Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
forging capability that are often abused to bypass access control restrictions.
Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way
for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords,
websites, secure notes and certificates.
Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process
within a short time period. Adversaries may use malicious scripts for execution and command and control.
Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only
trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command
and control servers. Root certificates are used in public key cryptography to identify a root certificate authority
(CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of
trust that have been signed by the root certificate.
Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet,
there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution
time. An adversary may disable this attribute to evade defenses.
Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively
supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature
to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump
credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for
Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the
built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi
and website passwords, secure notes, certificates, and Kerberos.
Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by
writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.
Identifies attempts to execute a child process from within the context of an Electron application using the
child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.
Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use
AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should
not be run by itself, as this is a sign of execution with explicit logon credentials.
Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse
this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries
may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.
Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the
built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi
and website passwords, secure notes, certificates, and Kerberos.
Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a
network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS
installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect
their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or
malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.
Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their
own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain
Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or
Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon
launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in
the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is
attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this
feature to establish persistence by utilizing a malicious script.
Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this
capability to establish persistence in an environment by inserting code to be executed at login or logout.
Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an
attempt to evade user attention while maintaining persistence using a separate local account.
Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or
attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.
Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office
applications on macOS are allowed to write files that start with special characters, which can be combined with an
AutoStart location to achieve sandbox evasion.
Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell
Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS
privacy controls to access sensitive files.
Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may
indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera,
microphone, address book, and calendar.
Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on
a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute
code each time the screensaver is activated.
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service.
alternative to using osascript.
Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user
visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted
Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar
notification procedure to execute a malicious program at a recurring interval to establish persistence.
Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader
PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and
CVE-2020-9613 and verify that the impacted system is patched.
Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This
activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this
service by writing a rule to execute commands when a defined event occurs, such as system start up or user
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and
Excel). These child processes are often launched during exploitation of Office applications or by documents with
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and
features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the
keychain storage data from a system to acquire credentials.
Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots
as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file
system, including all user data and files protected by Apple’s privacy framework (TCC).
Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's
malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence
on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to
execute code each time the screensaver is activated.
Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries
may use VPN connections to laterally move and control remote systems on a network.
Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to
hijack web browser traffic for credential access via traffic sniffing or redirection.
Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse
this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this
Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is
sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using
the net users command.
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs)
directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage
other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising
itself or these files as legitimate PID files.
Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/,
/var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed
executables used for persistence on high-uptime servers in these directories as system backdoors.
Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize
this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has
either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run
providing long-term persistence.
Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name.
Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.
This rule looks for hidden files or folders in common writable directories.
Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting
a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and
folders on the system for persistence and defense evasion.
Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and
command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts
at predefined intervals, ensuring their continued presence and enabling unauthorized activities.
This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They
extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate
information about a kernel module.
Identifies instances where the 'find' command is started on a Linux system with arguments targeting
specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
These paths are associated with VMware virtualization software, and their presence in the find command arguments
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
and configurations on the system.
Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram",
or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command
arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag,
which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related
paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization
software, and their presence in the touch command arguments may indicate that a threat actor is attempting to
tamper with timestamps of VM-related files and configurations on the system.
This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
malicious code and delete itself to hide its tracks.
Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within
a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
remove them at the end as part of the post-intrusion cleanup process.
Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or
renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be
opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious
files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files
or payloads into a writable directory and change permissions prior to execution.
A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets
for a wide variety of network security testing applications, including scanning and firewall auditing.
This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential
compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different
kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures,
escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to
tamper with the system's trusted state, allowing e.g. a VM Escape.
Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.
Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the
functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel
This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory
dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include
"truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges
or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the
host and access other resources or escalate privileges.
Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses
the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
with netcat to gain a more stable reverse shell.
This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the
kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel
space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
Attackers may attempt to evade detection by masquerading as a kernel worker process.
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
Attackers may spawn reverse shells to establish persistence onto a target system.
Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious
actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute
malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute
additional malicious activities, or evade detection.
Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used
by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd
timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in
case the connection to the infected asset was lost.
This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within
a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
for unauthorized access and malicious actions.
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed
with and without the use of environment variables. For increased visibility, enable the collection of http_proxy,
HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.
Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of
chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot
to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts.
In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution.
With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions,
such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other
architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF),
can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or
orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent
it can be easily tuned to work for one.
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces
fine-grained access control policies to restrict the actions and resources that specific applications and processes can
access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to
support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
Identifies multiple external consecutive login failures targeting a user account from the same source address within
a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
password, in an attempt to gain access to these accounts.
Identifies the execution of mount process with hidepid parameter, which can make processes invisible to
other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide
the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user
can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for
the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more.
With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option,
which can now be monitored and detected.
Identifies multiple internal consecutive login failures targeting a user account from the same source address within
a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
password, in an attempt to gain access to these accounts.
Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz.
Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits
a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by
dumping the process and extracting lines that have a high probability of containing cleartext passwords.
Identifies the execution of the unshadow utility which is part of John the Ripper,
a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve
the combined contents of the '/etc/shadow' and '/etc/password' files.
Using the combined file generated from the utility, the malicious threat actors can use them as input
for password-cracking utilities or prepare themselves for future operations by gathering
credential information of the victim.
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as
Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a
short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a
set of customly crafted passwords in an attempt to gain access to these accounts.
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with
a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
new file extension is added to the file.
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting
this pattern is indicative of a successful meterpreter shell connection.
This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans.
Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while
attempting to evade detection or due to the lack of network mapping tools available on the compromised host.
Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file.
Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to
enable unauthorized access or to log SSH credentials for exfiltration.
Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts
or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the
"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or
alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence
on the system.
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially
malicious files within the default MOTD file directories.
This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable
through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications,
services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd.
However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at
boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the
This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
default are only be writable by the root user and docker group. Attackers that have permissions to write to these
sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
the host file system.
This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact
with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might
be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a
container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a
buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.
Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's
modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the
ability to escalate privileges to root on the affected machine.
Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment
variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python,
followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation.
Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated
privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the
privileges that are set on the binary that is being executed.
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent
alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or
software privilege escalation exploit.
This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt.
Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure
communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass
network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
allow unauthorized access to internal systems.
Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable
This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the
openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process
monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor
file that can be abused to gain code execution as a mechanism for persistence.
This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
activity consists of a parent-child relationship where a network event is followed by the creation of a shell process.
An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming
network connection. This behavior may indicate reverse shell activity via a Java application.
This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
persistence onto a target system.
This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
the specified utilities that are initialized from a single process followed by a network connection attempt will be
captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This
activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the
auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux
UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.
Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating
privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may
utilize these to move laterally undetected and access additional resources.
This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection,
with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security
vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, ) to execute unintended
operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's
autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.
An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different
combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can
include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and
potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting
a specific user account from the same source address and within a short time interval, followed by a successful
An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and
password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact
can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks
within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising
the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a
specific user account within a short time interval, followed by a successful authentication.
Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt
to login into multiple users with a common or known password to gain access to accounts.
Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
enable persistence onto the system every time the sudo binary is executed.
This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate
privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID
that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0,
representing the root user. This exploit may work for sudo versions prior to v1.28.
This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a
debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token
manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by
attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence
of a living process that has a valid sudo token with the same uid as the current user.
This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions.
Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through
DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root,
such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate
This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a
wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate
commands or input containing wildcards (e.g., *, ?, ) to execute unintended operations or access sensitive data by
tricking the system into interpreting the wildcard characters in unexpected ways.
Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade
a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage
paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous
copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables
and other tasks, disguising itself or these files as legitimate PID files.
This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID)
and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the
file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries,
allowing them to maintain control over a compromised system with elevated permissions.
This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object
file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While
this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute
unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows
malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the
affected system and its data.
This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for
the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,
potentially allowing to escalate privileges to root.
This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID
(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the
privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In
case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this
misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility.
Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The
output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is
consistent with malware families such as Bundlore.
Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window.
Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data
and may attempt to hold the organization's data to ransom for the purposes of extortion.
This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and
demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
attack is the mass encryption of the file system, after which a new file extension is added to the file.
Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and
elevate privileges on compromised systems. File creation in these directories should not be entirely common and could
indicate a malicious binary or script installing persistence mechanisms for long term access.
This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to
unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can
help identify and mitigate potential security threats, protecting the system and its data from potential compromise.
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH
or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially
malicious processes through the MOTD utility.
Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd",
".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename"
event action associated with these file types, which could indicate malicious activity.
Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system.
The rule monitors for the "rename" event action associated with this specific file and path,
which could indicate malicious activity.
Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or
directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different
location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a
privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or
capabilities they would not normally have.
This rule monitors for the execution of several commonly used system commands executed by a previously unknown
executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
system and its data from potential compromise.
Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system
by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process.
The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a
threat actor is attempting to interfere with the virtualized environment on the targeted system.
This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool
that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to
restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection,
and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move
and rename system binaries to evade detection. Copying a system binary to a different location should not occur often,
so if it does, the activity should be investigated.
This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This
behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These
scripts leverage the "id" command to enumerate the privileges of all users present on the system.
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
RAT and other malware.
This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently
leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been
observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from
the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder
object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected
accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will
remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these
Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by
attackers in an attempt to evade detection or destroy forensic evidence on a system.
Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for
legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a
malicious payload remotely on all or a subset of the domain joined machines.
Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API
(DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root
certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity
(for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.
User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run
in the security context of a non-administrator account, unless an administrator specifically authorizes
administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control
Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
IP, which are used to determine bad actors.
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
benign file type but is actually executable code.
Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application
programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to
run a COM object created in registry to evade defensive counter measures.
Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by
using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary
mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
This rule identifies when a User Account starts the Active Directory Replication Process for the first time.
Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain,
thus compromising the entire domain.
The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first
point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic
to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
RHEL) and macOS systems.
Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server
access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used
as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
Identifies the modification of an account's Kerberos pre-authentication options. An adversary with
GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password
cracking attacks such as AS-REP roasting.
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to
maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move
laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may
indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper
(sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access
masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool
agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz,
Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
This rules identifies a process created from an executable with a space appended to the end of the filename. This may
indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of
certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can
hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name
so that the OS automatically executes the file when it's double-clicked.
An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler.
This technique is sometimes used to deploy a malicious payload using the Build Engine.
An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management
Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build
Engine and could have been caused by an Excel or Word document executing a malicious script payload.
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
password using aspnet_regiis command.
Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker
with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can
abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials
contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys,
certificates, and certificate requests.
Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in
clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of
an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from
Microsoft Office Products offer options for users and developers to control the security settings for running and using
Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust
future macros and/or disable security warnings, which could increase their chances of establishing persistence.
Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often
brute force login attempts across multiple users with a common or known password, in an attempt to gain access to
Identifies multiple consecutive logon failures from the same source address and within a short time interval.
Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt
to gain access to accounts.
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
saved usernames and passwords. This may also be performed in preparation of lateral movement.
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files.
Those files contain sensitive information including hashed domain and/or local credentials.
An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program
that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a
Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated)
registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).
A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse
task scheduling functionality to facilitate initial or recurring execution of malicious code.
An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and
bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an
event and execute arbitrary code when that event occurs, providing persistence on a system.
The Application Shim was created to allow for backward compatibility of software as the operating system codebase
changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
code execution in legitimate Windows processes.
Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt
to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain
access web applications or Internet services as an authenticated user without needing credentials.
This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync
technique to get credential information of individual accounts or the entire domain, thus compromising the entire
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a
process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in
preparation for credential access.
Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being
renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via
side-loading a malicious DLL within the memory space of one of those processes.
Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking
starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
defenses via side loading a malicious DLL within the memory space of one of those processes.
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many
other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell
script and alike.
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
detection and dump LSASS memory for credential access.
Windows contains accessibility features that may be launched with a key combination before a user has logged in. An
adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the
Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box
offensive tools without modifying the code. This rule aim is to take advantage of that.
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.