Update v0.14.2edit

This section lists all updates associated with version 0.14.2 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Virtual Machine Fingerprinting via Grep

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

new

1

AWS ElastiCache Security Group Created

Identifies when an ElastiCache security group has been created.

new

1

AWS ElastiCache Security Group Modified or Deleted

Identifies when an ElastiCache security group has been modified or deleted.

new

1

AWS Route Table Modified or Deleted

Identifies when an AWS Route Table has been modified or deleted.

new

1

AWS STS GetSessionToken Abuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

new

1

Azure Frontdoor Web Application Firewall (WAF) Policy Deleted

Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.

new

1

Microsoft 365 Potential ransomware activity

Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.

new

1

Microsoft 365 User Restricted from Sending Email

Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.

new

1

O365 Exchange Suspicious Mailbox Right Delegation

Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target business while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

new

1

New or Modified Federation Domain

Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.

new

1

Unauthorized Access to an Okta Application

Identifies when an unauthorized access attempt is made by a user for an Okta application.

new

1

Unexpected Child Process of macOS Screensaver Engine

Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker’s malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.

new

1

Screensaver Plist File Modified by Unexpected Process

Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.

new

1

Microsoft 365 Unusual Volume of File Deletion

Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.

new

1

Potential Credential Access via DuplicateHandle in LSASS

Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory for credential access.

new

1

Control Panel Process with Unusual Arguments

Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse Control.exe to proxy execution of malicious code.

new

1

Third-party Backup Files Deleted via Unexpected Process

Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.

new

1

Volume Shadow Copy Deletion via PowerShell

Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.

new

1

Threat Intel Filebeat Module Indicator Match

This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.

update

2

AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

update

2

Spike in AWS Error Messages

A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.

update

7

Rare AWS Error Code

A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.

update

7

Unusual City For an AWS Command

A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).

update

7

Unusual Country For an AWS Command

A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).

update

7

Unusual AWS Command for a User

A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.

update

7

AWS Security Group Configuration Change Detection

Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.

update

2

AWS RDS Instance Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.

update

2

Kerberos Cached Credentials Dumping

Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.

update

4

Potential Kerberos Attack via Bifrost

Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.

update

2

Rare User Logon

A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.

update

3

Spike in Logon Events from a Source IP

A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.

update

2

Unusual Process For a Windows Host

Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.

update

8

DNS Activity to the Internet

This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization’s ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.

update

12

Roshal Archive (RAR) or PowerShell File Downloaded from the Internet

Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.

update

8

Exporting Exchange Mailbox via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

update

5

Encrypting Files with WinRar or 7z

Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.

update

4

Connection to Commonly Abused Web Services

Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.

update

5

Potential DNS Tunneling via NsLookup

This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.

update

3

Potential Command and Control via Internet Explorer

Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.

update

4

Port Forwarding Rule Addition

Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.

update

4

Potential Remote Desktop Tunneling Detected

Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

update

4

Remote File Copy via TeamViewer

Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.

update

5

Potential Credential Access via Windows Utilities

Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.

update

5

NTDS or SAM Database File Copied

Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.

update

5

Creation or Modification of Domain Backup DPAPI private key

Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.

update

6

Credential Acquisition via Registry Hive Dumping

Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.

update

4

LSASS Memory Dump Creation

Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.

update

5

Searching for Saved Credentials via VaultCmd

Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.

update

2

Clearing Windows Event Logs

Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

update

10

Windows Event Logs Cleared

Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

update

2

Windows Defender Exclusions Added via PowerShell

Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.

update

3

Disable Windows Firewall Rules via Netsh

Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.

update

10

Disable Windows Event and Security Logs Using Built-in Tools

Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.

update

2

Suspicious .NET Code Compilation

Identifies suspicious .NET code execution. connections.

update

5

Remote Desktop Enabled in Windows Firewall

Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.

update

4

Enable Host Network Discovery via Netsh

Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.

update

2

Microsoft Build Engine Started by an Office Application

An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.

update

9

Microsoft Build Engine Started by a Script Process

An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.

update

9

Microsoft Build Engine Started by a System Process

An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.

update

9

Microsoft Build Engine Using an Alternate Name

An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.

update

9

Potential DLL Side-Loading via Microsoft Antimalware Service Executable

Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.

update

2

Executable File Creation with Multiple Extensions

Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.

update

3

Encoded Executable Stored in the Registry

Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.

update

4

IIS HTTP Logging Disabled

Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.

update

6

Renamed AutoIt Scripts Interpreter

Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.

update

5

Program Files Directory Masquerading

Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections whitelisting those folders.

update

5

MsBuild Making Network Connections

Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.

update

8

Process Termination followed by Deletion

Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

update

3

Unusual Process Execution Path - Alternate Data Stream

Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.

update

5

Potential Evasion via Filter Manager

The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.

update

8

Whitespace Padding in Process Command Line

Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.

update

2

AdFind Command Activity

This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.

update

5

Enumeration of Administrator Accounts

Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.

update

4

Net command via SYSTEM account

Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.

update

8

Security Software Discovery using WMIC

Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.

update

4

Enumeration Command Spawned via WMIPrvSE

Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).

update

2

Network Connection via Compiled HTML File

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).

update

9

Outbound Scheduled Task Activity via PowerShell

Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.

update

3

Process Activity via Compiled HTML File

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).

update

9

Deleting Backup Catalogs with Wbadmin

Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.

update

10

Modification of Boot Configuration

Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.

update

9

High Number of Process and/or Service Terminations

This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.

update

3

Volume Shadow Copy Deleted or Resized via VssAdmin

Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.

update

10

Volume Shadow Copy Deletion via WMIC

Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.

update

10

Suspicious MS Office Child Process

Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.

update

9

Incoming DCOM Lateral Movement via MSHTA

Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.

update

3

Incoming DCOM Lateral Movement with MMC

Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.

update

3

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.

update

3

Direct Outbound SMB Connection

Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.

update

7

Abnormally Large DNS Response

Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.

update

5

RDP Enabled via Registry

Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.

update

4

Potential SharpRDP Behavior

Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.

update

3

Remote Scheduled Task Creation

Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.

update

4

Creation of a Hidden Local User Account

Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.

update

2

Suspicious Startup Shell Folder Modification

Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.

update

2

Creation or Modification of a new GPO Scheduled Task or Service

Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.

update

6

Persistence via Scheduled Job Creation

A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

update

2

Scheduled Task Created by a Windows Script

A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.

update

4

New ActiveSyncAllowedDeviceID Added via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.

update

5

Uncommon Registry Persistence Change

Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary’s attempt to persist in a stealthy manner.

update

4

Suspicious Execution via Scheduled Task

Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.

update

4

User Added to Privileged Group in Active Directory

Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.

update

3

User Account Creation

Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.

update

9

Persistence via TelemetryController Scheduled Task Hijack

Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.

update

6

Persistence via WMI Event Subscription

An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.

update

4

Webshell Detection: Script Process Child of Common Web Processes

Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.

update

2

Unusual Parent-Child Relationship

Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.

update

10