Update v0.14.3edit

This section lists all updates associated with version 0.14.3 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

new

1

AWS RDS Snapshot Restored

Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.

new

2

AWS EventBridge Rule Disabled or Deleted

Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.

new

2

AWS EFS File System or Mount Deleted

Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.

new

1

AWS Route53 private hosted zone associated with a VPC

Identifies when a Route53 private hosted zone has been associated with VPC.

new

1

AWS Route Table Created

Identifies when an AWS Route Table has been created.

new

1

AWS SAML Activity

Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.

new

1

AWS Security Token Service (STS) AssumeRole Usage

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

new

1

Azure Full Network Packet Capture Detected

Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

new

1

Azure Blob Permissions Modification

Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target’s security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.

new

1

Azure Kubernetes Events Deleted

Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

new

2

Azure Kubernetes Pods Deleted

Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.

new

2

Azure Virtual Network Device Modified or Deleted

Identifies when a virtual network device is being modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.

new

1

Azure Active Directory High Risk User Sign-in Heuristic

Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.

new

1

Azure Kubernetes Rolebindings Created

Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.

new

1

GCP Kubernetes Rolebindings Created or Patched

Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings.

new

1

PowerShell Suspicious Script with Audio Capture Capabilities

Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.

new

2

PowerShell Keylogging Script

Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.

new

1

PowerShell MiniDump Script

This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.

new

2

Potential Credential Access via Renamed COM+ Services DLL

Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.

new

1

Potential Credential Access via LSASS Memory Dump

Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.

new

1

Potential LSASS Memory Dump via PssCaptureSnapShot

Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

new

1

Potential LSASS Clone Creation via PssCaptureSnapShot

Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

new

1

Clearing Windows Console History

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

new

1

DNS-over-HTTPS Enabled via Registry

Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.

new

2

Suspicious .NET Reflection via PowerShell

This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.

new

1

Potential Process Injection via PowerShell

Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.

new

1

Windows Firewall Disabled via PowerShell

Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network constraints, like internet and network lateral communication restrictions.

new

1

Suspicious Process Access via Direct System Call

Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It’s possible to bypass hooked functions by writing malicious functions that call syscalls directly.

new

2

Suspicious Process Creation CallTrace

Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection or hollowing attempt.

new

1

PowerShell Suspicious Discovery Related Windows API Functions

This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.

new

2

Enumeration of Privileged Local Groups Membership

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

new

1

Suspicious Portable Executable Encoded in Powershell Script

Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.

new

2

Account Password Reset Remotely

Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.

new

1

Privilege Escalation via Rogue Named Pipe Impersonation

Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.

new

1

Suspicious JAVA Child Process

Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.

update

3

Hosts File Modified

The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.

update

6

Threat Intel Filebeat Module (v7.x) Indicator Match

This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations.

update

4

GCP Virtual Private Cloud Route Creation

Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target’s cloud environment.

update

6

Microsoft 365 Potential ransomware activity

Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.

update

2

Roshal Archive (RAR) or PowerShell File Downloaded from the Internet

Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.

update

9

Ransomware - Detected - Elastic Endgame

Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

7

Ransomware - Prevented - Elastic Endgame

Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

7

Exporting Exchange Mailbox via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

update

6

Remote File Download via PowerShell

Identifies powershell.exe being used to download an executable file from an untrusted remote destination.

update

3

Remote File Download via Script Interpreter

Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.

update

3

Kerberos Traffic from Unusual Process

Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.

update

4

Potential Credential Access via DuplicateHandle in LSASS

Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

update

2

Clearing Windows Event Logs

Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

update

11

Windows Defender Exclusions Added via PowerShell

Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.

update

5

Disabling Windows Defender Security Settings via PowerShell

Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.

update

2

Control Panel Process with Unusual Arguments

Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.

update

2

Microsoft Build Engine Started by a Script Process

An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.

update

10

InstallUtil Process Making Network Connections

Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.

update

4

Potential Windows Error Manager Masquerading

Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.

update

4

Network Connection via Signed Binary

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to live off the land and execute malicious files that could bypass application allowlists and signature validation.

update

9

Suspicious CertUtil Commands

Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.

update

10

Suspicious Zoom Child Process

A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.

update

5

Whitespace Padding in Process Command Line

Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.

update

5

Outbound Scheduled Task Activity via PowerShell

Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.

update

4

Process Activity via Compiled HTML File

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).

update

10

Third-party Backup Files Deleted via Unexpected Process

Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.

update

2

Volume Shadow Copy Deletion via PowerShell

Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.

update

2

Microsoft Exchange Worker Spawning Suspicious Processes

Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.

update

2

Incoming DCOM Lateral Movement via MSHTA

Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evading detection.

update

4

Incoming DCOM Lateral Movement with MMC

Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.

update

4

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.

update

4

Lateral Tool Transfer

Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.

update

3

Incoming Execution via WinRM Remote Shell

Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.

update

3

WMI Incoming Lateral Movement

Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.

update

3

Incoming Execution via PowerShell Remoting

Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.

update

3

Potential SharpRDP Behavior

Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.

update

4

Remotely Started Services via RPC

Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators."

update

3

Remote Scheduled Task Creation

Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.

update

5

Local Scheduled Task Creation

A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.

update

9

Scheduled Task Created by a Windows Script

A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.

update

5

New ActiveSyncAllowedDeviceID Added via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.

update

6

Component Object Model Hijacking

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.

update

5

System Shells via Services

Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.

update

10

Webshell Detection: Script Process Child of Common Web Processes

Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.

update

3

Network Connection via Mshta

Identifies mshta.exe making a network connection. This may indicate adversarial activity, as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.

deprecated

5