Spike in Privileged Command Execution by a User

Last updated: 2025-07-02
Created: 2025-02-18

About

A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity. This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system.
Tags

Use Case: Privileged Access Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Privilege Escalation
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)

License
Elastic License v2

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

pad

endpoint

sysmon_linux

Query

Install detection rules in Elastic Security

Detect Spike in Privileged Command Execution by a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.