heroui logo

Shell Execution via Elastic Endpoint

Elastic Detection Rules

View Source
Summary
This rule detects shell executions initiated via Elastic Endpoint on Linux hosts. It monitors process start events and flags cases where the parent executable is the Elastic Endpoint agent (e.g., /opt/Elastic/Endpoint/elastic-endpoint) and the child process is a shell (bash, dash, sh, tcsh, csh, zsh, ksh, fish) invoked with common command flags (-c, -cl, -lc, --command). Such patterns indicate potential remote command execution or command obfuscation through the endpoint console, which can be used for defense evasion or command-and-control activity. The detection targets logs from endpoint process events and SentinelOne cloud funnel data, tying to MITRE ATT&CK techniques: TA0011 (Command and Control) via T1219 (Remote Access Tools); TA0005 (Defense Evasion) via T1218 (System Binary Proxy Execution); and TA0002 (Execution) via T1059.004 (Unix Shell). The rule uses data sources from Linux endpoints and is designed to surface suspicious, shell-based command execution orchestrated through Elastic Defend/Elastic Endpoint telemetry. It includes setup guidance for integrating Elastic Defend with Fleet and notes on recommended configuration to enable endpoint telemetry. Severity is set to low to reflect that legitimate automation could trigger the rule, but it can reveal abuse when observed in context with other indicators.
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1219
  • T1218
  • T1059
  • T1059.004
Created: 2026-07-02