | T1059, T1059.004 | EQL | Medium | GitHub
Netcat Listener Established via rlwrap | T1059, T1059.004 | EQL | Medium | GitHub
Network Connection by Cups or Foomatic-rip Child | T1203 | EQL | High | GitHub
Network Connection from Binary with RWX Memory Region | T1059, T1059.004, T1071 | EQL | Medium | GitHub
Network Connection via Compiled HTML File | T1204, T1204.002, T1218, T1218.001 | EQL | Low | GitHub
Network Connection via Recently Compiled Executable | T1059, T1059.004, T1071 | EQL | Medium | GitHub
Network Connection via Registration Utility | T1218, T1218.009, T1218.010 | EQL | Low | GitHub
NetworkManager Dispatcher Script Creation | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub
New ActiveSyncAllowedDeviceID Added via PowerShell | T1059, T1059.001, T1098, T1098.002 | EQL | Medium | GitHub
New GitHub App Installed | T1072 | EQL | Medium | GitHub
Node.js Pre or Post-Install Script Execution | T1059, T1059.004, T1204, T1204.005, T1543, T1574 | EQL | Medium | GitHub
Openssl Client or Server Activity | T1059, T1059.004, T1071 | EQL | Medium | GitHub
Outbound Scheduled Task Activity via PowerShell | T1053, T1053.005, T1059, T1059.001 | EQL | Medium | GitHub
Payload Execution via Shell Pipe Detected by Defend for Containers | T1059, T1059.004, T1071 | EQL | Medium | GitHub
Perl Outbound Network Connection | T1059, T1071, T1071.001 | EQL | Medium | GitHub
Persistence via Folder Action Script | T1037, T1059 | EQL | Medium | GitHub
Persistence via Hidden Run Key Detected | T1106, T1112, T1547, T1547.001 | EQL | High | GitHub
Persistence via WMI Event Subscription | T1047, T1546, T1546.003 | EQL | Low | GitHub
Persistence via WMI Standard Registry Provider | T1047, T1543, T1543.003, T1547, T1547.001 | EQL | High | GitHub
Pod or Container Creation with Suspicious Command-Line | T1053, T1053.002, T1053.003, T1059, T1059.004, T1609, T1611 | EQL | Medium | GitHub
Potential Code Execution via Postgresql | T1059, T1059.004 | EQL | Medium | GitHub
Potential Command and Control via Internet Explorer | T1071, T1559, T1559.001 | EQL | Medium | GitHub
Potential Command Shell via NetCat | T1059, T1059.001, T1059.003 | EQL | High | GitHub
Potential Credential Access via LSASS Memory Dump | T1003, T1003.001, T1106 | EQL | High | GitHub
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers | T1059, T1059.004, T1613 | EQL | Medium | GitHub
Potential Etherhiding C2 via Blockchain Connection | T1059, T1059.004, T1059.006, T1059.007, T1102, T1102.002 | EQL | High | GitHub
Potential Execution via FileFix Phishing Attack | T1059, T1059.001, T1059.003, T1218, T1218.005, T1566, T1566.001 | EQL | High | GitHub
Potential Fake CAPTCHA Phishing Attack | T1059, T1059.001, T1059.003, T1218, T1218.005, T1566, T1566.001 | EQL | High | GitHub
Potential Foxmail Exploitation | T1189, T1203 | EQL | High | GitHub
Potential Git CVE-2025-48384 Exploitation | T1203 | EQL | High | GitHub
Potential Hex Payload Execution via Command-Line | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Low | GitHub
Potential Hex Payload Execution via Common Utility | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Low | GitHub
Potential JAVA/JNDI Exploitation Attempt | T1059, T1059.007, T1203 | EQL | High | GitHub
Potential Linux Hack Tool Launched | - | EQL | Medium | GitHub
Potential Malicious PowerShell Based on Alert Correlation | T1059, T1059.001 | ES|QL | High | GitHub
Potential Malware-Driven SSH Brute Force Attempt | T1059, T1059.004, T1071, T1496 | ES|QL | Medium | GitHub
Potential Masquerading as Business App Installer | T1036, T1036.001, T1036.005, T1189, T1204, T1204.002 | EQL | Low | GitHub
Potential Meterpreter Reverse Shell | T1059, T1059.004, T1071 | EQL | High | GitHub
Potential Notepad Markdown RCE Exploitation | T1203 | EQL | High | GitHub
Potential PowerShell HackTool Script by Author | T1059, T1059.001 | Custom Query | High | GitHub
Potential PowerShell HackTool Script by Function Names | T1059, T1059.001 | Custom Query | Medium | GitHub
Potential PowerShell Obfuscated Script via High Entropy | T1027, T1059, T1059.001, T1140 | Custom Query | Low | GitHub
Potential PowerShell Obfuscation via High Numeric Character Proportion | T1027, T1059, T1059.001, T1140 | ES|QL | Low | GitHub
Potential PowerShell Pass-the-Hash/Relay Script | T1059, T1059.001, T1550, T1550.002, T1557 | Custom Query | High | GitHub
Potential Privilege Escalation via Service ImagePath Modification | T1543, T1543.003, T1569, T1569.002, T1574, T1574.011 | EQL | Medium | GitHub
Potential Process Injection via PowerShell | T1055, T1055.001, T1055.002, T1059, T1059.001, T1106 | Custom Query | High | GitHub
Potential Reverse Shell | T1059, T1059.004, T1071 | EQL | High | GitHub
Potential Reverse Shell Activity via Terminal | T1059 | EQL | High | GitHub
Potential Reverse Shell via Background Process | T1059, T1059.004, T1071 | EQL | High | GitHub
Potential Reverse Shell via Child | T1059, T1059.004, T1071 | EQL | High | GitHub
Potential Reverse Shell via Java T1059, T1059.004, T1071 EQL Medium GitHub ↗
Potential Reverse Shell via Suspicious Binary T1059, T1059.004, T1071 EQL High GitHub ↗
Potential Reverse Shell via Suspicious Child Process T1059, T1059.004, T1071 EQL High GitHub ↗
Potential Reverse Shell via UDP T1059, T1059.004, T1071 EQL Medium GitHub ↗
Potential SAP NetWeaver Exploitation T1059, T1059.007, T1203 EQL High GitHub ↗
Potential SAP NetWeaver WebShell Creation T1059, T1059.007, T1203 EQL High GitHub ↗
Potential Shell via Wildcard Injection Detected T1059, T1068 EQL Medium GitHub ↗
Potential Upgrade of Non-interactive Shell T1059, T1059.004 EQL Medium GitHub ↗
Potential Veeam Credential Access Command T1003, T1059, T1059.001, T1555 EQL Medium GitHub ↗
Potential Widespread Malware Infection Across Multiple Hosts T1204, T1204.002 ES|QL High GitHub ↗
PowerShell Invoke-NinjaCopy script T1003, T1003.002, T1003.003, T1006, T1059, T1059.001 Custom Query High GitHub ↗
PowerShell Kerberos Ticket Dump T1003, T1059, T1059.001, T1558 Custom Query High GitHub ↗
PowerShell Kerberos Ticket Request T1003, T1059, T1059.001, T1558, T1558.003 Custom Query High GitHub ↗
PowerShell Keylogging Script T1056, T1056.001, T1059, T1059.001, T1106 Custom Query High GitHub ↗
PowerShell Mailbox Collection Script T1059, T1059.001, T1114, T1114.001, T1114.002 Custom Query Medium GitHub ↗
PowerShell MiniDump Script T1003, T1003.001, T1059, T1059.001 Custom Query High GitHub ↗
PowerShell PSReflect Script T1059, T1059.001, T1106 Custom Query High GitHub ↗
PowerShell Script with Log Clear Capabilities T1059, T1059.001, T1070, T1070.001 Custom Query Low GitHub ↗
PowerShell Script with Password Policy Discovery Capabilities T1059, T1059.001, T1201 Custom Query Low GitHub ↗
PowerShell Script with Token Impersonation Capabilities T1059, T1059.001, T1106, T1134, T1134.001 Custom Query Medium GitHub ↗
PowerShell Script with Veeam Credential Access Capabilities T1003, T1059, T1059.001, T1555 Custom Query Medium GitHub ↗
PowerShell Script with Webcam Video Capture Capabilities T1059, T1059.001, T1125 Custom Query Medium GitHub ↗
PowerShell Script with Windows Defender Tampering Capabilities T1059, T1059.001, T1562, T1562.001 Custom Query Medium GitHub ↗
PowerShell Share Enumeration Script T1039, T1059, T1059.001, T1106, T1135 Custom Query High GitHub ↗
PowerShell Suspicious Discovery Related Windows API Functions T1039, T1059, T1059.001, T1069, T1069.001, T1087, T1087.001, T1106, T1135, T1482 Custom Query Low GitHub ↗
PowerShell Suspicious Payload Encoded and Compressed T1027, T1059, T1059.001, T1140 Custom Query High GitHub ↗
PowerShell Suspicious Script with Audio Capture Capabilities T1059, T1059.001, T1106, T1123 Custom Query High GitHub ↗
PowerShell Suspicious Script with Clipboard Retrieval Capabilities T1059, T1059.001, T1115 Custom Query Medium GitHub ↗
PowerShell Suspicious Script with Screenshot Capabilities T1059, T1059.001, T1113 Custom Query High GitHub ↗
Printer User (lp) Shell Execution T1203 EQL High GitHub ↗
Privileged Container Creation with Host Directory Mount T1059, T1059.004, T1609, T1611 EQL High GitHub ↗
Privileged Docker Container Creation T1059, T1059.004, T1609, T1611 New Terms Medium GitHub ↗
Process Activity via Compiled HTML File T1204, T1204.002, T1218, T1218.001 EQL Medium GitHub ↗
Process Backgrounded by Unusual Parent T1059, T1564 New Terms Low GitHub ↗
Process Started from Process ID (PID) File T1059 EQL High GitHub ↗
Process Started with Executable Stack T1059, T1059.004 Custom Query Low GitHub ↗
Proxy Shell Execution via Busybox T1059, T1059.004, T1218 EQL Low GitHub ↗
PsExec Network Connection T1021, T1021.002, T1569, T1569.002, T1570 EQL Low GitHub ↗
Python Path File (pth) Creation T1059, T1059.004, T1546, T1546.018, T1574 EQL Low GitHub ↗
Python Site or User Customize File Creation T1059, T1059.004, T1546, T1546.018, T1574 EQL Low GitHub ↗
React2Shell (CVE-2025-55182) Exploitation Attempt T1059, T1059.007, T1190 EQL High GitHub ↗
React2Shell Network Security Alert T1059, T1059.007, T1190 Custom Query High GitHub ↗
Remote File Download via PowerShell T1059, T1059.001, T1105 EQL Medium GitHub ↗
Remote File Download via Script Interpreter T1059, T1059.005, T1105 EQL Medium GitHub ↗
Remote GitHub Actions Runner Registration T1059, T1195, T1195.002 EQL Medium GitHub ↗
Remote Scheduled Task Creation T1021, T1053, T1053.005 EQL Medium GitHub ↗
Remote Scheduled Task Creation via RPC T1021, T1053, T1053.005 EQL Medium GitHub ↗
Root Network Connection via GDB CAP_SYS_PTRACE T1055, T1055.008, T1059, T1059.004, T1068, T1071 EQL Medium GitHub ↗
Scheduled Task Created by a Windows Script T1053, T1053.005, T1059, T1059.001, T1059.005 EQL Medium GitHub ↗
Scheduled Tasks AT Command Enabled T1053, T1053.002, T1562, T1562.001 EQL Medium GitHub ↗
ScreenConnect Server Spawning Suspicious Processes T1059, T1059.001, T1059.003, T1190 EQL High GitHub ↗
Script Interpreter Connection to Non-Standard Port T1059, T1059.006, T1059.007, T1571 EQL Medium GitHub ↗
Security Software Discovery using WMIC T1047, T1518, T1518.001 EQL Medium GitHub ↗
Segfault Detected Custom Query Low GitHub ↗
Service Command Lateral Movement T1021, T1543, T1543.003, T1569, T1569.002 EQL Low GitHub ↗
Service Control Spawned via Script Interpreter T1047, T1059, T1059.001, T1059.003, T1059.005, T1218, T1218.010, T1218.011, T1543, T1543.003 EQL Low GitHub ↗
Shell Execution via Apple Scripting T1059 EQL Medium GitHub ↗
Simple HTTP Web Server Connection T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
Simple HTTP Web Server Creation T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
Spike in host-based traffic T1041, T1068, T1204, T1498, T1499 Machine Learning Low GitHub ↗
Suspicious .NET Code Compilation T1027, T1027.004, T1059, T1059.005 EQL Medium GitHub ↗
Suspicious .NET Reflection via PowerShell T1055, T1055.001, T1055.002, T1059, T1059.001, T1620 Custom Query Medium GitHub ↗
Suspicious Apple Mail Rule Plist Modification T1204, T1546 EQL Medium GitHub ↗
Suspicious APT Package Manager Execution T1059, T1059.004, T1543, T1546, T1546.016, T1574 EQL Low GitHub ↗
Suspicious Automator Workflows Execution T1059 EQL Medium GitHub ↗
Suspicious Browser Child Process T1189, T1203 EQL High GitHub ↗
Suspicious Cmd Execution via WMI T1047, T1059, T1059.003 EQL High GitHub ↗
Suspicious Command Prompt Network Connection T1059, T1105 EQL Low GitHub ↗
Suspicious Content Extracted or Decompressed via Funzip T1027, T1059, T1059.004, T1140 EQL Medium GitHub ↗
Suspicious Curl to Jamf Endpoint T1072 EQL High GitHub ↗
Suspicious Echo or Printf Execution Detected via Defend for Containers T1037, T1053, T1053.003, T1543, T1546, T1546.004 EQL High GitHub ↗
Suspicious Execution from a Mounted Device T1059, T1059.001, T1059.003, T1218, T1218.005, T1218.010, T1218.011 EQL Medium GitHub ↗
Suspicious Execution from a WebDav Share T1021, T1021.002, T1204, T1204.002, T1570 EQL High GitHub ↗
Suspicious Execution from Foomatic-rip or Cupsd Parent T1203 EQL High GitHub ↗
Suspicious Execution via Scheduled Task T1053, T1053.005 EQL Medium GitHub ↗
Suspicious Execution via Windows Subsystem for Linux T1059, T1059.004, T1202 EQL Low GitHub ↗
Suspicious Execution with NodeJS T1059, T1059.007 EQL High GitHub ↗
Suspicious Explorer Child Process T1059, T1059.001, T1059.003, T1059.005, T1218, T1566, T1566.001, T1566.002 EQL Medium GitHub ↗
Suspicious File Made Executable via Chmod Inside A Container T1059, T1222, T1222.002 EQL Low GitHub ↗
Suspicious Image Load (taskschd.dll) from MS Office T1053, T1053.005 EQL Low GitHub ↗
Suspicious Installer Package Spawns Network Event T1059, T1059.007, T1071, T1071.001 EQL Medium GitHub ↗
Suspicious Inter-Process Communication via Outlook T1114, T1114.001, T1559, T1559.001 EQL Medium GitHub ↗
Suspicious Interpreter Execution Detected via Defend for Containers T1059, T1059.004, T1059.006, T1059.011, T1071, T1071.001 EQL Medium GitHub ↗
Suspicious JetBrains TeamCity Child Process T1059, T1059.001, T1059.003, T1190 EQL Medium GitHub ↗
Suspicious Mining Process Creation Event T1059, T1059.004 EQL Medium GitHub ↗
Suspicious MS Office Child Process T1059, T1059.001, T1059.003, T1218, T1566, T1566.001 EQL Medium GitHub ↗
Suspicious MS Outlook Child Process T1059, T1059.001, T1059.003, T1218, T1566, T1566.001 EQL Low GitHub ↗
Suspicious Named Pipe Creation T1059, T1059.004, T1071 New Terms High GitHub ↗
Suspicious Path Invocation from Command Line T1059, T1059.004, T1564 New Terms Low GitHub ↗
Suspicious PDF Reader Child Process T1203, T1566, T1566.001 EQL Low GitHub ↗
Suspicious Portable Executable Encoded in Powershell Script T1055, T1059, T1059.001 Custom Query Medium GitHub ↗
Suspicious PowerShell Engine ImageLoad T1059, T1059.001 New Terms Medium GitHub ↗
Suspicious Powershell Script T1059, T1059.001 Machine Learning Low GitHub ↗
Suspicious Process Access via Direct System Call T1055, T1106 EQL High GitHub ↗
Suspicious Process Execution Detected via Defend for Containers T1059, T1059.004, T1071, T1620 EQL High GitHub ↗
Suspicious Process Execution via Renamed PsExec Executable T1036, T1036.003, T1569, T1569.002 EQL Medium GitHub ↗
Suspicious SolarWinds Child Process T1106, T1195, T1195.002 EQL Medium GitHub ↗
Suspicious System Commands Executed by Previously Unknown Executable T1059, T1059.004 New Terms Low GitHub ↗
Suspicious Windows Command Shell Arguments T1059, T1059.003 EQL High GitHub ↗
Suspicious WMI Image Load from MS Office T1047 EQL Low GitHub ↗
Suspicious WMIC XSL Script Execution T1047, T1220 EQL Medium GitHub ↗
Suspicious Zoom Child Process T1036, T1055, T1203 EQL Medium GitHub ↗
Svchost spawning Cmd T1059 New Terms Low GitHub ↗
System Binary Path File Permission Modification T1059 EQL Low GitHub ↗
System Information Discovery via Windows Command Shell T1059, T1059.003, T1082, T1083 EQL Low GitHub ↗
System Path File Creation and Execution Detected via Defend for Containers T1059, T1059.004, T1071 EQL Medium GitHub ↗
System Shells via Services T1059, T1059.001, T1059.003, T1543, T1543.003 EQL Medium GitHub ↗
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners T1059, T1195, T1195.001, T1562, T1562.001 EQL Medium GitHub ↗
Temporarily Scheduled Task Creation T1053, T1053.005 EQL Medium GitHub ↗
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer T1548, T1548.002, T1559, T1559.001 EQL Medium GitHub ↗
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface T1548, T1548.002, T1559, T1559.001 EQL High GitHub ↗
UAC Bypass via DiskCleanup Scheduled Task Hijack T1053, T1053.005, T1548, T1548.002 EQL Medium GitHub ↗
UAC Bypass via ICMLuaUtil Elevated COM Interface T1548, T1548.002, T1559, T1559.001 EQL High GitHub ↗
Uncommon Destination Port Connection by Web Server T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
Unix Socket Connection T1559 EQL Low GitHub ↗
Unknown Execution of Binary with RWX Memory Region T1059, T1059.004 New Terms Medium GitHub ↗
Unsigned DLL Loaded by Svchost T1036, T1036.001, T1543, T1543.003, T1569, T1569.002 EQL Medium GitHub ↗
Unusual Base64 Encoding/Decoding Activity T1027, T1059, T1059.004, T1140, T1204, T1204.002 ES|QL Low GitHub ↗
Unusual Command Execution from Web Server Parent T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual D-Bus Daemon Child Process T1059, T1059.004, T1543 EQL Low GitHub ↗
Unusual Executable File Creation by a System Critical Process T1203, T1211 EQL High GitHub ↗
Unusual Execution from Kernel Thread (kthreadd) Parent T1059, T1059.004 New Terms Medium GitHub ↗
Unusual Execution via Microsoft Common Console File T1204, T1204.002, T1566, T1566.001, T1566.002 EQL High GitHub ↗
Unusual File Creation by Web Server T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual Library Load via Python T1059, T1059.006 EQL High GitHub ↗
Unusual Parent Process for cmd.exe T1059 EQL Medium GitHub ↗
Unusual Pkexec Execution T1059, T1543 New Terms High GitHub ↗
Unusual Process Spawned from Web Server Parent T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual Web Server Command Execution T1059, T1059.004, T1071, T1505, T1505.003 New Terms Medium GitHub ↗
Unusual Windows Path Activity T1204, T1204.002, T1543, T1543.003 Machine Learning Low GitHub ↗
Veeam Backup Library Loaded by Unusual Process T1003, T1059, T1059.001, T1555 EQL Medium GitHub ↗
Volume Shadow Copy Deletion via PowerShell T1059, T1059.001, T1490 EQL High GitHub ↗
Volume Shadow Copy Deletion via WMIC T1047, T1490 EQL High GitHub ↗
Web Server Child Shell Spawn Detected via Defend for Containers T1059, T1059.004, T1071, T1505, T1505.003 EQL Medium GitHub ↗
Web Server Potential Command Injection Request T1059, T1059.004, T1071, T1505, T1505.003, T1595, T1595.002, T1595.003 ES|QL Low GitHub ↗
Web Server Spawned via Python T1059, T1059.006, T1570 EQL Medium GitHub ↗
Web Shell Detection: Script Process Child of Common Web Processes T1047, T1059, T1059.001, T1059.003, T1059.005, T1190, T1505, T1505.003 New Terms High GitHub ↗
Windows Defender Exclusions Added via PowerShell T1059, T1059.001, T1562, T1562.001, T1562.006 EQL Medium GitHub ↗
Windows Firewall Disabled via PowerShell T1059, T1059.001, T1562, T1562.004 EQL Medium GitHub ↗
Windows Script Executing PowerShell T1059, T1059.001, T1059.005, T1566, T1566.001 EQL Low GitHub ↗
Windows Script Execution from Archive T1059, T1059.005, T1059.007 EQL Medium GitHub ↗
Windows Script Interpreter Executing Process via WMI T1047, T1059, T1059.005, T1566, T1566.001 EQL Medium GitHub ↗
Windows Server Update Service Spawning Suspicious Processes T1059, T1059.001, T1059.003, T1190 EQL High GitHub ↗
WMI WBEMTEST Utility Execution T1047 EQL Low GitHub ↗
WMIC Remote Command T1021, T1021.006, T1047 EQL Low GitHub ↗
WPS Office Exploitation via DLL Hijack T1189, T1203 EQL High GitHub ↗
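The catalog is meant to be used for coverage assessment, and the quickest way to do that is to turn the rows into structured records. The following is an added example, not code from the catalog page or from the elastic/detection-rules repository. It assumes the row layout used on this page (rule name, comma-separated ATT&CK IDs, rule type, severity, then the GitHub link text), accepts rows either as bare lines or as pipe-delimited table rows, and uses a handful of rows copied from the tables on this page as constructed sample input; the threat-model technique list in the demo is made up. One caveat the code makes explicit: a rule mapped only to a parent technique (T1078) is not treated as covering a sub-technique you ask about (T1078.004), while a rule mapped to a sub-technique does count toward its parent.

```python
"""Parse rows copied from the prebuilt rule catalog and summarize ATT&CK coverage.

Added example, not code from the catalog or from elastic/detection-rules.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Rule types and severities used by the catalog (assumed complete for this example).
RULE_TYPES = ("EQL", "ES|QL", "Custom Query", "New Terms", "Machine Learning", "Threshold")
SEVERITIES = ("Low", "Medium", "High", "Critical")

# A catalog row with its table borders removed:
#   <name> [T-ids, comma separated] <rule type> <severity> GitHub ↗
# The name is matched lazily so it stops where the technique list / rule type begins.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?P<techniques>(?:T\d{4}(?:\.\d{3})?(?:,\s*)?)+)?\s*"
    r"(?P<rule_type>" + "|".join(re.escape(t) for t in RULE_TYPES) + r")\s+"
    r"(?P<severity>" + "|".join(SEVERITIES) + r")\s+GitHub\s*↗\s*$"
)


@dataclass(frozen=True)
class Rule:
    name: str
    techniques: tuple   # ATT&CK IDs exactly as listed, e.g. ("T1059", "T1059.001")
    rule_type: str
    severity: str


def _normalize(line):
    """Accept a bare row or a pipe-delimited table row; return the bare form."""
    line = line.strip()
    if line.startswith("|"):
        # split on unescaped pipes only, so an escaped ES\|QL cell survives intact
        cells = re.split(r"(?<!\\)\|", line.strip("|"))
        line = " ".join(c.strip().replace("\\|", "|") for c in cells if c.strip())
    return line


def parse_catalog(text):
    """Return one Rule per catalog row; header, separator, blank and prose lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = _normalize(raw)
        if not line.endswith("↗"):
            continue                      # not a table row
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable catalog row: {raw!r}")
        techs = tuple(t.strip() for t in (m["techniques"] or "").split(",") if t.strip())
        rules.append(Rule(m["name"], techs, m["rule_type"], m["severity"]))
    return rules


def covers(rule, technique):
    """True if the rule lists the technique itself or one of its sub-techniques.

    A rule mapped only to the parent (T1078) does NOT count as covering a
    sub-technique you ask about (T1078.004).
    """
    return any(t == technique or t.startswith(technique + ".") for t in rule.techniques)


def rules_for(rules, technique):
    return sorted(r.name for r in rules if covers(r, technique))


def coverage_by_technique(rules):
    """Rule count per listed ID; parents and sub-techniques are counted separately."""
    return Counter(t for r in rules for t in r.techniques)


def coverage_by_rule_type(rules):
    return Counter(r.rule_type for r in rules)


def uncovered(rules, wanted):
    """IDs from your threat model that no parsed rule covers."""
    return sorted(t for t in wanted if not any(covers(r, t) for r in rules))


# Constructed sample input: rows copied from the catalog above, one in pipe-table form.
SAMPLE_ROWS = """\
Perl Outbound Network Connection T1059, T1071, T1071.001 EQL Medium GitHub ↗
Potential Linux Hack Tool Launched EQL Medium GitHub ↗
| Potential Malicious PowerShell Based on Alert Correlation | T1059, T1059.001 | ES\\|QL | High | GitHub ↗ |
PowerShell Kerberos Ticket Request T1003, T1059, T1059.001, T1558, T1558.003 Custom Query High GitHub ↗
Spike in host-based traffic T1041, T1068, T1204, T1498, T1499 Machine Learning Low GitHub ↗
High Number of Okta User Password Reset or Unlock Attempts T1078 Threshold Medium GitHub ↗
Suspicious Named Pipe Creation T1059, T1059.004, T1071 New Terms High GitHub ↗
"""

if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_ROWS)
    print(f"{len(catalog)} rules parsed")
    print("by rule type:", dict(coverage_by_rule_type(catalog)))
    print("T1059 rules:", rules_for(catalog, "T1059"))
    # made-up threat-model technique list for the demo
    print("uncovered:", uncovered(catalog, ["T1059", "T1003", "T1566", "T1078.004"]))
```

Paste a whole tactic section (description line, header and all) into `parse_catalog`; lines that are not rows are skipped, and a row that looks like a row but does not parse raises rather than being silently dropped, so a count mismatch against the page is caught early.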

Persistence

Rules detecting techniques adversaries use to maintain access across restarts and credential changes, such as scheduled tasks, startup items, and registry modifications.

| Name | Technique | Rule Type | Severity | Source |
| --- | --- | --- | --- | --- |
| A scheduled task was created | T1053, T1053.005 | EQL | Low | GitHub ↗ |
| Account Password Reset Remotely | T1098, T1531 | EQL | Medium | GitHub ↗ |
| Active Directory Group Modification by SYSTEM | T1098 | EQL | Medium | GitHub ↗ |
| Adding Hidden File Attribute via Attrib | T1222, T1222.001, T1564, T1564.001 | EQL | Low | GitHub ↗ |
| Administrator Privileges Assigned to an Okta Group | T1098 | Custom Query | Medium | GitHub ↗ |
| AdminSDHolder Backdoor | T1078, T1078.002, T1098 | Custom Query | High | GitHub ↗ |
| AdminSDHolder SDProp Exclusion Added | T1078, T1078.002, T1098 | EQL | High | GitHub ↗ |
| Anomalous Process For a Linux Population | T1543, T1543.003 | Machine Learning | Low | GitHub ↗ |
| Anomalous Process For a Windows Population | T1204, T1204.002, T1543 | Machine Learning | Low | GitHub ↗ |
| Anomalous Windows Process Creation | T1543 | Machine Learning | Low | GitHub ↗ |
| Application Added to Google Workspace Domain | | Custom Query | Medium | GitHub ↗ |
| APT Package Manager Configuration File Creation | T1543, T1546, T1546.016, T1574 | EQL | Low | GitHub ↗ |
| At Job Created or Modified | T1053, T1053.002 | EQL | Medium | GitHub ↗ |
| Attempt to Create Okta API Token | T1136 | Custom Query | Medium | GitHub ↗ |
| Attempt to Enable the Root Account | T1078, T1078.003 | EQL | Medium | GitHub ↗ |
| Attempt to Reset MFA Factors for an Okta User Account | T1098 | Custom Query | Low | GitHub ↗ |
| Attempt to Unload Elastic Endpoint Security Kernel Extension | T1547, T1547.006, T1562, T1562.001 | EQL | High | GitHub ↗ |
| Authentication via Unusual PAM Grantor | T1543, T1556 | New Terms | Medium | GitHub ↗ |
| Authorization Plugin Modification | T1547, T1547.002 | EQL | Medium | GitHub ↗ |
| AWS EC2 Instance Console Login via Assumed Role | T1021, T1021.007, T1078, T1078.004, T1550, T1550.001, T1552, T1552.005 | EQL | High | GitHub ↗ |
| AWS EC2 Instance Interaction with IAM Service | T1078, T1078.004, T1098, T1098.001, T1098.003 | EQL | Low | GitHub ↗ |
| AWS EC2 Network Access Control List Creation | T1133, T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| AWS EC2 Security Group Configuration Change | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| AWS First Occurrence of STS GetFederationToken Request by User | T1098, T1098.001, T1550, T1550.001 | New Terms | Medium | GitHub ↗ |
| AWS IAM AdministratorAccess Policy Attached to Group | T1098, T1098.003 | EQL | Medium | GitHub ↗ |
| AWS IAM AdministratorAccess Policy Attached to Role | T1098, T1098.003 | EQL | Medium | GitHub ↗ |
| AWS IAM AdministratorAccess Policy Attached to User | T1098, T1098.003 | EQL | Medium | GitHub ↗ |
| AWS IAM API Calls via Temporary Session Tokens | T1098 | New Terms | Low | GitHub ↗ |
| AWS IAM Create User via Assumed Role on EC2 Instance | T1136, T1136.003 | New Terms | Medium | GitHub ↗ |
| AWS IAM Deactivation of MFA Device | T1531, T1556, T1556.006 | Custom Query | Medium | GitHub ↗ |
| AWS IAM Group Creation | T1136, T1136.003 | Custom Query | Low | GitHub ↗ |
| AWS IAM Login Profile Added for Root | T1078, T1078.004, T1098 | EQL | High | GitHub ↗ |
| AWS IAM Login Profile Added to User | T1078, T1078.004, T1098, T1098.003 | Custom Query | Low | GitHub ↗ |
| AWS IAM OIDC Provider Created by Rare User | T1078, T1078.004, T1484, T1484.002 | New Terms | Medium | GitHub ↗ |
| AWS IAM Roles Anywhere Profile Creation | T1098, T1098.003 | Custom Query | Low | GitHub ↗ |
| AWS IAM Roles Anywhere Trust Anchor Created with External CA | T1098, T1098.003 | EQL | Medium | GitHub ↗ |
| AWS IAM SAML Provider Created | T1078, T1078.004, T1484, T1484.002 | Custom Query | Medium | GitHub ↗ |
| AWS IAM User Addition to Group | T1098 | Custom Query | Low | GitHub ↗ |
| AWS IAM User Created Access Keys For Another User | T1098, T1098.001 | ES\|QL | Medium | GitHub ↗ |
| AWS IAM Virtual MFA Device Registration Attempt with Session Token | T1098, T1098.005, T1556, T1556.006 | EQL | Medium | GitHub ↗ |
| AWS Lambda Function Policy Updated to Allow Public Invocation | T1546 | EQL | Medium | GitHub ↗ |
| AWS RDS DB Instance Made Public | T1556, T1556.009 | EQL | Medium | GitHub ↗ |
| AWS RDS DB Instance or Cluster Password Modified | T1098, T1098.001 | EQL | Medium | GitHub ↗ |
| AWS Route 53 Domain Transfer Lock Disabled | T1098, T1584, T1584.001 | Custom Query | High | GitHub ↗ |
| AWS Route 53 Domain Transferred to Another Account | T1098, T1584, T1584.001 | Custom Query | High | GitHub ↗ |
| AWS Route 53 Private Hosted Zone Associated With a VPC | T1098, T1583, T1583.001 | Custom Query | Medium | GitHub ↗ |
| AWS Sensitive IAM Operations Performed via CloudShell | T1098, T1098.003, T1136, T1136.003 | Custom Query | Medium | GitHub ↗ |
| AWS STS AssumeRole with New MFA Device | T1548, T1550, T1550.001, T1556, T1556.006 | New Terms | Low | GitHub ↗ |
| AWS STS AssumeRoot by Rare User and Member Account | T1098, T1098.003, T1548, T1548.005 | New Terms | Medium | GitHub ↗ |
| AWS STS Role Chaining | T1548, T1550, T1550.001 | New Terms | Medium | GitHub ↗ |
| Azure Automation Account Created | T1078 | Custom Query | Low | GitHub ↗ |
| Azure Automation Webhook Created | T1546, T1608 | Custom Query | Low | GitHub ↗ |
| Azure Event Hub Authorization Rule Created or Updated | T1098, T1552, T1552.005 | Custom Query | Medium | GitHub ↗ |
| Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created | T1078, T1078.004, T1098 | Custom Query | Low | GitHub ↗ |
| Azure Storage Account Key Regenerated | T1098, T1098.001, T1552, T1552.005 | Custom Query | Low | GitHub ↗ |
| Bash Shell Profile Modification | T1546, T1546.004 | Custom Query | Medium | GitHub ↗ |
| Bitsadmin Activity | T1105, T1197 | EQL | Low | GitHub ↗ |
| Boot File Copy | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| BPF Program or Map Load via bpftool | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Browser Extension Install | T1176 | EQL | Low | GitHub ↗ |
| Chkconfig Service Add | T1037 | EQL | Medium | GitHub ↗ |
| Component Object Model Hijacking | T1112, T1546, T1546.015 | EQL | Low | GitHub ↗ |
| Creation of a Hidden Local User Account | T1136, T1136.001 | EQL | High | GitHub ↗ |
| Creation of Hidden Files and Directories via CommandLine | T1564, T1564.001 | EQL | Low | GitHub ↗ |
| Creation of Hidden Launch Agent or Daemon | T1543, T1543.001, T1564, T1564.001 | EQL | Medium | GitHub ↗ |
| Creation of Hidden Login Item via Apple Script | T1059, T1059.002, T1547, T1647 | EQL | Medium | GitHub ↗ |
| Creation or Modification of a new GPO Scheduled Task or Service | T1053, T1053.005, T1484, T1484.001 | EQL | Low | GitHub ↗ |
| Cron Job Created or Modified | T1053, T1053.003 | EQL | Medium | GitHub ↗ |
| Curl Execution via Shell Profile | T1105, T1546, T1546.004 | EQL | High | GitHub ↗ |
| D-Bus Service Created | T1543 | EQL | Low | GitHub ↗ |
| Deprecated - Adobe Hijack Persistence | T1554, T1574, T1574.010 | EQL | Low | GitHub ↗ |
| Deprecated - M365 Teams Guest Access Enabled | T1098 | Custom Query | Medium | GitHub ↗ |
| Deprecated - Microsoft Exchange Transport Agent Install Script | T1059, T1059.001, T1505, T1505.002 | Custom Query | Low | GitHub ↗ |
| Directory Creation in /bin directory | T1564, T1564.001 | EQL | Low | GitHub ↗ |
| DNF Package Manager Plugin File Creation | T1543, T1546, T1546.016, T1574 | EQL | Low | GitHub ↗ |
| DPKG Package Installed by Unusual Parent Process | T1195, T1195.002, T1543, T1546, T1546.016, T1574 | New Terms | Low | GitHub ↗ |
| Dracut Module Creation | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| Dylib Injection via Process Environment Variables | T1574, T1574.006 | EQL | High | GitHub ↗ |
| Dynamic Linker (ld.so) Creation | T1059, T1059.004, T1218, T1574, T1574.006 | EQL | Medium | GitHub ↗ |
| Dynamic Linker Copy | T1574, T1574.006 | EQL | High | GitHub ↗ |
| Dynamic Linker Creation | T1574, T1574.006 | EQL | Medium | GitHub ↗ |
| Emond Rules Creation or Modification | T1546, T1546.014 | EQL | Medium | GitHub ↗ |
| Entra ID ADRS Token Request by Microsoft Authentication Broker | T1098, T1098.005 | Custom Query | Medium | GitHub ↗ |
| Entra ID Conditional Access Policy (CAP) Modified | T1556, T1556.009 | New Terms | Medium | GitHub ↗ |
| Entra ID External Authentication Methods (EAM) Modified | T1556, T1556.009 | New Terms | Medium | GitHub ↗ |
| Entra ID Federated Identity Credential Issuer Modified | T1098, T1098.001, T1484, T1484.002 | ES\|QL | High | GitHub ↗ |
| Entra ID Global Administrator Role Assigned | T1098, T1098.003 | Custom Query | High | GitHub ↗ |
| Entra ID MFA Disabled for User | T1556, T1556.006 | Custom Query | Medium | GitHub ↗ |
| Entra ID OAuth PRT Issuance to Non-Managed Device Detected | T1078, T1078.004, T1098, T1098.005, T1528 | EQL | Medium | GitHub ↗ |
| Entra ID Privileged Identity Management (PIM) Role Modified | T1078, T1098, T1098.003 | Custom Query | Medium | GitHub ↗ |
| Entra ID Protection User Alert and Device Registration | T1078, T1078.004, T1098, T1098.005 | EQL | High | GitHub ↗ |
| Entra ID Service Principal Credentials Created by Unusual User | T1098, T1098.001 | New Terms | Medium | GitHub ↗ |
| Entra ID Unusual Cloud Device Registration | T1098, T1098.005 | EQL | Medium | GitHub ↗ |
| Entra ID User Added as Registered Application Owner | T1098, T1528 | Custom Query | Low | GitHub ↗ |
| Entra ID User Added as Service Principal Owner | T1078, T1078.004, T1098 | Custom Query | Low | GitHub ↗ |
| Entra ID User Sign-in with Unusual Non-Managed Device | T1078, T1078.004, T1098, T1098.005 | New Terms | Low | GitHub ↗ |
| Executable Bit Set for Potential Persistence Script | T1037, T1037.004, T1053, T1053.003, T1547, T1547.013 | EQL | Medium | GitHub ↗ |
| Execution of Persistent Suspicious Program | T1547, T1547.001 | EQL | Medium | GitHub ↗ |
| Execution via MSSQL xp_cmdshell Stored Procedure | T1059, T1059.003, T1505, T1505.001 | New Terms | Medium | GitHub ↗ |
| File Creation in /var/log via Suspicious Process | T1059, T1059.004, T1564, T1564.001 | New Terms | Medium | GitHub ↗ |
| Finder Sync Plugin Registered and Enabled | T1543 | EQL | Medium | GitHub ↗ |
| First Occurrence of Personal Access Token (PAT) Use For a GitHub User | T1098, T1098.001 | New Terms | Low | GitHub ↗ |
| First Time Seen Driver Loaded | T1068, T1543, T1543.003 | New Terms | Medium | GitHub ↗ |
| FortiGate Administrator Account Creation from Unusual Source | T1136, T1136.001 | New Terms | Medium | GitHub ↗ |
| FortiGate SSO Login Followed by Administrator Account Creation | T1136, T1136.001 | EQL | High | GitHub ↗ |
| FortiGate Super Admin Account Creation | T1136, T1136.001 | EQL | Medium | GitHub ↗ |
| GCP IAM Custom Role Creation | T1078 | Custom Query | Medium | GitHub ↗ |
| GCP Service Account Creation | T1136 | Custom Query | Low | GitHub ↗ |
| GCP Service Account Key Creation | T1098 | Custom Query | Low | GitHub ↗ |
| Git Hook Child Process | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Git Hook Command Execution | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Git Hook Created or Modified | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Git Hook Egress Network Connection | T1059, T1059.004, T1543, T1574 | EQL | Medium | GitHub ↗ |
| GitHub Actions Workflow Modification Blocked | T1059, T1195, T1195.002, T1546 | ES\|QL | Medium | GitHub ↗ |
| GitHub Owner Role Granted To User | T1098, T1098.003 | EQL | Medium | GitHub ↗ |
| Google Workspace 2SV Policy Disabled | T1556 | Custom Query | Medium | GitHub ↗ |
| Google Workspace Admin Role Assigned to a User | T1098, T1098.003 | Custom Query | High | GitHub ↗ |
| Google Workspace API Access Granted via Domain-Wide Delegation | T1098 | Custom Query | Medium | GitHub ↗ |
| Google Workspace Custom Admin Role Created | T1098 | Custom Query | Medium | GitHub ↗ |
| Google Workspace Password Policy Modified | T1098 | Custom Query | Medium | GitHub ↗ |
| Google Workspace Role Modified | T1098 | Custom Query | Medium | GitHub ↗ |
| Google Workspace User Organizational Unit Changed | T1098, T1098.003 | Custom Query | Low | GitHub ↗ |
| GRUB Configuration File Creation | T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| GRUB Configuration Generation through Built-in Utilities | T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| Hidden Directory Creation via Unusual Parent | T1564, T1564.001 | EQL | Low | GitHub ↗ |
| High Number of Okta User Password Reset or Unlock Attempts | T1078 | Threshold | Medium | GitHub ↗ |
| Image File Execution Options Injection | T1112, T1546, T1546.012 | EQL | Medium | GitHub ↗ |
| Initial Access via File Upload Followed by GET Request | T1190, T1505, T1505.003 | EQL | Medium | GitHub ↗ |
| Initramfs Extraction via CPIO | T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| Initramfs Unpacking via unmkinitramfs | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| Installation of Custom Shim Databases | T1546, T1546.011 | EQL | Medium | GitHub ↗ |
| Installation of Security Support Provider | T1112, T1547, T1547.005 | EQL | Medium | GitHub ↗ |
| KDE AutoStart Script or Desktop File Creation | T1547 | EQL | Medium | GitHub ↗ |
| Kernel Driver Load | T1014, T1547, T1547.006 | EQL | Low | GitHub ↗ |
| Kernel Driver Load by non-root User | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Kernel Load or Unload via Kexec Detected | T1547, T1547.006, T1601, T1601.001, T1611 | EQL | Medium | GitHub ↗ |
| Kernel Module Load from Unusual Location | T1014, T1547, T1547.006 | EQL | High | GitHub ↗ |
| Kernel Module Load via Built-in Utility | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Kernel Module Removal | T1547, T1547.006, T1562, T1562.001 | EQL | Low | GitHub ↗ |
| Kernel Object File Creation | T1014, T1547, T1547.006 | New Terms | Low | GitHub ↗ |
| KRBTGT Delegation Backdoor | T1098, T1558 | EQL | High | GitHub ↗ |
| Kubernetes Cluster-Admin Role Binding Created | T1098, T1098.006 | Custom Query | Medium | GitHub ↗ |
| Kubernetes Creation of a RoleBinding Referencing a ServiceAccount | T1098, T1098.006 | Custom Query | Medium | GitHub ↗ |
| Kubernetes Creation or Modification of Sensitive Role | T1098, T1098.006 | ES\|QL | Medium | GitHub ↗ |
| Kubernetes Exposed Service Created With Type NodePort | T1133 | Custom Query | Medium | GitHub ↗ |
| Kubernetes Sensitive Configuration File Activity | T1053, T1053.007, T1543, T1543.005 | EQL | Medium | GitHub ↗ |
| Kubernetes Sensitive RBAC Change Followed by Workload Modification | T1098, T1098.006 | EQL | Medium | GitHub ↗ |
| Kubernetes Service Account Modified RBAC Objects | T1098, T1098.006 | Custom Query | Medium | GitHub ↗ |
| Lateral Movement via Startup Folder | T1021, T1021.001, T1547, T1547.001 | EQL | High | GitHub ↗ |
| Launch Service Creation and Immediate Loading | T1543, T1543.001 | EQL | Low | GitHub ↗ |
| Linux Group Creation | T1136, T1136.001 | EQL | Low | GitHub ↗ |
| Linux User Account Creation | T1136, T1136.001 | EQL | Low | GitHub ↗ |
| Linux User Account Credential Modification | T1098 | EQL | Medium | GitHub ↗ |
| Linux User Added to Privileged Group | T1136, T1136.001 | EQL | Low | GitHub ↗ |
| Loadable Kernel Module Configuration File Creation | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Local Scheduled Task Creation | T1053, T1053.005 | EQL | Low | GitHub ↗ |
| M365 Exchange Mailbox High-Risk Permission Delegated | T1098, T1098.002 | New Terms | Low | GitHub ↗ |
| M365 Exchange Management Group Role Assigned | T1098, T1098.003 | Custom Query | Medium | GitHub ↗ |
| M365 Identity Global Administrator Role Assigned | T1098, T1098.003 | Custom Query | Medium | GitHub ↗ |
| M365 Identity OAuth Flow by User Sign-in to Device Registration | T1098, T1098.005, T1528, T1566, T1566.002 | EQL | High | GitHub ↗ |
| M365 Security Compliance Admin Signal | T1098, T1562, T1562.001 | Custom Query | Low | GitHub ↗ |
| Manual Dracut Execution | T1059, T1059.004, T1542 | EQL | Low | GitHub ↗ |
| Manual Loading of a Suspicious Chromium Extension | T1176, T1539 | EQL | High | GitHub ↗ |
| Message-of-the-Day (MOTD) File Creation | T1037 | EQL | Medium | GitHub ↗ |
| MFA Deactivation with no Re-Activation for Okta User Account | T1556, T1556.006 | EQL | Low | GitHub ↗ |
| MFA Disabled for Google Workspace Organization | T1556 | Custom Query | Medium | GitHub ↗ |
| Modification of Persistence Relevant Files Detected via Defend for Containers | T1037, T1053, T1053.003, T1543, T1546, T1546.004, T1548, T1548.003 | EQL | Low | GitHub ↗ |
| Modification or Removal of an Okta Application Sign-On Policy | T1556 | Custom Query | Medium | GitHub ↗ |
| Mofcomp Activity | T1047, T1546, T1546.003 | EQL | Low | GitHub ↗ |
| Netsh Helper DLL | T1112, T1546, T1546.007 | EQL | Low | GitHub ↗ |
| Network Connection Initiated by Suspicious SSHD Child Process | T1021, T1021.004, T1546, T1546.004, T1563, T1563.001 | EQL | Medium | GitHub ↗ |
| Network Connections Initiated Through XDG Autostart Entry | T1547, T1547.013 | EQL | Medium | GitHub ↗ |
| Network Logon Provider Registry Modification | T1543, T1556 | EQL | Medium | GitHub ↗ |
| Network Traffic to Rare Destination Country | T1041, T1048, T1071, T1105, T1566, T1566.001, T1566.002 | Machine Learning | Low | GitHub ↗ |
| NetworkManager Dispatcher Script Creation | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| New ActiveSyncAllowedDeviceID Added via PowerShell | T1059, T1059.001, T1098, T1098.002 | EQL | Medium | GitHub ↗ |
| New GitHub Owner Added | T1136, T1136.003 | EQL | Medium | GitHub ↗ |
| New GitHub Personal Access Token (PAT) Added | T1136, T1136.003, T1528 | EQL | Low | GitHub ↗ |
| New Okta Identity Provider (IdP) Added by Admin | T1556, T1556.007 | Custom Query | Medium | GitHub ↗ |
| New User Added To GitHub Organization | T1098, T1098.001 | EQL | Low | GitHub ↗ |
| Node.js Pre or Post-Install Script Execution | T1059, T1059.004, T1204, T1204.005, T1543, T1574 | EQL | Medium | GitHub ↗ |
| Office Test Registry Persistence | T1112, T1137, T1137.002 | EQL | Low | GitHub ↗ |
| Okta User Assigned Administrator Role | T1098 | Custom Query | Medium | GitHub ↗ |
| OpenSSL Password Hash Generation | T1136, T1136.001 | EQL | Medium | GitHub ↗ |
| Outlook Home Page Registry Modification | T1137, T1137.004 | EQL | High | GitHub ↗ |
| Persistence via a Hidden Plist Filename | T1543, T1543.001, T1547, T1547.011, T1564, T1564.001 | EQL | High | GitHub ↗ |
| Persistence via a Windows Installer | T1053, T1053.005, T1218, T1218.007 | EQL | Medium | GitHub ↗ |
| Persistence via BITS Job Notify Cmdline | T1197 | EQL | Medium | GitHub ↗ |
| Persistence via DirectoryService Plugin Modification | T1547 | EQL | Medium | GitHub ↗ |
| Persistence via Docker Shortcut Modification | T1543 | EQL | Medium | GitHub ↗ |
| Persistence via Folder Action Script | T1037, T1059 | EQL | Medium | GitHub ↗ |
| Persistence via Hidden Run Key Detected | T1106, T1112, T1547, T1547.001 | EQL | High | GitHub ↗ |
| Persistence via Login or Logout Hook | T1037 | EQL | Medium | GitHub ↗ |
| Persistence via Microsoft Office AddIns | T1137, T1137.006 | EQL | High | GitHub ↗ |
| Persistence via Microsoft Outlook VBA | T1137 | EQL | Medium | GitHub ↗ |
| Persistence via PowerShell profile | T1546, T1546.013 | EQL | Medium | GitHub ↗ |
| Persistence via Scheduled Job Creation | T1053, T1053.005 | EQL | Medium | GitHub ↗ |
| Persistence via Suspicious Launch Agent or Launch Daemon | T1543, T1543.001, T1543.004, T1547, T1547.011 | EQL | High | GitHub ↗ |
| Persistence via TelemetryController Scheduled Task Hijack | T1053, T1053.005, T1574 | EQL | High | GitHub ↗ |
| Persistence via Update Orchestrator Service Hijack | T1068, T1543, T1543.003, T1574 | EQL | High | GitHub ↗ |
| Persistence via WMI Event Subscription | T1047, T1546, T1546.003 | EQL | Low | GitHub ↗ |
| Persistence via WMI Standard Registry Provider | T1047, T1543, T1543.003, T1547, T1547.001 | EQL | High | GitHub ↗ |
| Persistent Scripts in the Startup Directory | T1547, T1547.001, T1547.009 | EQL | Medium | GitHub ↗ |
| Pluggable Authentication Module (PAM) Creation in Unusual Directory | T1543, T1556 | EQL | Low | GitHub ↗ |
| Pluggable Authentication Module (PAM) Source Download | T1543, T1556 | EQL | Medium | GitHub ↗ |
| Pluggable Authentication Module (PAM) Version Discovery | T1082, T1543, T1556 | EQL | Low | GitHub ↗ |
| Pluggable Authentication Module or Configuration Creation | T1543, T1556 | EQL | Medium | GitHub ↗ |
| Pod or Container Creation with Suspicious Command-Line | T1053, T1053.002, T1053.003, T1059, T1059.004, T1609, T1611 | EQL | Medium | GitHub ↗ |
Polkit Policy Creation T1543, T1556 EQL Low GitHub ↗
Potential Application Shimming via Sdbinst T1546, T1546.011 EQL Low GitHub ↗
Potential Backdoor Execution Through PAM_EXEC T1543, T1556 EQL Medium GitHub ↗
Potential Execution of rc.local Script T1037, T1037.004 EQL Medium GitHub ↗
Potential Execution via SSH Backdoor T1021, T1021.004, T1543, T1556, T1563, T1563.001 EQL Medium GitHub ↗
Potential Hidden Local User Account Creation T1078, T1078.003 EQL Medium GitHub ↗
Potential Linux Backdoor User Account Creation T1136, T1136.001 EQL High GitHub ↗
Potential LSA Authentication Package Abuse T1547, T1547.002 EQL Medium GitHub ↗
Potential Masquerading as Browser Process T1036, T1036.001, T1036.005, T1554 EQL Low GitHub ↗
Potential Masquerading as Communication Apps T1036, T1036.001, T1036.005, T1554 EQL Medium GitHub ↗
Potential Masquerading as System32 DLL T1036, T1036.001, T1036.005, T1554, T1574, T1574.001 EQL Low GitHub ↗
Potential Masquerading as System32 Executable T1036, T1036.001, T1036.005, T1554 EQL Low GitHub ↗
Potential Masquerading as VLC DLL T1036, T1036.001, T1036.005, T1554 EQL Low GitHub ↗
Potential Modification of Accessibility Binaries T1546, T1546.008 EQL High GitHub ↗
Potential OpenSSH Backdoor Logging Activity T1554, T1556 EQL Low GitHub ↗
Potential Persistence via Atom Init Script Modification T1037 EQL Low GitHub ↗
Potential Persistence via File Modification T1014, T1037, T1037.004, T1053, T1053.003, T1136, T1136.001, T1543, T1543.002, T1547, T1547.006, T1548, T1548.003, T1556, T1574, T1574.006 EQL Low GitHub ↗
Potential Persistence via Login Hook T1547, T1647 Custom Query Medium GitHub ↗
Potential Persistence via Mandatory User Profile T1112, T1547 EQL Medium GitHub ↗
Potential Persistence via Periodic Tasks T1053, T1053.003 EQL Low GitHub ↗
Potential Persistence via Time Provider Modification T1547, T1547.003 EQL Medium GitHub ↗
Potential Port Monitor or Print Processor Registration Abuse T1547, T1547.010, T1547.012 EQL Medium GitHub ↗
Potential Privilege Escalation via SUID/SGID Proxy Execution T1068, T1218, T1548, T1548.001 EQL Medium GitHub ↗
Potential Privileged Escalation via SamAccountName Spoofing T1068, T1078, T1078.002, T1098 EQL High GitHub ↗
Potential SSH Password Grabbing via strace T1554, T1556 EQL Medium GitHub ↗
Potential Sudo Hijacking T1548, T1548.003, T1574 EQL Medium GitHub ↗
Potential Suspicious File Edit T1037, T1037.004, T1543, T1543.002, T1548, T1548.003, T1574, T1574.006 EQL Low GitHub ↗
Potential Web Shell ASPX File Creation T1505, T1505.003 EQL Medium GitHub ↗
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation T1190, T1505, T1505.003 EQL High GitHub ↗
Privilege Escalation via SUID/SGID T1068, T1548, T1548.001 EQL Medium GitHub ↗
Process Capability Set via setcap Utility EQL Low GitHub ↗
Process Spawned from Message-of-the-Day (MOTD) T1037 EQL High GitHub ↗
Python Path File (pth) Creation T1059, T1059.004, T1546, T1546.018, T1574 EQL Low GitHub ↗
Python Site or User Customize File Creation T1059, T1059.004, T1546, T1546.018, T1574 EQL Low GitHub ↗
Rare AWS Error Code T1526, T1580 Machine Learning Low GitHub ↗
Rare Azure Activity Logs Event Failures T1526, T1580 Machine Learning Low GitHub ↗
Rare GCP Audit Failure Event Code T1526, T1580 Machine Learning Low GitHub ↗
rc.local/rc.common File Creation T1037, T1037.004 EQL High GitHub ↗
Registry Persistence via AppCert DLL T1546, T1546.009 EQL Medium GitHub ↗
Registry Persistence via AppInit DLL T1112, T1546, T1546.010 EQL Medium GitHub ↗
Remote Windows Service Installed T1021, T1543, T1543.003 EQL Medium GitHub ↗
Renaming of OpenSSH Binaries T1021, T1021.004, T1543, T1556, T1563, T1563.001 Custom Query Low GitHub ↗
RPM Package Installed by Unusual Parent Process T1195, T1195.002, T1543, T1546, T1546.016, T1574 New Terms Low GitHub ↗
Scheduled Task Created by a Windows Script T1053, T1053.005, T1059, T1059.001, T1059.005 EQL Medium GitHub ↗
Screensaver Plist File Modified by Unexpected Process T1546 EQL Medium GitHub ↗
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User T1098, T1558 Custom Query High GitHub ↗
Service Command Lateral Movement T1021, T1543, T1543.003, T1569, T1569.002 EQL Low GitHub ↗
Service DACL Modification via sc.exe T1543, T1543.003, T1564 EQL Medium GitHub ↗
Service Path Modification T1112, T1543, T1543.003 EQL Low GitHub ↗
Service Path Modification via sc.exe T1112, T1543, T1543.003 EQL Low GitHub ↗
Setcap setuid/setgid Capability Set T1548, T1548.001 EQL High GitHub ↗
Shadow File Modification by Unusual Process T1098 EQL Low GitHub ↗
Shared Object Created by Previously Unknown Process T1574, T1574.006 New Terms Medium GitHub ↗
Shell Configuration Creation T1546, T1546.004 EQL Medium GitHub ↗
Shortcut File Written or Modified on Startup Folder T1547, T1547.001, T1547.009 EQL Low GitHub ↗
Simple HTTP Web Server Connection T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
Simple HTTP Web Server Creation T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
SSH Authorized Key File Activity Detected via Defend for Containers T1021, T1021.004, T1098, T1098.004, T1563, T1563.001 EQL Medium GitHub ↗
SSH Authorized Keys File Activity T1021, T1021.004, T1098, T1098.004, T1563, T1563.001 New Terms Medium GitHub ↗
SSH Key Generated via ssh-keygen T1021, T1021.004, T1098, T1098.004, T1563, T1563.001 EQL Low GitHub ↗
Startup Folder Persistence via Unsigned Process T1036, T1036.001, T1547, T1547.001 EQL Medium GitHub ↗
Startup or Run Key Registry Modification T1547, T1547.001 EQL Low GitHub ↗
Startup Persistence by a Suspicious Process T1547, T1547.001 EQL Medium GitHub ↗
Stolen Credentials Used to Login to Okta Account After MFA Reset T1556, T1556.006 EQL High GitHub ↗
Sublime Plugin or Application Script Modification T1554 EQL Low GitHub ↗
SUID/SGID Bit Set T1548, T1548.001 EQL Low GitHub ↗
SUID/SGUID Enumeration Detected T1083, T1548, T1548.001 EQL Medium GitHub ↗
Suspicious Activity Reported by Okta User T1078 Custom Query Medium GitHub ↗
Suspicious Apple Mail Rule Plist Modification T1204, T1546 EQL Medium GitHub ↗
Suspicious APT Package Manager Execution T1059, T1059.004, T1543, T1546, T1546.016, T1574 EQL Low GitHub ↗
Suspicious APT Package Manager Network Connection T1543, T1546, T1546.016, T1574 EQL Medium GitHub ↗
Suspicious Calendar File Modification T1546 EQL Medium GitHub ↗
Suspicious Child Execution via Web Server T1190, T1505, T1505.003 EQL Medium GitHub ↗
Suspicious Communication App Child Process T1036, T1036.001, T1036.005, T1055, T1554 EQL Medium GitHub ↗
Suspicious CronTab Creation or Modification T1053, T1053.003 EQL Medium GitHub ↗
Suspicious DLL Loaded for Persistence or Privilege Escalation T1036, T1036.001, T1574, T1574.001 EQL High GitHub ↗
Suspicious Echo or Printf Execution Detected via Defend for Containers T1037, T1053, T1053.003, T1543, T1546, T1546.004 EQL High GitHub ↗
Suspicious Emond Child Process T1546, T1546.014 EQL Medium GitHub ↗
Suspicious Execution via Microsoft Office Add-Ins T1137, T1137.006, T1566, T1566.001 EQL Medium GitHub ↗
Suspicious Execution via Scheduled Task T1053, T1053.005 EQL Medium GitHub ↗
Suspicious File Creation via Kworker T1014, T1547 EQL Medium GitHub ↗
Suspicious File Creation via Pkg Install Script T1546, T1546.016 EQL High GitHub ↗
Suspicious Hidden Child Process of Launchd T1543, T1543.001, T1564, T1564.001 EQL Medium GitHub ↗
Suspicious Image Load (taskschd.dll) from MS Office T1053, T1053.005 EQL Low GitHub ↗
Suspicious ImagePath Service Creation T1112, T1543, T1543.003 EQL High GitHub ↗
Suspicious Network Connection via systemd T1543, T1543.002, T1574 EQL Medium GitHub ↗
Suspicious Outlook Child Process T1036, T1036.001, T1036.005, T1055, T1554 EQL Low GitHub ↗
Suspicious rc.local Error Message T1037, T1037.004 Custom Query Medium GitHub ↗
Suspicious Service was Installed in the System T1543, T1543.003 EQL Medium GitHub ↗
Suspicious Startup Shell Folder Modification T1112, T1547, T1547.001 EQL High GitHub ↗
Suspicious StartupItem Plist Creation T1037, T1037.005 EQL High GitHub ↗
Suspicious Usage of bpf_probe_write_user Helper T1014, T1547, T1547.006 Custom Query High GitHub ↗
Suspicious WerFault Child Process T1036, T1546, T1546.012 EQL Medium GitHub ↗
Suspicious WMI Event Subscription Created T1546, T1546.003 EQL Medium GitHub ↗
System Shells via Services T1059, T1059.001, T1059.003, T1543, T1543.003 EQL Medium GitHub ↗
System V Init Script Created T1037 EQL Low GitHub ↗
Systemd Generator Created T1543, T1543.002 EQL Medium GitHub ↗
Systemd Service Created T1543, T1543.002 EQL Medium GitHub ↗
Systemd Service Started by Unusual Parent Process T1543, T1543.002 New Terms Low GitHub ↗
Systemd Shell Execution During Boot T1543, T1543.002 EQL Low GitHub ↗
Systemd Timer Created T1053, T1053.006 EQL Low GitHub ↗
Systemd-udevd Rule File Creation T1037, T1546 EQL Low GitHub ↗
Tainted Kernel Module Load T1014, T1547, T1547.006 Custom Query Medium GitHub ↗
Tainted Out-Of-Tree Kernel Module Load T1014, T1547, T1547.006 Custom Query Medium GitHub ↗
Temporarily Scheduled Task Creation T1053, T1053.005 EQL Medium GitHub ↗
Unauthorized Access to an Okta Application T1078 Custom Query Low GitHub ↗
Uncommon Destination Port Connection by Web Server T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
Uncommon Registry Persistence Change T1112, T1546, T1546.002, T1547, T1547.001 EQL Medium GitHub ↗
Unexpected Child Process of macOS Screensaver Engine T1546, T1546.002 EQL Medium GitHub ↗
Unsigned DLL Loaded by Svchost T1036, T1036.001, T1543, T1543.003, T1569, T1569.002 EQL Medium GitHub ↗
Unusual AWS Command for a User T1021, T1021.007, T1041, T1078, T1078.004 Machine Learning Low GitHub ↗
Unusual Azure Activity Logs Event for a User T1021, T1021.007, T1041, T1078, T1078.004 Machine Learning Low GitHub ↗
Unusual Command Execution from Web Server Parent T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual D-Bus Daemon Child Process T1059, T1059.004, T1543 EQL Low GitHub ↗
Unusual DPKG Execution T1195, T1195.002, T1543, T1546, T1546.016, T1574 EQL Medium GitHub ↗
Unusual Exim4 Child Process T1037, T1554 New Terms Low GitHub ↗
Unusual File Creation by Web Server T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual GCP Event for a User T1021, T1021.007, T1041, T1078, T1078.004 Machine Learning Low GitHub ↗
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments T1574, T1574.006 New Terms High GitHub ↗
Unusual Linux Network Activity T1041, T1055, T1071 Machine Learning Low GitHub ↗
Unusual Linux Network Port Activity T1041, T1071, T1571 Machine Learning Low GitHub ↗
Unusual Login via System User T1098, T1098.004, T1564, T1564.002 New Terms Medium GitHub ↗
Unusual Network Destination Domain Name T1041, T1071, T1071.001, T1566, T1566.001, T1566.002 Machine Learning Low GitHub ↗
Unusual Persistence via Services Registry T1112, T1543, T1543.003 EQL Low GitHub ↗
Unusual Pkexec Execution T1059, T1543 New Terms High GitHub ↗
Unusual Preload Environment Variable Process Execution T1574, T1574.006 New Terms Low GitHub ↗
Unusual Process For a Linux Host T1543, T1543.002 Machine Learning Low GitHub ↗
Unusual Process For a Windows Host T1543, T1543.003 Machine Learning Low GitHub ↗
Unusual Process For MSSQL Service Accounts T1210, T1505, T1505.001 EQL Low GitHub ↗
Unusual Process Modifying GenAI Configuration File T1554, T1556 New Terms Medium GitHub ↗
Unusual Process Spawned from Web Server Parent T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual Scheduled Task Update T1053, T1053.005 New Terms Low GitHub ↗
Unusual SSHD Child Process T1021, T1021.004, T1546, T1546.004, T1563, T1563.001 New Terms Low GitHub ↗
Unusual Web Server Command Execution T1059, T1059.004, T1071, T1505, T1505.003 New Terms Medium GitHub ↗
Unusual Windows Network Activity T1041, T1055, T1071 Machine Learning Low GitHub ↗
Unusual Windows Path Activity T1204, T1204.002, T1543, T1543.003 Machine Learning Low GitHub ↗
Unusual Windows Service T1543, T1543.003 Machine Learning Low GitHub ↗
User Account Creation T1136, T1136.001 EQL Low GitHub ↗
User Added to Privileged Group in Active Directory T1098 EQL Medium GitHub ↗
User or Group Creation/Modification T1136, T1136.001 EQL Low GitHub ↗
Web Server Child Shell Spawn Detected via Defend for Containers T1059, T1059.004, T1071, T1505, T1505.003 EQL Medium GitHub ↗
Web Server Potential Command Injection Request T1059, T1059.004, T1071, T1505, T1505.003, T1595, T1595.002, T1595.003 ES|QL Low GitHub ↗
Web Shell Detection: Script Process Child of Common Web Processes T1047, T1059, T1059.001, T1059.003, T1059.005, T1190, T1505, T1505.003 New Terms High GitHub ↗
Werfault ReflectDebugger Persistence T1112, T1546 EQL Low GitHub ↗
Yum Package Manager Plugin File Creation T1543, T1546, T1546.016, T1574 EQL Medium GitHub ↗

Privilege Escalation

Rules detecting techniques adversaries use to gain higher-level permissions, including exploitation of system vulnerabilities, access token manipulation, and elevation mechanism abuse.

Name Technique Rule Type Severity Source
Access to a Sensitive LDAP Attribute T1003, T1078, T1078.002, T1552, T1552.004 EQL Medium GitHub ↗
Active Directory Group Modification by SYSTEM T1098 EQL Medium GitHub ↗
Apple Scripting Execution with Administrator Privileges T1059, T1078 EQL Medium GitHub ↗
At Job Created or Modified T1053, T1053.002 EQL Medium GitHub ↗
AWS EC2 Instance Connect SSH Public Key Uploaded T1021, T1021.004, T1098, T1098.004 Custom Query Medium GitHub ↗
AWS EC2 Instance Interaction with IAM Service T1078, T1078.004, T1098, T1098.001, T1098.003 EQL Low GitHub ↗
AWS IAM AdministratorAccess Policy Attached to Group T1098, T1098.003 EQL Medium GitHub ↗
AWS IAM AdministratorAccess Policy Attached to Role T1098, T1098.003 EQL Medium GitHub ↗
AWS IAM AdministratorAccess Policy Attached to User T1098, T1098.003 EQL Medium GitHub ↗
AWS IAM Assume Role Policy Update T1078, T1078.004 New Terms Low GitHub ↗
AWS IAM Customer-Managed Policy Attached to Role by Rare User T1548, T1548.005 New Terms Low GitHub ↗
AWS IAM OIDC Provider Created by Rare User T1078, T1078.004, T1484, T1484.002 New Terms Medium GitHub ↗
AWS IAM SAML Provider Created T1078, T1078.004, T1484, T1484.002 Custom Query Medium GitHub ↗
AWS IAM SAML Provider Updated T1484, T1484.002 Custom Query Medium GitHub ↗
AWS IAM User Created Access Keys For Another User T1098, T1098.001 ES|QL Medium GitHub ↗
AWS Management Console Root Login T1078, T1078.004 Custom Query Medium GitHub ↗
AWS RDS DB Instance or Cluster Password Modified T1098, T1098.001 EQL Medium GitHub ↗
AWS Sensitive IAM Operations Performed via CloudShell T1098, T1098.003, T1136, T1136.003 Custom Query Medium GitHub ↗
AWS STS AssumeRole with New MFA Device T1548, T1550, T1550.001, T1556, T1556.006 New Terms Low GitHub ↗
AWS STS AssumeRoot by Rare User and Member Account T1098, T1098.003, T1548, T1548.005 New Terms Medium GitHub ↗
AWS STS GetSessionToken Usage T1548, T1550, T1550.001 Custom Query Low GitHub ↗
AWS STS Role Assumption by Service T1548, T1550, T1550.001 New Terms Low GitHub ↗
AWS STS Role Assumption by User T1548, T1550, T1550.001 New Terms Low GitHub ↗
AWS STS Role Chaining T1548, T1550, T1550.001 New Terms Medium GitHub ↗
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created T1078, T1078.004, T1098 Custom Query Low GitHub ↗
Azure RBAC Built-In Administrator Roles Assigned T1098, T1098.003 Custom Query High GitHub ↗
Bypass UAC via Event Viewer T1548, T1548.002 EQL High GitHub ↗
Component Object Model Hijacking T1112, T1546, T1546.015 EQL Low GitHub ↗
Conhost Spawned By Suspicious Parent Process T1036, T1055, T1059 EQL High GitHub ↗
Creation or Modification of a new GPO Scheduled Task or Service T1053, T1053.005, T1484, T1484.001 EQL Low GitHub ↗
Credential Manipulation - Detected - Elastic Endgame T1134 Custom Query High GitHub ↗
Credential Manipulation - Prevented - Elastic Endgame T1134 Custom Query Medium GitHub ↗
Cron Job Created or Modified T1053, T1053.003 EQL Medium GitHub ↗
CyberArk Privileged Access Security Error T1078 Custom Query High GitHub ↗
CyberArk Privileged Access Security Recommended Monitor T1078 Custom Query High GitHub ↗
D-Bus Service Created T1543 EQL Low GitHub ↗
DebugFS Execution Detected via Defend for Containers T1611 EQL Medium GitHub ↗
Delegated Managed Service Account Modification by an Unusual User T1078, T1078.002, T1098 New Terms High GitHub ↗
Deprecated - Sudo Heap-Based Buffer Overflow Attempt T1068 Threshold High GitHub ↗
Deprecated - Suspicious PrintSpooler Service Executable File Creation T1068 New Terms Low GitHub ↗
Disabling User Account Control via Registry Modification T1112, T1548, T1548.002, T1562, T1562.001 EQL Medium GitHub ↗
dMSA Account Creation by an Unusual User T1078, T1078.002, T1098 New Terms High GitHub ↗
Docker Release File Creation T1611 EQL Low GitHub ↗
Egress Connection from Entrypoint in Container T1059, T1059.004, T1611 EQL Medium GitHub ↗
Entra ID Actor Token User Impersonation Abuse T1078, T1078.004, T1548 ES|QL Medium GitHub ↗
Entra ID Elevated Access to User Access Administrator T1098, T1098.003 New Terms High GitHub ↗
Entra ID Federated Identity Credential Issuer Modified T1098, T1098.001, T1484, T1484.002 ES|QL High GitHub ↗
Execution with Explicit Credentials via Scripting T1059, T1078, T1548, T1548.004 EQL Medium GitHub ↗
Expired or Revoked Driver Loaded T1036, T1036.001, T1068 EQL Medium GitHub ↗
Exploit - Detected - Elastic Endgame T1068 Custom Query High GitHub ↗
Exploit - Prevented - Elastic Endgame T1068 Custom Query Medium GitHub ↗
File System Debugger Launched Inside a Container T1611 EQL Medium GitHub ↗
First Time Seen Driver Loaded T1068, T1543, T1543.003 New Terms Medium GitHub ↗
First Time Seen NewCredentials Logon Process T1134, T1134.001 New Terms Medium GitHub ↗
FirstTime Seen Account Performing DCSync T1003, T1003.006, T1078, T1078.002 New Terms High GitHub ↗
Group Policy Abuse for Privilege Addition T1484, T1484.001 EQL High GitHub ↗
High Command Line Entropy Detected for Privileged Commands T1078 Machine Learning Low GitHub ↗
Interactive Logon by an Unusual Process T1134, T1134.002, T1134.003 EQL High GitHub ↗
Kerberos Pre-authentication Disabled for User T1078, T1078.002, T1558, T1558.004, T1562 EQL Medium GitHub ↗
Kernel Load or Unload via Kexec Detected T1547, T1547.006, T1601, T1601.001, T1611 EQL Medium GitHub ↗
Kubernetes Cluster-Admin Role Binding Created T1098, T1098.006 Custom Query Medium GitHub ↗
Kubernetes Container Created with Excessive Linux Capabilities T1610, T1611 Custom Query Medium GitHub ↗
Kubernetes Creation of a RoleBinding Referencing a ServiceAccount T1098, T1098.006 Custom Query Medium GitHub ↗
Kubernetes Creation or Modification of Sensitive Role T1098, T1098.006 ES|QL Medium GitHub ↗
Kubernetes Pod Created with a Sensitive hostPath Volume T1610, T1611 Custom Query Medium GitHub ↗
Kubernetes Pod Created With HostIPC T1610, T1611 Custom Query Medium GitHub ↗
Kubernetes Pod Created With HostNetwork T1610, T1611 Custom Query Medium GitHub ↗
Kubernetes Pod Created With HostPID T1610, T1611 Custom Query Medium GitHub ↗
Kubernetes Privileged Pod Created T1610, T1611 Custom Query Medium GitHub ↗
Kubernetes Sensitive RBAC Change Followed by Workload Modification T1098, T1098.006 EQL Medium GitHub ↗
Kubernetes Service Account Modified RBAC Objects T1098, T1098.006 Custom Query Medium GitHub ↗
Kubernetes Suspicious Assignment of Controller Service Account T1078, T1078.001 Custom Query Medium GitHub ↗
M365 Exchange Federated Domain Created or Modified T1484, T1484.002 Custom Query Low GitHub ↗
Modification of Dynamic Linker Preload Shared Object T1574, T1574.006 New Terms Medium GitHub ↗
Modification of Persistence Relevant Files Detected via Defend for Containers T1037, T1053, T1053.003, T1543, T1546, T1546.004, T1548, T1548.003 EQL Low GitHub ↗
Modification of the msPKIAccountCredentials T1068 Custom Query Medium GitHub ↗
Mount Execution Detected via Defend for Containers T1611 EQL Low GitHub ↗
Mount Launched Inside a Container T1611 EQL Medium GitHub ↗
Namespace Manipulation Using Unshare T1543 EQL Medium GitHub ↗
Permission Theft - Detected - Elastic Endgame T1134 Custom Query High GitHub ↗
Permission Theft - Prevented - Elastic Endgame T1134 Custom Query Medium GitHub ↗
Persistence via PowerShell profile T1546, T1546.013 EQL Medium GitHub ↗
Persistence via TelemetryController Scheduled Task Hijack T1053, T1053.005, T1574 EQL High GitHub ↗
Persistence via Update Orchestrator Service Hijack T1068, T1543, T1543.003, T1574 EQL High GitHub ↗
Pod or Container Creation with Suspicious Command-Line T1053, T1053.002, T1053.003, T1059, T1059.004, T1609, T1611 EQL Medium GitHub ↗
Potential Admin Group Account Addition T1078, T1078.003 EQL Medium GitHub ↗
Potential Application Shimming via Sdbinst T1546, T1546.011 EQL Low GitHub ↗
Potential Buffer Overflow Attack Detected T1068, T1190 Threshold Low GitHub ↗
Potential Chroot Container Escape via Mount T1611 EQL Medium GitHub ↗
Potential Credential Access via DCSync T1003, T1003.006, T1078, T1078.002 New Terms Medium GitHub ↗
Potential CVE-2025-32463 Nsswitch File Creation T1068 EQL High GitHub ↗
Potential CVE-2025-32463 Sudo Chroot Execution Attempt T1068 EQL High GitHub ↗
Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt T1068 EQL Low GitHub ↗
Potential Docker Escape via Nsenter T1611 EQL Medium GitHub ↗
Potential Escalation via Vulnerable MSI Repair T1068, T1218, T1218.007 EQL High GitHub ↗
Potential Exploitation of an Unquoted Service Path Vulnerability T1574, T1574.009 EQL Low GitHub ↗
Potential LSA Authentication Package Abuse T1547, T1547.002 EQL Medium GitHub ↗
Potential Modification of Accessibility Binaries T1546, T1546.008 EQL High GitHub ↗
Potential notify_on_release Container Escape Detected via Defend for Containers T1611 EQL Medium GitHub ↗
Potential Persistence via File Modification T1014, T1037, T1037.004, T1053, T1053.003, T1136, T1136.001, T1543, T1543.002, T1547, T1547.006, T1548, T1548.003, T1556, T1574, T1574.006 EQL Low GitHub ↗
Potential Persistence via Time Provider Modification T1547, T1547.003 EQL Medium GitHub ↗
Potential Port Monitor or Print Processor Registration Abuse T1547, T1547.010, T1547.012 EQL Medium GitHub ↗
Potential Privacy Control Bypass via Localhost Secure Copy T1548 EQL High GitHub ↗
Potential Privilege Escalation through Writable Docker Socket T1611 EQL Medium GitHub ↗
Potential Privilege Escalation via Container Misconfiguration T1611 EQL High GitHub ↗
Potential privilege escalation via CVE-2022-38028 T1036, T1068 EQL High GitHub ↗
Potential Privilege Escalation via CVE-2023-4911 T1068 EQL High GitHub ↗
Potential Privilege Escalation via Enlightenment T1068 EQL High GitHub ↗
Potential Privilege Escalation via InstallerFileTakeOver T1068 EQL High GitHub ↗
Potential Privilege Escalation via Linux DAC permissions T1068 New Terms Low GitHub ↗
Potential Privilege Escalation via OverlayFS T1068 EQL High GitHub ↗
Potential Privilege Escalation via PKEXEC T1068, T1574, T1574.007 EQL High GitHub ↗
Potential Privilege Escalation via Python cap_setuid T1068, T1548, T1548.001 EQL High GitHub ↗
Potential Privilege Escalation via Recently Compiled Executable T1068 EQL High GitHub ↗
Potential Privilege Escalation via Service ImagePath Modification T1543, T1543.003, T1569, T1569.002, T1574, T1574.011 EQL Medium GitHub ↗
Potential Privilege Escalation via Sudoers File Modification T1548, T1548.003 Custom Query High GitHub ↗
Potential Privilege Escalation via SUID/SGID Proxy Execution T1068, T1218, T1548, T1548.001 EQL Medium GitHub ↗
Potential Privileged Escalation via SamAccountName Spoofing T1068, T1078, T1078.002, T1098 EQL High GitHub ↗
Potential Process Injection from Malicious Document T1055, T1566, T1566.001 EQL Low GitHub ↗
Potential release_agent Container Escape Detected via Defend for Containers T1611 EQL Medium GitHub ↗
Potential Shadow File Read via Command Line Utilities T1003, T1003.008, T1068 New Terms Medium GitHub ↗
Potential Shell via Wildcard Injection Detected T1059, T1068 EQL Medium GitHub ↗
Potential Sudo Hijacking T1548, T1548.003, T1574 EQL Medium GitHub ↗
Potential Sudo Privilege Escalation via CVE-2019-14287 T1068 EQL High GitHub ↗
Potential Sudo Token Manipulation via Process Injection T1055, T1055.008, T1548, T1548.003 EQL Medium GitHub ↗
Potential Suspicious DebugFS Root Device Access T1078, T1078.003 EQL Low GitHub ↗
Potential Suspicious File Edit T1037, T1037.004, T1543, T1543.002, T1548, T1548.003, T1574, T1574.006 EQL Low GitHub ↗
Potential Unauthorized Access via Wildcard Injection Detected T1003, T1003.008, T1068 EQL Medium GitHub ↗
PowerShell Script with Token Impersonation Capabilities T1059, T1059.001, T1106, T1134, T1134.001 Custom Query Medium GitHub ↗
Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities T1068 EQL Medium GitHub ↗
Privilege Escalation via CAP_SETUID/SETGID Capabilities T1068, T1548, T1548.001 EQL Medium GitHub ↗
Privilege Escalation via GDB CAP_SYS_PTRACE T1055, T1055.008, T1068 EQL Medium GitHub ↗
Privilege Escalation via Named Pipe Impersonation T1134 EQL High GitHub ↗
Privilege Escalation via Rogue Named Pipe Impersonation T1134 EQL High GitHub ↗
Privilege Escalation via Root Crontab File Modification T1053, T1053.003 EQL High GitHub ↗
Privilege Escalation via SUID/SGID T1068, T1548, T1548.001 EQL Medium GitHub ↗
Privilege Escalation via Windir Environment Variable T1574, T1574.007 EQL High GitHub ↗
Privileged Container Creation with Host Directory Mount T1059, T1059.004, T1609, T1611 EQL High GitHub ↗
Privileged Docker Container Creation T1059, T1059.004, T1609, T1611 New Terms Medium GitHub ↗
Privileges Elevation via Parent Process PID Spoofing T1134, T1134.002, T1134.004 EQL High GitHub ↗
Process Capability Set via setcap Utility EQL Low GitHub ↗
Process Created with a Duplicated Token T1134, T1134.001, T1134.002 EQL Medium GitHub ↗
Process Created with an Elevated Token T1134, T1134.002 EQL High GitHub ↗
Process Creation via Secondary Logon T1134, T1134.002, T1134.003 EQL Medium GitHub ↗
Process Injection - Detected - Elastic Endgame T1055 Custom Query High GitHub ↗
Process Injection - Prevented - Elastic Endgame T1055 Custom Query Medium GitHub ↗
Process Injection by the Microsoft Build Engine T1055, T1127, T1127.001 EQL Low GitHub ↗
Rare AWS Error Code T1526, T1580 Machine Learning Low GitHub ↗
Rare Azure Activity Logs Event Failures T1526, T1580 Machine Learning Low GitHub ↗
Rare GCP Audit Failure Event Code T1526, T1580 Machine Learning Low GitHub ↗
Registry Persistence via AppCert DLL T1546, T1546.009 EQL Medium GitHub ↗
Remote Computer Account DnsHostName Update T1068, T1078, T1078.002 EQL High GitHub ↗
Root Network Connection via GDB CAP_SYS_PTRACE T1055, T1055.008, T1059, T1059.004, T1068, T1071 EQL Medium GitHub ↗
Scheduled Task Execution at Scale via GPO T1053, T1053.005, T1484, T1484.001, T1570 EQL Medium GitHub ↗
SeDebugPrivilege Enabled by a Suspicious Process T1134 EQL Medium GitHub ↗
Service Control Spawned via Script Interpreter T1047, T1059, T1059.001, T1059.003, T1059.005, T1218, T1218.010, T1218.011, T1543, T1543.003 EQL Low GitHub ↗
Service Creation via Local Kerberos Authentication T1543, T1543.003, T1558 EQL High GitHub ↗
Service Path Modification T1112, T1543, T1543.003 EQL Low GitHub ↗
Service Path Modification via sc.exe T1112, T1543, T1543.003 EQL Low GitHub ↗
Setcap setuid/setgid Capability Set T1548, T1548.001 EQL High GitHub ↗
Shadow File Modification by Unusual Process T1098 EQL Low GitHub ↗
Spike in AWS Error Messages T1526, T1580 Machine Learning Low GitHub ↗
Spike in Azure Activity Logs Failed Messages T1526, T1580 Machine Learning Low GitHub ↗
Spike in GCP Audit Failed Messages T1526, T1580 Machine Learning Low GitHub ↗
Spike in Group Application Assignment Change Events T1068, T1078, T1098 Machine Learning Low GitHub ↗
Spike in Group Lifecycle Change Events T1068, T1078 Machine Learning Low GitHub ↗
Spike in Group Management Events T1078, T1098 Machine Learning Low GitHub ↗
| Name | Technique | Rule Type | Severity | Source |
|---|---|---|---|---|
| Spike in Group Membership Events | T1068, T1078 | Machine Learning | Low | GitHub ↗ |
| Spike in Group Privilege Change Events | T1068, T1078, T1098 | Machine Learning | Low | GitHub ↗ |
| Spike in host-based traffic | T1041, T1068, T1204, T1498, T1499 | Machine Learning | Low | GitHub ↗ |
| Spike in Privileged Command Execution by a User | T1078 | Machine Learning | Low | GitHub ↗ |
| Spike in Special Logon Events | T1068, T1078 | Machine Learning | Low | GitHub ↗ |
| Spike in Special Privilege Use Events | T1068, T1078 | Machine Learning | Low | GitHub ↗ |
| Spike in User Account Management Events | T1068, T1078 | Machine Learning | Low | GitHub ↗ |
| Spike in User Lifecycle Management Change Events | T1078, T1098 | Machine Learning | Low | GitHub ↗ |
| Startup/Logon Script added to Group Policy Object | T1484, T1484.001, T1547 | EQL | Medium | GitHub ↗ |
| Sudoers File Activity | T1548, T1548.003 | EQL | Medium | GitHub ↗ |
| SUID/SGID Bit Set | T1548, T1548.001 | EQL | Low | GitHub ↗ |
| SUID/SGUID Enumeration Detected | T1083, T1548, T1548.001 | EQL | Medium | GitHub ↗ |
| Suspicious Activity Reported by Okta User | T1078 | Custom Query | Medium | GitHub ↗ |
| Suspicious Child Process of Adobe Acrobat Reader Update Service | T1068 | EQL | High | GitHub ↗ |
| Suspicious DLL Loaded for Persistence or Privilege Escalation | T1036, T1036.001, T1574, T1574.001 | EQL | High | GitHub ↗ |
| Suspicious Echo or Printf Execution Detected via Defend for Containers | T1037, T1053, T1053.003, T1543, T1546, T1546.004 | EQL | High | GitHub ↗ |
| Suspicious Kworker UID Elevation | T1014, T1574, T1574.013 | EQL | Medium | GitHub ↗ |
| Suspicious Passwd File Event Action | T1068 | EQL | Medium | GitHub ↗ |
| Suspicious Print Spooler File Deletion | T1068 | EQL | Medium | GitHub ↗ |
| Suspicious Print Spooler Point and Print DLL | T1068 | EQL | High | GitHub ↗ |
| Suspicious Print Spooler SPL File Created | T1068 | EQL | Low | GitHub ↗ |
| Suspicious SeIncreaseBasePriorityPrivilege Use | T1134 | Custom Query | High | GitHub ↗ |
| Suspicious Symbolic Link Created | T1003, T1003.008, T1548 | EQL | Low | GitHub ↗ |
| Suspicious WerFault Child Process | T1036, T1546, T1546.012 | EQL | Medium | GitHub ↗ |
| Systemd Generator Created | T1543, T1543.002 | EQL | Medium | GitHub ↗ |
| Systemd Service Created | T1543, T1543.002 | EQL | Medium | GitHub ↗ |
| Systemd Service Started by Unusual Parent Process | T1543, T1543.002 | New Terms | Low | GitHub ↗ |
| Systemd Shell Execution During Boot | T1543, T1543.002 | EQL | Low | GitHub ↗ |
| Trap Signals Execution | T1546, T1546.005 | EQL | Low | GitHub ↗ |
| UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer | T1548, T1548.002, T1559, T1559.001 | EQL | Medium | GitHub ↗ |
| UAC Bypass Attempt via Privileged IFileOperation COM Interface | T1548, T1548.002, T1574, T1574.001 | EQL | High | GitHub ↗ |
| UAC Bypass Attempt via Windows Directory Masquerading | T1036, T1036.005, T1548, T1548.002 | EQL | High | GitHub ↗ |
| UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface | T1548, T1548.002, T1559, T1559.001 | EQL | High | GitHub ↗ |
| UAC Bypass via DiskCleanup Scheduled Task Hijack | T1053, T1053.005, T1548, T1548.002 | EQL | Medium | GitHub ↗ |
| UAC Bypass via ICMLuaUtil Elevated COM Interface | T1548, T1548.002, T1559, T1559.001 | EQL | High | GitHub ↗ |
| UAC Bypass via Windows Firewall Snap-In Hijack | T1218, T1218.014, T1548, T1548.002 | EQL | Medium | GitHub ↗ |
| UID Elevation from Previously Unknown Executable | T1014, T1574, T1574.013 | New Terms | High | GitHub ↗ |
| Unauthorized Access to an Okta Application | T1078 | Custom Query | Low | GitHub ↗ |
| Unsigned DLL loaded by DNS Service | T1068 | EQL | Medium | GitHub ↗ |
| Unusual D-Bus Daemon Child Process | T1059, T1059.004, T1543 | EQL | Low | GitHub ↗ |
| Unusual Group Name Accessed by a User | T1068, T1069, T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Host Name for Okta Privileged Operations Detected | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Host Name for Windows Privileged Operations Detected | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments | T1574, T1574.006 | New Terms | High | GitHub ↗ |
| Unusual Parent-Child Relationship | T1055, T1055.012 | EQL | Medium | GitHub ↗ |
| Unusual Print Spooler Child Process | T1068 | EQL | Medium | GitHub ↗ |
| Unusual Privilege Type assigned to a User | T1068, T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Process Detected for Privileged Commands by a User | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Region Name for Okta Privileged Operations Detected | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Region Name for Windows Privileged Operations Detected | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Service Host Child Process - Childless Service | T1055, T1055.012 | EQL | Medium | GitHub ↗ |
| Unusual Source IP for Okta Privileged Operations Detected | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Source IP for Windows Privileged Operations Detected | T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Spike in Concurrent Active Sessions by a User | T1068, T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Sudo Activity | T1548 | Machine Learning | Low | GitHub ↗ |
| Unusual Windows User Privilege Elevation Activity | | Machine Learning | Low | GitHub ↗ |
| User Added to the Admin Group | T1078, T1078.003 | EQL | Low | GitHub ↗ |
| Windows Service Installed via an Unusual Client | T1543, T1543.003 | EQL | High | GitHub ↗ |
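
The catalog is meant for coverage assessment, and the rows above carry everything needed for that: the technique tags, the rule engine, and the severity. The following script is an added example (my code, not from the catalog page or from the elastic/detection-rules repository) that parses rows in the flattened form shown here and summarizes ATT&CK coverage per technique. It flags two things a practitioner cares about: techniques whose only coverage comes from Machine Learning rules, which fire only when their backing ML jobs are running, and rules with no technique tag, which never show up on the MITRE ATT&CK coverage view. The `KIBANA_TYPE` mapping from catalog labels to the Kibana detection rule API's `type` values is an assumption of the example; the sample rows are copied from this catalog.

```python
"""Parse flattened rows of the Elastic prebuilt rule catalog and summarize
ATT&CK coverage.  Added example, not code from the catalog page or from the
elastic/detection-rules repository."""
import re
from collections import defaultdict
from dataclasses import dataclass

# "Rule Type" labels as they appear in the catalog column.
RULE_TYPES = ("Custom Query", "EQL", "ES|QL", "Threshold",
              "Machine Learning", "New Terms", "Indicator Match")
SEVERITIES = ("Low", "Medium", "High", "Critical")
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITIES)}

# Assumed mapping from the catalog label to the `type` value the Kibana
# detection rule API uses for that rule engine.
KIBANA_TYPE = {
    "Custom Query": "query", "EQL": "eql", "ES|QL": "esql",
    "Threshold": "threshold", "Machine Learning": "machine_learning",
    "New Terms": "new_terms", "Indicator Match": "threat_match",
}

# A row is: <name> [<T-codes, comma separated>] <rule type> <severity> GitHub ↗
# The name is matched lazily so it stops right before the technique list or,
# for untagged rules, right before the rule type.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?P<techniques>(?:T\d{4}(?:\.\d{3})?(?:,\s*)?)+)?\s*"
    r"(?P<rule_type>" + "|".join(map(re.escape, RULE_TYPES)) + r")\s+"
    r"(?P<severity>" + "|".join(SEVERITIES) + r")\s+"
    r"GitHub\s*↗?\s*$"
)


@dataclass(frozen=True)
class Rule:
    name: str
    techniques: tuple   # ATT&CK technique / sub-technique IDs; empty if untagged
    rule_type: str
    severity: str

    @property
    def kibana_type(self):
        return KIBANA_TYPE[self.rule_type]


def parse_row(line):
    """Return a Rule for one catalog row, or None for headers and blank lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("techniques") or ""
    techniques = tuple(t.strip() for t in raw.split(",") if t.strip())
    return Rule(m.group("name"), techniques, m.group("rule_type"), m.group("severity"))


def parse_catalog(text):
    return [r for r in map(parse_row, text.splitlines()) if r is not None]


def coverage_by_technique(rules):
    """Technique ID -> list of rules tagged with it."""
    cov = defaultdict(list)
    for r in rules:
        for t in r.techniques:
            cov[t].append(r)
    return dict(cov)


def max_severity(rules_for_technique):
    return max((r.severity for r in rules_for_technique), key=SEVERITY_RANK.__getitem__)


def ml_only_techniques(rules):
    """Techniques whose only coverage is Machine Learning rules.  Those fire only
    when their backing ML jobs are running, so treat this coverage as nominal."""
    return {t for t, rs in coverage_by_technique(rules).items()
            if all(r.rule_type == "Machine Learning" for r in rs)}


def untagged_rules(rules):
    """Rules with no technique; they never appear on the ATT&CK coverage view."""
    return [r.name for r in rules if not r.techniques]


def summarize(text):
    rules = parse_catalog(text)
    cov = coverage_by_technique(rules)
    return {
        "rules": len(rules),
        "techniques": sorted(cov),
        "max_severity": {t: max_severity(rs) for t, rs in sorted(cov.items())},
        "ml_only": sorted(ml_only_techniques(rules)),
        "untagged": untagged_rules(rules),
        "by_type": {k: sum(r.rule_type == k for r in rules)
                    for k in RULE_TYPES if any(r.rule_type == k for r in rules)},
    }


# Sample input: rows copied from the privilege-escalation and defense-evasion
# tables of this catalog, plus the header line, which the parser must skip.
SAMPLE_ROWS = """\
Name Technique Rule Type Severity Source
Spike in Group Membership Events T1068, T1078 Machine Learning Low GitHub ↗
Spike in Privileged Command Execution by a User T1078 Machine Learning Low GitHub ↗
Sudoers File Activity T1548, T1548.003 EQL Medium GitHub ↗
Suspicious Activity Reported by Okta User T1078 Custom Query Medium GitHub ↗
Suspicious SeIncreaseBasePriorityPrivilege Use T1134 Custom Query High GitHub ↗
Unusual Windows User Privilege Elevation Activity Machine Learning Low GitHub ↗
Agent Spoofing - Multiple Hosts Using Same Agent T1036 ES|QL High GitHub ↗
High Number of Okta User Password Reset or Unlock Attempts T1078 Threshold Medium GitHub ↗
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run it against a copy of the whole catalog text (one row per line) and the `ml_only` and `untagged` lists tell you where the coverage map overstates what is actually running; `max_severity` shows techniques that are covered only by Low-severity rules, which are easy to lose in alert triage.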

Defense Evasion (TA0005). Rules detecting techniques adversaries use to avoid detection, including disabling security tools, obfuscating code, tampering with logs, and abusing trusted processes.

| Name | Technique | Rule Type | Severity | Source |
|---|---|---|---|---|
| Access Control List Modification via setfacl | T1222, T1222.002 | EQL | Low | GitHub ↗ |
| Adding Hidden File Attribute via Attrib | T1222, T1222.001, T1564, T1564.001 | EQL | Low | GitHub ↗ |
| Agent Spoofing - Multiple Hosts Using Same Agent | T1036 | ES\|QL | High | GitHub ↗ |
| Alternate Data Stream Creation/Execution at Volume Root Directory | T1564, T1564.004 | EQL | Medium | GitHub ↗ |
| Application Removed from Blocklist in Google Workspace | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| APT Package Manager Configuration File Creation | T1543, T1546, T1546.016, T1574 | EQL | Low | GitHub ↗ |
| Archive File with Unusual Extension | T1036, T1036.008 | EQL | Low | GitHub ↗ |
| Attempt to Clear Kernel Ring Buffer | T1070, T1070.002, T1562, T1562.001 | EQL | High | GitHub ↗ |
| Attempt to Clear Logs via Journalctl | T1070, T1070.002, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Attempt to Deactivate an Okta Network Zone | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Attempt to Deactivate an Okta Policy | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| Attempt to Deactivate an Okta Policy Rule | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Attempt to Delete an Okta Network Zone | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Attempt to Delete an Okta Policy | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Attempt to Delete an Okta Policy Rule | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| Attempt to Disable Auditd Service | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Attempt to Disable Gatekeeper | T1553 | EQL | Medium | GitHub ↗ |
| Attempt to Disable IPTables or Firewall | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Attempt to Disable Syslog Service | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Attempt to Install Kali Linux via WSL | T1202 | EQL | High | GitHub ↗ |
| Attempt to Install Root Certificate | T1553, T1553.004 | EQL | Medium | GitHub ↗ |
| Attempt to Modify an Okta Network Zone | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Attempt to Modify an Okta Policy | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| Attempt to Modify an Okta Policy Rule | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| Attempt to Unload Elastic Endpoint Security Kernel Extension | T1547, T1547.006, T1562, T1562.001 | EQL | High | GitHub ↗ |
| AWS CloudTrail Log Evasion | T1562, T1562.008 | Custom Query | Medium | GitHub ↗ |
| AWS CloudTrail Log Suspended | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| AWS CloudWatch Alarm Deletion | T1562, T1562.001, T1562.006 | Custom Query | Medium | GitHub ↗ |
| AWS CloudWatch Log Group Deletion | T1485, T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| AWS CloudWatch Log Stream Deletion | T1485, T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| AWS Config Resource Deletion | T1562, T1562.001, T1562.008 | Custom Query | Medium | GitHub ↗ |
| AWS Configuration Recorder Stopped | T1562, T1562.001, T1562.008 | Custom Query | High | GitHub ↗ |
| AWS EC2 Network Access Control List Creation | T1133, T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| AWS EC2 Network Access Control List Deletion | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| AWS EC2 Security Group Configuration Change | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| AWS First Occurrence of STS GetFederationToken Request by User | T1098, T1098.001, T1550, T1550.001 | New Terms | Medium | GitHub ↗ |
| AWS GuardDuty Detector Deletion | T1562, T1562.001 | Custom Query | High | GitHub ↗ |
| AWS RDS DB Instance Made Public | T1556, T1556.009 | EQL | Medium | GitHub ↗ |
| AWS RDS DB Instance or Cluster Password Modified | T1098, T1098.001 | EQL | Medium | GitHub ↗ |
| AWS RDS DB Snapshot Created | T1578, T1578.001 | Custom Query | Low | GitHub ↗ |
| AWS Route 53 Resolver Query Log Configuration Deleted | T1562, T1562.008 | Custom Query | Medium | GitHub ↗ |
| AWS S3 Bucket Expiration Lifecycle Configuration Added | T1070, T1485, T1485.001, T1562, T1562.008 | EQL | Low | GitHub ↗ |
| AWS S3 Bucket Server Access Logging Disabled | T1562, T1562.008 | EQL | Medium | GitHub ↗ |
| AWS SQS Queue Purge | T1562, T1562.008 | Custom Query | Medium | GitHub ↗ |
| AWS VPC Flow Logs Deletion | T1562, T1562.008 | Custom Query | High | GitHub ↗ |
| AWS WAF Access Control List Deletion | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| AWS WAF Rule or Rule Group Deletion | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Azure Automation Account Created | T1078 | Custom Query | Low | GitHub ↗ |
| Azure Automation Runbook Deleted | | Custom Query | Low | GitHub ↗ |
| Azure Blob Storage Permissions Modified | T1222 | Custom Query | Medium | GitHub ↗ |
| Azure Diagnostic Settings Alert Suppression Rule Created or Modified | T1562 | Custom Query | Low | GitHub ↗ |
| Azure Event Hub Deleted | T1562, T1562.008 | Custom Query | Medium | GitHub ↗ |
| Azure Kubernetes Services (AKS) Kubernetes Events Deleted | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| Azure VNet Firewall Front Door WAF Policy Deleted | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| Base16 or Base32 Encoding/Decoding Activity | T1027, T1140 | EQL | Medium | GitHub ↗ |
| Base64 Decoded Payload Piped to Interpreter | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | High | GitHub ↗ |
| Binary Content Copy via Cmd.exe | T1059, T1059.003, T1140 | EQL | Low | GitHub ↗ |
| Bitsadmin Activity | T1105, T1197 | EQL | Low | GitHub ↗ |
| Boot File Copy | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| BPF Program or Map Load via bpftool | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| BPF Program Tampering via bpftool | T1014, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Bypass UAC via Event Viewer | T1548, T1548.002 | EQL | High | GitHub ↗ |
| Clearing Windows Console History | T1059, T1059.001, T1070, T1070.003 | EQL | Medium | GitHub ↗ |
| Clearing Windows Event Logs | T1070, T1070.001, T1562.002 | EQL | Low | GitHub ↗ |
| Code Signing Policy Modification Through Built-in tools | T1553, T1553.006 | EQL | Medium | GitHub ↗ |
| Code Signing Policy Modification Through Registry | T1112, T1553, T1553.006 | EQL | Medium | GitHub ↗ |
| Command Execution via ForFiles | T1202 | EQL | Medium | GitHub ↗ |
| Command Line Obfuscation via Whitespace Padding | T1027, T1059, T1059.001, T1140 | ES\|QL | Medium | GitHub ↗ |
| Command Obfuscation via Unicode Modifier Letters | T1027, T1027.010 | EQL | High | GitHub ↗ |
| Command Shell Activity Started via RunDLL32 | T1059, T1059.001, T1059.003, T1218, T1218.011, T1552 | EQL | Low | GitHub ↗ |
| Component Object Model Hijacking | T1112, T1546, T1546.015 | EQL | Low | GitHub ↗ |
| Conhost Spawned By Suspicious Parent Process | T1036, T1055, T1059 | EQL | High | GitHub ↗ |
| Control Panel Process with Unusual Arguments | T1218, T1218.002 | EQL | High | GitHub ↗ |
| Creation of Hidden Files and Directories via CommandLine | T1564, T1564.001 | EQL | Low | GitHub ↗ |
| Creation of Hidden Launch Agent or Daemon | T1543, T1543.001, T1564, T1564.001 | EQL | Medium | GitHub ↗ |
| Creation of Hidden Login Item via Apple Script | T1059, T1059.002, T1547, T1647 | EQL | Medium | GitHub ↗ |
| Creation of Hidden Shared Object File | T1564, T1564.001 | EQL | Medium | GitHub ↗ |
| Creation or Modification of Root Certificate | T1553, T1553.004 | EQL | Low | GitHub ↗ |
| Curl or Wget Egress Network Connection via LoLBin | T1059, T1059.004, T1218 | EQL | Medium | GitHub ↗ |
| Decline in host-based traffic | T1499, T1562 | Machine Learning | Low | GitHub ↗ |
| Delayed Execution via Ping | T1059, T1059.001, T1059.005, T1216, T1218, T1218.003, T1218.004, T1218.005, T1218.009, T1218.010, T1218.011, T1220, T1497, T1497.003 | EQL | Low | GitHub ↗ |
| Delete Volume USN Journal with Fsutil | T1070, T1070.004 | EQL | Low | GitHub ↗ |
| Deprecated - Encoded Executable Stored in the Registry | T1112, T1140 | EQL | Medium | GitHub ↗ |
| Deprecated - M365 Exchange DLP Policy Deleted | T1562 | Custom Query | Medium | GitHub ↗ |
| Deprecated - M365 Teams External Access Enabled | T1562 | Custom Query | Medium | GitHub ↗ |
| Deprecated - Potential PowerShell Obfuscated Script | T1027, T1059, T1059.001, T1140 | Custom Query | Low | GitHub ↗ |
| Directory Creation in /bin directory | T1564, T1564.001 | EQL | Low | GitHub ↗ |
| Disable Windows Event and Security Logs Using Built-in Tools | T1070, T1070.001, T1562, T1562.002, T1562.006 | EQL | Low | GitHub ↗ |
| Disable Windows Firewall Rules via Netsh | T1562, T1562.004 | EQL | Medium | GitHub ↗ |
| Disabling Lsa Protection via Registry Modification | T1112, T1562, T1562.001 | EQL | High | GitHub ↗ |
| Disabling User Account Control via Registry Modification | T1112, T1548, T1548.002, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Disabling Windows Defender Security Settings via PowerShell | T1059, T1059.001, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| DNF Package Manager Plugin File Creation | T1543, T1546, T1546.016, T1574 | EQL | Low | GitHub ↗ |
| DNS Global Query Block List Modified or Disabled | T1557, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| DNS-over-HTTPS Enabled via Registry | T1112, T1562 | EQL | Low | GitHub ↗ |
| Domain Added to Google Workspace Trusted Domains | T1562, T1562.007 | Custom Query | High | GitHub ↗ |
| Dracut Module Creation | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| Dylib Injection via Process Environment Variables | T1574, T1574.006 | EQL | High | GitHub ↗ |
| Dynamic Linker (ld.so) Creation | T1059, T1059.004, T1218, T1574, T1574.006 | EQL | Medium | GitHub ↗ |
| Dynamic Linker Creation | T1574, T1574.006 | EQL | Medium | GitHub ↗ |
| Dynamic Linker Modification Detected via Defend for Containers | T1574, T1574.006 | EQL | High | GitHub ↗ |
| Elastic Agent Service Terminated | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Elastic Defend Alert Followed by Telemetry Loss | T1204, T1204.002, T1562, T1562.001 | EQL | High | GitHub ↗ |
| Enable Host Network Discovery via Netsh | T1562, T1562.004 | EQL | Medium | GitHub ↗ |
| Encoded Payload Detected via Defend for Containers | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Medium | GitHub ↗ |
| Entra ID OAuth Device Code Grant by Microsoft Authentication Broker | T1078, T1078.004, T1550, T1550.001, T1566, T1566.002 | Custom Query | Medium | GitHub ↗ |
| Entra ID OAuth User Impersonation to Microsoft Graph | T1078, T1078.004, T1550, T1550.001 | ES\|QL | Medium | GitHub ↗ |
| Entra ID OAuth user_impersonation Scope for Unusual User and Client | T1078, T1078.004, T1550, T1550.001, T1656 | New Terms | Medium | GitHub ↗ |
| Entra ID Privileged Identity Management (PIM) Role Modified | T1078, T1098, T1098.003 | Custom Query | Medium | GitHub ↗ |
| Entra ID Service Principal Federated Credential Authentication by Unusual Client | T1078, T1078.004, T1550, T1550.001 | New Terms | Medium | GitHub ↗ |
| Entra ID User Sign-in with Unusual Authentication Type | T1078, T1078.004, T1110, T1110.003, T1550 | New Terms | Medium | GitHub ↗ |
| ESXI Timestomping using Touch Command | T1070, T1070.006 | EQL | Medium | GitHub ↗ |
| Executable File Creation with Multiple Extensions | T1036, T1036.007, T1204, T1204.002 | EQL | Medium | GitHub ↗ |
| Executable File with Unusual Extension | T1036, T1036.008 | EQL | Low | GitHub ↗ |
| Executable Masquerading as Kernel Process | T1036, T1036.004, T1564 | EQL | High | GitHub ↗ |
| Execution from Unusual Directory - Command Line | T1036, T1036.005, T1059, T1059.003 | EQL | Medium | GitHub ↗ |
| Execution of a Downloaded Windows Script | T1059, T1059.003, T1059.005, T1059.007, T1218, T1218.005 | EQL | Medium | GitHub ↗ |
| Execution of an Unsigned Service | T1036, T1036.001, T1569, T1569.002 | New Terms | Low | GitHub ↗ |
| Execution via Electron Child Process Node.js Module | T1059, T1548 | EQL | Medium | GitHub ↗ |
| Execution via Microsoft DotNet ClickOnce Host | T1127, T1218, T1218.011 | EQL | Low | GitHub ↗ |
| Execution via MS VisualStudio Pre/Post Build Events | T1127, T1127.001 | EQL | Low | GitHub ↗ |
| Execution via Windows Command Debugging Utility | T1218 | EQL | Medium | GitHub ↗ |
| Execution via Windows Subsystem for Linux | T1202 | EQL | Medium | GitHub ↗ |
| Expired or Revoked Driver Loaded | T1036, T1036.001, T1068 | EQL | Medium | GitHub ↗ |
| File and Directory Permissions Modification | T1222, T1222.001 | EQL | Low | GitHub ↗ |
| File Compressed or Archived into Common Format by Unsigned Process | T1027, T1074, T1074.001, T1132, T1132.001, T1560, T1560.001 | EQL | Low | GitHub ↗ |
| File Creation in /var/log via Suspicious Process | T1059, T1059.004, T1564, T1564.001 | New Terms | Medium | GitHub ↗ |
| File Deletion via Shred | T1070, T1070.004 | EQL | Medium | GitHub ↗ |
| File Execution Permission Modification Detected via Defend for Containers | T1059, T1222, T1222.002 | EQL | Low | GitHub ↗ |
| File made Immutable by Chattr | T1222, T1222.002 | EQL | Medium | GitHub ↗ |
| File or Directory Deletion Command | T1070, T1070.004 | EQL | Low | GitHub ↗ |
| File Permission Modification in Writable Directory | T1222 | New Terms | High | GitHub ↗ |
| File with Right-to-Left Override Character (RTLO) Created/Executed | T1036, T1036.002, T1204, T1204.002 | EQL | Medium | GitHub ↗ |
| File with Suspicious Extension Downloaded | T1218, T1566, T1566.001, T1566.002 | EQL | Low | GitHub ↗ |
| First Time Seen Google Workspace OAuth Login from Third-Party Application | T1078, T1078.004, T1550, T1550.001 | New Terms | Medium | GitHub ↗ |
| FortiGate Overly Permissive Firewall Policy Created | T1562, T1562.004 | EQL | High | GitHub ↗ |
| Full Disk Access Permission Check | T1083, T1548, T1548.006 | EQL | Medium | GitHub ↗ |
| Full User-Mode Dumps Enabled System-Wide | T1003, T1003.001, T1112 | EQL | Medium | GitHub ↗ |
| Gatekeeper Override and Execution | T1553, T1553.001, T1562, T1562.001 | EQL | High | GitHub ↗ |
| GCP Firewall Rule Creation | T1562 | Custom Query | Low | GitHub ↗ |
| GCP Firewall Rule Deletion | T1562 | Custom Query | Medium | GitHub ↗ |
| GCP Firewall Rule Modification | T1562 | Custom Query | Medium | GitHub ↗ |
| GCP Logging Bucket Deletion | T1562 | Custom Query | Medium | GitHub ↗ |
| GCP Logging Sink Deletion | T1562 | Custom Query | Medium | GitHub ↗ |
| GCP Pub/Sub Subscription Deletion | T1562 | Custom Query | Low | GitHub ↗ |
| GCP Storage Bucket Configuration Modification | T1578 | Custom Query | Medium | GitHub ↗ |
| GCP Storage Bucket Permissions Modification | T1222 | Custom Query | Medium | GitHub ↗ |
| GCP Virtual Private Cloud Network Deletion | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| GCP Virtual Private Cloud Route Creation | T1562, T1562.007 | Custom Query | Low | GitHub ↗ |
| GCP Virtual Private Cloud Route Deletion | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| GenAI Process Compiling or Generating Executables | T1027, T1027.004 | EQL | Medium | GitHub ↗ |
| GenAI Process Performing Encoding/Chunking Prior to Network Activity | T1027 | EQL | Medium | GitHub ↗ |
| Git Hook Child Process | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Git Hook Command Execution | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Git Hook Created or Modified | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Git Hook Egress Network Connection | T1059, T1059.004, T1543, T1574 | EQL | Medium | GitHub ↗ |
| GitHub Protected Branch Settings Changed | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| GitHub Secret Scanning Disabled | T1562, T1562.001 | EQL | Low | GitHub ↗ |
| Google Workspace Bitlocker Setting Disabled | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| Google Workspace Restrictions for Marketplace Modified to Allow Any App | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| Hidden Directory Creation via Unusual Parent | T1564, T1564.001 | EQL | Low | GitHub ↗ |
| Hidden Files and Directories via Hidden Flag | T1564, T1564.001 | EQL | Medium | GitHub ↗ |
| High Number of Okta User Password Reset or Unlock Attempts | T1078 | Threshold | Medium | GitHub ↗ |
| Host Detected with Suspicious Windows Process(es) | T1036 | Machine Learning | Low | GitHub ↗ |
| Host File System Changes via Windows Subsystem for Linux | T1202 | EQL | Medium | GitHub ↗ |
| IIS HTTP Logging Disabled | T1562, T1562.002 | EQL | High | GitHub ↗ |
| Image File Execution Options Injection | T1112, T1546, T1546.012 | EQL | Medium | GitHub ↗ |
| Image Loaded with Invalid Signature | T1036, T1036.001 | EQL | Low | GitHub ↗ |
| ImageLoad via Windows Update Auto Update Client | T1218 | EQL | Medium | GitHub ↗ |
| Incoming DCOM Lateral Movement via MSHTA | T1021, T1021.003, T1218, T1218.005 | EQL | High | GitHub ↗ |
| Incoming DCOM Lateral Movement with MMC | T1021, T1021.003, T1218, T1218.014 | EQL | High | GitHub ↗ |
| Indirect Command Execution via Forfiles/Pcalua | T1202 | EQL | Low | GitHub ↗ |
| Ingress Transfer via Windows BITS | T1105, T1197 | EQL | Low | GitHub ↗ |
| Initramfs Unpacking via unmkinitramfs | T1059, T1059.004, T1542, T1543, T1574 | EQL | Low | GitHub ↗ |
| Insecure AWS EC2 VPC Security Group Ingress Rule Added | T1562, T1562.007 | Custom Query | Medium | GitHub ↗ |
| Installation of Security Support Provider | T1112, T1547, T1547.005 | EQL | Medium | GitHub ↗ |
| InstallUtil Activity | T1218, T1218.004 | EQL | Low | GitHub ↗ |
| InstallUtil Process Making Network Connections | T1218, T1218.004 | EQL | Medium | GitHub ↗ |
| Kerberos Pre-authentication Disabled for User | T1078, T1078.002, T1558, T1558.004, T1562 | EQL | Medium | GitHub ↗ |
| Kernel Driver Load | T1014, T1547, T1547.006 | EQL | Low | GitHub ↗ |
| Kernel Driver Load by non-root User | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Kernel Instrumentation Discovery via kprobes and tracefs | T1014, T1082 | EQL | Low | GitHub ↗ |
| Kernel Load or Unload via Kexec Detected | T1547, T1547.006, T1601, T1601.001, T1611 | EQL | Medium | GitHub ↗ |
| Kernel Module Load from Unusual Location | T1014, T1547, T1547.006 | EQL | High | GitHub ↗ |
| Kernel Module Load via Built-in Utility | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Kernel Module Removal | T1547, T1547.006, T1562, T1562.001 | EQL | Low | GitHub ↗ |
| Kernel Object File Creation | T1014, T1547, T1547.006 | New Terms | Low | GitHub ↗ |
| Kernel Seeking Activity | T1014, T1082 | EQL | Medium | GitHub ↗ |
| Kernel Unpacking Activity | T1014, T1082 | EQL | Medium | GitHub ↗ |
| Kill Command Execution | T1059, T1059.004, T1562, T1562.006, T1564, T1564.001 | New Terms | Low | GitHub ↗ |
| Kubeconfig File Creation or Modification | T1078, T1550 | EQL | Medium | GitHub ↗ |
| Kubernetes Events Deleted | T1070, T1070.004 | EQL | Low | GitHub ↗ |
| Linux User or Group Deletion | T1070 | EQL | Low | GitHub ↗ |
| Loadable Kernel Module Configuration File Creation | T1014, T1547, T1547.006 | EQL | Medium | GitHub ↗ |
| Local Account TokenFilter Policy Disabled | T1112, T1550, T1550.002, T1562 | EQL | Medium | GitHub ↗ |
| M365 Defender Alerts Signal | | Custom Query | Low | GitHub ↗ |
| M365 Exchange Anti-Phish Policy Deleted | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Anti-Phish Rule Modification | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange DKIM Signing Configuration Disabled | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Email Safe Attachment Rule Disabled | T1562 | Custom Query | Low | GitHub ↗ |
| M365 Exchange Email Safe Link Policy Disabled | T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Inbox Phishing Evasion Rule Created | T1564, T1564.008 | New Terms | Medium | GitHub ↗ |
| M365 Exchange Mailbox Audit Logging Bypass Added | T1562, T1562.001, T1562.008 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Malware Filter Policy Deleted | T1562 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Malware Filter Rule Modified | T1562 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange MFA Notification Email Deleted or Moved | T1070, T1070.008 | EQL | Low | GitHub ↗ |
| M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs | T1528, T1550, T1550.001, T1566, T1566.002 | ES\|QL | High | GitHub ↗ |
| M365 Security Compliance Admin Signal | T1098, T1562, T1562.001 | Custom Query | Low | GitHub ↗ |
| M365 Teams Custom Application Interaction Enabled | T1562 | Custom Query | Medium | GitHub ↗ |
| Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score | T1036, T1036.004 | EQL | High | GitHub ↗ |
| Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score | T1036, T1036.004 | EQL | Low | GitHub ↗ |
| Masquerading Space After Filename | T1036, T1036.006 | EQL | Medium | GitHub ↗ |
| Memory Dump File with Unusual Extension | T1003, T1003.001, T1036, T1036.008 | EQL | Low | GitHub ↗ |
| Memory Threat - Detected - Elastic Defend | T1055, T1620 | Custom Query | High | GitHub ↗ |
| Memory Threat - Prevented- Elastic Defend | T1055, T1620 | Custom Query | High | GitHub ↗ |
| Microsoft Build Engine Started an Unusual Process | T1027, T1027.004, T1127, T1127.001 | New Terms | Low | GitHub ↗ |
| Microsoft Build Engine Started by a Script Process | T1059, T1059.001, T1059.003, T1059.005, T1127, T1127.001 | New Terms | Medium | GitHub ↗ |
| Microsoft Build Engine Started by a System Process | T1127, T1127.001 | EQL | Medium | GitHub ↗ |
| Microsoft Build Engine Started by an Office Application | T1127, T1127.001 | EQL | High | GitHub ↗ |
| Microsoft Build Engine Using an Alternate Name | T1036, T1036.003, T1127, T1127.001 | EQL | Low | GitHub ↗ |
| Microsoft Management Console File from Unusual Path | T1059, T1059.005, T1059.007, T1218, T1218.014 | EQL | Medium | GitHub ↗ |
| Microsoft Windows Defender Tampering | T1112, T1562 | EQL | Medium | GitHub ↗ |
| Modification of AmsiEnable Registry Key | T1112, T1562, T1562.001 | EQL | High | GitHub ↗ |
| Modification of Environment Variable via Unsigned or Untrusted Parent | T1574, T1574.007 | EQL | Medium | GitHub ↗ |
| Modification of Safari Settings via Defaults Command | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| MS Office Macro Security Registry Modifications | T1112, T1204, T1204.002 | EQL | Medium | GitHub ↗ |
| MsBuild Making Network Connections | T1127, T1127.001 | EQL | Medium | GitHub ↗ |
| Mshta Making Network Connections | T1218, T1218.005 | EQL | Medium | GitHub ↗ |
| MsiExec Service Child Process With Network Connection | T1218, T1218.007 | EQL | Medium | GitHub ↗ |
| Multi-Base64 Decoding Attempt from Suspicious Location | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Medium | GitHub ↗ |
| Netsh Helper DLL | T1112, T1546, T1546.007 | EQL | Low | GitHub ↗ |
| Network Activity Detected via cat | | EQL | Medium | GitHub ↗ |
| Network Activity Detected via Kworker | T1014, T1036, T1041 | New Terms | Low | GitHub ↗ |
| Network Connection by Cups or Foomatic-rip Child | T1203 | EQL | High | GitHub ↗ |
| Network Connection via Compiled HTML File | T1204, T1204.002, T1218, T1218.001 | EQL | Low | GitHub ↗ |
| Network Connection via MsXsl | T1220 | EQL | Low | GitHub ↗ |
| Network Connection via Registration Utility | T1218, T1218.009, T1218.010 | EQL | Low | GitHub ↗ |
| Network Connection via Signed Binary | T1218 | EQL | Low | GitHub ↗ |
| Network-Level Authentication (NLA) Disabled | T1112, T1562 | EQL | Low | GitHub ↗ |
| NetworkManager Dispatcher Script Creation | T1059, T1059.004, T1543, T1574 | EQL | Low | GitHub ↗ |
| Node.js Pre or Post-Install Script Execution | T1059, T1059.004, T1204, T1204.005, T1543, T1574 | EQL | Medium | GitHub ↗ |
| NTDS Dump via Wbadmin | T1003, T1003.002, T1003.003, T1006 | EQL | Medium | GitHub ↗ |
| NullSessionPipe Registry Modification | T1021, T1021.002, T1112 | EQL | Medium | GitHub ↗ |
| Office Test Registry Persistence | T1112, T1137, T1137.002 | EQL | Low | GitHub ↗ |
| Parent Process Detected with Suspicious Windows Process(es) | T1036 | Machine Learning | Low | GitHub ↗ |
| Payload Execution via Shell Pipe Detected by Defend for Containers | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Persistence via a Hidden Plist Filename | T1543, T1543.001, T1547, T1547.011, T1564, T1564.001 | EQL | High | GitHub ↗ |
| Persistence via a Windows Installer | T1053, T1053.005, T1218, T1218.007 | EQL | Medium | GitHub ↗ |
| Persistence via Hidden Run Key Detected | T1106, T1112, T1547, T1547.001 | EQL | High | GitHub ↗ |
| Port Forwarding Rule Addition | T1112, T1572 | EQL | Medium | GitHub ↗ |
| Potential Credential Access via Renamed COM+ Services DLL | T1003, T1003.001, T1218, T1218.011 | EQL | High | GitHub ↗ |
| Potential Credential Access via Trusted Developer Utility | T1003, T1003.002, T1127, T1127.001, T1555, T1555.004 | EQL | High | GitHub ↗ |
| Potential Credential Access via Windows Utilities | T1003, T1003.001, T1003.003, T1218, T1218.011 | EQL | High | GitHub ↗ |
| Potential CVE-2025-33053 Exploitation | T1218, T1566, T1566.001, T1566.002 | EQL | High | GitHub ↗ |
| Potential Defense Evasion via CMSTP.exe | T1218, T1218.003 | EQL | Low | GitHub ↗ |
| Potential Defense Evasion via Doas | T1548, T1548.003 | EQL | Medium | GitHub ↗ |
| Potential Defense Evasion via PRoot | T1211 | EQL | High | GitHub ↗ |
| Potential Disabling of AppArmor | T1562, T1562.001 | EQL | High | GitHub ↗ |
| Potential Disabling of SELinux | T1562, T1562.001 | EQL | High | GitHub ↗ |
| Potential DLL Side-Loading via Trusted Microsoft Programs | T1036, T1574, T1574.001 | EQL | Medium | GitHub ↗ |
| Potential Escalation via Vulnerable MSI Repair | T1068, T1218, T1218.007 | EQL | High | GitHub ↗ |
| Potential Evasion via Filter Manager | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Potential Evasion via Windows Filtering Platform | T1562, T1562.004 | EQL | Medium | GitHub ↗ |
| Potential Execution via FileFix Phishing Attack | T1059, T1059.001, T1059.003, T1218, T1218.005, T1566, T1566.001 | EQL | High | GitHub ↗ |
| Potential Fake CAPTCHA Phishing Attack | T1059, T1059.001, T1059.003, T1218, T1218.005, T1566, T1566.001 | EQL | High | GitHub ↗ |
| Potential File Transfer via Certreq | T1105, T1218, T1567 | EQL | Medium | GitHub ↗ |
| Potential Hex Payload Execution via Command-Line | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Low | GitHub ↗ |
| Potential Hex Payload Execution via Common Utility | T1027, T1059, T1059.004, T1140, T1204, T1204.002 | EQL | Low | GitHub ↗ |
| Potential Hidden Process via Mount Hidepid | T1564 | EQL | High | GitHub ↗ |
| Potential HTTP Downgrade Attack | T1562, T1562.010 | New Terms | Low | GitHub ↗ |
| Potential Impersonation Attempt via Kubectl | T1078, T1528, T1550, T1550.001, T1552 | EQL | Medium | GitHub ↗ |
| Potential Kubectl Masquerading via Unexpected Process | T1036, T1036.003, T1564 | EQL | Medium | GitHub ↗ |
| Potential Local NTLM Relay via HTTP | T1212, T1218, T1218.011 | EQL | High | GitHub ↗ |
| Potential Masquerading as Browser Process | T1036, T1036.001, T1036.005, T1554 | EQL | Low | GitHub ↗ |
| Potential Masquerading as Business App Installer | T1036, T1036.001, T1036.005, T1189, T1204, T1204.002 | EQL | Low | GitHub ↗ |
| Potential Masquerading as Communication Apps | T1036, T1036.001, T1036.005, T1554 | EQL | Medium | GitHub ↗ |
| Potential Masquerading as Svchost | T1036, T1036.005 | ES\|QL | High | GitHub ↗ |
| Potential Masquerading as System32 DLL | T1036, T1036.001, T1036.005, T1554, T1574, T1574.001 | EQL | Low | GitHub ↗ |
| Potential Masquerading as System32 Executable | T1036, T1036.001, T1036.005, T1554 | EQL | Low | GitHub ↗ |
| Potential Masquerading as VLC DLL | T1036, T1036.001, T1036.005, T1554 | EQL | Low | GitHub ↗ |
| Potential Microsoft Office Sandbox Evasion | T1497 | EQL | High | GitHub ↗ |
| Potential NetNTLMv1 Downgrade Attack | T1112, T1562, T1562.010 | EQL | Medium | GitHub ↗ |
| Potential Persistence via File Modification | T1014, T1037, T1037.004, T1053, T1053.003, T1136, T1136.001, T1543, T1543.002, T1547, T1547.006, T1548, T1548.003, T1556, T1574, T1574.006 | EQL | Low | GitHub ↗ |
| Potential Persistence via Login Hook | T1547, T1647 | Custom Query | Medium | GitHub ↗ |
| Potential Persistence via Mandatory User Profile | T1112, T1547 | EQL | Medium | GitHub ↗ |
| Potential PowerShell Obfuscated Script via High Entropy | T1027, T1059, T1059.001, T1140 | Custom Query | Low | GitHub ↗ |
| Potential PowerShell Obfuscation via High Numeric Character Proportion | T1027, T1059, T1059.001, T1140 | ES\|QL | Low | GitHub ↗ |
| Potential Privacy Control Bypass via Localhost Secure Copy | T1548 | EQL | High | GitHub ↗ |
| Potential Privacy Control Bypass via TCCDB Modification | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Potential privilege escalation via CVE-2022-38028 | T1036, T1068 | EQL | High | GitHub ↗ |
| Potential Privilege Escalation via PKEXEC | T1068, T1574, T1574.007 | EQL | High | GitHub ↗ |
| Potential Privilege Escalation via SUID/SGID Proxy Execution | T1068, T1218, T1548, T1548.001 | EQL | Medium | GitHub ↗ |
| Potential Process Injection from Malicious Document | T1055, T1566, T1566.001 | EQL | Low | GitHub ↗ |
| Potential Process Injection via PowerShell | T1055, T1055.001, T1055.002, T1059, T1059.001, T1106 | Custom Query | High | GitHub ↗ |
| Potential Process Name Stomping with Prctl | T1036, T1036.005 | EQL | High | GitHub ↗ |
| Potential Remote File Execution via MSIEXEC | T1218, T1218.007, T1566, T1566.002 | EQL | Low | GitHub ↗ |
| Potential Remote Install via MsiExec | T1218, T1218.007 | EQL | High | GitHub ↗ |
| Potential RemoteMonologue Attack | T1112, T1562 | EQL | Medium | GitHub ↗ |
| Potential Secure File Deletion via SDelete Utility | T1070, T1070.004, T1485 | EQL | Low | GitHub ↗ |
| Potential Timestomp in Executable Files | T1070, T1070.006 | EQL | Medium | GitHub ↗ |
| Potential Windows Error Manager Masquerading | T1036, T1036.005 | EQL | Medium | GitHub ↗ |
| Potential Windows Session Hijacking via CcmExec | T1574 | EQL | Medium | GitHub ↗ |
| Potentially Suspicious Process Started via tmux or screen | T1218 | EQL | Medium | GitHub ↗ |
| PowerShell Invoke-NinjaCopy script | T1003, T1003.002, T1003.003, T1006, T1059, T1059.001 | Custom Query | High | GitHub ↗ |
| PowerShell Script Block Logging Disabled | T1112, T1562, T1562.002 | EQL | Medium | GitHub ↗ |
| PowerShell Script with Encryption/Decryption Capabilities | T1027, T1140 | Custom Query | Medium | GitHub ↗ |
| PowerShell Script with Log Clear Capabilities | T1059, T1059.001, T1070, T1070.001 | Custom Query | Low | GitHub ↗ |
| PowerShell Script with Windows Defender Tampering Capabilities | T1059, T1059.001, T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| PowerShell Suspicious Payload Encoded and Compressed | T1027, T1059, T1059.001, T1140 | Custom Query | High | GitHub ↗ |
| Process Activity via Compiled HTML File | T1204, T1204.002, T1218, T1218.001 | EQL | Medium | GitHub ↗ |
| Process Backgrounded by Unusual Parent | T1059, T1564 | New Terms | Low | GitHub ↗ |
| Process Execution from an Unusual Directory | T1036, T1036.005 | EQL | Medium | GitHub ↗ |
| Process Injection by the Microsoft Build Engine | T1055, T1127, T1127.001 | EQL | Low | GitHub ↗ |
| Processes with Trailing Spaces | T1036, T1036.006 | EQL | Low | GitHub ↗ |
| Program Files Directory Masquerading | T1036, T1036.005 | EQL | Medium | GitHub ↗ |
| Proxy Execution via Console Window Host | T1202 | EQL | High | GitHub ↗ |
| Proxy Execution via Windows OpenSSH | T1202 | EQL | High | GitHub ↗ |
| Proxy Shell Execution via Busybox | T1059, T1059.004, T1218 | EQL | Low | GitHub ↗ |
| Python Path File (pth) Creation | T1059, T1059.004, T1546, T1546.018, T1574 | EQL | Low | GitHub ↗ |
| Python Site or User Customize File Creation | T1059, T1059.004, T1546, T1546.018, T1574 | EQL | Low | GitHub ↗ |
| Quarantine Attrib Removed by Unsigned or Untrusted Process | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Rare AWS Error Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare Azure Activity Logs Event Failures | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare GCP Audit Failure Event Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| RDP Enabled via Registry | T1021, T1021.001, T1112 | EQL | Medium | GitHub ↗ |
| Registry Persistence via AppInit DLL | T1112, T1546, T1546.010 | EQL | Medium | GitHub ↗ |
| Remote Desktop Enabled in Windows Firewall by Netsh | T1562, T1562.004 | EQL | Medium | GitHub ↗ |
| Remote XSL Script Execution via COM | T1220, T1566, T1566.002 | EQL | Low | GitHub ↗ |
| Renamed Automation Script Interpreter | T1036, T1036.003 | EQL | High | GitHub ↗ |
| Renamed Utility Executed with Short Program Name | T1036, T1036.003 | EQL | Medium | GitHub ↗ |
| Root Certificate Installation | T1553, T1553.004 | EQL | Medium | GitHub ↗ |
| ROT Encoded Python Script Execution | T1027, T1027.013, T1140 | EQL | Medium | GitHub ↗ |
| Scheduled Tasks AT Command Enabled | T1053, T1053.002, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Script Execution via Microsoft HTML Application | T1218, T1218.005, T1218.011 | EQL | High | GitHub ↗ |
| SELinux Configuration Creation or Renaming | T1562, T1562.001 | EQL | Low | GitHub ↗ |
| Sensitive Audit Policy Sub-Category Disabled | T1070, T1070.001, T1562, T1562.002, T1562.006 | Custom Query | Medium | GitHub ↗ |
| Service Control Spawned via Script Interpreter | T1047, T1059, T1059.001, T1059.003, T1059.005, T1218, T1218.010, T1218.011, T1543, T1543.003 | EQL | Low | GitHub ↗ |
| Service DACL Modification via sc.exe | T1543, T1543.003, T1564 | EQL | Medium | GitHub ↗ |
| Service Disabled via Registry Modification | T1112, T1489 | EQL | Low | GitHub ↗ |
| Service Path Modification | T1112, T1543, T1543.003 | EQL | Low | GitHub ↗ |
| Service Path Modification via sc.exe | T1112, T1543, T1543.003 | EQL | Low | GitHub ↗ |
| Shell Command-Line History Deletion Detected via Defend for Containers | T1070, T1070.003 | EQL | High | GitHub ↗ |
| Signed Proxy Execution via MS Work Folders | T1218 | EQL | Medium | GitHub ↗ |
| SIP Provider Modification | T1553, T1553.003 | EQL | Medium | GitHub ↗ |
| SoftwareUpdate Preferences Modification | T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| SolarWinds Process Disabling Services via Registry | T1112, T1195, T1195.002, T1562, T1562.001 | EQL | Medium | GitHub ↗ |
| Spike in Successful Logon Events from a Source IP | T1078, T1078.002, T1078.003, T1110 | Machine Learning | Low | GitHub ↗ |
| SSH Authorized Keys File Deletion | T1070, T1070.004 | EQL | Low | GitHub ↗ |
| SSL Certificate Deletion | T1070, T1070.004, T1485, T1553 | EQL | Low | GitHub ↗ |
| Startup Folder Persistence via Unsigned Process | T1036, T1036.001, T1547, T1547.001 | EQL | Medium | GitHub ↗ |
| Suspicious .NET Code Compilation | T1027, T1027.004, T1059, T1059.005 | EQL | Medium | GitHub ↗ |
| Suspicious .NET Reflection via PowerShell | T1055, T1055.001, T1055.002, T1059, T1059.001, T1620 | Custom Query | Medium | GitHub ↗ |
| Suspicious Activity Reported by Okta User | T1078 | Custom Query | Medium | GitHub ↗ |
Suspicious Antimalware Scan Interface DLL T1562, T1562.001, T1574, T1574.001 EQL High GitHub ↗
Suspicious APT Package Manager Execution T1059, T1059.004, T1543, T1546, T1546.016, T1574 EQL Low GitHub ↗
Suspicious APT Package Manager Network Connection T1543, T1546, T1546.016, T1574 EQL Medium GitHub ↗
Suspicious CertUtil Commands T1140 EQL Medium GitHub ↗
Suspicious Communication App Child Process T1036, T1036.001, T1036.005, T1055, T1554 EQL Medium GitHub ↗
Suspicious Content Extracted or Decompressed via Funzip T1027, T1059, T1059.004, T1140 EQL Medium GitHub ↗
Suspicious DLL Loaded for Persistence or Privilege Escalation T1036, T1036.001, T1574, T1574.001 EQL High GitHub ↗
Suspicious Endpoint Security Parent Process T1036, T1036.005 EQL Medium GitHub ↗
Suspicious Execution from a Mounted Device T1059, T1059.001, T1059.003, T1218, T1218.005, T1218.010, T1218.011 EQL Medium GitHub ↗
Suspicious Execution via MSIEXEC T1218, T1218.007 EQL Low GitHub ↗
Suspicious Execution via Windows Subsystem for Linux T1059, T1059.004, T1202 EQL Low GitHub ↗
Suspicious Explorer Child Process T1059, T1059.001, T1059.003, T1059.005, T1218, T1566, T1566.001, T1566.002 EQL Medium GitHub ↗
Suspicious File Creation via Kworker T1014, T1547 EQL Medium GitHub ↗
Suspicious File Made Executable via Chmod Inside A Container T1059, T1222, T1222.002 EQL Low GitHub ↗
Suspicious Hidden Child Process of Launchd T1543, T1543.001, T1564, T1564.001 EQL Medium GitHub ↗
Suspicious HTML File Creation T1027, T1027.006, T1566, T1566.001, T1566.002 EQL Medium GitHub ↗
Suspicious ImagePath Service Creation T1112, T1543, T1543.003 EQL High GitHub ↗
Suspicious Kernel Feature Activity T1082, T1553, T1562, T1562.006 EQL Medium GitHub ↗
Suspicious Kworker UID Elevation T1014, T1574, T1574.013 EQL Medium GitHub ↗
Suspicious Managed Code Hosting Process T1055 EQL High GitHub ↗
Suspicious Microsoft Antimalware Service Execution T1574, T1574.001 EQL High GitHub ↗
Suspicious Microsoft Diagnostics Wizard Execution T1218 EQL High GitHub ↗
Suspicious Microsoft HTML Application Child Process T1218, T1218.005 EQL High GitHub ↗
Suspicious MS Office Child Process T1059, T1059.001, T1059.003, T1218, T1566, T1566.001 EQL Medium GitHub ↗
Suspicious MS Outlook Child Process T1059, T1059.001, T1059.003, T1218, T1566, T1566.001 EQL Low GitHub ↗
Suspicious Network Connection via systemd T1543, T1543.002, T1574 EQL Medium GitHub ↗
Suspicious Outlook Child Process T1036, T1036.001, T1036.005, T1055, T1554 EQL Low GitHub ↗
Suspicious Path Invocation from Command Line T1059, T1059.004, T1564 New Terms Low GitHub ↗
Suspicious Path Mounted T1564 EQL Medium GitHub ↗
Suspicious Portable Executable Encoded in Powershell Script T1055, T1059, T1059.001 Custom Query Medium GitHub ↗
Suspicious Process Access via Direct System Call T1055, T1106 EQL High GitHub ↗
Suspicious Process Creation CallTrace T1055 EQL Medium GitHub ↗
Suspicious Process Execution Detected via Defend for Containers T1059, T1059.004, T1071, T1620 EQL High GitHub ↗
Suspicious Process Execution via Renamed PsExec Executable T1036, T1036.003, T1569, T1569.002 EQL Medium GitHub ↗
Suspicious Renaming of ESXI Files T1036, T1036.003 EQL Medium GitHub ↗
Suspicious Script Object Execution T1218, T1218.010 EQL Medium GitHub ↗
Suspicious Startup Shell Folder Modification T1112, T1547, T1547.001 EQL High GitHub ↗
Suspicious TCC Access Granted for User Folders T1005, T1548, T1548.006 ES|QL High GitHub ↗
Suspicious Troubleshooting Pack Cabinet Execution T1218 EQL Low GitHub ↗
Suspicious Usage of bpf_probe_write_user Helper T1014, T1547, T1547.006 Custom Query High GitHub ↗
Suspicious WerFault Child Process T1036, T1546, T1546.012 EQL Medium GitHub ↗
Suspicious WMIC XSL Script Execution T1047, T1220 EQL Medium GitHub ↗
Suspicious Zoom Child Process T1036, T1055, T1203 EQL Medium GitHub ↗
System Binary Moved or Copied T1036, T1036.003, T1564 EQL Medium GitHub ↗
System Binary Symlink to Suspicious Location T1202, T1564, T1574 New Terms Low GitHub ↗
System File Ownership Change T1222, T1222.001 EQL Medium GitHub ↗
System Log File Deletion T1070, T1070.002 EQL Medium GitHub ↗
System Path File Creation and Execution Detected via Defend for Containers T1059, T1059.004, T1071 EQL Medium GitHub ↗
Tainted Kernel Module Load T1014, T1547, T1547.006 Custom Query Medium GitHub ↗
Tainted Out-Of-Tree Kernel Module Load T1014, T1547, T1547.006 Custom Query Medium GitHub ↗
Tampering of Shell Command-Line History T1070, T1070.003 EQL Medium GitHub ↗
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners T1059, T1195, T1195.001, T1562, T1562.001 EQL Medium GitHub ↗
TCC Bypass via Mounted APFS Snapshot Access T1006 EQL High GitHub ↗
Timestomping using Touch Command T1070, T1070.006 EQL Medium GitHub ↗
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer T1548, T1548.002, T1559, T1559.001 EQL Medium GitHub ↗
UAC Bypass Attempt via Privileged IFileOperation COM Interface T1548, T1548.002, T1574, T1574.001 EQL High GitHub ↗
UAC Bypass Attempt via Windows Directory Masquerading T1036, T1036.005, T1548, T1548.002 EQL High GitHub ↗
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface T1548, T1548.002, T1559, T1559.001 EQL High GitHub ↗
UAC Bypass via DiskCleanup Scheduled Task Hijack T1053, T1053.005, T1548, T1548.002 EQL Medium GitHub ↗
UAC Bypass via ICMLuaUtil Elevated COM Interface T1548, T1548.002, T1559, T1559.001 EQL High GitHub ↗
UAC Bypass via Windows Firewall Snap-In Hijack T1218, T1218.014, T1548, T1548.002 EQL Medium GitHub ↗
UID Elevation from Previously Unknown Executable T1014, T1574, T1574.013 New Terms High GitHub ↗
Unauthorized Access to an Okta Application T1078 Custom Query Low GitHub ↗
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials T1550, T1550.001 New Terms Medium GitHub ↗
Uncommon Registry Persistence Change T1112, T1546, T1546.002, T1547, T1547.001 EQL Medium GitHub ↗
Unsigned BITS Service Client Process T1036, T1036.001, T1197 EQL Low GitHub ↗
Unsigned DLL Loaded by a Trusted Process T1574, T1574.001 EQL Low GitHub ↗
Unsigned DLL Loaded by Svchost T1036, T1036.001, T1543, T1543.003, T1569, T1569.002 EQL Medium GitHub ↗
Unsigned DLL Side-Loading from a Suspicious Folder T1036, T1036.001, T1574, T1574.001 EQL Medium GitHub ↗
Untrusted Driver Loaded T1036, T1036.001 EQL High GitHub ↗
Unusual Base64 Encoding/Decoding Activity T1027, T1059, T1059.004, T1140, T1204, T1204.002 ES|QL Low GitHub ↗
Unusual Child Process from a System Virtual Process T1055 EQL High GitHub ↗
Unusual Child Processes of RunDLL32 T1218, T1218.011 EQL High GitHub ↗
Unusual Executable File Creation by a System Critical Process T1203, T1211 EQL High GitHub ↗
Unusual File Creation - Alternate Data Stream T1564, T1564.004 EQL High GitHub ↗
Unusual Interactive Shell Launched from System User T1564, T1564.002 New Terms Medium GitHub ↗
Unusual Kill Signal T1014 EQL High GitHub ↗
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments T1574, T1574.006 New Terms High GitHub ↗
Unusual Linux Network Activity T1041, T1055, T1071 Machine Learning Low GitHub ↗
Unusual Login via System User T1098, T1098.004, T1564, T1564.002 New Terms Medium GitHub ↗
Unusual Network Activity from a Windows System Binary T1036, T1036.005, T1127, T1127.001, T1218.005 EQL Medium GitHub ↗
Unusual Network Connection via DllHost T1218 EQL Medium GitHub ↗
Unusual Network Connection via RunDLL32 T1071, T1071.001, T1218, T1218.011 EQL Medium GitHub ↗
Unusual Persistence via Services Registry T1112, T1543, T1543.003 EQL Low GitHub ↗
Unusual Preload Environment Variable Process Execution T1574, T1574.006 New Terms Low GitHub ↗
Unusual Process Execution on WBEM Path T1036 EQL Low GitHub ↗
Unusual Process Execution Path - Alternate Data Stream T1564, T1564.004 EQL Medium GitHub ↗
Unusual Process Extension T1036, T1036.008 EQL Low GitHub ↗
Unusual Process Modifying GenAI Configuration File T1554, T1556 New Terms Medium GitHub ↗
Unusual Process Network Connection T1127 EQL Low GitHub ↗
Unusual Process Spawned by a Host T1218 Machine Learning Low GitHub ↗
Unusual Process Spawned by a Parent Process T1036 Machine Learning Low GitHub ↗
Unusual Process Spawned by a User T1036 Machine Learning Low GitHub ↗
Unusual Service Host Child Process - Childless Service T1055, T1055.012 EQL Medium GitHub ↗
Unusual Sudo Activity T1548 Machine Learning Low GitHub ↗
Unusual Windows Network Activity T1041, T1055, T1071 Machine Learning Low GitHub ↗
User Detected with Suspicious Windows Process(es) T1036 Machine Learning Low GitHub ↗
WDAC Policy File by an Unusual Process T1562 EQL High GitHub ↗
WebServer Access Logs Deleted T1070 EQL Medium GitHub ↗
Werfault ReflectDebugger Persistence T1112, T1546 EQL Low GitHub ↗
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) T1553, T1553.002 Custom Query Low GitHub ↗
Windows Defender Disabled via Registry Modification T1112, T1562, T1562.001, T1562.006 EQL Low GitHub ↗
Windows Defender Exclusions Added via PowerShell T1059, T1059.001, T1562, T1562.001, T1562.006 EQL Medium GitHub ↗
Windows Event Logs Cleared T1070, T1070.001 Custom Query Low GitHub ↗
Windows Firewall Disabled via PowerShell T1059, T1059.001, T1562, T1562.004 EQL Medium GitHub ↗
Windows Installer with Suspicious Properties T1218, T1218.007 EQL Low GitHub ↗
Windows Sandbox with Sensitive Configuration T1564, T1564.006 EQL Medium GitHub ↗
Windows Subsystem for Linux Distribution Installed T1112, T1202 EQL Medium GitHub ↗
Windows Subsystem for Linux Enabled via Dism Utility T1202 EQL Medium GitHub ↗
WRITEDAC Access on Active Directory Object T1222, T1222.001 Custom Query Low GitHub ↗
Yum Package Manager Plugin File Creation T1543, T1546, T1546.016, T1574 EQL Medium GitHub ↗

Rules detecting techniques adversaries use to steal credentials, such as dumping passwords, keylogging, brute forcing, and Kerberos attacks.

Name Technique Rule Type Severity Source
Access to a Sensitive LDAP Attribute T1003, T1078, T1078.002, T1552, T1552.004 EQL Medium GitHub ↗
Active Directory Forced Authentication from Linux Host - SMB Named Pipes T1187 EQL Medium GitHub ↗
Attempted Bypass of Okta MFA T1111 Custom Query High GitHub ↗
Attempted Private Key Access T1552, T1552.004 EQL Low GitHub ↗
Attempts to Brute Force an Okta User Account T1110 Threshold Medium GitHub ↗
Authentication via Unusual PAM Grantor T1543, T1556 New Terms Medium GitHub ↗
AWS Credentials Searched For Inside A Container T1552, T1552.001 EQL High GitHub ↗
AWS EC2 Instance Console Login via Assumed Role T1021, T1021.007, T1078, T1078.004, T1550, T1550.001, T1552, T1552.005 EQL High GitHub ↗
AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role T1552, T1552.005 New Terms Medium GitHub ↗
AWS EC2 User Data Retrieval for EC2 Instance T1552, T1552.005, T1580 New Terms Medium GitHub ↗
AWS IAM CompromisedKeyQuarantine Policy Attached to User T1552 EQL High GitHub ↗
AWS IAM Principal Enumeration via UpdateAssumeRolePolicy T1087, T1087.004, T1110 Threshold Medium GitHub ↗
AWS IAM User Addition to Group T1098 Custom Query Low GitHub ↗
AWS Management Console Brute Force of Root User Identity T1110 Threshold High GitHub ↗
AWS Secrets Manager Rapid Secrets Retrieval T1555, T1555.006 Threshold Medium GitHub ↗
AWS Systems Manager SecureString Parameter Request with Decryption Flag T1555, T1555.006 New Terms Medium GitHub ↗
Azure Event Hub Authorization Rule Created or Updated T1098, T1552, T1552.005 Custom Query Medium GitHub ↗
Azure Key Vault Excessive Secret or Key Retrieved T1555, T1555.006 ES|QL Medium GitHub ↗
Azure Key Vault Unusual Secret Key Usage T1555, T1555.006 New Terms Medium GitHub ↗
Azure Storage Account Key Regenerated T1098, T1098.001, T1552, T1552.005 Custom Query Low GitHub ↗
Azure Storage Account Keys Accessed by Privileged User T1078, T1078.004, T1555, T1555.006 New Terms Medium GitHub ↗
Azure VNet Full Network Packet Capture Enabled T1040 Custom Query Medium GitHub ↗
Browser Process Spawned from an Unusual Parent T1555, T1555.003 EQL High GitHub ↗
Cloud Credential Search Detected via Defend for Containers T1552, T1552.001 EQL Medium GitHub ↗
Command Shell Activity Started via RunDLL32 T1059, T1059.001, T1059.003, T1218, T1218.011, T1552 EQL Low GitHub ↗
Creation of a DNS-Named Record T1557 EQL Low GitHub ↗
Creation or Modification of Domain Backup DPAPI private key T1552, T1552.004, T1555 EQL High GitHub ↗
Credential Access via TruffleHog Execution T1003, T1555 EQL Medium GitHub ↗
Credential Acquisition via Registry Hive Dumping T1003, T1003.002, T1003.004 EQL High GitHub ↗
Credential Dumping - Detected - Elastic Endgame T1003, T1003.001 Custom Query High GitHub ↗
Credential Dumping - Prevented - Elastic Endgame T1003, T1003.001 Custom Query Medium GitHub ↗
DNS Global Query Block List Modified or Disabled T1557, T1562, T1562.001 EQL Medium GitHub ↗
Dumping Account Hashes via Built-In Commands T1003 EQL High GitHub ↗
Dumping of Keychain Content via Security Command T1555, T1555.001 EQL High GitHub ↗
Entra ID Concurrent Sign-in with Suspicious Properties T1528, T1566, T1566.002 ES|QL High GitHub ↗
Entra ID Excessive Account Lockouts Detected T1110, T1110.001, T1110.003, T1110.004 Threshold High GitHub ↗
Entra ID Illicit Consent Grant via Registered Application T1528, T1566, T1566.002 New Terms Medium GitHub ↗
Entra ID MFA TOTP Brute Force Attempted T1110, T1110.001 ES|QL Medium GitHub ↗
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource T1078, T1078.004, T1528, T1566, T1566.002 New Terms Medium GitHub ↗
Entra ID OAuth Device Code Flow with Concurrent Sign-ins T1528, T1566, T1566.002 ES|QL High GitHub ↗
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) T1078, T1078.004, T1528, T1566, T1566.002 ES|QL High GitHub ↗
Entra ID OAuth Phishing via First-Party Microsoft Application T1078, T1078.004, T1528, T1566, T1566.002 Custom Query Medium GitHub ↗
Entra ID OAuth PRT Issuance to Non-Managed Device Detected T1078, T1078.004, T1098, T1098.005, T1528 EQL Medium GitHub ↗
Entra ID Protection - Risk Detection - Sign-in Risk T1071, T1078, T1078.004, T1110, T1110.003, T1556 Custom Query High GitHub ↗
Entra ID Protection - Risk Detection - User Risk T1071, T1078, T1078.004, T1110, T1110.003, T1556 Custom Query High GitHub ↗
Entra ID Sign-in Brute Force Attempted (Microsoft 365) T1110, T1110.001, T1110.003, T1110.004 ES|QL Medium GitHub ↗
Entra ID Sign-in TeamFiltration User-Agent Detected T1069, T1069.003, T1082, T1087, T1087.004, T1110, T1110.003, T1201, T1526, T1580, T1673 Custom Query Medium GitHub ↗
Entra ID User Added as Registered Application Owner T1098, T1528 Custom Query Low GitHub ↗
Entra ID User Sign-in Brute Force Attempted T1110, T1110.001, T1110.003, T1110.004 ES|QL Medium GitHub ↗
Entra ID User Sign-in with Unusual Authentication Type T1078, T1078.004, T1110, T1110.003, T1550 New Terms Medium GitHub ↗
Entra ID User Sign-in with Unusual Client T1078, T1078.004, T1528 New Terms Medium GitHub ↗
First Time Seen AWS Secret Value Accessed in Secrets Manager T1555, T1555.006 New Terms Medium GitHub ↗
FirstTime Seen Account Performing DCSync T1003, T1003.006, T1078, T1078.002 New Terms High GitHub ↗
Full User-Mode Dumps Enabled System-Wide T1003, T1003.001, T1112 EQL Medium GitHub ↗
GenAI Process Accessing Sensitive Files T1005, T1555 EQL High GitHub ↗
GitHub Authentication Token Access via Node.js T1528, T1552, T1613 EQL Medium GitHub ↗
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User T1552, T1552.004 EQL High GitHub ↗
Kerberos Cached Credentials Dumping T1003, T1558, T1558.003 EQL High GitHub ↗
Kerberos Pre-authentication Disabled for User T1078, T1078.002, T1558, T1558.004, T1562 EQL Medium GitHub ↗
Kerberos Traffic from Unusual Process T1558 EQL Medium GitHub ↗
Keychain CommandLine Interaction via Unsigned or Untrusted Process T1555, T1555.001 EQL High GitHub ↗
Keychain Password Retrieval via Command Line T1555, T1555.001, T1555.003 EQL High GitHub ↗
Kirbi File Creation T1003, T1558 EQL High GitHub ↗
KRBTGT Delegation Backdoor T1098, T1558 EQL High GitHub ↗
Kubernetes Service Account Secret Access T1528, T1552, T1613 EQL Medium GitHub ↗
Linux init (PID 1) Secret Dump via GDB T1003, T1003.007 EQL High GitHub ↗
Linux Process Hooking via GDB T1003, T1003.007 EQL Low GitHub ↗
LSASS Memory Dump Creation T1003, T1003.001 EQL High GitHub ↗
LSASS Memory Dump Handle Access T1003, T1003.001 New Terms Medium GitHub ↗
LSASS Process Access via Windows API T1003, T1003.001, T1106 ES|QL Medium GitHub ↗
M365 Entra ID Risk Detection Signal T1078, T1078.004, T1110 Custom Query Low GitHub ↗
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs T1528, T1550, T1550.001, T1566, T1566.002 ES|QL High GitHub ↗
M365 Identity OAuth Flow by User Sign-in to Device Registration T1098, T1098.005, T1528, T1566, T1566.002 EQL High GitHub ↗
M365 Identity OAuth Illicit Consent Grant by Rare Client and User T1528, T1566, T1566.002 New Terms Medium GitHub ↗
M365 Identity User Account Lockouts T1110, T1110.001, T1110.003, T1110.004 ES|QL Medium GitHub ↗
M365 Identity User Brute Force Attempted T1110, T1110.001, T1110.003, T1110.004 ES|QL Medium GitHub ↗
M365 Purview Security Compliance Signal Custom Query Low GitHub ↗
Manual Loading of a Suspicious Chromium Extension T1176, T1539 EQL High GitHub ↗
Manual Memory Dumping via Proc Filesystem T1003, T1003.007, T1212 EQL High GitHub ↗
Memory Dump File with Unusual Extension T1003, T1003.001, T1036, T1036.008 EQL Low GitHub ↗
Microsoft Graph Request User Impersonation by Unusual Client T1078, T1078.004, T1528 New Terms Low GitHub ↗
Microsoft IIS Connection Strings Decryption T1003 EQL High GitHub ↗
Microsoft IIS Service Account Password Dumped T1003 EQL Low GitHub ↗
Mimikatz Memssp Log File Detected T1003 EQL High GitHub ↗
Modification of WDigest Security Provider T1003, T1003.001 EQL High GitHub ↗
Multiple Cloud Secrets Accessed by Source Address T1555, T1555.006 ES|QL High GitHub ↗
Multiple Device Token Hashes for Single Okta Session T1539 ES|QL Medium GitHub ↗
Multiple Logon Failure Followed by Logon Success T1110, T1110.001, T1110.003 EQL Medium GitHub ↗
Multiple Logon Failure from the same Source Address T1110, T1110.001, T1110.003 ES|QL Medium GitHub ↗
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy T1110, T1110.003, T1110.004 Threshold Medium GitHub ↗
Multiple Okta User Authentication Events with Same Device Token Hash T1110, T1110.003, T1110.004 ES|QL Low GitHub ↗
Multiple Vault Web Credentials Read T1003, T1555, T1555.004 EQL Medium GitHub ↗
Network Logon Provider Registry Modification T1543, T1556 EQL Medium GitHub ↗
New GitHub Personal Access Token (PAT) Added T1136, T1136.003, T1528 EQL Low GitHub ↗
NTDS Dump via Wbadmin T1003, T1003.002, T1003.003, T1006 EQL Medium GitHub ↗
NTDS or SAM Database File Copied T1003, T1003.002, T1003.003 EQL High GitHub ↗
Okta Admin Console Login Failure T1078, T1110 Custom Query Low GitHub ↗
Okta AiTM Session Cookie Replay T1539, T1550, T1550.004 ES|QL High GitHub ↗
Okta Multiple OS Names Detected for a Single DT Hash T1539 Threshold High GitHub ↗
Okta Successful Login After Credential Attack T1078, T1078.004, T1110, T1110.001, T1110.003, T1110.004 ES|QL High GitHub ↗
Okta User Session Impersonation Custom Query High GitHub ↗
Pluggable Authentication Module (PAM) Creation in Unusual Directory T1543, T1556 EQL Low GitHub ↗
Pluggable Authentication Module (PAM) Source Download T1543, T1556 EQL Medium GitHub ↗
Pluggable Authentication Module (PAM) Version Discovery T1082, T1543, T1556 EQL Low GitHub ↗
Pluggable Authentication Module or Configuration Creation T1543, T1556 EQL Medium GitHub ↗
Polkit Policy Creation T1543, T1556 EQL Low GitHub ↗
Potential Active Directory Replication Account Backdoor T1003, T1003.006 Custom Query Medium GitHub ↗
Potential ADIDNS Poisoning via Wildcard Record Creation T1557 EQL High GitHub ↗
Potential Backdoor Execution Through PAM_EXEC T1543, T1556 EQL Medium GitHub ↗
Potential Computer Account NTLM Relay Activity T1187, T1557, T1557.001 EQL Medium GitHub ↗
Potential Cookies Theft via Browser Debugging T1539 EQL Medium GitHub ↗
Potential Credential Access via DCSync T1003, T1003.006, T1078, T1078.002 New Terms Medium GitHub ↗
Potential Credential Access via DuplicateHandle in LSASS T1003, T1003.001 EQL Medium GitHub ↗
Potential Credential Access via LSASS Memory Dump T1003, T1003.001, T1106 EQL High GitHub ↗
Potential Credential Access via Memory Dump File Creation T1003, T1003.001 EQL Low GitHub ↗
Potential Credential Access via Renamed COM+ Services DLL T1003, T1003.001, T1218, T1218.011 EQL High GitHub ↗
Potential Credential Access via Trusted Developer Utility T1003, T1003.002, T1127, T1127.001, T1555, T1555.004 EQL High GitHub ↗
Potential Credential Access via Windows Utilities T1003, T1003.001, T1003.003, T1218, T1218.011 EQL High GitHub ↗
Potential Execution via SSH Backdoor T1021, T1021.004, T1543, T1556, T1563, T1563.001 EQL Medium GitHub ↗
Potential External Linux SSH Brute Force Detected T1110, T1110.001, T1110.003 EQL Low GitHub ↗
Potential Impersonation Attempt via Kubectl T1078, T1528, T1550, T1550.001, T1552 EQL Medium GitHub ↗
Potential Internal Linux SSH Brute Force Detected T1110, T1110.001, T1110.003 EQL Medium GitHub ↗
Potential Invoke-Mimikatz PowerShell Script T1003, T1003.001 Custom Query Critical GitHub ↗
Potential Kerberos Attack via Bifrost T1550, T1550.003, T1558, T1558.003 EQL High GitHub ↗
Potential Kerberos Coercion via DNS-Based SPN Spoofing T1187, T1557, T1557.001 Custom Query High GitHub ↗
Potential Kerberos Relay Attack against a Computer Account T1187, T1557, T1557.001 EQL High GitHub ↗
Potential Kerberos SPN Spoofing via Suspicious DNS Query T1187, T1557, T1557.001 EQL High GitHub ↗
Potential Linux Credential Dumping via Proc Filesystem T1003, T1003.007, T1212 EQL High GitHub ↗
Potential Linux Credential Dumping via Unshadow T1003, T1003.008 EQL High GitHub ↗
Potential Linux Local Account Brute Force Detected T1110, T1110.001 ES|QL Medium GitHub ↗
Potential Local NTLM Relay via HTTP T1212, T1218, T1218.011 EQL High GitHub ↗
Potential LSASS Clone Creation via PssCaptureSnapShot T1003, T1003.001 EQL High GitHub ↗
Potential LSASS Memory Dump via PssCaptureSnapShot T1003, T1003.001 Threshold High GitHub ↗
Potential Machine Account Relay Attack via SMB T1187, T1557, T1557.001 EQL High GitHub ↗
Potential macOS SSH Brute Force Detected T1110 Threshold Medium GitHub ↗
Potential NTLM Relay Attack against a Computer Account T1187, T1557, T1557.001 EQL High GitHub ↗
Potential Okta Brute Force (Device Token Rotation) T1110 ES|QL Low GitHub ↗
Potential Okta Brute Force (Multi-Source) T1110, T1110.001 ES|QL Medium GitHub ↗
Potential Okta Credential Stuffing (Single Source) T1110, T1110.004 ES|QL Medium GitHub ↗
Potential Okta MFA Bombing via Push Notifications T1621 EQL High GitHub ↗
Potential Okta Password Spray (Multi-Source) T1110, T1110.003 ES|QL Medium GitHub ↗
Potential Okta Password Spray (Single Source) T1110, T1110.003 ES|QL Medium GitHub ↗
Potential OpenSSH Backdoor Logging Activity T1554, T1556 EQL Low GitHub ↗
Potential Password Spraying Attack via SSH T1110, T1110.001, T1110.003 ES|QL Low GitHub ↗
Potential Persistence via File Modification T1014, T1037, T1037.004, T1053, T1053.003, T1136, T1136.001, T1543, T1543.002, T1547, T1547.006, T1548, T1548.003, T1556, T1574, T1574.006 EQL Low GitHub ↗
Potential PowerShell Pass-the-Hash/Relay Script T1059, T1059.001, T1550, T1550.002, T1557 Custom Query High GitHub ↗
Potential Remote Credential Access via Registry T1003, T1003.002, T1021 EQL High GitHub ↗
Potential Secret Scanning via Gitleaks T1003, T1555 EQL Medium GitHub ↗
Potential Shadow Credentials added to AD Object T1556 Custom Query High GitHub ↗
Potential Shadow File Read via Command Line Utilities T1003, T1003.008, T1068 New Terms Medium GitHub ↗
Potential SSH Password Grabbing via strace T1554, T1556 EQL Medium GitHub ↗
Potential Successful SSH Brute Force Attack T1110, T1110.001, T1110.003 EQL High GitHub ↗
Potential Unauthorized Access via Wildcard Injection Detected T1003, T1003.008, T1068 EQL Medium GitHub ↗
Potential Veeam Credential Access Command T1003, T1059, T1059.001, T1555 EQL Medium GitHub ↗
Potential WPAD Spoofing via DNS Record Creation T1557 EQL Medium GitHub ↗
Potentially Successful Okta MFA Bombing via Push Notifications T1621 EQL High GitHub ↗
PowerShell Invoke-NinjaCopy script T1003, T1003.002, T1003.003, T1006, T1059, T1059.001 Custom Query High GitHub ↗
PowerShell Kerberos Ticket Dump T1003, T1059, T1059.001, T1558 Custom Query High GitHub ↗
PowerShell Kerberos Ticket Request T1003, T1059, T1059.001, T1558, T1558.003 Custom Query High GitHub ↗
PowerShell MiniDump Script T1003, T1003.001, T1059, T1059.001 Custom Query High GitHub ↗
PowerShell Script with Veeam Credential Access Capabilities T1003, T1059, T1059.001, T1555 Custom Query Medium GitHub ↗
Private Key Searching Activity T1552, T1552.001 EQL High GitHub ↗
Privileged Account Brute Force T1110, T1110.001, T1110.003 ES|QL Medium GitHub ↗
Prompt for Credentials with Osascript T1056, T1056.002 EQL High GitHub ↗
Rare Connection to WebDAV Target T1187 ES|QL Medium GitHub ↗
Renaming of OpenSSH Binaries T1021, T1021.004, T1543, T1556, T1563, T1563.001 Custom Query Low GitHub ↗
Searching for Saved Credentials via VaultCmd T1003, T1555, T1555.004 EQL Medium GitHub ↗
Sensitive File Compression Detected via Defend for Containers T1552, T1552.001, T1560, T1560.001 EQL Medium GitHub ↗
Sensitive Files Compression T1552, T1552.001, T1560, T1560.001 New Terms Medium GitHub ↗
Sensitive Files Compression Inside A Container T1552, T1552.001, T1560, T1560.001 EQL High GitHub ↗
Sensitive Keys Or Passwords Search Detected via Defend for Containers T1552, T1552.001 EQL Medium GitHub ↗
Sensitive Keys Or Passwords Searched For Inside A Container T1552, T1552.001 EQL Medium GitHub ↗
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User T1098, T1558 Custom Query High GitHub ↗
Sensitive Registry Hive Access via RegBack T1003, T1003.002, T1003.004 EQL High GitHub ↗
Service Creation via Local Kerberos Authentication T1543, T1543.003, T1558 EQL High GitHub ↗
Spike in Failed Logon Events T1110 Machine Learning Low GitHub ↗
Spike in Logon Events T1110 Machine Learning Low GitHub ↗
Spike in Successful Logon Events from a Source IP T1078, T1078.002, T1078.003, T1110 Machine Learning Low GitHub ↗
Suspicious /proc/maps Discovery T1003, T1003.007, T1057 EQL High GitHub ↗
Suspicious Kerberos Authentication Ticket Request T1550, T1550.003, T1558, T1558.003 EQL High GitHub ↗
Suspicious LSASS Access via MalSecLogon T1003, T1003.001 EQL High GitHub ↗
Suspicious Lsass Process Access T1003, T1003.001 EQL Medium GitHub ↗
Suspicious Module Loaded by LSASS T1003, T1003.001 EQL Medium GitHub ↗
Suspicious pbpaste High Volume Activity T1056 EQL Medium GitHub ↗
Suspicious Remote Registry Access via SeBackupPrivilege T1003, T1003.002, T1003.004, T1021 EQL Medium GitHub ↗
Suspicious Symbolic Link Created T1003, T1003.008, T1548 EQL Low GitHub ↗
Suspicious Web Browser Sensitive File Access T1539, T1555, T1555.003 EQL High GitHub ↗
Symbolic Link to Shadow Copy Created T1003, T1003.002, T1003.003 EQL Medium GitHub ↗
SystemKey Access via Command Line T1555, T1555.001 EQL High GitHub ↗
Untrusted DLL Loaded by Azure AD Sync Service T1003 EQL High GitHub ↗
Unusual Instance Metadata Service (IMDS) API Request T1552, T1552.005, T1580 EQL Medium GitHub ↗
Unusual Linux Process Calling the Metadata Service T1552, T1552.005 Machine Learning Low GitHub ↗
Unusual Linux User Calling the Metadata Service T1552, T1552.005 Machine Learning Low GitHub ↗
Unusual Login Activity T1110 Machine Learning Low GitHub ↗
Unusual Web Config File Access T1003 New Terms High GitHub ↗
Unusual Windows Process Calling the Metadata Service T1552, T1552.005 Machine Learning Low GitHub ↗
Unusual Windows User Calling the Metadata Service T1552, T1552.005 Machine Learning Low GitHub ↗
User account exposed to Kerberoasting T1558, T1558.003 Custom Query Medium GitHub ↗
Veeam Backup Library Loaded by Unusual Process T1003, T1059, T1059.001, T1555 EQL Medium GitHub ↗
Web Server Suspicious User Agent Requests T1110, T1595, T1595.001, T1595.002, T1595.003 ES|QL Low GitHub ↗
WebProxy Settings Modification T1539 EQL Medium GitHub ↗
Windows Registry File Creation in SMB Share T1003, T1003.002, T1021, T1021.002 EQL Medium GitHub ↗
Wireless Credential Dumping using Netsh Command T1003, T1082, T1555 EQL High GitHub ↗

Rules detecting techniques adversaries use to learn about your environment, including network scanning, system enumeration, and account discovery.

| Name | Technique | Rule Type | Severity | Source |
|---|---|---|---|---|
| Account or Group Discovery via Built-In Tools | T1069, T1069.001, T1069.002, T1087, T1087.001, T1087.002 | New Terms | Low | GitHub ↗ |
| Active Directory Discovery using AdExplorer | T1016, T1018, T1069, T1069.002, T1087, T1087.002, T1482 | EQL | Low | GitHub ↗ |
| AdFind Command Activity | T1016, T1018, T1069, T1069.002, T1087, T1087.002, T1482 | EQL | Low | GitHub ↗ |
| AWS Discovery API Calls via CLI from a Single Resource | T1580 | ES\|QL | Low | GitHub ↗ |
| AWS EC2 Deprecated AMI Discovery | T1580 | Custom Query | Low | GitHub ↗ |
| AWS EC2 Multi-Region DescribeInstances API Calls | T1580 | ES\|QL | Low | GitHub ↗ |
| AWS EC2 User Data Retrieval for EC2 Instance | T1552, T1552.005, T1580 | New Terms | Medium | GitHub ↗ |
| AWS IAM Principal Enumeration via UpdateAssumeRolePolicy | T1087, T1087.004, T1110 | Threshold | Medium | GitHub ↗ |
| AWS S3 Bucket Enumeration or Brute Force | T1530, T1619, T1657 | Threshold | Low | GitHub ↗ |
| AWS S3 Unauthenticated Bucket Access by Rare Source | T1485, T1530, T1619 | New Terms | Medium | GitHub ↗ |
| AWS Service Quotas Multi-Region GetServiceQuota Requests | T1580 | ES\|QL | Low | GitHub ↗ |
| AWS SSM Inventory Reconnaissance by Rare User | T1538, T1580 | New Terms | Medium | GitHub ↗ |
| AWS STS GetCallerIdentity API Called for the First Time | T1087, T1087.004 | New Terms | Medium | GitHub ↗ |
| Deprecated - PowerShell Script with Discovery Capabilities | T1007, T1012, T1049, T1057, T1059, T1059.001, T1082, T1083, T1087, T1087.001, T1087.002, T1135, T1201, T1482, T1518, T1518.001, T1615 | Custom Query | Low | GitHub ↗ |
| Deprecated - Unusual Discovery Activity by User |  | New Terms | Low | GitHub ↗ |
| Discovery Command Output Written to Suspicious File | T1074, T1074.001, T1082 | EQL | Medium | GitHub ↗ |
| Discovery of Domain Groups | T1069 | EQL | Low | GitHub ↗ |
| Discovery of Internet Capabilities via Built-in Tools | T1016, T1016.001 | New Terms | Low | GitHub ↗ |
| DNS Request for IP Lookup Service via Unsigned Binary | T1016, T1016.001 | EQL | Medium | GitHub ↗ |
| Docker Socket Enumeration | T1613 | EQL | Medium | GitHub ↗ |
| Entra ID Sign-in BloodHound Suite User-Agent Detected | T1069, T1069.003, T1082, T1087, T1087.004, T1201, T1526, T1580, T1673 | EQL | Medium | GitHub ↗ |
| Entra ID Sign-in TeamFiltration User-Agent Detected | T1069, T1069.003, T1082, T1087, T1087.004, T1110, T1110.003, T1201, T1526, T1580, T1673 | Custom Query | Medium | GitHub ↗ |
| Enumerating Domain Trusts via DSQUERY.EXE | T1018, T1482 | EQL | Low | GitHub ↗ |
| Enumerating Domain Trusts via NLTEST.EXE | T1018, T1482 | EQL | Low | GitHub ↗ |
| Enumeration Command Spawned via WMIPrvSE | T1016, T1016.001, T1018, T1047, T1057, T1087, T1518 | EQL | Low | GitHub ↗ |
| Enumeration of Administrator Accounts | T1069, T1069.001, T1069.002, T1087, T1087.001, T1087.002 | EQL | Low | GitHub ↗ |
| Enumeration of Kernel Modules via Proc | T1082 | New Terms | Low | GitHub ↗ |
| Enumeration of Privileged Local Groups Membership | T1069, T1069.001 | New Terms | Medium | GitHub ↗ |
| Enumeration of Users or Groups via Built-in Commands | T1069, T1069.001, T1087, T1087.001 | EQL | Low | GitHub ↗ |
| ESXI Discovery via Find | T1518 | EQL | Medium | GitHub ↗ |
| ESXI Discovery via Grep | T1518 | EQL | Medium | GitHub ↗ |
| External IP Address Discovery via Curl | T1016, T1016.001 | EQL | Low | GitHub ↗ |
| External IP Lookup from Non-Browser Process | T1016, T1016.001, T1614 | EQL | Low | GitHub ↗ |
| Full Disk Access Permission Check | T1083, T1548, T1548.006 | EQL | Medium | GitHub ↗ |
| GitHub Authentication Token Access via Node.js | T1528, T1552, T1613 | EQL | Medium | GitHub ↗ |
| Group Policy Discovery via Microsoft GPResult Utility | T1615 | EQL | Low | GitHub ↗ |
| Hping Process Activity | T1082 | EQL | Medium | GitHub ↗ |
| Kernel Instrumentation Discovery via kprobes and tracefs | T1014, T1082 | EQL | Low | GitHub ↗ |
| Kernel Seeking Activity | T1014, T1082 | EQL | Medium | GitHub ↗ |
| Kernel Unpacking Activity | T1014, T1082 | EQL | Medium | GitHub ↗ |
| Kubeconfig File Discovery | T1613 | EQL | Low | GitHub ↗ |
| Kubectl Configuration Discovery | T1613 | EQL | Low | GitHub ↗ |
| Kubectl Permission Discovery | T1613 | EQL | Medium | GitHub ↗ |
| Kubectl Workload and Cluster Discovery | T1069, T1613 | EQL | Low | GitHub ↗ |
| Kubelet Certificate File Access Detected via Defend for Containers | T1613 | EQL | Low | GitHub ↗ |
| Kubelet Pod Discovery Detected via Defend for Containers | T1613 | EQL | Low | GitHub ↗ |
| Kubernetes Denied Service Account Request via Unusual User Agent | T1613 | New Terms | Low | GitHub ↗ |
| Kubernetes Direct API Request via Curl or Wget | T1059, T1059.004, T1613 | EQL | Medium | GitHub ↗ |
| Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected | T1613 | ES\|QL | Medium | GitHub ↗ |
| Kubernetes Potential Endpoint Permission Enumeration Attempt Detected | T1613 | ES\|QL | Medium | GitHub ↗ |
| Kubernetes Service Account Secret Access | T1528, T1552, T1613 | EQL | Medium | GitHub ↗ |
| Kubernetes Suspicious Self-Subject Review via Unusual User Agent | T1613 | New Terms | Low | GitHub ↗ |
| Linux System Information Discovery | T1082 | New Terms | Low | GitHub ↗ |
| Linux System Information Discovery via Getconf | T1082 | New Terms | Low | GitHub ↗ |
| M365 SharePoint Search for Sensitive Content | T1213, T1213.002, T1530, T1619 | EQL | Low | GitHub ↗ |
| Manual Mount Discovery via /etc/exports or /etc/fstab | T1082 | EQL | Medium | GitHub ↗ |
| Mounting Hidden or WebDav Remote Shares | T1021, T1021.002, T1078, T1078.003, T1087, T1087.001, T1087.002 | EQL | Medium | GitHub ↗ |
| Network Traffic Capture via CAP_NET_RAW | T1040 | New Terms | Low | GitHub ↗ |
| Nping Process Activity | T1046 | EQL | Medium | GitHub ↗ |
| Peripheral Device Discovery | T1120 | EQL | Low | GitHub ↗ |
| Pluggable Authentication Module (PAM) Version Discovery | T1082, T1543, T1556 | EQL | Low | GitHub ↗ |
| Polkit Version Discovery | T1082 | EQL | Low | GitHub ↗ |
| Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers | T1059, T1059.004, T1613 | EQL | Medium | GitHub ↗ |
| Potential Enumeration via Active Directory Web Service | T1018 | EQL | Medium | GitHub ↗ |
| Potential Memory Seeking Activity | T1057 | EQL | Low | GitHub ↗ |
| Potential Network Scan Detected | T1046, T1595, T1595.001 | ES\|QL | Low | GitHub ↗ |
| Potential Network Scan Executed From Host | T1046 | Threshold | Medium | GitHub ↗ |
| Potential Network Share Discovery | T1039, T1135 | EQL | Low | GitHub ↗ |
| Potential Network Sweep Detected | T1046, T1595, T1595.001 | Threshold | Low | GitHub ↗ |
| Potential Port Scanning Activity from Compromised Host | T1046 | ES\|QL | Low | GitHub ↗ |
| Potential Subnet Scanning Activity from Compromised Host | T1046 | ES\|QL | Medium | GitHub ↗ |
| Potential SYN-Based Port Scan Detected | T1046, T1595, T1595.001 | Threshold | Low | GitHub ↗ |
| PowerShell Script with Password Policy Discovery Capabilities | T1059, T1059.001, T1201 | Custom Query | Low | GitHub ↗ |
| PowerShell Share Enumeration Script | T1039, T1059, T1059.001, T1106, T1135 | Custom Query | High | GitHub ↗ |
| PowerShell Suspicious Discovery Related Windows API Functions | T1039, T1059, T1059.001, T1069, T1069.001, T1087, T1087.001, T1106, T1135, T1482 | Custom Query | Low | GitHub ↗ |
| Private Key Searching Activity | T1552, T1552.001 | EQL | High | GitHub ↗ |
| Process Capability Enumeration | T1057 | EQL | Medium | GitHub ↗ |
| Process Discovery Using Built-in Tools | T1057 | EQL | Low | GitHub ↗ |
| Process Discovery via Built-In Applications | T1057, T1518, T1518.001 | New Terms | Low | GitHub ↗ |
| Query Registry using Built-in Tools | T1012 | New Terms | Low | GitHub ↗ |
| Rare AWS Error Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare Azure Activity Logs Event Failures | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare GCP Audit Failure Event Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Remote System Discovery Commands | T1016, T1018 | EQL | Low | GitHub ↗ |
| Security File Access via Common Utilities |  | EQL | Low | GitHub ↗ |
| Security Software Discovery using WMIC | T1047, T1518, T1518.001 | EQL | Medium | GitHub ↗ |
| Security Software Discovery via Grep | T1518, T1518.001 | EQL | Medium | GitHub ↗ |
| Spike in AWS Error Messages | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Spike in Azure Activity Logs Failed Messages | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Spike in Firewall Denies | T1041, T1046, T1071, T1498, T1499, T1590 | Machine Learning | Low | GitHub ↗ |
| Spike in GCP Audit Failed Messages | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic | T1041, T1046, T1498, T1595 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic To a Country | T1041, T1046, T1071, T1595 | Machine Learning | Low | GitHub ↗ |
| Sudo Command Enumeration Detected | T1033 | EQL | Low | GitHub ↗ |
| SUID/SGUID Enumeration Detected | T1083, T1548, T1548.001 | EQL | Medium | GitHub ↗ |
| Suspicious /proc/maps Discovery | T1003, T1003.007, T1057 | EQL | High | GitHub ↗ |
| Suspicious Access to LDAP Attributes | T1069 | EQL | Low | GitHub ↗ |
| Suspicious Dynamic Linker Discovery via od | T1057 | EQL | High | GitHub ↗ |
| Suspicious Kernel Feature Activity | T1082, T1553, T1562, T1562.006 | EQL | Medium | GitHub ↗ |
| Suspicious Memory grep Activity | T1057 | EQL | High | GitHub ↗ |
| Suspicious Modprobe File Event | T1082 | New Terms | Low | GitHub ↗ |
| Suspicious Network Tool Launch Detected via Defend for Containers | T1046, T1105, T1595 | EQL | Low | GitHub ↗ |
| Suspicious Network Tool Launched Inside A Container | T1046, T1105, T1595 | EQL | Low | GitHub ↗ |
| Suspicious Proc Pseudo File System Enumeration | T1057, T1082 | Threshold | Low | GitHub ↗ |
| Suspicious SIP Check by macOS Application | T1082, T1497, T1497.001 | EQL | Medium | GitHub ↗ |
| Suspicious Sysctl File Event | T1082 | New Terms | Low | GitHub ↗ |
| Suspicious which Enumeration | T1082 | EQL | Low | GitHub ↗ |
| System and Network Configuration Check | T1016, T1082 | EQL | Medium | GitHub ↗ |
| System Hosts File Access | T1018 | EQL | Low | GitHub ↗ |
| System Information Discovery via dmidecode from Parent Shell | T1082 | EQL | Low | GitHub ↗ |
| System Information Discovery via Windows Command Shell | T1059, T1059.003, T1082, T1083 | EQL | Low | GitHub ↗ |
| System Network Connections Discovery | T1049 | New Terms | Low | GitHub ↗ |
| System Owner/User Discovery Linux | T1033, T1069 | New Terms | Low | GitHub ↗ |
| System Public IP Discovery via DNS Query | T1016, T1071, T1071.004 | EQL | High | GitHub ↗ |
| System Service Discovery through built-in Windows Utilities | T1007 | EQL | Low | GitHub ↗ |
| System Time Discovery | T1124 | EQL | Low | GitHub ↗ |
| Unusual Discovery Signal Alert with Unusual Process Command Line |  | New Terms | Low | GitHub ↗ |
| Unusual Discovery Signal Alert with Unusual Process Executable |  | New Terms | Low | GitHub ↗ |
| Unusual Group Name Accessed by a User | T1068, T1069, T1078 | Machine Learning | Low | GitHub ↗ |
| Unusual Instance Metadata Service (IMDS) API Request | T1552, T1552.005, T1580 | EQL | Medium | GitHub ↗ |
| Unusual Kernel Module Enumeration | T1082 | New Terms | Low | GitHub ↗ |
| Unusual Linux Network Configuration Discovery | T1016 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux Network Connection Discovery | T1049 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux Process Discovery Activity | T1057 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux System Information Discovery Activity | T1082 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux User Discovery Activity | T1033 | Machine Learning | Low | GitHub ↗ |
| Unusual User Privilege Enumeration via id | T1033 | EQL | Medium | GitHub ↗ |
| Virtual Machine Fingerprinting | T1082 | EQL | High | GitHub ↗ |
| Virtual Machine Fingerprinting via Grep | T1082 | EQL | Medium | GitHub ↗ |
| Web Server Local File Inclusion Activity | T1083 | ES\|QL | Low | GitHub ↗ |
| Web Server Potential Remote File Inclusion Activity | T1083 | ES\|QL | Low | GitHub ↗ |
| Whoami Process Activity | T1033 | EQL | Low | GitHub ↗ |
| Windows Account or Group Discovery | T1069, T1069.001, T1069.002, T1087, T1087.001, T1087.002, T1201 | EQL | Low | GitHub ↗ |
| Windows Network Enumeration | T1018, T1039, T1135 | EQL | Medium | GitHub ↗ |
| Windows System Information Discovery | T1082 | EQL | Low | GitHub ↗ |
| Windows System Network Connections Discovery | T1049, T1082 | EQL | Low | GitHub ↗ |
| Wireless Credential Dumping using Netsh Command | T1003, T1082, T1555 | EQL | High | GitHub ↗ |
| Yum/DNF Plugin Status Discovery | T1082 | EQL | Low | GitHub ↗ |
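
A catalog table is most useful once it is turned into numbers: which techniques have any rule at all, how many rules reference each one, and which techniques are covered only by Low-severity rules that will never page an analyst. The script below is an added example, not code from this page or from the elastic/detection-rules repository. It parses rows in the flattened `Name Technique Rule Type Severity Source` form used in this catalog (a handful of rows copied from the Discovery table serve as constructed sample input), then summarises coverage per technique and per rule type. The function names (`parse_row`, `coverage`, `weak_coverage`, `rule_type_mix`) and the right-to-left parsing strategy are this example's own.

```python
"""Coverage summary over prebuilt-rule catalog rows.

Added example, not part of elastic/detection-rules. It parses rows in the
flattened form used on this page ("Name T-ids Rule Type Severity GitHub ↗")
and reports which ATT&CK techniques are covered and how well.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Closed vocabularies taken from the catalog's own columns.
# RULE_TYPES is ordered longest first so multi-word types win suffix matching.
RULE_TYPES = ("Machine Learning", "Custom Query", "New Terms", "Threshold", "ES|QL", "EQL")
SEVERITIES = ("Low", "Medium", "High", "Critical")
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample input: rows copied from the Discovery table above.
SAMPLE_ROWS = [
    "AdFind Command Activity T1016, T1018, T1069, T1069.002, T1087, T1087.002, T1482 EQL Low GitHub ↗",
    "AWS S3 Bucket Enumeration or Brute Force T1530, T1619, T1657 Threshold Low GitHub ↗",
    "Deprecated - Unusual Discovery Activity by User New Terms Low GitHub ↗",
    "Docker Socket Enumeration T1613 EQL Medium GitHub ↗",
    "Potential Network Scan Detected T1046, T1595, T1595.001 ES|QL Low GitHub ↗",
    "Unusual Linux Process Discovery Activity T1057 Machine Learning Low GitHub ↗",
    "Suspicious /proc/maps Discovery T1003, T1003.007, T1057 EQL High GitHub ↗",
]


@dataclass(frozen=True)
class Rule:
    name: str
    techniques: tuple[str, ...]
    rule_type: str
    severity: str

    @property
    def deprecated(self) -> bool:
        # The catalog marks retired rules with a "Deprecated - " name prefix.
        return self.name.startswith("Deprecated - ")


def parse_row(row: str) -> Rule:
    """Parse one flattened row by peeling fixed-vocabulary fields off the right.

    Rule names are free text and may contain words like "Machine Learning",
    so the only safe direction is right to left: source link, then severity,
    then rule type, then technique IDs; whatever remains is the name.
    """
    body = row.strip().removesuffix("GitHub ↗").rstrip()
    body, _, severity = body.rpartition(" ")
    if severity not in SEVERITIES:
        raise ValueError(f"unrecognised severity in row: {row!r}")
    rule_type = next((rt for rt in RULE_TYPES if body.endswith(" " + rt)), None)
    if rule_type is None:
        raise ValueError(f"unrecognised rule type in row: {row!r}")
    tokens = body[: -len(rule_type)].split()
    techniques: list[str] = []
    # Technique IDs are comma separated and sit directly before the rule type.
    while tokens and TECHNIQUE_RE.match(tokens[-1].rstrip(",")):
        techniques.insert(0, tokens.pop().rstrip(","))
    return Rule(" ".join(tokens), tuple(techniques), rule_type, severity)


def parse_rows(rows: list[str]) -> list[Rule]:
    return [parse_row(r) for r in rows]


def coverage(rules: list[Rule]) -> dict[str, list[Rule]]:
    """Map each technique or sub-technique to the live (non-deprecated) rules referencing it."""
    by_technique: dict[str, list[Rule]] = defaultdict(list)
    for rule in rules:
        if rule.deprecated:
            continue
        for technique in rule.techniques:
            by_technique[technique].append(rule)
    return dict(by_technique)


def covered_parents(by_technique: dict[str, list[Rule]]) -> set[str]:
    """Collapse sub-techniques (T1595.001) onto their parent (T1595) for a coarser view."""
    return {t.split(".")[0] for t in by_technique}


def weak_coverage(by_technique: dict[str, list[Rule]]) -> list[str]:
    """Techniques whose only coverage is Low severity: candidates for tuning or new rules."""
    return sorted(t for t, rules in by_technique.items()
                  if all(r.severity == "Low" for r in rules))


def rule_type_mix(rules: list[Rule]) -> Counter[str]:
    """How many live rules use each rule engine (EQL, ES|QL, ML, ...)."""
    return Counter(r.rule_type for r in rules if not r.deprecated)


if __name__ == "__main__":
    rules = parse_rows(SAMPLE_ROWS)
    cov = coverage(rules)
    print(f"{len(cov)} techniques covered; parents: {sorted(covered_parents(cov))}")
    print("rule types:", dict(rule_type_mix(rules)))
    print("Low-only coverage:", weak_coverage(cov))
```

Feed it the whole catalog rather than the sample rows and the Low-only list becomes a concrete tuning backlog; the parent roll-up is the view to compare against an ATT&CK Navigator layer, since Navigator scores parents and sub-techniques separately.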

Lateral Movement

Rules detecting techniques adversaries use to move through your environment, including remote services, pass-the-hash, and internal spearphishing.

| Name | Technique | Rule Type | Severity | Source |
|---|---|---|---|---|
| Abnormally Large DNS Response | T1210 | Custom Query | Medium | GitHub ↗ |
| Accepted Default Telnet Port Connection | T1021, T1190 | Custom Query | Medium | GitHub ↗ |
| At.exe Command Lateral Movement | T1021, T1053, T1053.002, T1053.005 | EQL | Low | GitHub ↗ |
| Attempt to Mount SMB Share via Command Line | T1021, T1021.002 | EQL | Low | GitHub ↗ |
| AWS EC2 Instance Connect SSH Public Key Uploaded | T1021, T1021.004, T1098, T1098.004 | Custom Query | Medium | GitHub ↗ |
| AWS EC2 Instance Console Login via Assumed Role | T1021, T1021.007, T1078, T1078.004, T1550, T1550.001, T1552, T1552.005 | EQL | High | GitHub ↗ |
| AWS SNS Topic Message Publish by Rare User | T1496, T1496.004, T1534, T1567 | New Terms | Medium | GitHub ↗ |
| AWS SSM Session Started to EC2 Instance | T1021, T1021.007 | New Terms | Medium | GitHub ↗ |
| AWS STS AssumeRole with New MFA Device | T1548, T1550, T1550.001, T1556, T1556.006 | New Terms | Low | GitHub ↗ |
| AWS STS GetSessionToken Usage | T1548, T1550, T1550.001 | Custom Query | Low | GitHub ↗ |
| AWS STS Role Assumption by Service | T1548, T1550, T1550.001 | New Terms | Low | GitHub ↗ |
| AWS STS Role Assumption by User | T1548, T1550, T1550.001 | New Terms | Low | GitHub ↗ |
| AWS STS Role Chaining | T1548, T1550, T1550.001 | New Terms | Medium | GitHub ↗ |
| Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM | T1021, T1021.006, T1059, T1059.001 | Custom Query | Low | GitHub ↗ |
| Execution via TSClient Mountpoint | T1021, T1021.001 | EQL | High | GitHub ↗ |
| High Mean of Process Arguments in an RDP Session | T1210 | Machine Learning | Low | GitHub ↗ |
| High Mean of RDP Session Duration | T1210 | Machine Learning | Low | GitHub ↗ |
| High Variance in RDP Session Duration | T1210 | Machine Learning | Low | GitHub ↗ |
| Incoming DCOM Lateral Movement via MSHTA | T1021, T1021.003, T1218, T1218.005 | EQL | High | GitHub ↗ |
| Incoming DCOM Lateral Movement with MMC | T1021, T1021.003, T1218, T1218.014 | EQL | High | GitHub ↗ |
| Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows | T1021, T1021.003 | EQL | Medium | GitHub ↗ |
| Incoming Execution via PowerShell Remoting | T1021, T1021.006, T1059, T1059.001 | EQL | Medium | GitHub ↗ |
| Incoming Execution via WinRM Remote Shell | T1021, T1021.006 | EQL | Medium | GitHub ↗ |
| Kubeconfig File Creation or Modification | T1078, T1550 | EQL | Medium | GitHub ↗ |
| Lateral Movement Alerts from a Newly Observed Source Address |  | ES\|QL | High | GitHub ↗ |
| Lateral Movement Alerts from a Newly Observed User |  | ES\|QL | High | GitHub ↗ |
| Lateral Movement via Startup Folder | T1021, T1021.001, T1547, T1547.001 | EQL | High | GitHub ↗ |
| Local Account TokenFilter Policy Disabled | T1112, T1550, T1550.002, T1562 | EQL | Medium | GitHub ↗ |
| M365 OneDrive Malware File Upload | T1080, T1608, T1608.001 | Custom Query | High | GitHub ↗ |
| M365 SharePoint Malware File Detected | T1080, T1608, T1608.001 | Custom Query | High | GitHub ↗ |
| Microsoft Exchange Server UM Spawning Suspicious Processes | T1190, T1210 | EQL | Medium | GitHub ↗ |
| Microsoft Exchange Server UM Writing Suspicious Files | T1190, T1210 | EQL | Medium | GitHub ↗ |
| Mounting Hidden or WebDav Remote Shares | T1021, T1021.002, T1078, T1078.003, T1087, T1087.001, T1087.002 | EQL | Medium | GitHub ↗ |
| Multiple Okta Sessions Detected for a Single User | T1550, T1550.004 | Threshold | Medium | GitHub ↗ |
| Network Connection Initiated by Suspicious SSHD Child Process | T1021, T1021.004, T1546, T1546.004, T1563, T1563.001 | EQL | Medium | GitHub ↗ |
| NullSessionPipe Registry Modification | T1021, T1021.002, T1112 | EQL | Medium | GitHub ↗ |
| Okta AiTM Session Cookie Replay | T1539, T1550, T1550.004 | ES\|QL | High | GitHub ↗ |
| Potential Execution via SSH Backdoor | T1021, T1021.004, T1543, T1556, T1563, T1563.001 | EQL | Medium | GitHub ↗ |
| Potential Kerberos Attack via Bifrost | T1550, T1550.003, T1558, T1558.003 | EQL | High | GitHub ↗ |
| Potential Lateral Tool Transfer via SMB Share | T1021, T1021.002, T1570 | EQL | Medium | GitHub ↗ |
| Potential Outgoing RDP Connection by Unusual Process | T1021, T1021.001 | EQL | Low | GitHub ↗ |
| Potential Pass-the-Hash (PtH) Attempt | T1550, T1550.002 | New Terms | Medium | GitHub ↗ |
| Potential PowerShell Pass-the-Hash/Relay Script | T1059, T1059.001, T1550, T1550.002, T1557 | Custom Query | High | GitHub ↗ |
| Potential Ransomware Behavior - Note Files by System | T1021, T1021.002, T1485 | ES\|QL | Medium | GitHub ↗ |
| Potential Ransomware Note File Dropped via SMB | T1021, T1021.002, T1485, T1490 | EQL | High | GitHub ↗ |
| Potential Remote Credential Access via Registry | T1003, T1003.002, T1021 | EQL | High | GitHub ↗ |
| Potential Remote Desktop Shadowing Activity | T1021, T1021.001 | EQL | High | GitHub ↗ |
| Potential Remote Desktop Tunneling Detected | T1021, T1021.004, T1572 | EQL | High | GitHub ↗ |
| Potential SharpRDP Behavior | T1021, T1021.001 | EQL | High | GitHub ↗ |
| Potential Telnet Authentication Bypass (CVE-2026-24061) | T1190, T1210 | EQL | Critical | GitHub ↗ |
| Potential THC Tool Downloaded | T1021, T1021.004, T1563, T1563.001 | EQL | High | GitHub ↗ |
| Potential WSUS Abuse for Lateral Movement | T1210 | EQL | Medium | GitHub ↗ |
| PsExec Network Connection | T1021, T1021.002, T1569, T1569.002, T1570 | EQL | Low | GitHub ↗ |
| Rare AWS Error Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare Azure Activity Logs Event Failures | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare GCP Audit Failure Event Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| RDP (Remote Desktop Protocol) from the Internet | T1021, T1190 | Custom Query | Medium | GitHub ↗ |
| RDP Enabled via Registry | T1021, T1021.001, T1112 | EQL | Medium | GitHub ↗ |
| Remote Execution via File Shares | T1021, T1021.002 | EQL | Medium | GitHub ↗ |
| Remote File Copy to a Hidden Share | T1021, T1021.002 | EQL | Medium | GitHub ↗ |
| Remote File Creation in World Writeable Directory | T1021, T1021.004, T1570 | New Terms | Medium | GitHub ↗ |
| Remote Scheduled Task Creation | T1021, T1053, T1053.005 | EQL | Medium | GitHub ↗ |
| Remote Scheduled Task Creation via RPC | T1021, T1053, T1053.005 | EQL | Medium | GitHub ↗ |
| Remote SSH Login Enabled via systemsetup Command | T1021, T1021.004 | EQL | Medium | GitHub ↗ |
| Remote Windows Service Installed | T1021, T1543, T1543.003 | EQL | Medium | GitHub ↗ |
| Remotely Started Services via RPC | T1021 | EQL | Medium | GitHub ↗ |
| Renaming of OpenSSH Binaries | T1021, T1021.004, T1543, T1556, T1563, T1563.001 | Custom Query | Low | GitHub ↗ |
| Scheduled Task Execution at Scale via GPO | T1053, T1053.005, T1484, T1484.001, T1570 | EQL | Medium | GitHub ↗ |
| Service Command Lateral Movement | T1021, T1543, T1543.003, T1569, T1569.002 | EQL | Low | GitHub ↗ |
| SMB Connections via LOLBin or Untrusted Process | T1021, T1021.002 | EQL | Medium | GitHub ↗ |
| Spike in AWS Error Messages | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Spike in Azure Activity Logs Failed Messages | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Spike in GCP Audit Failed Messages | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Spike in Number of Connections Made from a Source IP | T1210 | Machine Learning | Low | GitHub ↗ |
| Spike in Number of Connections Made to a Destination IP | T1210 | Machine Learning | Low | GitHub ↗ |
| Spike in Number of Processes in an RDP Session | T1210 | Machine Learning | Low | GitHub ↗ |
| Spike in Remote File Transfers | T1210 | Machine Learning | Low | GitHub ↗ |
| SSH Authorized Key File Activity Detected via Defend for Containers | T1021, T1021.004, T1098, T1098.004, T1563, T1563.001 | EQL | Medium | GitHub ↗ |
| SSH Authorized Keys File Activity | T1021, T1021.004, T1098, T1098.004, T1563, T1563.001 | New Terms | Medium | GitHub ↗ |
| SSH Key Generated via ssh-keygen | T1021, T1021.004, T1098, T1098.004, T1563, T1563.001 | EQL | Low | GitHub ↗ |
| Suspicious Curl to Jamf Endpoint | T1072 | EQL | High | GitHub ↗ |
| Suspicious Execution from a WebDav Share | T1021, T1021.002, T1204, T1204.002, T1570 | EQL | High | GitHub ↗ |
| Suspicious File Renamed via SMB | T1021, T1021.002, T1485, T1490 | EQL | High | GitHub ↗ |
| Suspicious Kerberos Authentication Ticket Request | T1550, T1550.003, T1558, T1558.003 | EQL | High | GitHub ↗ |
| Suspicious RDP ActiveX Client Loaded | T1021, T1021.001 | EQL | Medium | GitHub ↗ |
| Suspicious Remote Registry Access via SeBackupPrivilege | T1003, T1003.002, T1003.004, T1021 | EQL | Medium | GitHub ↗ |
| Telnet Authentication Bypass via User Environment Variable | T1190, T1210 | EQL | Critical | GitHub ↗ |
| Unusual AWS Command for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub ↗ |
| Unusual Azure Activity Logs Event for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub ↗ |
| Unusual Child Process of dns.exe | T1210 | EQL | High | GitHub ↗ |
| Unusual File Operation by dns.exe | T1210 | New Terms | Medium | GitHub ↗ |
| Unusual GCP Event for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux Network Activity | T1041, T1055, T1071 | Machine Learning | Low | GitHub ↗ |
| Unusual Process For MSSQL Service Accounts | T1210, T1505, T1505.001 | EQL | Low | GitHub ↗ |
| Unusual Remote File Creation | T1021, T1021.004, T1570 | New Terms | Low | GitHub ↗ |
| Unusual Remote File Directory | T1210 | Machine Learning | Low | GitHub ↗ |
| Unusual Remote File Extension | T1210 | Machine Learning | Low | GitHub ↗ |
| Unusual Remote File Size | T1210 | Machine Learning | Low | GitHub ↗ |
| Unusual SSHD Child Process | T1021, T1021.004, T1546, T1546.004, T1563, T1563.001 | New Terms | Low | GitHub ↗ |
| Unusual Time or Day for an RDP Session | T1210 | Machine Learning | Low | GitHub ↗ |
| Unusual Windows Network Activity | T1041, T1055, T1071 | Machine Learning | Low | GitHub ↗ |
| Virtual Private Network Connection Attempt | T1021 | EQL | Low | GitHub ↗ |
| Web Server Spawned via Python | T1059, T1059.006, T1570 | EQL | Medium | GitHub ↗ |
| Windows Registry File Creation in SMB Share | T1003, T1003.002, T1021, T1021.002 | EQL | Medium | GitHub ↗ |
| WMIC Remote Command | T1021, T1021.006, T1047 | EQL | Low | GitHub ↗ |

Collection

Rules detecting techniques adversaries use to gather data of interest before exfiltration, including screen captures, clipboard data, and email collection.

| Name | Technique | Rule Type | Severity | Source |
|---|---|---|---|---|
| Accessing Outlook Data Files | T1114, T1114.001 | EQL | Low | GitHub ↗ |
| AWS CloudTrail Log Updated | T1530, T1565, T1565.001 | Custom Query | Low | GitHub ↗ |
| AWS DynamoDB Scan by Unusual User | T1530, T1567 | New Terms | Low | GitHub ↗ |
| AWS EC2 Export Task | T1005, T1119, T1530, T1537 | Custom Query | Medium | GitHub ↗ |
| AWS RDS Snapshot Export | T1213, T1213.006 | Custom Query | Low | GitHub ↗ |
| AWS S3 Bucket Enumeration or Brute Force | T1530, T1619, T1657 | Threshold | Low | GitHub ↗ |
| AWS S3 Bucket Policy Added to Share with External Account | T1530, T1537 | EQL | Medium | GitHub ↗ |
| AWS S3 Unauthenticated Bucket Access by Rare Source | T1485, T1530, T1619 | New Terms | Medium | GitHub ↗ |
| AWS SNS Rare Protocol Subscription by User | T1496, T1496.004, T1530, T1567 | New Terms | Low | GitHub ↗ |
| Azure Storage Account Blob Public Access Enabled | T1530 | New Terms | Medium | GitHub ↗ |
| Compression DLL Loaded by Unusual Process | T1560 | EQL | Low | GitHub ↗ |
| Discovery Command Output Written to Suspicious File | T1074, T1074.001, T1082 | EQL | Medium | GitHub ↗ |
| Encrypting Files with WinRar or 7z | T1005, T1560, T1560.001 | EQL | Medium | GitHub ↗ |
| Entra ID Sharepoint or OneDrive Accessed by Unusual Client | T1213, T1213.002, T1566 | New Terms | Medium | GitHub ↗ |
| Exchange Mailbox Export via PowerShell | T1005, T1114, T1114.001, T1114.002 | Custom Query | Medium | GitHub ↗ |
| Exporting Exchange Mailbox via PowerShell | T1005, T1059, T1059.001, T1114, T1114.002 | EQL | Medium | GitHub ↗ |
| File Compressed or Archived into Common Format by Unsigned Process | T1027, T1074, T1074.001, T1132, T1132.001, T1560, T1560.001 | EQL | Low | GitHub ↗ |
| File Staged in Root Folder of Recycle Bin | T1074, T1074.001 | EQL | Low | GitHub ↗ |
| FortiGate Configuration File Downloaded | T1602, T1602.002 | EQL | Medium | GitHub ↗ |
| GCP Pub/Sub Subscription Creation | T1530 | Custom Query | Low | GitHub ↗ |
| GenAI Process Accessing Sensitive Files | T1005, T1555 | EQL | High | GitHub ↗ |
| Google Drive Ownership Transferred via Google Workspace | T1074, T1074.002 | Custom Query | Medium | GitHub ↗ |
| Google Workspace Custom Gmail Route Created or Modified | T1114, T1114.003 | Custom Query | Medium | GitHub ↗ |
| Linux Audio Recording Activity Detected | T1123 | New Terms | Low | GitHub ↗ |
| Linux Clipboard Activity Detected | T1115 | New Terms | Low | GitHub ↗ |
| Linux Video Recording or Screenshot Activity Detected | T1113, T1125 | New Terms | Low | GitHub ↗ |
| M365 Exchange Inbox Forwarding Rule Created | T1114, T1114.003 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Mailbox Items Accessed Excessively | T1114, T1114.002 | Custom Query | Medium | GitHub ↗ |
| M365 OneDrive/SharePoint Excessive File Downloads | T1530 | ES\|QL | Medium | GitHub ↗ |
| M365 Purview DLP Signal |  | Custom Query | Low | GitHub ↗ |
| M365 Purview Insider Risk Signal |  | Custom Query | Low | GitHub ↗ |
| M365 Purview Security Compliance Signal |  | Custom Query | Low | GitHub ↗ |
| M365 SharePoint Search for Sensitive Content | T1213, T1213.002, T1530, T1619 | EQL | Low | GitHub ↗ |
| M365 SharePoint/OneDrive File Access via PowerShell | T1213, T1213.002, T1530 | Custom Query | Medium | GitHub ↗ |
| Microsoft Graph Request Email Access by Unusual User and Client | T1114 | New Terms | Medium | GitHub ↗ |
| Pbpaste Execution via Unusual Parent Process | T1115 | EQL | High | GitHub ↗ |
| Potential Network Share Discovery | T1039, T1135 | EQL | Low | GitHub ↗ |
| PowerShell Keylogging Script | T1056, T1056.001, T1059, T1059.001, T1106 | Custom Query | High | GitHub ↗ |
| PowerShell Mailbox Collection Script | T1059, T1059.001, T1114, T1114.001, T1114.002 | Custom Query | Medium | GitHub ↗ |
| PowerShell Script with Webcam Video Capture Capabilities | T1059, T1059.001, T1125 | Custom Query | Medium | GitHub ↗ |
| PowerShell Share Enumeration Script | T1039, T1059, T1059.001, T1106, T1135 | Custom Query | High | GitHub ↗ |
| PowerShell Suspicious Discovery Related Windows API Functions | T1039, T1059, T1059.001, T1069, T1069.001, T1087, T1087.001, T1106, T1135, T1482 | Custom Query | Low | GitHub ↗ |
| PowerShell Suspicious Script with Audio Capture Capabilities | T1059, T1059.001, T1106, T1123 | Custom Query | High | GitHub ↗ |
| PowerShell Suspicious Script with Clipboard Retrieval Capabilities | T1059, T1059.001, T1115 | Custom Query | Medium | GitHub ↗ |
| PowerShell Suspicious Script with Screenshot Capabilities | T1059, T1059.001, T1113 | Custom Query | High | GitHub ↗ |
| Rare AWS Error Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare Azure Activity Logs Event Failures | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Rare GCP Audit Failure Event Code | T1526, T1580 | Machine Learning | Low | GitHub ↗ |
| Sensitive File Access followed by Compression | T1074, T1074.001, T1560 | EQL | High | GitHub ↗ |
| Sensitive File Compression Detected via Defend for Containers | T1552, T1552.001, T1560, T1560.001 | EQL | Medium | GitHub ↗ |
| Sensitive Files Compression | T1552, T1552.001, T1560, T1560.001 | New Terms | Medium | GitHub ↗ |
| Sensitive Files Compression Inside A Container | T1552, T1552.001, T1560, T1560.001 | EQL | High | GitHub ↗ |
| Suspicious Inter-Process Communication via Outlook | T1114, T1114.001, T1559, T1559.001 | EQL | Medium | GitHub ↗ |
| Suspicious TCC Access Granted for User Folders | T1005, T1548, T1548.006 | ES\|QL | High | GitHub ↗ |
| Windows Network Enumeration | T1018, T1039, T1135 | EQL | Medium | GitHub ↗ |

Command and Control

Rules detecting techniques adversaries use to communicate with compromised systems, including web protocols, DNS tunneling, and encrypted channels.

| Name | Technique | Rule Type | Severity | Source |
|---|---|---|---|---|
| Accepted Default Telnet Port Connection | T1021, T1190 | Custom Query | Medium | GitHub ↗ |
| Apple Script Execution followed by Network Connection | T1059, T1059.002, T1105 | EQL | Medium | GitHub ↗ |
| Attempt to Establish VScode Remote Tunnel | T1219 | EQL | Medium | GitHub ↗ |
| AWS CLI Command with Custom Endpoint URL | T1102 | New Terms | Medium | GitHub ↗ |
| Bitsadmin Activity | T1105, T1197 | EQL | Low | GitHub ↗ |
| Cobalt Strike Command and Control Beacon | T1071, T1568, T1568.002 | Custom Query | High | GitHub ↗ |
| Connection to Common Large Language Model Endpoints | T1102 | EQL | Medium | GitHub ↗ |
| Connection to Commonly Abused Free SSL Certificate Providers | T1573 | EQL | Low | GitHub ↗ |
| Connection to Commonly Abused Web Services | T1090, T1090.002, T1102, T1567, T1567.001, T1567.002, T1568, T1568.002 | EQL | Low | GitHub ↗ |
| Curl Execution via Shell Profile | T1105, T1546, T1546.004 | EQL | High | GitHub ↗ |
| Curl or Wget Egress Network Connection via LoLBin | T1059, T1059.004, T1218 | EQL | Medium | GitHub ↗ |
| Curl or Wget Spawned via Node.js | T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| Curl SOCKS Proxy Activity from Unusual Parent | T1572 | EQL | Medium | GitHub ↗ |
| Curl SOCKS Proxy Detected via Defend for Containers | T1572 | EQL | Medium | GitHub ↗ |
| Default Cobalt Strike Team Server Certificate | T1071, T1071.001 | Custom Query | High | GitHub ↗ |
| DNS Tunneling | T1572 | Machine Learning | Low | GitHub ↗ |
| Entra ID Protection - Risk Detection - Sign-in Risk | T1071, T1078, T1078.004, T1110, T1110.003, T1556 | Custom Query | High | GitHub ↗ |
| Entra ID Protection - Risk Detection - User Risk | T1071, T1078, T1078.004, T1110, T1110.003, T1556 | Custom Query | High | GitHub ↗ |
| Executable File Download via Wget | T1105, T1204, T1204.002 | EQL | Medium | GitHub ↗ |
| Execution via OpenClaw Agent | T1059, T1059.007, T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| File Compressed or Archived into Common Format by Unsigned Process | T1027, T1074, T1074.001, T1132, T1132.001, T1560, T1560.001 | EQL | Low | GitHub ↗ |
| File Creation and Execution Detected via Defend for Containers | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| File Download Detected via Defend for Containers | T1059, T1059.004, T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| First Time Seen Commonly Abused Remote Access Tool Execution | T1219 | New Terms | Medium | GitHub ↗ |
| FortiGate SOCKS Traffic from an Unusual Process | T1090 | EQL | Medium | GitHub ↗ |
| GenAI Process Connection to Suspicious Top Level Domain | T1071, T1071.004 | EQL | Medium | GitHub ↗ |
| GenAI Process Connection to Unusual Domain | T1071, T1071.001 | New Terms | Medium | GitHub ↗ |
| Git Repository or File Download to Suspicious Directory | T1071 | EQL | Low | GitHub ↗ |
| Google Calendar C2 via Script Interpreter | T1059, T1059.006, T1059.007, T1102, T1102.002 | EQL | High | GitHub ↗ |
| Halfbaked Command and Control Beacon | T1071, T1568, T1568.002 | Custom Query | High | GitHub ↗ |
| High Number of Egress Network Connections from Unusual Executable | T1071 | ES\|QL | Medium | GitHub ↗ |
| Ingress Transfer via Windows BITS | T1105, T1197 | EQL | Low | GitHub ↗ |
| IPSEC NAT Traversal Port Activity |  | Custom Query | Low | GitHub ↗ |
| IPv4/IPv6 Forwarding Activity | T1572 | EQL | Low | GitHub ↗ |
| Kubectl Network Configuration Modification | T1090, T1572 | EQL | Low | GitHub ↗ |
| Linux SSH X11 Forwarding | T1572 | EQL | Low | GitHub ↗ |
| Linux Telegram API Request | T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| Machine Learning Detected a DNS Request Predicted to be a DGA Domain | T1568, T1568.002 | Custom Query | Low | GitHub ↗ |
| Machine Learning Detected a DNS Request With a High DGA Probability Score | T1568, T1568.002 | Custom Query | Low | GitHub ↗ |
| Machine Learning Detected DGA activity using a known SUNBURST DNS domain | T1568, T1568.002 | Custom Query | High | GitHub ↗ |
| NetSupport Manager Execution from an Unusual Path | T1219 | EQL | High | GitHub ↗ |
| Network Activity Detected via cat |  | EQL | Medium | GitHub ↗ |
| Network Activity Detected via Kworker | T1014, T1036, T1041 | New Terms | Low | GitHub ↗ |
| Network Activity to a Suspicious Top Level Domain | T1071, T1071.004 | EQL | High | GitHub ↗ |
| Network Connection by Cups or Foomatic-rip Child | T1203 | EQL | High | GitHub ↗ |
| Network Connection from Binary with RWX Memory Region | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Network Connection Initiated by Suspicious SSHD Child Process | T1021, T1021.004, T1546, T1546.004, T1563, T1563.001 | EQL | Medium | GitHub ↗ |
| Network Connection to OAST Domain via Script Interpreter | T1102, T1567 | EQL | High | GitHub ↗ |
| Network Connection via Certutil | T1105 | EQL | Low | GitHub ↗ |
| Network Connection via Recently Compiled Executable | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Network Traffic to Rare Destination Country | T1041, T1048, T1071, T1105, T1566, T1566.001, T1566.002 | Machine Learning | Low | GitHub ↗ |
| Ollama DNS Query to Untrusted Domain | T1105, T1195, T1195.002 | EQL | Low | GitHub ↗ |
| Openssl Client or Server Activity | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Outlook Home Page Registry Modification | T1137, T1137.004 | EQL | High | GitHub ↗ |
| PANW and Elastic Defend - Command and Control Correlation |  | EQL | Medium | GitHub ↗ |
| Payload Execution via Shell Pipe Detected by Defend for Containers | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Perl Outbound Network Connection | T1059, T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| Port Forwarding Rule Addition | T1112, T1572 | EQL | Medium | GitHub ↗ |
| Possible FIN7 DGA Command and Control Behavior | T1071, T1568, T1568.002 | Custom Query | High | GitHub ↗ |
| Potential Command and Control via Internet Explorer | T1071, T1559, T1559.001 | EQL | Medium | GitHub ↗ |
| Potential DGA Activity | T1568 | Machine Learning | Low | GitHub ↗ |
| Potential DNS Tunneling via NsLookup | T1071, T1071.004, T1572 | EQL | Medium | GitHub ↗ |
| Potential Etherhiding C2 via Blockchain Connection | T1059, T1059.004, T1059.006, T1059.007, T1102, T1102.002 | EQL | High | GitHub ↗ |
| Potential File Download via a Headless Browser | T1105 | EQL | High | GitHub ↗ |
| Potential File Transfer via Certreq | T1105, T1218, T1567 | EQL | Medium | GitHub ↗ |
| Potential File Transfer via Curl for Windows | T1105 | EQL | Low | GitHub ↗ |
| Potential Linux Tunneling and/or Port Forwarding | T1572 | EQL | Medium | GitHub ↗ |
| Potential Linux Tunneling and/or Port Forwarding via Command Line | T1572 | EQL | Medium | GitHub ↗ |
| Potential Linux Tunneling and/or Port Forwarding via SSH Option | T1572 | EQL | Low | GitHub ↗ |
| Potential Malware-Driven SSH Brute Force Attempt | T1059, T1059.004, T1071, T1496 | ES\|QL | Medium | GitHub ↗ |
| Potential Meterpreter Reverse Shell | T1059, T1059.004, T1071 | EQL | High | GitHub ↗ |
| Potential Protocol Tunneling via Chisel Client | T1572 | EQL | Medium | GitHub ↗ |
| Potential Protocol Tunneling via EarthWorm | T1572 | EQL | High | GitHub ↗ |
| Potential REMCOS Trojan Execution | T1219 | EQL | High | GitHub ↗ |
| Potential Remote Desktop Tunneling Detected | T1021, T1021.004, T1572 | EQL | High | GitHub ↗ |
| Potential Reverse Shell | T1059, T1059.004, T1071 | EQL | High | GitHub ↗ |
| Potential Reverse Shell via Background Process | T1059, T1059.004, T1071 | EQL | High | GitHub ↗ |
| Potential Reverse Shell via Child | T1059, T1059.004, T1071 | EQL | High | GitHub ↗ |
| Potential Reverse Shell via Java | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Potential Reverse Shell via Suspicious Binary | T1059, T1059.004, T1071 | EQL | High | GitHub ↗ |
| Potential Reverse Shell via Suspicious Child Process | T1059, T1059.004, T1071 | EQL | High | GitHub ↗ |
| Potential Reverse Shell via UDP | T1059, T1059.004, T1071 | EQL | Medium | GitHub ↗ |
| Potential Traffic Tunneling using QEMU | T1219 | EQL | Medium | GitHub ↗ |
| ProxyChains Activity | T1572 | EQL | Medium | GitHub ↗ |
| RDP (Remote Desktop Protocol) from the Internet | T1021, T1190 | Custom Query | Medium | GitHub ↗ |
| Remote File Copy via TeamViewer | T1105, T1219 | EQL | Medium | GitHub ↗ |
| Remote File Download via Desktopimgdownldr Utility | T1105 | EQL | Medium | GitHub ↗ |
| Remote File Download via MpCmdRun | T1105 | EQL | Medium | GitHub ↗ |
| Remote File Download via PowerShell | T1059, T1059.001, T1105 | EQL | Medium | GitHub ↗ |
| Remote File Download via Script Interpreter | T1059, T1059.005, T1105 | EQL | Medium | GitHub ↗ |
| Root Network Connection via GDB CAP_SYS_PTRACE | T1055, T1055.008, T1059, T1059.004, T1068, T1071 | EQL | Medium | GitHub ↗ |
| Roshal Archive (RAR) or PowerShell File Downloaded from the Internet | T1105 | Custom Query | Medium | GitHub ↗ |
| Script Interpreter Connection to Non-Standard Port | T1059, T1059.006, T1059.007, T1571 | EQL | Medium | GitHub ↗ |
| Simple HTTP Web Server Connection | T1059, T1059.004, T1071, T1505, T1505.003 | EQL | Low | GitHub ↗ |
| Simple HTTP Web Server Creation | T1059, T1059.004, T1071, T1505, T1505.003 | EQL | Low | GitHub ↗ |
| SMTP on Port 26/TCP | T1048 | Custom Query | Low | GitHub ↗ |
| Spike in Firewall Denies | T1041, T1046, T1071, T1498, T1499, T1590 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic To a Country | T1041, T1046, T1071, T1595 | Machine Learning | Low | GitHub ↗ |
| Statistical Model Detected C2 Beaconing Activity | T1102, T1102.002 | Custom Query | Low | GitHub ↗ |
| Statistical Model Detected C2 Beaconing Activity with High Confidence | T1102, T1102.002 | Custom Query | Low | GitHub ↗ |
| SUNBURST Command and Control Activity | T1071, T1071.001, T1195, T1195.002 | EQL | High | GitHub ↗ |
| Suricata and Elastic Defend Network Correlation |  | EQL | Medium | GitHub ↗ |
| Suspicious APT Package Manager Network Connection | T1543, T1546, T1546.016, T1574 | EQL | Medium | GitHub ↗ |
| Suspicious AWS S3 Connection via Script Interpreter | T1102, T1567, T1567.002 | ES\|QL | Medium | GitHub ↗ |
| Suspicious Command Prompt Network Connection | T1059, T1105 | EQL | Low | GitHub ↗ |
| Suspicious Curl from macOS Application | T1105 | EQL | High | GitHub ↗ |
| Suspicious Curl to Google App Script Endpoint | T1102, T1102.002, T1105 | EQL | High | GitHub ↗ |
| Suspicious Execution from INET Cache | T1105, T1566, T1566.001 | EQL | High | GitHub ↗ |
| Suspicious File Downloaded from Google Drive | T1105 | EQL | Medium | GitHub ↗ |
| Suspicious Installer Package Spawns Network Event | T1059, T1059.007, T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| Suspicious Interpreter Execution Detected via Defend for Containers | T1059, T1059.004, T1059.006, T1059.011, T1071, T1071.001 | EQL | Medium | GitHub ↗ |
| Suspicious Named Pipe Creation | T1059, T1059.004, T1071 | New Terms | High | GitHub ↗ |
| Suspicious Network Activity to the Internet by Previously Unknown Executable | T1071 | New Terms | Low | GitHub ↗ |
Suspicious Network Connection via systemd T1543, T1543.002, T1574 EQL Medium GitHub ↗
Suspicious Network Tool Launch Detected via Defend for Containers T1046, T1105, T1595 EQL Low GitHub ↗
Suspicious Network Tool Launched Inside A Container T1046, T1105, T1595 EQL Low GitHub ↗
Suspicious Outbound Network Connection via Unsigned Binary T1571 EQL High GitHub ↗
Suspicious Process Execution Detected via Defend for Containers T1059, T1059.004, T1071, T1620 EQL High GitHub ↗
Suspicious ScreenConnect Client Child Process T1219 EQL Medium GitHub ↗
Suspicious Utility Launched via ProxyChains T1572 EQL Medium GitHub ↗
System Path File Creation and Execution Detected via Defend for Containers T1059, T1059.004, T1071 EQL Medium GitHub ↗
System Public IP Discovery via DNS Query T1016, T1071, T1071.004 EQL High GitHub ↗
Tunneling and/or Port Forwarding Detected via Defend for Containers T1572 EQL Medium GitHub ↗
Uncommon Destination Port Connection by Web Server T1059, T1059.004, T1071, T1505, T1505.003 EQL Low GitHub ↗
Unusual Command Execution from Web Server Parent T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual DNS Activity T1071, T1071.004 Machine Learning Low GitHub ↗
Unusual File Creation by Web Server T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual Linux Network Activity T1041, T1055, T1071 Machine Learning Low GitHub ↗
Unusual Linux Network Port Activity T1041, T1071, T1571 Machine Learning Low GitHub ↗
Unusual Network Connection to Suspicious Top Level Domain T1071, T1071.001 New Terms Medium GitHub ↗
Unusual Network Connection to Suspicious Web Service T1071, T1071.001 New Terms Medium GitHub ↗
Unusual Network Connection via RunDLL32 T1071, T1071.001, T1218, T1218.011 EQL Medium GitHub ↗
Unusual Network Destination Domain Name T1041, T1071, T1071.001, T1566, T1566.001, T1566.002 Machine Learning Low GitHub ↗
Unusual Process Spawned from Web Server Parent T1059, T1059.004, T1071, T1505, T1505.003 ES|QL Low GitHub ↗
Unusual SSHD Child Process T1021, T1021.004, T1546, T1546.004, T1563, T1563.001 New Terms Low GitHub ↗
Unusual Web Request T1071, T1071.001 Machine Learning Low GitHub ↗
Unusual Web Server Command Execution T1059, T1059.004, T1071, T1505, T1505.003 New Terms Medium GitHub ↗
Unusual Web User Agent T1071, T1071.001 Machine Learning Low GitHub ↗
Unusual Windows Network Activity T1041, T1055, T1071 Machine Learning Low GitHub ↗
VNC (Virtual Network Computing) from the Internet T1190, T1219 Custom Query High GitHub ↗
VNC (Virtual Network Computing) to the Internet T1219 Custom Query Medium GitHub ↗
Web Server Child Shell Spawn Detected via Defend for Containers T1059, T1059.004, T1071, T1505, T1505.003 EQL Medium GitHub ↗
Web Server Potential Command Injection Request T1059, T1059.004, T1071, T1505, T1505.003, T1595, T1595.002, T1595.003 ES|QL Low GitHub ↗
Web Server Potential Remote File Inclusion Activity T1083 ES|QL Low GitHub ↗

Rules detecting techniques adversaries use to steal data from your environment, including transfers over alternative protocols, scheduled transfers, and data compression.

| Name | Technique | Rule Type | Severity | Source |
| --- | --- | --- | --- | --- |
| AWS DynamoDB Scan by Unusual User | T1530, T1567 | New Terms | Low | GitHub ↗ |
| AWS DynamoDB Table Exported to S3 | T1567, T1567.002 | New Terms | Low | GitHub ↗ |
| AWS EC2 AMI Shared with Another Account | T1537 | Custom Query | Medium | GitHub ↗ |
| AWS EC2 EBS Snapshot Shared or Made Public | T1537 | EQL | Medium | GitHub ↗ |
| AWS EC2 Export Task | T1005, T1119, T1530, T1537 | Custom Query | Medium | GitHub ↗ |
| AWS RDS Snapshot Export | T1213, T1213.006 | Custom Query | Low | GitHub ↗ |
| AWS S3 Bucket Policy Added to Share with External Account | T1530, T1537 | EQL | Medium | GitHub ↗ |
| AWS S3 Bucket Replicated to Another Account | T1537 | EQL | Medium | GitHub ↗ |
| AWS SNS Rare Protocol Subscription by User | T1496, T1496.004, T1530, T1567 | New Terms | Low | GitHub ↗ |
| AWS SNS Topic Message Publish by Rare User | T1496, T1496.004, T1534, T1567 | New Terms | Medium | GitHub ↗ |
| Azure Storage Blob Retrieval via AzCopy | T1567, T1567.002 | New Terms | Medium | GitHub ↗ |
| Connection to Commonly Abused Web Services | T1090, T1090.002, T1102, T1567, T1567.001, T1567.002, T1568, T1568.002 | EQL | Low | GitHub ↗ |
| Curl or Wget Egress Network Connection via LoLBin | T1059, T1059.004, T1218 | EQL | Medium | GitHub ↗ |
| File Transfer Utility Launched from Unusual Parent | | ES\|QL | Medium | GitHub ↗ |
| First Time Seen Removable Device | T1052, T1052.001, T1091 | New Terms | Low | GitHub ↗ |
| GCP Logging Sink Modification | T1537 | Custom Query | Low | GitHub ↗ |
| GitHub Exfiltration via High Number of Repository Clones by User | T1020, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| GitHub Private Repository Turned Public | T1020, T1567, T1567.001 | EQL | Low | GitHub ↗ |
| High Number of Closed Pull Requests by User | T1020, T1485, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| High Number of Protected Branch Force Pushes by User | T1020, T1485, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| M365 Exchange Mail Flow Transport Rule Created | T1537 | Custom Query | Medium | GitHub ↗ |
| M365 Exchange Mail Flow Transport Rule Modified | T1537 | Custom Query | Medium | GitHub ↗ |
| M365 OneDrive/SharePoint Excessive File Downloads | T1530 | ES\|QL | Medium | GitHub ↗ |
| M365 Purview DLP Signal | | Custom Query | Low | GitHub ↗ |
| M365 Purview Insider Risk Signal | | Custom Query | Low | GitHub ↗ |
| M365 Purview Security Compliance Signal | | Custom Query | Low | GitHub ↗ |
| M365 SharePoint/OneDrive File Access via PowerShell | T1213, T1213.002, T1530 | Custom Query | Medium | GitHub ↗ |
| Network Activity Detected via cat | | EQL | Medium | GitHub ↗ |
| Network Activity Detected via Kworker | T1014, T1036, T1041 | New Terms | Low | GitHub ↗ |
| Network Connection by Cups or Foomatic-rip Child | T1203 | EQL | High | GitHub ↗ |
| Network Connection to OAST Domain via Script Interpreter | T1102, T1567 | EQL | High | GitHub ↗ |
| Network Traffic to Rare Destination Country | T1041, T1048, T1071, T1105, T1566, T1566.001, T1566.002 | Machine Learning | Low | GitHub ↗ |
| New USB Storage Device Mounted | T1052, T1052.001, T1091 | New Terms | Low | GitHub ↗ |
| Potential Data Exfiltration Activity to an Unusual Destination Port | T1041 | Machine Learning | Low | GitHub ↗ |
| Potential Data Exfiltration Activity to an Unusual IP Address | T1041 | Machine Learning | Low | GitHub ↗ |
| Potential Data Exfiltration Activity to an Unusual ISO Code | T1041 | Machine Learning | Low | GitHub ↗ |
| Potential Data Exfiltration Activity to an Unusual Region | T1041 | Machine Learning | Low | GitHub ↗ |
| Potential Data Exfiltration Through Curl | T1048 | EQL | Medium | GitHub ↗ |
| Potential Data Exfiltration Through Wget | T1048 | EQL | Medium | GitHub ↗ |
| Potential Data Splitting Detected | | EQL | Medium | GitHub ↗ |
| Potential File Transfer via Certreq | T1105, T1218, T1567 | EQL | Medium | GitHub ↗ |
| Rare SMB Connection to the Internet | T1048 | New Terms | Medium | GitHub ↗ |
| Sensitive File Access followed by Compression | T1074, T1074.001, T1560 | EQL | High | GitHub ↗ |
| Several Failed Protected Branch Force Pushes by User | T1020, T1485, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| SMB (Windows File Sharing) Activity to the Internet | T1048, T1190 | New Terms | Medium | GitHub ↗ |
| SMTP on Port 26/TCP | T1048 | Custom Query | Low | GitHub ↗ |
| Spike in Bytes Sent to an External Device | T1052 | Machine Learning | Low | GitHub ↗ |
| Spike in Bytes Sent to an External Device via Airdrop | T1011 | Machine Learning | Low | GitHub ↗ |
| Spike in Firewall Denies | T1041, T1046, T1071, T1498, T1499, T1590 | Machine Learning | Low | GitHub ↗ |
| Spike in host-based traffic | T1041, T1068, T1204, T1498, T1499 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic | T1041, T1046, T1498, T1595 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic To a Country | T1041, T1046, T1071, T1595 | Machine Learning | Low | GitHub ↗ |
| Suspicious AWS S3 Connection via Script Interpreter | T1102, T1567, T1567.002 | ES\|QL | Medium | GitHub ↗ |
| Unusual AWS Command for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub ↗ |
| Unusual Azure Activity Logs Event for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub ↗ |
| Unusual GCP Event for a User | T1021, T1021.007, T1041, T1078, T1078.004 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux Network Activity | T1041, T1055, T1071 | Machine Learning | Low | GitHub ↗ |
| Unusual Linux Network Port Activity | T1041, T1071, T1571 | Machine Learning | Low | GitHub ↗ |
| Unusual Network Destination Domain Name | T1041, T1071, T1071.001, T1566, T1566.001, T1566.002 | Machine Learning | Low | GitHub ↗ |
| Unusual Process Writing Data to an External Device | T1052 | Machine Learning | Low | GitHub ↗ |
| Unusual Windows Network Activity | T1041, T1055, T1071 | Machine Learning | Low | GitHub ↗ |

Rules detecting techniques adversaries use to disrupt availability or compromise integrity, including data destruction, ransomware, and resource hijacking.

| Name | Technique | Rule Type | Severity | Source |
| --- | --- | --- | --- | --- |
| Account Password Reset Remotely | T1098, T1531 | EQL | Medium | GitHub ↗ |
| Attempt to Deactivate an Okta Application | T1489 | Custom Query | Low | GitHub ↗ |
| Attempt to Delete an Okta Application | T1489 | Custom Query | Low | GitHub ↗ |
| Attempt to Modify an Okta Application | | Custom Query | Low | GitHub ↗ |
| Attempt to Revoke Okta API Token | T1531 | Custom Query | Low | GitHub ↗ |
| AWS CloudTrail Log Updated | T1530, T1565, T1565.001 | Custom Query | Low | GitHub ↗ |
| AWS CloudWatch Log Group Deletion | T1485, T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| AWS CloudWatch Log Stream Deletion | T1485, T1562, T1562.001 | Custom Query | Medium | GitHub ↗ |
| AWS EC2 EBS Snapshot Access Removed | T1485, T1490 | EQL | Medium | GitHub ↗ |
| AWS EFS File System Deleted | T1485 | Custom Query | Medium | GitHub ↗ |
| AWS EventBridge Rule Disabled or Deleted | T1489 | Custom Query | Low | GitHub ↗ |
| AWS IAM Deactivation of MFA Device | T1531, T1556, T1556.006 | Custom Query | Medium | GitHub ↗ |
| AWS IAM Group Deletion | T1531 | Custom Query | Low | GitHub ↗ |
| AWS KMS Customer Managed Key Disabled or Scheduled for Deletion | T1485 | Custom Query | Medium | GitHub ↗ |
| AWS RDS DB Instance or Cluster Deleted | T1485 | Custom Query | Medium | GitHub ↗ |
| AWS RDS DB Instance or Cluster Deletion Protection Disabled | T1485 | EQL | Medium | GitHub ↗ |
| AWS RDS Snapshot Deleted | T1485 | EQL | Medium | GitHub ↗ |
| AWS S3 Bucket Enumeration or Brute Force | T1530, T1619, T1657 | Threshold | Low | GitHub ↗ |
| AWS S3 Bucket Expiration Lifecycle Configuration Added | T1070, T1485, T1485.001, T1562, T1562.008 | EQL | Low | GitHub ↗ |
| AWS S3 Object Encryption Using External KMS Key | T1486 | ES\|QL | Medium | GitHub ↗ |
| AWS S3 Object Versioning Suspended | T1490 | EQL | Medium | GitHub ↗ |
| AWS S3 Static Site JavaScript File Uploaded | T1565, T1565.001 | ES\|QL | Medium | GitHub ↗ |
| AWS S3 Unauthenticated Bucket Access by Rare Source | T1485, T1530, T1619 | New Terms | Medium | GitHub ↗ |
| AWS SNS Rare Protocol Subscription by User | T1496, T1496.004, T1530, T1567 | New Terms | Low | GitHub ↗ |
| AWS SNS Topic Created by Rare User | T1496, T1496.004, T1608 | New Terms | Low | GitHub ↗ |
| AWS SNS Topic Message Publish by Rare User | T1496, T1496.004, T1534, T1567 | New Terms | Medium | GitHub ↗ |
| Azure Compute Restore Point Collection Deleted by Unusual User | T1490 | New Terms | Medium | GitHub ↗ |
| Azure Compute Restore Point Collections Deleted | T1490 | Threshold | High | GitHub ↗ |
| Azure Compute Snapshot Deletion by Unusual User and Resource Group | T1485, T1490 | New Terms | Low | GitHub ↗ |
| Azure Compute Snapshot Deletions by User | T1485, T1490 | Threshold | Medium | GitHub ↗ |
| Azure Kubernetes Services (AKS) Kubernetes Pods Deleted | T1489, T1529 | Custom Query | Medium | GitHub ↗ |
| Azure Recovery Services Resource Deleted | T1490 | Custom Query | Medium | GitHub ↗ |
| Azure Storage Account Deletion by Unusual User | T1485, T1489 | New Terms | Medium | GitHub ↗ |
| Azure Storage Account Deletions by User | T1485, T1489 | Threshold | High | GitHub ↗ |
| Backup Deletion with Wbadmin | T1485, T1490 | EQL | Low | GitHub ↗ |
| Decline in host-based traffic | T1499, T1562 | Machine Learning | Low | GitHub ↗ |
| Deprecated - M365 Security Compliance Potential Ransomware Activity | T1486 | Custom Query | Medium | GitHub ↗ |
| Deprecated - M365 Security Compliance Unusual Volume of File Deletion | T1485 | Custom Query | Medium | GitHub ↗ |
| Deprecated - M365 Security Compliance User Restricted from Sending Email | | Custom Query | Medium | GitHub ↗ |
| Detection Alert on a Process Exhibiting CPU Spike | | ES\|QL | High | GitHub ↗ |
| Excessive AWS S3 Object Encryption with SSE-C | T1486 | Threshold | High | GitHub ↗ |
| GCP Service Account Deletion | T1531 | Custom Query | Medium | GitHub ↗ |
| GCP Service Account Disabled | T1531 | Custom Query | Medium | GitHub ↗ |
| Github Activity on a Private Repository from an Unusual IP | T1059, T1195, T1195.002 | New Terms | Low | GitHub ↗ |
| GitHub PAT Access Revoked | T1531 | EQL | Low | GitHub ↗ |
| GitHub Private Repository Turned Public | T1020, T1567, T1567.001 | EQL | Low | GitHub ↗ |
| GitHub Repository Deleted | T1485 | EQL | Medium | GitHub ↗ |
| GitHub User Blocked From Organization | T1531 | EQL | Low | GitHub ↗ |
| Google Workspace Admin Role Deletion | T1531 | Custom Query | Medium | GitHub ↗ |
| Google Workspace MFA Enforcement Disabled | T1531 | Custom Query | Medium | GitHub ↗ |
| High Number of Closed Pull Requests by User | T1020, T1485, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| High Number of Process and/or Service Terminations | T1489 | Threshold | Medium | GitHub ↗ |
| High Number of Process Terminations | T1489 | Threshold | Medium | GitHub ↗ |
| High Number of Protected Branch Force Pushes by User | T1020, T1485, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| Hosts File Modified | T1565, T1565.001 | EQL | Medium | GitHub ↗ |
| M365 Purview Insider Risk Signal | | Custom Query | Low | GitHub ↗ |
| M365 Purview Security Compliance Signal | | Custom Query | Low | GitHub ↗ |
| Member Removed From GitHub Organization | T1531 | EQL | Low | GitHub ↗ |
| Memory Swap Modification | T1059, T1059.004, T1496 | EQL | Medium | GitHub ↗ |
| Modification of Boot Configuration | T1490 | EQL | Low | GitHub ↗ |
| Multiple Alerts on a Host Exhibiting CPU Spike | | ES\|QL | Critical | GitHub ↗ |
| Newly Observed Process Exhibiting High CPU Usage | T1496, T1496.001 | ES\|QL | High | GitHub ↗ |
| Possible Okta DoS Attack | T1498, T1499 | Custom Query | Medium | GitHub ↗ |
| Potential AWS S3 Bucket Ransomware Note Uploaded | T1485, T1486 | EQL | Medium | GitHub ↗ |
| Potential Linux Ransomware Note Creation Detected | T1486 | EQL | Medium | GitHub ↗ |
| Potential Malware-Driven SSH Brute Force Attempt | T1059, T1059.004, T1071, T1496 | ES\|QL | Medium | GitHub ↗ |
| Potential Ransomware Behavior - Note Files by System | T1021, T1021.002, T1485 | ES\|QL | Medium | GitHub ↗ |
| Potential Ransomware Note File Dropped via SMB | T1021, T1021.002, T1485, T1490 | EQL | High | GitHub ↗ |
| Potential Secure File Deletion via SDelete Utility | T1070, T1070.004, T1485 | EQL | Low | GitHub ↗ |
| Potential System Tampering via File Modification | T1485, T1490 | EQL | High | GitHub ↗ |
| Ransomware - Detected - Elastic Defend | T1486 | Custom Query | High | GitHub ↗ |
| Ransomware - Prevented - Elastic Defend | T1486 | Custom Query | High | GitHub ↗ |
| Service Disabled via Registry Modification | T1112, T1489 | EQL | Low | GitHub ↗ |
| Several Failed Protected Branch Force Pushes by User | T1020, T1485, T1567, T1567.001 | ES\|QL | Medium | GitHub ↗ |
| Spike in Firewall Denies | T1041, T1046, T1071, T1498, T1499, T1590 | Machine Learning | Low | GitHub ↗ |
| Spike in host-based traffic | T1041, T1068, T1204, T1498, T1499 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic | T1041, T1046, T1498, T1595 | Machine Learning | Low | GitHub ↗ |
| SSL Certificate Deletion | T1070, T1070.004, T1485, T1553 | EQL | Low | GitHub ↗ |
| Suspicious Data Encryption via OpenSSL Utility | T1486 | EQL | Medium | GitHub ↗ |
| Suspicious File Renamed via SMB | T1021, T1021.002, T1485, T1490 | EQL | High | GitHub ↗ |
| Suspicious Termination of ESXI Process | T1489 | EQL | High | GitHub ↗ |
| Third-party Backup Files Deleted via Unexpected Process | T1485, T1490 | EQL | Medium | GitHub ↗ |
| Unusual AWS S3 Object Encryption with SSE-C | T1486 | New Terms | High | GitHub ↗ |
| Volume Shadow Copy Deleted or Resized via VssAdmin | T1490 | EQL | High | GitHub ↗ |
| Volume Shadow Copy Deletion via PowerShell | T1059, T1059.001, T1490 | EQL | High | GitHub ↗ |
| Volume Shadow Copy Deletion via WMIC | T1047, T1490 | EQL | High | GitHub ↗ |

Rules detecting techniques adversaries use to gather information for planning an attack, including active scanning and searching open databases.

| Name | Technique | Rule Type | Severity | Source |
| --- | --- | --- | --- | --- |
| Potential Network Scan Detected | T1046, T1595, T1595.001 | ES\|QL | Low | GitHub ↗ |
| Potential Network Sweep Detected | T1046, T1595, T1595.001 | Threshold | Low | GitHub ↗ |
| Potential Spike in Web Server Error Logs | T1595, T1595.002, T1595.003 | ES\|QL | Low | GitHub ↗ |
| Potential SYN-Based Port Scan Detected | T1046, T1595, T1595.001 | Threshold | Low | GitHub ↗ |
| Spike in Firewall Denies | T1041, T1046, T1071, T1498, T1499, T1590 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic | T1041, T1046, T1498, T1595 | Machine Learning | Low | GitHub ↗ |
| Spike in Network Traffic To a Country | T1041, T1046, T1071, T1595 | Machine Learning | Low | GitHub ↗ |
| Suspicious Network Tool Launch Detected via Defend for Containers | T1046, T1105, T1595 | EQL | Low | GitHub ↗ |
| Suspicious Network Tool Launched Inside A Container | T1046, T1105, T1595 | EQL | Low | GitHub ↗ |
| Web Server Discovery or Fuzzing Activity | T1595, T1595.002, T1595.003 | ES\|QL | Low | GitHub ↗ |
| Web Server Potential Command Injection Request | T1059, T1059.004, T1071, T1505, T1505.003, T1595, T1595.002, T1595.003 | ES\|QL | Low | GitHub ↗ |
| Web Server Potential Spike in Error Response Codes | T1595, T1595.002, T1595.003 | ES\|QL | Low | GitHub ↗ |
| Web Server Suspicious User Agent Requests | T1110, T1595, T1595.001, T1595.002, T1595.003 | ES\|QL | Low | GitHub ↗ |

Rules detecting techniques adversaries use to establish resources for operations, including acquiring infrastructure and developing capabilities.

| Name | Technique | Rule Type | Severity | Source |
| --- | --- | --- | --- | --- |
| Anomalous Linux Compiler Activity | T1588, T1588.001 | Machine Learning | Low | GitHub ↗ |
| AWS Route 53 Domain Transfer Lock Disabled | T1098, T1584, T1584.001 | Custom Query | High | GitHub ↗ |
| AWS Route 53 Domain Transferred to Another Account | T1098, T1584, T1584.001 | Custom Query | High | GitHub ↗ |
| AWS Route 53 Private Hosted Zone Associated With a VPC | T1098, T1583, T1583.001 | Custom Query | Medium | GitHub ↗ |
| AWS SNS Topic Created by Rare User | T1496, T1496.004, T1608 | New Terms | Low | GitHub ↗ |
| Azure Automation Webhook Created | T1546, T1608 | Custom Query | Low | GitHub ↗ |
| M365 OneDrive Malware File Upload | T1080, T1608, T1608.001 | Custom Query | High | GitHub ↗ |
| M365 SharePoint Malware File Detected | T1080, T1608, T1608.001 | Custom Query | High | GitHub ↗ |

Rules not mapped to a specific MITRE ATT&CK tactic.

| Name | Technique | Rule Type | Severity | Source |
| --- | --- | --- | --- | --- |
| Adversary Behavior - Detected - Elastic Endgame | | Custom Query | Medium | GitHub ↗ |
| Alerts From Multiple Integrations by Destination Address | | ES\|QL | High | GitHub ↗ |
| Alerts From Multiple Integrations by Source Address | | ES\|QL | High | GitHub ↗ |
| Alerts From Multiple Integrations by User Name | | ES\|QL | High | GitHub ↗ |
| Alerts in Different ATT&CK Tactics by Host | | ES\|QL | High | GitHub ↗ |
| AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User | | ES\|QL | High | GitHub ↗ |
| AWS Bedrock Detected Multiple Validation Exception Errors by a Single User | | ES\|QL | High | GitHub ↗ |
| AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request | | ES\|QL | Low | GitHub ↗ |
| AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session | | ES\|QL | Medium | GitHub ↗ |
| AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session | | ES\|QL | Medium | GitHub ↗ |
| Azure OpenAI Insecure Output Handling | | ES\|QL | Low | GitHub ↗ |
| Behavior - Detected - Elastic Defend | | Custom Query | Medium | GitHub ↗ |
| Behavior - Prevented - Elastic Defend | | Custom Query | Low | GitHub ↗ |
| Container Workload Protection | | Custom Query | Medium | GitHub ↗ |
| Correlated Alerts on Similar User Identities | | ES\|QL | High | GitHub ↗ |
| CrowdStrike External Alerts | | Custom Query | Medium | GitHub ↗ |
| Elastic Defend and Email Alerts Correlation | | ES\|QL | High | GitHub ↗ |
| Elastic Defend and Network Security Alerts Correlation | | ES\|QL | High | GitHub ↗ |
| Elastic Security External Alerts | | Custom Query | Medium | GitHub ↗ |
| Endpoint Security (Elastic Defend) | | Custom Query | Medium | GitHub ↗ |
| Entra ID Protection - Risk Detection | | Custom Query | Medium | GitHub ↗ |
| External Alerts | | Custom Query | Medium | GitHub ↗ |
| Forwarded Google Workspace Security Alert | | Custom Query | High | GitHub ↗ |
| Google SecOps External Alerts | | Custom Query | Medium | GitHub ↗ |
| Google Workspace Object Copied to External Drive with App Consent | | EQL | Medium | GitHub ↗ |
| LLM-Based Attack Chain Triage by Host | | ES\|QL | Critical | GitHub ↗ |
| LLM-Based Compromised User Triage by User | | ES\|QL | Critical | GitHub ↗ |
| Malware - Detected - Elastic Endgame | | Custom Query | Critical | GitHub ↗ |
| Malware - Prevented - Elastic Endgame | | Custom Query | High | GitHub ↗ |
| Microsoft Sentinel External Alerts | | Custom Query | Medium | GitHub ↗ |
| Multiple Alerts in Different ATT&CK Tactics on a Single Host | | Threshold | High | GitHub ↗ |
| Multiple Alerts in Same ATT&CK Tactic by Host | | ES\|QL | High | GitHub ↗ |
| Multiple Alerts Involving a User | | ES\|QL | High | GitHub ↗ |
| Multiple Elastic Defend Alerts by Agent | | ES\|QL | High | GitHub ↗ |
| Multiple Elastic Defend Alerts from a Single Process Tree | | ES\|QL | High | GitHub ↗ |
| Multiple External EDR Alerts by Host | | ES\|QL | High | GitHub ↗ |
| Multiple Machine Learning Alerts by Influencer Field | | ES\|QL | High | GitHub ↗ |
| Multiple Rare Elastic Defend Behavior Rules by Host | | ES\|QL | Critical | GitHub ↗ |
| Multiple Vulnerabilities by Asset via Wiz | | ES\|QL | Critical | GitHub ↗ |
| My First Rule | | Threshold | Low | GitHub ↗ |
| Newly Observed Elastic Defend Behavior Alert | | ES\|QL | High | GitHub ↗ |
| Newly Observed FortiGate Alert | | ES\|QL | Critical | GitHub ↗ |
| Newly Observed High Severity Detection Alert | | ES\|QL | High | GitHub ↗ |
| Newly Observed High Severity Suricata Alert | | ES\|QL | Critical | GitHub ↗ |
| Newly Observed Palo Alto Network Alert | | ES\|QL | Critical | GitHub ↗ |
| Okta ThreatInsight Threat Suspected Promotion | | Custom Query | Medium | GitHub ↗ |
| Parent Process PID Spoofing | | EQL | High | GitHub ↗ |
| Potential Abuse of Resources by High Token Count and Large Response Sizes | | ES\|QL | Medium | GitHub ↗ |
| Potential Azure OpenAI Model Theft | | ES\|QL | Medium | GitHub ↗ |
| Potential Denial of Azure OpenAI ML Service | | ES\|QL | Medium | GitHub ↗ |
| Ransomware - Detected - Elastic Endgame | | Custom Query | Critical | GitHub ↗ |
| Ransomware - Prevented - Elastic Endgame | | Custom Query | High | GitHub ↗ |
| Rapid7 Threat Command CVEs Correlation | | Indicator Match | High | GitHub ↗ |
| SentinelOne Alert External Alerts | | Custom Query | Medium | GitHub ↗ |
| SentinelOne Threat External Alerts | | Custom Query | Medium | GitHub ↗ |
| Splunk External Alerts | | Custom Query | Medium | GitHub ↗ |
| Suspected Lateral Movement from Compromised Host | | ES\|QL | High | GitHub ↗ |
| Threat Intel Email Indicator Match | | Indicator Match | High | GitHub ↗ |
| Threat Intel Hash Indicator Match | | Indicator Match | High | GitHub ↗ |
| Threat Intel IP Address Indicator Match | | Indicator Match | High | GitHub ↗ |
| Threat Intel URL Indicator Match | | Indicator Match | High | GitHub ↗ |
| Threat Intel Windows Registry Indicator Match | | Indicator Match | High | GitHub ↗ |
| Unusual High Confidence Content Filter Blocks Detected | | ES\|QL | Medium | GitHub ↗ |
| Unusual High Denied Sensitive Information Policy Blocks Detected | | ES\|QL | Medium | GitHub ↗ |
| Unusual High Denied Topic Blocks Detected | | ES\|QL | Medium | GitHub ↗ |
| Unusual High Word Policy Blocks Detected | | ES\|QL | Medium | GitHub ↗ |
| Web Application Suspicious Activity: POST Request Declined | | Custom Query | Medium | GitHub ↗ |
| Web Application Suspicious Activity: Unauthorized Method | | Custom Query | Medium | GitHub ↗ |
| WMI Incoming Lateral Movement | | EQL | Medium | GitHub ↗ |