- Potential File Download via a Headless Browser
  Apr 6, 2026 · Domain: Endpoint · OS: Windows · Use Case: Threat Detection · Tactic: Command and Control · Resources: Investigation Guide · Data Sources: Windows, Elastic Endgame, Elastic Defend, Windows Security Event Logs, Microsoft Defender for Endpoint, SentinelOne, Sysmon, Crowdstrike
  Identifies headless browser execution from a suspicious parent process with arguments consistent with scripted retrieval. Adversaries use browsers because they are trusted, signed binaries that proxy and application-control policies allow through, bypassing restrictions on direct download tools.
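The following is an added illustration of the three conditions the rule summary names (a browser binary, a scripting or shell parent, and headless switches that fetch and write out a page); it is not the Elastic rule's own query. The browser, parent and switch lists, and the constructed process-creation events, are assumptions for the example and should be tuned to the environment.

```python
import re
from dataclasses import dataclass

# Tunable lists, assumed for this illustration; they are not the Elastic rule's own query.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}
SUSPICIOUS_PARENTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "wmiprvse.exe", "python.exe", "winword.exe", "excel.exe",
}
# Switches that make a headless Chromium fetch a page and write it out or expose it to a script.
RETRIEVAL_FLAGS = {
    "--dump-dom", "--screenshot", "--print-to-pdf",
    "--remote-debugging-port", "--remote-debugging-pipe",
}
URL_RE = re.compile(r"^https?://")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a quoted path or a bare token


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation record (Sysmon 1, Security 4688 or EDR telemetry)."""
    process_name: str
    parent_name: str
    command_line: str


@dataclass
class Alert:
    event: ProcessEvent
    reasons: list


def tokenize(command_line: str) -> list:
    """Split a Windows command line, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def is_headless(tokens) -> bool:
    # Both "--headless" and "--headless=new" start a windowless browser.
    return any(t.lower() == "--headless" or t.lower().startswith("--headless=") for t in tokens)


def retrieval_indicators(tokens) -> list:
    """Return the retrieval-consistent switches and any URL argument, in command-line order."""
    hits = []
    for t in tokens:
        low = t.lower()
        switch = low.split("=", 1)[0]          # "--screenshot=C:\out.png" -> "--screenshot"
        if switch in RETRIEVAL_FLAGS:
            hits.append(switch)
        elif URL_RE.match(low):
            hits.append("url")
    return hits


def evaluate(event: ProcessEvent):
    """Apply the rule logic to one event; return an Alert or None."""
    if event.process_name.lower() not in BROWSERS:
        return None
    if event.parent_name.lower() not in SUSPICIOUS_PARENTS:
        return None
    tokens = tokenize(event.command_line)
    if not is_headless(tokens):
        return None
    reasons = retrieval_indicators(tokens)
    return Alert(event, reasons) if reasons else None


def run(events) -> list:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("msedge.exe", "powershell.exe",
                 r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --disable-gpu '
                 r'--dump-dom https://cdn.example.invalid/stage2.txt'),
    ProcessEvent("chrome.exe", "mshta.exe",
                 r'chrome.exe --headless=new --screenshot=C:\Users\Public\page.png http://10.0.0.5/update.html'),
    # Interactive launch from the desktop: not headless, not flagged.
    ProcessEvent("chrome.exe", "explorer.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example.invalid/'),
    # Headless PDF rendering by a service: parent is not in the suspicious list, so not flagged.
    ProcessEvent("chrome.exe", "node.exe",
                 r'chrome.exe --headless --print-to-pdf=C:\reports\out.pdf https://reports.example.invalid/'),
    # Launched from cmd.exe but without a headless switch: not flagged.
    ProcessEvent("chrome.exe", "cmd.exe", r'chrome.exe --disable-gpu https://www.example.invalid/'),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert.event.parent_name} -> {alert.event.process_name}: {alert.reasons}")
```

Requiring all three conditions is what keeps the logic usable: headless Chromium is common in report-rendering and test pipelines, so the parent-process allowance (here, anything not in SUSPICIOUS_PARENTS) is where tuning happens, and the reasons list gives the analyst the switch and URL to pivot on during investigation.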
- Identifies read access to a high number of Active Directory object attributes. Knowledge of object properties can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.
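An added example of the aggregation behind this kind of rule, not the Elastic rule's own query: it assumes the input is Security event 4662 (An operation was performed on an object) with Read Property access, and counts the distinct attributes each subject reads inside a sliding window. The window, threshold, machine-account exclusion and the constructed events are assumptions; the attribute names stand in for the schema GUIDs a real Properties field carries.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

READ_PROPERTY = 0x10  # ADS_RIGHT_DS_READ_PROP, the AccessMask bit for "Read Property" in event 4662

# Tuning knobs, assumed for this illustration; the Elastic rule's own threshold and window may differ.
WINDOW = timedelta(minutes=5)
THRESHOLD = 12                       # distinct attributes read by one subject inside WINDOW
IGNORED_SUBJECT_SUFFIXES = ("$",)    # machine accounts read many attributes legitimately


@dataclass(frozen=True)
class DsAccessEvent:
    """Fields of interest from a Security 4662 record."""
    timestamp: datetime
    subject: str          # SubjectUserName
    object_name: str      # ObjectName (distinguished name)
    access_mask: int      # AccessMask
    properties: tuple     # attribute identifiers from the Properties field (constructed names here)


def distinct_attribute_reads(events, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Sliding-window count of distinct attributes read per subject.

    Returns {subject: (distinct_count, window_start, window_end)} for each subject
    whose count first reaches the threshold.
    """
    per_subject = defaultdict(deque)    # subject -> deque of (timestamp, attribute)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not ev.access_mask & READ_PROPERTY:
            continue                    # writes and control-access operations are out of scope
        if ev.subject.endswith(IGNORED_SUBJECT_SUFFIXES) or ev.subject in alerts:
            continue
        reads = per_subject[ev.subject]
        reads.extend((ev.timestamp, attr) for attr in ev.properties)
        while reads and ev.timestamp - reads[0][0] > window:
            reads.popleft()             # drop reads that fell out of the window
        distinct = {attr for _, attr in reads}
        if len(distinct) >= threshold:
            alerts[ev.subject] = (len(distinct), reads[0][0], ev.timestamp)
    return alerts


BASE = datetime(2026, 4, 6, 9, 0, 0)


def _ev(minutes, subject, obj, attrs, mask=READ_PROPERTY):
    return DsAccessEvent(BASE + timedelta(minutes=minutes), subject, obj, mask, tuple(attrs))


def _attrs(first, last):
    return [f"attr-{i}" for i in range(first, last + 1)]


# Constructed sample (not real 4662 records).
SAMPLE_EVENTS = [
    # Enumeration: 15 distinct attributes across three objects within two minutes.
    _ev(0, "svc-scanner", "CN=Alice,OU=Staff,DC=corp,DC=example", _attrs(1, 5)),
    _ev(1, "svc-scanner", "CN=Bob,OU=Staff,DC=corp,DC=example", _attrs(6, 10)),
    _ev(2, "svc-scanner", "CN=Domain Admins,CN=Users,DC=corp,DC=example", _attrs(11, 15)),
    # Ordinary user reading a few attributes of one object.
    _ev(0, "jsmith", "CN=jsmith,OU=Staff,DC=corp,DC=example", _attrs(1, 3)),
    # Domain controller machine account: many reads, but excluded by suffix.
    _ev(0, "DC02$", "CN=Bob,OU=Staff,DC=corp,DC=example", _attrs(1, 20)),
    # Spread-out reads that never reach the threshold inside one window.
    _ev(0, "auditor", "CN=Alice,OU=Staff,DC=corp,DC=example", _attrs(1, 6)),
    _ev(20, "auditor", "CN=Alice,OU=Staff,DC=corp,DC=example", _attrs(7, 12)),
    # Write Property (0x20) on many attributes: not a read, so not counted.
    _ev(0, "svc-backup", "CN=Alice,OU=Staff,DC=corp,DC=example", _attrs(1, 15), mask=0x20),
]

if __name__ == "__main__":
    for subject, (count, start, end) in distinct_attribute_reads(SAMPLE_EVENTS).items():
        print(f"{subject}: {count} distinct attributes between {start:%H:%M} and {end:%H:%M}")
```

Counting distinct attributes rather than raw 4662 volume is the point: a normal logon or GPO refresh produces many events that touch the same few properties, while enumeration tooling walks across the schema. In practice the exclusion list also needs the directory-aware service accounts (backup, identity sync, vulnerability scanners) that are expected to behave this way.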
- This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration match vulnerabilities found in the customer environment.