Update v8.19.19
editUpdate v8.19.19
editThis section lists all updates associated with version 8.19.19 of the Fleet integration Prebuilt Security Detection Rules.
| Rule | Description | Status | Version |
|---|---|---|---|
Identifies recursive grep activity on Linux or macOS where the command line suggests hunting for secrets, credentials, keys, tokens, or sensitive paths (for example .env, .git, .aws). Events are aggregated per host, user, parent process, and one-minute window, the rule surfaces activity only when at least three distinct grep command lines match in the same bucket, to reduce noise from one-off searches. |
new |
1 |
|
Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to disrupt the availability of their target’s data and may attempt to hold the organization’s data to ransom for the purposes of extortion. |
new |
1 |
|
Detects the execution of suspicious shell commands via the Python interpreter. Attackers may use Python to execute shell commands to gain access to the system or to perform other malicious activities, such as credential access, data exfiltration, or lateral movement. |
new |
2 |
|
This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining access to the cluster. |
new |
1 |
|
M365 Azure Monitor Alert Email with Financial or Billing Theme |
Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft’s legitimate azure-noreply@microsoft.com address. Because the emails originate from Microsoft’s own infrastructure, they pass SPF, DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent billing or security lure in the alert rule description, which is rendered in the notification email body. Observed subject patterns include invoice numbers, payment references, and order confirmations. |
new |
1 |
This rule detects authenticated sessions accessing secret stores across multiple environments from the same source address within a short period of time, including cloud providers (AWS, GCP, Azure) and Kubernetes clusters. Adversaries with access to compromised credentials or session tokens may attempt to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, Azure Key Vault, or Kubernetes Secrets in rapid succession to expand their access or exfiltrate sensitive information. |
update |
5 |
|
Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity. |
update |
6 |
|
Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious. |
update |
2 |
|
This rule detects the creation of .pth files in system-wide and user-specific Python package directories, which can be abused for persistent code execution. .pth files automatically execute Python code when the interpreter starts, making them a stealthy persistence mechanism. Monitoring these paths helps identify unauthorized modifications that could indicate persistence by an attacker or malicious package injection. |
update |
6 |
|
This rule detects the creation and modification of sitecustomize.py and usercustomize.py, which Python automatically executes on startup. Attackers can exploit these files for persistence by injecting malicious code. The rule monitors system-wide, user-specific, and virtual environment locations to catch unauthorized changes that could indicate persistence or backdooring attempts. |
update |
6 |
|
Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |
update |
128 |