Update v0.13.2edit

This section lists all updates associated with version 0.13.2 of the Fleet integration Prebuilt Security Detection Rules.

Included in this release are 3 new rules for the recently observed REvil activity as well as 4 new rules covering the recent PrintNightmare vulnerability.

Rule Description Status Version

AWS EC2 Full Network Packet Capture Detected

Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.

new

1

AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

new

1

AWS RDS Security Group Deletion

Identifies the deletion of an Amazon Relational Database Service (RDS) Security Group.

new

1

AWS RDS Security Group Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Security Group.

new

1

AWS RDS Instance Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.

new

1

AWS Route 53 Domain Transfer Lock Disabled

Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

new

1

AWS Route 53 Domain Transferred to Another Account

Identifies when a request has been made to transfer a Route 53 domain to another AWS account.

new

1

Azure Service Principal Credentials Added

Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.

new

1

Disabling Windows Defender Security Settings via PowerShell

Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.

new

1

Enable Host Network Discovery via Netsh

Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.

new

1

Potential DLL Side-Loading via Microsoft Antimalware Service Executable

Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.

new

1

Potential PrintNightmare File Modification

Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.

new

1

Potential PrintNightmare Exploit Registry Modification

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.

new

1

Suspicious Print Spooler File Deletion

Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.

new

1

Unusual Print Spooler Child Process

Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.

new

1

AWS EC2 VM Export Failure

Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.

update

2

Shell Execution via Apple Scripting

Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.

update

3

Persistence via Folder Action Script

A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.

update

3

Attempts to Brute Force a Microsoft 365 User Account

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.

update

5

Potential Password Spraying of Microsoft 365 User Accounts

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

update

4

SMB (Windows File Sharing) Activity to the Internet

This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.

update

9