IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Update v8.19.27

edit

This section lists all updates associated with version 8.19.27 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Web Server Cloud Metadata SSRF Request

Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary credentials, tokens, or instance details.

new

1

GenAI CLI Started with Unsafe Permission Bypass

Identifies GenAI agent CLIs started with permission-bypass or auto-approval flags that disable human-in-the-loop guardrails. These modes are intended for isolated sandboxes but are frequently misused on internet-connected developer workstations, allowing prompt injection, compromised dependencies, or malicious skills to execute commands, modify files, or reach sensitive paths without confirmation.

new

1

Web Server Potential SQL Injection Request

This rule detects potential SQL injection attempts in web server requests by identifying common SQL injection patterns in URLs. Such activity may indicate reconnaissance or exploitation attempts by attackers trying to manipulate backend databases or extract sensitive information.

new

4

AWS IAM Account Password Policy Deleted

Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account. Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion by an unexpected principal warrants review.

new

1

AWS Lambda Function Invoked by an Unusual Principal

Identifies the first time within the prior 14 days that a principal directly invokes an AWS Lambda function in an account, excluding invocations made on behalf of AWS services (normal event-source triggers). Adversaries who compromise credentials or move laterally may directly invoke functions to execute code, retrieve data returned by a function, or abuse an over-permissioned execution role. Direct, ad hoc invocation by a principal that does not normally call Lambda deviates from the usual event-driven invocation pattern and is worth reviewing. This rule relies on AWS Lambda data event logging, which is not enabled by default.

new

1

AWS Lambda Function Invoked Cross-Account

Identifies an AWS Lambda function invoked by a principal whose AWS account differs from the account that owns the function (a cross-account invocation). The caller’s account is parsed from the invoking principal’s ARN and compared to the function account. Adversaries who have been granted invoke permission on a function from an external account, or who operate from a separate attacker-controlled account, can use cross-account invocation to execute functions or retrieve the data they return. This is the data-plane counterpart to detecting the cross-account grant itself, and relies on AWS Lambda data event logging, which is not enabled by default.

new

2

AWS Lambda Function Invoked from an Unusual Source ASN

Identifies an AWS Lambda function invoked directly by a principal from a source network (ASN) not seen for that principal in the prior 10 days, excluding common cloud provider networks. Direct invocation from an unfamiliar external network can indicate use of stolen execution-role or user credentials from attacker-controlled infrastructure to execute functions or retrieve the data they return. This rule relies on AWS Lambda data event logging, which is not enabled by default.

new

1

AWS ECR Repository or Registry Policy Granted Public Access

Detects when an Amazon ECR repository or registry policy is modified to grant public access using a wildcard principal (Principal:"") statement. This rule analyzes SetRepositoryPolicy and PutRegistryPolicy events whose policy document grants an Allow effect to a wildcard ("") principal, indicating that pull (and potentially push) permissions were extended to all identities, including unauthenticated users. A public container registry can expose proprietary images and any secrets baked into their layers, and, if push is allowed, enables supply-chain implantation. Public ECR access is sometimes intentional for image distribution, so the granting principal and the permissions should be validated.

new

1

AWS Backup Recovery Point Deleted

Identifies deletion of an AWS Backup recovery point via DeleteRecoveryPoint. A recovery point is a stored backup of a protected resource (EBS, RDS, DynamoDB, EFS, S3, and others). Deleting recovery points removes the ability to restore the associated data and is a core anti-recovery technique used in ransomware and data-destruction attacks to ensure victims cannot recover without paying or rebuilding. Routine lifecycle expirations are performed by the AWS Backup service itself; deletion by a non-service principal is rare and should be reviewed.

new

1

AWS Backup Vault Deleted or Vault Lock Removed

Identifies deletion of an AWS Backup vault or removal of its Vault Lock configuration via DeleteBackupVault or DeleteBackupVaultLockConfiguration. A backup vault stores recovery points, and Vault Lock enforces WORM (write-once, read-many) immutability that prevents recovery points from being deleted before their retention expires. Removing the lock defeats the primary control designed to stop ransomware from destroying backups, and deleting the vault removes the backup container entirely. Both actions are strong anti-recovery signals and are rare in normal operations.

new

1

AWS KMS Imported Key Material Deleted

Identifies deletion of imported key material from an AWS KMS customer managed key via DeleteImportedKeyMaterial. Keys created with an external key material origin (BYOK) rely on key material that the customer imports. Deleting that material immediately makes the key unusable and renders all data encrypted under it inaccessible, with no recovery window. Unlike ScheduleKeyDeletion, which enforces a pending deletion period of 7 to 30 days, this action takes effect instantly, making it an attractive primitive for cloud ransomware and data-destruction attacks. Because this operation only applies to external-origin keys and is rare in normal operations, its use by an unexpected principal warrants prompt review.

new

1

AWS Lambda Function High-Frequency Invocation by a Single Principal

Identifies a single principal directly invoking AWS Lambda functions at a high volume within a one-hour window. Adversaries may drive excessive invocations to abuse functions for resource hijacking or cryptomining, to inflate costs in a denial-of-wallet attack, or to enumerate function behavior. This is a volumetric heuristic: the threshold is environment-dependent and high-throughput applications can exceed it, so tune it to the deployment. This rule relies on AWS Lambda data event logging, which is not enabled by default.

new

2

AWS IAM User Console Login from Multiple Geolocations

Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within a short window. A single user authenticating from multiple geographic locations in a brief period is physically implausible and indicates that the account’s credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of identity-provider impossible-travel sign-in detections.

new

2

AWS IAM Login Profile Created or Modified for an IAM User

Identifies creation or modification of a console login profile for an AWS IAM user via CreateLoginProfile or UpdateLoginProfile. A login profile enables password-based console sign-in for an IAM user. Adversaries who obtain programmatic credentials may create a login profile to add persistent interactive console access, or update an existing profile to reset another user’s password and take over the account, even after the original access keys are rotated. Because console access for IAM users is increasingly provisioned through federation or IAM Identity Center, direct use of these APIs by an unexpected principal warrants review. This rule targets IAM users (the userName parameter is present); creation of a login profile for the account root user is covered by a separate rule.

new

1

AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content

Identifies an Amazon SageMaker notebook lifecycle configuration whose OnStart or OnCreate script, after base64 decoding, contains patterns associated with malicious activity such as reverse shells, EC2 instance metadata (IMDS) credential access, or download-and-execute commands. A lifecycle configuration runs as root on the notebook instance, so a script with these patterns is a strong indicator of an attempt to backdoor the notebook, steal the execution role’s credentials, or establish persistent code execution. This rule decodes the script in the request and matches high-signal indicators; it is a higher-fidelity companion to the rule that alerts on any lifecycle configuration change.

new

1

AWS IAM Inline Policy Added to a Group

Identifies an inline policy added to an IAM group via PutGroupPolicy. An inline policy attached to a group grants its permissions to every current and future member of that group. Adversaries can abuse this to escalate privileges (grant elevated permissions to a group they belong to, or will add themselves to) and to establish persistence through a durable, membership-based grant that is easy to overlook. Group inline policies are uncommon compared to managed-policy attachments, so their creation by an unexpected principal warrants review.

new

1

AWS IAM Permissions Boundary Modified or Removed

Identifies the modification or removal of an IAM permissions boundary on an IAM user or role. A permissions boundary caps the maximum permissions an identity can have, regardless of its attached identity policies. An adversary who can delete a boundary ("DeleteUserPermissionsBoundary", "DeleteRolePermissionsBoundary") or replace it with a more permissive one ("PutUserPermissionsBoundary", "PutRolePermissionsBoundary") can lift that cap and unlock permissions the identity’s policies already grant, enabling privilege escalation. Boundary changes are infrequent and usually performed by a small set of administrators or infrastructure-as-code pipelines, so changes by unexpected principals warrant review.

new

1

Azure AD Graph Access with Unusual User and ASN

Identifies Azure AD Graph (graph.windows.net) requests originating from network sources outside the major public-cloud and Microsoft ASNs that legitimate first-party callers normally come from. Adversary tooling typically rides on commodity hosting (residential ISPs, VPS providers, anonymisers) which produces an ASN distribution very different from the Microsoft / AWS / GCP / Akamai / Cloudflare ranges that dominate legitimate AAD Graph traffic.

new

1

GKE Secret get or list with Suspicious User Agent

Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.

new

1

GKE Secrets List from Unusual Source AS Organization

Detects the first time a human GKE caller lists secrets cluster-wide or in default or kube-system from a source autonomous system that is not attributed to common cloud provider organizations. This can indicate remote secret enumeration using stolen credentials from an unusual network.

new

1

GKE API Request Failure Burst by User

Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.

new

1

GKE Suspicious Self-Subject Review via Service Account

Detects GKE service account or node identities invoking self-subject access or rules review APIs. Non-human identities rarely enumerate their own permissions outside known controllers; this can indicate stolen tokens probing effective RBAC.

new

1

GKE User Exec into Pod

Detects the first occurrence of a non-system GKE identity establishing an exec session into a pod. kubectl exec enables interactive command execution inside workloads and is a common post-compromise technique to access secrets and expand access.

new

1

GKE Admission Webhook Created or Modified

Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.

new

1

GKE Cluster-Admin Role Binding Created or Modified

Detects creation or modification of a GKE ClusterRoleBinding that grants the cluster-admin ClusterRole, providing unrestricted cluster access and enabling rapid privilege escalation or persistence.

new

1

GKE Container Created with Excessive Linux Capabilities

Detects GKE pod creation with dangerous Linux capabilities that are commonly abused in container escape techniques. Standalone pods are included; controller-owned ReplicaSet, DaemonSet, and StatefulSet workloads are excluded.

new

1

GKE Pod Created With HostIPC

Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.

new

1

GKE Pod Created With HostNetwork

Detects GKE pod create, update, or patch events that enable host network namespace sharing. HostNetwork grants access to the node network stack and can bypass namespace network policies. System identities and controller-owned workloads are excluded.

new

1

GKE Pod Created With HostPID

Detects GKE pod create, update, or patch events that enable host PID namespace sharing. HostPID exposes host processes and can support privilege escalation, especially with ptrace or privileged containers. System identities and controller-owned workloads are excluded.

new

1

GKE Privileged Pod Created

Detects successful GKE audit events where a pod is created with allowPrivilegeEscalation enabled. This weakens container isolation and can help an attacker escalate toward host access. Standalone pods are included; workloads owned by ReplicaSet, DaemonSet, or StatefulSet controllers are excluded.

new

1

GKE Pod Created with a Sensitive hostPath Volume

Detects GKE pod create, update, or patch events that mount sensitive hostPath volumes such as the root filesystem, kubelet paths, or container runtime sockets. This can enable container escape and credential theft. System identities and controller-owned workloads are excluded.

new

1

Shell Execution via Elastic Endpoint

This rule detects shell executions via Elastic Endpoint. Elastic Endpoint has a built-in response action console that can be used to execute shell commands on compromised systems.

new

1

Network Connection Followed by File Creation

Detects network connections originating from a binary located in a potentially suspicious location, followed by a file creation event. This behavior is consistent with C2 agents such as Poseidon and Athena, connecting to a C2 framework such as Mythic. The agent polls the C2 for commands through a web request, after which the command gets executed.

new

1

Shared Object Load via LoLBin

This rule detects when a process not commonly used to load shared objects, is executed with arguments that load a shared object file. This technique can load a malicious shared object into memory while attempting to evade detection.

new

1

Potential Proxy Execution via Systemd-run

This rule detects the execution of a command or binary through the systemd-run binary. Systemd-run can schedule commands to be executed in the background through systemd. Attackers may use this technique to execute commands while attempting to evade detection.

new

1

Linux External IP Address Discovery via Curl

Detects applications making a curl request to a known public IP address lookup web service. Malware tends to perform this action to assess potential targets.

new

1

Suspicious Command Execution via Busybox Proxy

This rule detects the execution of command line arguments capable of spawning shells or establishing network connections through Busybox. This technique can be used to execute commands while attempting to evade detection.

new

1

Payload Downloaded by Interpreter and Piped to Interpreter

This rule detects when a payload is downloaded by an interpreter, and piped to an interpreter. Attackers may use this technique to download and execute payloads for various malicious purposes, such as establishing persistence or exfiltrating data.

new

1

XDG-Open Command Execution

This rule monitors for the execution of the xdg-open process that is typically used to open documents and URLs in the user’s preferred desktop application. Attackers may use this command to trick users into opening malicious documents or URLs to gain access to the target system.

new

1

Systemd Service Override Configuration File Created

This rule detects the creation or renaming of a new Systemd override configuration file in any of the Systemd service locations for both root and regular users. Systemd override configuration files are configuration files in Linux systems used to override the default Systemd service configuration for a specific service. Malicious actors can leverage systemd override configuration files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.

new

1

Potential Privilege Escalation via a Suspicious UID Change

Detects a potential privilege escalation sequence via a suspicious UID change sequence. This rule checks for non-root execution of a process executable in a user or world-writable directory followed by a UID change event to 0 (root). This sequence is indicative of a potential local privilege escalation exploit.

new

1

Potential Privilege Escalation via a Parent Process Sequence

Detects a potential privilege escalation sequence via a parent process relationship. This rule checks for non-root execution of a process executable in a user or world-writable directory followed by a UID change event to 0 (root). This sequence is indicative of a potential local privilege escalation exploit.

new

1

Potential Privilege Escalation via a Parent/Child Process Sequence

Detects a potential privilege escalation sequence via a parent/child process relationship. This rule checks for non-root execution of a parent process executable in a user or world-writable directory by a non-root user followed by a UID change event to 0 (root) by the child process. This sequence is indicative of a potential local privilege escalation exploit.

new

1

Potential ICMP Tunneling Activity to the Internet

Identifies ICMP Echo traffic from an internal host to an external destination with a larger-than-typical transaction size. Covert channels and ICMP tunneling tools embed data in echo payloads that exceed normal OS ping behavior, which is usually limited to small fixed-size packets.

new

1

ICMP Redirect Message from Internal Host

Identifies ICMP Redirect messages (type 5 for IPv4, type 137 for IPv6) sourced from an internal IPv4 or IPv6 address. Legitimate redirects are normally sent only by on-path routers. A workstation or server emitting redirects can indicate route manipulation for adversary-in-the-middle activity.

new

1

Deprecated TLS Version or Weak Cipher Negotiated Externally

Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.

new

1

ICMP Timestamp or Information Request from the Internet

Identifies inbound ICMP Timestamp (type 13) or Information (type 15) requests from external addresses to internal RFC1918 destinations. These message types are rarely used in modern networks and are commonly associated with host and path fingerprinting during reconnaissance.

new

1

Potential DHCP Starvation via High Client MAC Cardinality

Identifies a burst of DHCP DISCOVER messages with an unusually high number of distinct client hardware addresses observed on the same capture segment within a short window. Attackers flood DISCOVER requests with spoofed or random MAC addresses to exhaust the DHCP lease pool, often as a precursor to deploying a rogue DHCP server.

new

1

SMB (Windows File Sharing) Activity from the Internet

This rule detects network events that may indicate inbound Windows file sharing (SMB or CIFS) traffic originating from the Internet. SMB should never be directly reachable from the Internet, as it is a primary target for exploitation by threat actors seeking initial access. Inbound SMB from a public IP is a direct precondition for attacks such as EternalBlue (MS17-010) and related SMB remote code execution vulnerabilities.

new

1

Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence

Detects a POST to the Splunk Enterprise PostgreSQL backup endpoint followed by a POST to the restore endpoint from the same client to the same host within a 15-minute window. This sequence is unusual and can align with the public CVE-2026-20253 pre-authentication RCE chain, where an attacker stages a database dump via the backup path and executes attacker-controlled SQL via the restore path.

new

1

Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts

Detects CVE-2026-20253 exploit artifacts against the Splunk Enterprise PostgreSQL sidecar recovery endpoints via complementary signals. Where endpoint or Network Packet Capture request-body logging is available, the rule matches PostgreSQL connection-string injection keywords, suspicious backupFile destinations, and known filesystem artifacts used to pivot from backup/restore primitives to file write or RCE. It also detects vulnerable recovery endpoint probing and empty-password Basic auth credentials observed in public exploit tooling.

new

1

Potential SSH Reverse Port Forwarding

Identifies the use of Windows OpenSSH or Plink to create a reverse SSH port forward or reverse dynamic SOCKS proxy. Adversaries may abuse reverse forwarding to expose an internal service or proxy listener through an external SSH server, establishing an outbound tunnel that bypasses direct inbound connectivity controls.

new

1

Protected Storage Service Access via SMB

Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI backup keys.

new

1

Potential DNS Exfiltration via Excessive Chunked Queries

Identifies potential DNS exfiltration on Windows hosts by detecting a high volume of DNS queries whose subdomain labels follow a chunked encoding pattern (index-payload.base_domain). Attackers split stolen data across many DNS queries to evade volume-based detection; this rule aggregates queries per process, base domain, and five-minute window and flags sessions with many distinct chunk indices and sufficiently long encoded payloads.

new

1

Potential SQL Injection Against Microsoft SQL Server

Identifies potential SQL injection attempts against Microsoft SQL Server by detecting obfuscated T-SQL patterns in SQL Server Audit events. Attackers use CHAR concatenation, CONVERT-based subqueries, and CASE/UNION constructs to bypass input validation and extract data or execute unauthorized statements.

new

2

GenAI Process Accessing Sensitive Files

Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.

update

8

Unusual Process Modifying GenAI Configuration File

Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.

update

7

Multiple Alerts in Different ATT&CK Tactics on a Single Host

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

update

7

Microsoft Graph Request Email Access by Unusual User and Client

Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days.

update

7

Entra ID OAuth Device Code Phishing via AiTM

Detects successful Microsoft Entra ID sign-ins that use the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources (Exchange Online, Microsoft Graph, or SharePoint) while flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA, where victims complete device code flows that ultimately broker tokens for mail and collaboration APIs.

update

2

Kubernetes Secret get or list from Node or Pod Service Account

Kubernetes audit identities for kubelet (system:node:*) and workloads (system:serviceaccount:*) are meant to operate with tight, predictable API usage. Direct get or list on the Secrets API from those principals is often a sign of credential access. Attackers who stole a pod service-account token or node credentials sweep Secret objects for tokens, registry credentials, TLS keys, or application configuration. Even denied attempts still reveal intent to reach sensitive material. Legitimate controllers do read secrets they mount or manage, so this signal is most valuable when paired with triage (namespace scope, user agent, RBAC, and whether the identity should touch those secret names at all).

update

3

Base64 Decoded Payload Piped to Interpreter

This rule detects when a base64 decoded payload is piped to an interpreter on Linux systems. Adversaries may use base64 encoding to obfuscate data and pipe it to an interpreter to execute malicious code. This technique may be used to evade detection by host- or network-based security controls.

update

8

Suspicious Child Execution via Web Server

Identifies suspicious child processes executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.

update

116

Persistence via Suspicious Launch Agent or Launch Daemon

Identifies the creation of a launch agent or daemon property list file containing abnormal or suspicious values. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. This rule looks for plist files created in LaunchAgents/LaunchDaemons directories with paths commonly used by malware.

update

2

IPSEC NAT Traversal Port Activity

This rule detects outbound IPSEC NAT Traversal (NAT-T) tunnels established from an internal host to an external destination. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal encapsulates IPSEC ESP traffic in UDP and, once a NAT device is detected, both peers float to UDP port 4500 for the tunnel data channel. The rule keys on this NAT-T signature, UDP traffic where both the source and destination port are 4500, from an internal source to an external destination, rather than on any UDP traffic to port 4500. This may be common on your network, but this technique is also used by threat actors to tunnel command and control or exfiltration traffic over the Internet to avoid detection.

update

112

RDP (Remote Desktop Protocol) from the Internet

This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

update

112

SMTP to the Internet on Port 26/TCP

This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.

update

113

First Time Seen DNS Query to RMM Domain

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.

update

5

Potential DNS Tunneling via NsLookup

This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.

update

317

Multiple Remote Management Tool Vendors on Same Host

Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.

update

4

First Time Seen Remote Monitoring and Management Tool

Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature matches commonly abused RMM or remote access tools. New Terms type: the host.id and process.name pair has not been seen before within the configured 7-day history window.

update

118

Suspicious ScreenConnect Client Child Process

Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.

update

316

Credential Acquisition via Registry Hive Dumping

Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.

update

318

Untrusted Driver Loaded

Identifies an untrusted driver loaded by the Windows kernel. Adversaries may modify code signing policies to enable execution of unsigned or self-signed kernel code.

update

15

Suspicious Kerberos Authentication Ticket Request

Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.

update

6

Unusual Parent-Child Relationship

Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.

update

323

Privileges Elevation via Parent Process PID Spoofing

Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

update

13