IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Update v8.19.18


This section lists all updates associated with version 8.19.18 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

AWS CloudShell Environment Created

Identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. Monitoring environment creation helps detect unauthorized CloudShell usage from compromised console sessions.

new

1

AWS API Activity from Uncommon S3 Client by Rare User

Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows.

new

1

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The listClusterUserCredential action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval) represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.

new

1

Azure Arc Cluster Credential Access by Identity from Unusual Source

Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The listClusterUserCredential action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.

new

1

Azure Service Principal Authentication from Multiple Countries

Detects when an Azure service principal authenticates from multiple countries within a short time window, which may indicate stolen credentials being used from different geographic locations. Service principals typically authenticate from consistent locations tied to their deployment infrastructure. Authentication from multiple countries in a brief period suggests credential compromise, particularly when the source countries do not align with the organization’s expected operating regions. This pattern has been observed in attacks using stolen CI/CD credentials, phished service principal secrets, and compromised automation accounts.

new

1

Kubernetes Secret or ConfigMap Access via Azure Arc Proxy

Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.

new

1

M365 SharePoint Site Sharing Policy Weakened

Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.

new

1

M365 SharePoint Site Administrator Added

Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.

new

1

Suspicious Write Attempt to AppArmor Policy Management Files

Detects processes attempting to write to AppArmor policy management pseudo-files located under "/sys/kernel/security/apparmor/". These special kernel interfaces are used to load, replace, or remove AppArmor profiles (".load", ".replace", ".remove"). In normal environments, AppArmor policy management is typically performed by administrative tools such as "apparmor_parser" during system initialization or package installation. Direct interaction with these pseudo-files from shell utilities, interpreters, or scripting environments is uncommon and may indicate attempts to modify security policy at runtime. Adversaries may abuse these interfaces to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser as part of local privilege escalation chains.

new

1

AppArmor Policy Interface Access

Identifies access to AppArmor kernel policy control interfaces through the .load, .replace, or .remove files under /sys/kernel/security/apparmor/. These special files are used to load, modify, or remove AppArmor profiles and are rarely accessed during normal system activity outside of policy administration. Reads or writes to these interfaces may indicate legitimate security configuration changes, but can also reflect defense evasion, unauthorized policy tampering, or the installation of attacker-controlled profiles. This detection is especially valuable on systems where AppArmor policy changes are uncommon or tightly controlled.

new

1

AppArmor Policy Violation Detected

Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system’s security policy.

new

1

AppArmor Profile Compilation via apparmor_parser

Detects the execution of "apparmor_parser" using the "-o" option to write a compiled AppArmor profile to an output file. This functionality is normally used by system administration tools or package installation scripts when building or loading AppArmor policies. In adversarial scenarios, attackers may use "apparmor_parser" to compile custom AppArmor profiles that can later be loaded into the kernel through AppArmor policy management interfaces. Malicious profiles may weaken security controls, alter the behavior of privileged programs, or assist in exploitation chains involving AppArmor policy manipulation.

new

1

Potential Database Dumping Activity

This rule detects the use of database dumping utilities to exfiltrate data from a database. Attackers may attempt to dump the database to a file on the system and then exfiltrate the file to a remote server.

new

1

Potential snap-confine Privilege Escalation via CVE-2026-3888

This rule detects non-root file creation within "/tmp/.snap" or its host backing path "/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888. In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this directory after it becomes stale, allowing an unprivileged user to recreate it and populate attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories should only be performed by root, non-root file activity in these locations is highly suspicious. This detection helps identify early stages of the exploit before privilege escalation is completed.

new

1

First Time Python Accessed Sensitive Credential Files

Detects the first time a Python process accesses sensitive credential files on a given host. This behavior may indicate post-exploitation credential theft via a malicious Python script, compromised dependency, or malicious model file deserialization. Legitimate Python processes do not typically access credential files such as SSH keys, AWS credentials, browser cookies, Kerberos tickets, or keychain databases, so a first occurrence is a strong indicator of compromise.

new

1

First Time Python Spawned a Shell on Host

Detects the first time a Python process spawns a shell on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can result in shell spawns that would not occur during normal workflows. Since legitimate Python processes rarely shell out to interactive shells, a first occurrence of this behavior on a host is a strong signal of potential compromise.

new

1

First Time Python Created a LaunchAgent or LaunchDaemon

Detects the first time a Python process creates or modifies a LaunchAgent or LaunchDaemon plist file on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can establish persistence on macOS by writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Python processes do not typically create persistence mechanisms, so a first occurrence is a strong indicator of compromise.

new

1

IBM QRadar External Alerts

Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you to immediately begin investigating IBM QRadar offense alerts in the app.

new

1

Multiple Remote Management Tool Vendors on Same Host

Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.

new

1

Remote Management Access Launch After MSI Install

Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.

new

1

Potential Protocol Tunneling via Cloudflared

Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare’s edge while evading direct connection blocking.

new

1

Potential Protocol Tunneling via Yuze

Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic.

new

1

Suspicious Shell Execution via Velociraptor

Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.

new

1

Suspicious JavaScript Execution via Deno

Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a javascript context). Adversaries may abuse Deno to run malicious JavaScript for execution or staging.

new

1

Potential Data Exfiltration via Rclone

Identifies abuse of rclone (or a renamed copy, e.g. disguised as a security or backup utility) to exfiltrate data to cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and include filters to exfiltrate specific file types.

new

1

GenAI Process Connection to Unusual Domain

Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents.

update

4

GenAI Process Accessing Sensitive Files

Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On Linux, only creation events are available; access events are not yet implemented.

update

4

Elastic Agent Service Terminated

Identifies when the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.

update

113

ROT Encoded Python Script Execution

Identifies the execution of a Python script that uses the ROT cipher for letter substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legitimate Python packages.

update

5

Unusual Process Modifying GenAI Configuration File

Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.

update

4

Elastic Defend Alert Followed by Telemetry Loss

Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.

update

2

Potential HTTP Downgrade Attack

Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.

update

2

Execution via OpenClaw Agent

Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents.

update

2

Detection Alert on a Process Exhibiting CPU Spike

This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

update

4

FortiGate SSL VPN Login Followed by SIEM Alert by User

Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior.

update

2

Web Server Potential Command Injection Request

This rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads. Attackers may exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early.

update

4

Web Server Discovery or Fuzzing Activity

This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.

update

4

Web Server Potential Spike in Error Response Codes

This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may indicate server-side issues that could be exploited.

update

4

Web Server Suspicious User Agent Requests

This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.

update

4

Microsoft Graph Request Email Access by Unusual User and Client

Identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days.

update

4

Entra ID OAuth Device Code Grant by Unusual User

Identifies when a user is observed for the first time authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. This rule only applies to Entra ID user types and detects new users leveraging this flow.

update

8

Microsoft Graph Request User Impersonation by Unusual Client

This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may help identify unauthorized access or actions performed by compromised accounts. Adversaries may successfully compromise a user’s credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.

update

6

M365 Exchange Inbox Forwarding Rule Created

Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.

update

213

Potential Data Exfiltration Through Curl

Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity.

update

5

Potential Data Exfiltration Through Wget

Detects the use of wget to upload files to an internet server. Threat actors often will collect data on a system and attempt to exfiltrate it back to their command and control servers. Use of wget in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity.

update

2

Dynamic Linker Copy

Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.

update

215

Kernel Module Load from Unusual Location

This rule detects the loading of a kernel module from an unusual location. Threat actors may use this technique to maintain persistence on a system by loading a kernel module into the kernel namespace. This behavior is strongly related to the presence of a rootkit on the system.

update

2

Connection to Commonly Abused Web Services

Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.

update

127

First Time Seen DNS Query to RMM Domain

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.

update

3

Ingress Transfer via Windows BITS

Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.

update

12

First Time Seen Remote Monitoring and Management Tool

Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent’s name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window.

update

116

Remote File Download via PowerShell

Identifies powershell.exe being used to download an executable file from an untrusted remote destination.

update

115

Remote File Download via Script Interpreter

Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.

update

214

Remote File Copy via TeamViewer

Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.

update

217

Attempt to Establish VScode Remote Tunnel

Detects the execution of the VS Code portable binary with the tunnel command line option, indicating an attempt to establish a remote tunnel session to GitHub or a remote VS Code instance.

update

110

Privileged Accounts Brute Force

Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

update

118

Multiple Logon Failure from the same Source Address

Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

update

118

Windows Event Logs Cleared

Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

update

216

Potential Remote Install via MsiExec

Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.

update

2

Local Account TokenFilter Policy Disabled

Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (it does not by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.

update

318

Suspicious Process Access via Direct System Call

Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It’s possible to bypass hooked functions by writing malicious functions that call syscalls directly.

update

315

Unusual File Creation - Alternate Data Stream

Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. This is uncommon for legitimate files and is sometimes done by adversaries to hide malware.

update

322

Potential Notepad Markdown RCE Exploitation

Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.

update

2

Potential Lateral Tool Transfer via SMB Share

Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.

update

112

Remote Execution via File Shares

Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.

update

121

Persistent Scripts in the Startup Directory

Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.

update

316

Component Object Model Hijacking

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.

update

119

Potential Account Takeover - Mixed Logon Types

Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).

update

2

Potential Account Takeover - Logon from New Source IP

Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.

update

2