⚙️ Execution Detections
🔍 Monitoring Process Behavior
Execution detection recipes monitor process execution patterns to identify suspicious or malicious activities related to how programs are started and behave. Track abnormal execution, offensive tools, and malicious runtime behaviors in real-time.
🎯 What These Detections Monitor
Execution recipes track process execution patterns including spawning methods, execution locations, and runtime behaviors:
🚀 Execution Patterns
- Non-standard execution methods
- Unusual directory execution
- Interpreter shell spawning
🛠️ Security Tools
- Network scanning tools
- Packet capture utilities
- Man-in-the-middle tools
🔐 Credential Access
- Password utilities
- Credential searching
- Brute force attempts
🦠 Malicious Activity
- Cryptocurrency miners
- DoS/DDoS tools
- Container escapes
📂 Detection Categories
🔄 Loader and Execution Bypass
- Binary Executed by Loader - Binaries executed through system loaders
- Code on the Fly - Code execution from memory without persistent files
- Hidden ELF Execution - Execution of hidden or obfuscated ELF binaries
🎯 Unusual Execution Patterns
- Execution from Unusual Directories - Non-standard locations such as temporary and system directories
- Interpreter Shell Spawning - Shells spawned from scripting language interpreters
- Web Server Execution - Processes spawned from web servers
- Web Server Shell Execution - Shell execution from web server processes
🛠️ Security Tool Detection
- Network Scanning Tools - Tools that scan networks for open ports and services
- Network Sniffing Tools - Packet capture tools that intercept and analyze network traffic
- File Copy Tools - Tools that copy files over the network
- MITM Tools - Tools that intercept and modify network traffic
- Network Suspicious Tools - General suspicious network utilities
🔐 Credential and Data Access
- Password Usage - Execution of password-related utilities
- Credentials Text Lookup - Attempts to search for credentials in text files
- Password Brute Force - Brute force attempts
🚨 Malicious Activity
- Cryptocurrency Miner Execution - Known cryptocurrency mining software
- Denial of Service Tools - DoS and DDoS tools
- Data Encoding Execution - Use of encoding/obfuscation tools
- File Attribute Changes - Suspicious file attribute modifications
🐳 Container Security
- Suspicious runc Execution - Suspicious container runtime activities
🛡️ MITRE ATT&CK Coverage
Execution
- T1059 - Command and Scripting Interpreter
- T1203 - Exploitation for Client Execution
- T1543 - Create or Modify System Process
Defense Evasion
- T1574 - Hijack Execution Flow
- T1027 - Obfuscated Files or Information
Discovery & Reconnaissance
- T1046 - Network Service Scanning
- T1040 - Network Sniffing
Impact & Resource Hijacking
- T1496 - Resource Hijacking (Cryptomining)
- T1499 - Endpoint Denial of Service