Prebuilt rule changes per releaseedit

The following lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule’s changes, see the rule’s description page.

8.6.0edit

A scheduled task was created

A scheduled task was updated

Abnormal Process ID or Lock File Created

Accepted Default Telnet Port Connection

Account Password Reset Remotely

Adversary Behavior - Detected - Elastic Endgame

Clearing Windows Console History

Component Object Model Hijacking

Connection to Commonly Abused Web Services

Creation or Modification of Root Certificate

File Transfer or Listener Established via Netcat

Kubernetes Anonymous Request Authorized

Kubernetes Exposed Service Created With Type NodePort

Kubernetes Pod Created With HostIPC

Kubernetes Pod Created With HostNetwork

Kubernetes Pod Created With HostPID

Kubernetes Pod created with a Sensitive hostPath Volume

Kubernetes Privileged Pod Created

Kubernetes Suspicious Assignment of Controller Service Account

Kubernetes Suspicious Self-Subject Review

Kubernetes User Exec into Pod

MS Office Macro Security Registry Modifications

Modification of AmsiEnable Registry Key

Modification of WDigest Security Provider

Network Logon Provider Registry Modification

NullSessionPipe Registry Modification

Port Forwarding Rule Addition

Potential Application Shimming via Sdbinst

Potential Remote Credential Access via Registry

Potential Shadow Credentials added to AD Object

Potential Shadow File Read via Command Line Utilities

PowerShell Script Block Logging Disabled

Process Creation via Secondary Logon

Process Termination followed by Deletion

Remote Computer Account DnsHostName Update

SIP Provider Modification

Scheduled Tasks AT Command Enabled

SolarWinds Process Disabling Services via Registry

Suspicious File Creation in /etc for Persistence

Suspicious PowerShell Engine ImageLoad

Suspicious WMI Image Load from MS Office

System Log File Deletion

Temporarily Scheduled Task Creation

Windows Defender Disabled via Registry Modification

Windows Registry File Creation in SMB Share

8.5.0edit

Abnormal Process ID or Lock File Created

Account Discovery Command via SYSTEM Account

AdFind Command Activity

Adding Hidden File Attribute via Attrib

Attempt to Disable Gatekeeper

Azure Automation Runbook Deleted

Binary Executed from Shared Memory Directory

Bypass UAC via Event Viewer

Chkconfig Service Add

Clearing Windows Event Logs

Command Execution via SolarWinds Process

Conhost Spawned By Suspicious Parent Process

Control Panel Process with Unusual Arguments

Creation of Hidden Shared Object File

Creation or Modification of Root Certificate

Creation or Modification of a new GPO Scheduled Task or Service

Credential Acquisition via Registry Hive Dumping

Delete Volume USN Journal with Fsutil

Deleting Backup Catalogs with Wbadmin

Direct Outbound SMB Connection

Disable Windows Event and Security Logs Using Built-in Tools

Disable Windows Firewall Rules via Netsh

Elastic Agent Service Terminated

Encrypting Files with WinRar or 7z

Enumerating Domain Trusts via NLTEST.EXE

Enumeration Command Spawned via WMIPrvSE

Enumeration of Administrator Accounts

Execution from Unusual Directory - Command Line

Execution of COM object via Xwizard

Execution of File Written or Modified by Microsoft Office

Execution of File Written or Modified by PDF Reader

Execution of Persistent Suspicious Program

Execution via MSSQL xp_cmdshell Stored Procedure

Execution via TSClient Mountpoint

Exporting Exchange Mailbox via PowerShell

Finder Sync Plugin Registered and Enabled

Google Workspace Admin Role Assigned to a User

IIS HTTP Logging Disabled

Image File Execution Options Injection

ImageLoad via Windows Update Auto Update Client

Incoming DCOM Lateral Movement via MSHTA

Incoming DCOM Lateral Movement with MMC

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

InstallUtil Process Making Network Connections

Installation of Custom Shim Databases

Interactive Terminal Spawned via Python

Kubernetes Pod created with a Sensitive hostPath Volume

Kubernetes Suspicious Self-Subject Review

Kubernetes User Exec into Pod

Launch Agent Creation or Modification and Immediate Loading

MacOS Installer Package Spawns Network Event

Microsoft 365 Inbox Forwarding Rule Created

Microsoft Build Engine Started an Unusual Process

Microsoft Build Engine Started by a System Process

Microsoft Build Engine Started by an Office Application

Microsoft Build Engine Using an Alternate Name

Microsoft IIS Connection Strings Decryption

Microsoft IIS Service Account Password Dumped

Modification of Boot Configuration

Modification of Standard Authentication Module or Configuration

Mounting Hidden or WebDav Remote Shares

Mshta Making Network Connections

NTDS or SAM Database File Copied

New ActiveSyncAllowedDeviceID Added via PowerShell

Parent Process PID Spoofing

Peripheral Device Discovery

Persistence via Docker Shortcut Modification

Persistence via TelemetryController Scheduled Task Hijack

Persistence via Update Orchestrator Service Hijack

Persistence via WMI Event Subscription

Persistence via WMI Standard Registry Provider

Potential Application Shimming via Sdbinst

Potential Credential Access via Windows Utilities

Potential Evasion via Filter Manager

Potential Kerberos Attack via Bifrost

Potential Local NTLM Relay via HTTP

Potential Modification of Accessibility Binaries

Potential Remote Desktop Tunneling Detected

Potential SharpRDP Behavior

Privilege Escalation via Named Pipe Impersonation

Privilege Escalation via Windir Environment Variable

Process Activity via Compiled HTML File

Process Execution from an Unusual Directory

Process Termination followed by Deletion

Remote Desktop Enabled in Windows Firewall by Netsh

Remote Execution via File Shares

Remote File Copy to a Hidden Share

Remote File Download via Desktopimgdownldr Utility

Remote File Download via PowerShell

Remote System Discovery Commands

Remotely Started Services via RPC

Renamed AutoIt Scripts Interpreter

SSH Authorized Keys File Modification

SUNBURST Command and Control Activity

Searching for Saved Credentials via VaultCmd

Security Software Discovery using WMIC

Service Command Lateral Movement

Signed Proxy Execution via MS Work Folders

SoftwareUpdate Preferences Modification

Startup Folder Persistence via Unsigned Process

Startup or Run Key Registry Modification

Suspicious .NET Code Compilation

Suspicious Browser Child Process

Suspicious Child Process of Adobe Acrobat Reader Update Service

Suspicious Cmd Execution via WMI

Suspicious CronTab Creation or Modification

Suspicious Endpoint Security Parent Process

Suspicious Execution via Scheduled Task

Suspicious Explorer Child Process

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

Suspicious Managed Code Hosting Process

Suspicious Microsoft Diagnostics Wizard Execution

Suspicious PDF Reader Child Process

Suspicious Process Execution via Renamed PsExec Executable

Suspicious SolarWinds Child Process

Suspicious WMIC XSL Script Execution

Suspicious WerFault Child Process

Suspicious Zoom Child Process

Suspicious macOS MS Office Child Process

Svchost spawning Cmd

System Shells via Services

UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

UAC Bypass Attempt via Windows Directory Masquerading

UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

UAC Bypass via ICMLuaUtil Elevated COM Interface

UAC Bypass via Windows Firewall Snap-In Hijack

Uncommon Registry Persistence Change

Unusual Child Process from a System Virtual Process

Unusual Child Processes of RunDLL32

Unusual File Creation - Alternate Data Stream

Unusual Network Activity from a Windows System Binary

Unusual Network Connection via DllHost

Unusual Network Connection via RunDLL32

Unusual Parent Process for cmd.exe

Unusual Parent-Child Relationship

Unusual Service Host Child Process - Childless Service

User Account Creation

Volume Shadow Copy Deleted or Resized via VssAdmin

Volume Shadow Copy Deletion via PowerShell

Volume Shadow Copy Deletion via WMIC

WMI Incoming Lateral Movement

Whoami Process Activity

Windows Defender Disabled via Registry Modification

Windows Network Enumeration

Windows Script Executing PowerShell

Windows Script Interpreter Executing Process via WMI

8.4.0edit

AWS Deletion of RDS Instance or Cluster

AWS EC2 Full Network Packet Capture Detected

AWS EFS File System or Mount Deleted

AWS ElastiCache Security Group Created

AWS ElastiCache Security Group Modified or Deleted

AWS EventBridge Rule Disabled or Deleted

AWS Route Table Created

AWS Route53 private hosted zone associated with a VPC

AWS SAML Activity

AWS STS GetSessionToken Abuse

AWS Security Group Configuration Change Detection

AWS Security Token Service (STS) AssumeRole Usage

Access of Stored Browser Credentials

Access to Keychain Credentials Directories

Account Discovery Command via SYSTEM Account

Account Password Reset Remotely

AdFind Command Activity

Attempt to Install Root Certificate

Attempt to Mount SMB Share via Command Line

Attempt to Remove File Quarantine Attribute

Authorization Plugin Modification

Azure Alert Suppression Rule Created or Modified

Azure Automation Runbook Deleted

Azure Blob Permissions Modification

Azure Full Network Packet Capture Detected

Azure Kubernetes Events Deleted

Azure Kubernetes Pods Deleted

Azure Kubernetes Rolebindings Created

Azure Virtual Network Device Modified or Deleted

Binary Executed from Shared Memory Directory

Bypass UAC via Event Viewer

Component Object Model Hijacking

Connection to Commonly Abused Free SSL Certificate Providers

Control Panel Process with Unusual Arguments

Creation of Hidden Files and Directories via CommandLine

Creation of Hidden Launch Agent or Daemon

Delete Volume USN Journal with Fsutil

Disable Windows Event and Security Logs Using Built-in Tools

Elastic Agent Service Terminated

Enumeration of Privileged Local Groups Membership

Enumeration of Users or Groups via Built-in Commands

Executable File Creation with Multiple Extensions

Execution from Unusual Directory - Command Line

Execution with Explicit Credentials via Scripting

GCP Firewall Rule Creation

GCP Firewall Rule Deletion

GCP Firewall Rule Modification

GCP IAM Custom Role Creation

GCP IAM Role Deletion

GCP IAM Service Account Key Deletion

GCP Logging Bucket Deletion

GCP Logging Sink Deletion

GCP Logging Sink Modification

GCP Pub/Sub Subscription Creation

GCP Pub/Sub Subscription Deletion

GCP Pub/Sub Topic Creation

GCP Pub/Sub Topic Deletion

GCP Service Account Creation

GCP Service Account Deletion

GCP Service Account Disabled

GCP Service Account Key Creation

GCP Storage Bucket Configuration Modification

GCP Storage Bucket Deletion

GCP Storage Bucket Permissions Modification

GCP Virtual Private Cloud Network Deletion

GCP Virtual Private Cloud Route Creation

GCP Virtual Private Cloud Route Deletion

Google Workspace MFA Enforcement Disabled

Group Policy Abuse for Privilege Addition

Incoming DCOM Lateral Movement via MSHTA

Installation of Security Support Provider

Kerberos Traffic from Unusual Process

Kubernetes User Exec into Pod

LSASS Memory Dump Creation

Lateral Movement via Startup Folder

LaunchDaemon Creation or Modification and Immediate Loading

Linux Restricted Shell Breakout via Linux Binary(s)

MS Office Macro Security Registry Modifications

MacOS Installer Package Spawns Network Event

Microsoft 365 Inbox Forwarding Rule Created

Microsoft Exchange Server UM Spawning Suspicious Processes

Microsoft IIS Service Account Password Dumped

Modification of Boot Configuration

Modification of Environment Variable via Launchctl

Modification of OpenSSH Binaries

Modification of WDigest Security Provider

New or Modified Federation Domain

O365 Exchange Suspicious Mailbox Right Delegation

Outbound Scheduled Task Activity via PowerShell

Peripheral Device Discovery

Persistence via Folder Action Script

Persistence via Hidden Run Key Detected

Persistence via KDE AutoStart Script or Desktop File Modification

Persistence via Update Orchestrator Service Hijack

Persistent Scripts in the Startup Directory

Possible Consent Grant Attack via Azure-Registered Application

Potential Cookies Theft via Browser Debugging

Potential Credential Access via DCSync

Potential Credential Access via DuplicateHandle in LSASS

Potential Credential Access via LSASS Memory Dump

Potential Credential Access via Trusted Developer Utility

Potential Evasion via Filter Manager

Potential Microsoft Office Sandbox Evasion

Potential OpenSSH Backdoor Logging Activity

Potential Password Spraying of Microsoft 365 User Accounts

Potential Persistence via Login Hook

Potential Privacy Control Bypass via Localhost Secure Copy

Potential Privacy Control Bypass via TCCDB Modification

Potential Privilege Escalation via InstallerFileTakeOver

Potential Process Injection via PowerShell

Potential Remote Credential Access via Registry

Potential Remote Desktop Shadowing Activity

Potential Reverse Shell Activity via Terminal

PowerShell Kerberos Ticket Request

PowerShell Keylogging Script

PowerShell PSReflect Script

PowerShell Script Block Logging Disabled

PowerShell Suspicious Discovery Related Windows API Functions

PowerShell Suspicious Payload Encoded and Compressed

PowerShell Suspicious Script with Audio Capture Capabilities

PowerShell Suspicious Script with Screenshot Capabilities

Privilege Escalation via Named Pipe Impersonation

Process Activity via Compiled HTML File

Process Execution from an Unusual Directory

Process Termination followed by Deletion

PsExec Network Connection

Registry Persistence via AppInit DLL

Remote File Copy to a Hidden Share

Remote SSH Login Enabled via systemsetup Command

Remotely Started Services via RPC

Scheduled Task Created by a Windows Script

Scheduled Task Execution at Scale via GPO

Scheduled Tasks AT Command Enabled

SolarWinds Process Disabling Services via Registry

Startup Persistence by a Suspicious Process

Sublime Plugin or Application Script Modification

Suspicious .NET Reflection via PowerShell

Suspicious Calendar File Modification

Suspicious CertUtil Commands

Suspicious DLL Loaded for Persistence or Privilege Escalation

Suspicious Endpoint Security Parent Process

Suspicious Execution via Scheduled Task

Suspicious Image Load (taskschd.dll) from MS Office

Suspicious MS Office Child Process

Suspicious Microsoft Diagnostics Wizard Execution

Suspicious Portable Executable Encoded in Powershell Script

Suspicious PowerShell Engine ImageLoad

Suspicious Process Access via Direct System Call

Suspicious Process Creation CallTrace

Suspicious RDP ActiveX Client Loaded

Suspicious Remote Registry Access via SeBackupPrivilege

Suspicious Script Object Execution

Suspicious WMI Image Load from MS Office

Suspicious WMIC XSL Script Execution

Svchost spawning Cmd

Symbolic Link to Shadow Copy Created

System Log File Deletion

System Shells via Services

Unusual Service Host Child Process - Childless Service

User account exposed to Kerberoasting

Virtual Machine Fingerprinting via Grep

Volume Shadow Copy Deletion via PowerShell

Web Shell Detection: Script Process Child of Common Web Processes

WebServer Access Logs Deleted

Windows Script Interpreter Executing Process via WMI

8.3.0edit

AdminSDHolder SDProp Exclusion Added

Attempts to Brute Force a Microsoft 365 User Account

Component Object Model Hijacking

Connection to Commonly Abused Web Services

Emond Rules Creation or Modification

Microsoft 365 Inbox Forwarding Rule Created

Potential Password Spraying of Microsoft 365 User Accounts

Remote System Discovery Commands

SSH Authorized Keys File Modification

Suspicious MS Office Child Process

Tampering of Bash Command-Line History

8.2.0edit

AWS Deletion of RDS Instance or Cluster

AWS Security Group Configuration Change Detection

AWS WAF Rule or Rule Group Deletion

Account Discovery Command via SYSTEM Account

Azure Conditional Access Policy Modified

Azure Service Principal Credentials Added

Enumeration of Users or Groups via Built-in Commands

Interactive Terminal Spawned via Python

Local Scheduled Task Creation

Microsoft Windows Defender Tampering

Network Connection via Registration Utility

Potential Privilege Escalation via InstallerFileTakeOver

Potential Process Injection via PowerShell

PowerShell Keylogging Script

PowerShell PSReflect Script

PowerShell Suspicious Payload Encoded and Compressed

PowerShell Suspicious Script with Audio Capture Capabilities

PowerShell Suspicious Script with Screenshot Capabilities

Svchost spawning Cmd

Symbolic Link to Shadow Copy Created

SystemKey Access via Command Line

Unusual Print Spooler Child Process

8.1.0edit

Account Discovery Command via SYSTEM Account

Account Password Reset Remotely

Attempts to Brute Force a Microsoft 365 User Account

Azure Virtual Network Device Modified or Deleted

Disabling User Account Control via Registry Modification

Installation of Security Support Provider

Kerberos Traffic from Unusual Process

Local Scheduled Task Creation

Microsoft 365 Inbox Forwarding Rule Created

Microsoft Windows Defender Tampering

Modification of AmsiEnable Registry Key

Modification of WDigest Security Provider

Network Connection via Registration Utility

O365 Exchange Suspicious Mailbox Right Delegation

Persistence via Hidden Run Key Detected

Port Forwarding Rule Addition

Potential Command and Control via Internet Explorer

Potential Credential Access via LSASS Memory Dump

Potential Password Spraying of Microsoft 365 User Accounts

Potential Port Monitor or Print Processor Registration Abuse

Potential Privilege Escalation via InstallerFileTakeOver

RDP Enabled via Registry

Registry Persistence via AppCert DLL

Scheduled Tasks AT Command Enabled

Service Control Spawned via Script Interpreter

SolarWinds Process Disabling Services via Registry

Unusual Print Spooler Child Process

Volume Shadow Copy Deleted or Resized via VssAdmin

Windows Defender Disabled via Registry Modification

8.0.0edit

Application Added to Google Workspace Domain

Component Object Model Hijacking

Connection to Commonly Abused Web Services

Domain Added to Google Workspace Trusted Domains

Google Workspace API Access Granted via Domain-Wide Delegation of Authority

Google Workspace Admin Role Assigned to a User

Google Workspace Admin Role Deletion

Google Workspace Custom Admin Role Created

Google Workspace MFA Enforcement Disabled

Google Workspace Password Policy Modified

Google Workspace Role Modified

Incoming DCOM Lateral Movement via MSHTA

Incoming DCOM Lateral Movement with MMC

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

Incoming Execution via PowerShell Remoting

Incoming Execution via WinRM Remote Shell

LaunchDaemon Creation or Modification and Immediate Loading

MFA Disabled for Google Workspace Organization

O365 Excessive Single Sign-On Logon Errors

Persistence via Folder Action Script

Potential Lateral Tool Transfer via SMB Share

Potential SharpRDP Behavior

PowerShell MiniDump Script

PowerShell Suspicious Discovery Related Windows API Functions

PowerShell Suspicious Script with Audio Capture Capabilities

Remote Scheduled Task Creation

Remotely Started Services via RPC

Suspicious CertUtil Commands

Suspicious JAVA Child Process

Suspicious Portable Executable Encoded in Powershell Script

WMI Incoming Lateral Movement

Windows Defender Exclusions Added via PowerShell

7.16.0edit

Clearing Windows Event Logs

Disabling Windows Defender Security Settings via PowerShell

Exporting Exchange Mailbox via PowerShell

Hosts File Modified

Incoming DCOM Lateral Movement via MSHTA

Incoming DCOM Lateral Movement with MMC

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

Incoming Execution via PowerShell Remoting

Incoming Execution via WinRM Remote Shell

InstallUtil Process Making Network Connections

Kerberos Traffic from Unusual Process

Local Scheduled Task Creation

Microsoft Build Engine Started by a Script Process

Microsoft Exchange Worker Spawning Suspicious Processes

Network Connection via Signed Binary

New ActiveSyncAllowedDeviceID Added via PowerShell

Outbound Scheduled Task Activity via PowerShell

Potential DLL Side-Loading via Microsoft Antimalware Service Executable

Potential Lateral Tool Transfer via SMB Share

Potential SharpRDP Behavior

Potential Windows Error Manager Masquerading

Process Activity via Compiled HTML File

Remote File Download via PowerShell

Remote File Download via Script Interpreter

Remote Scheduled Task Creation

Remotely Started Services via RPC

Scheduled Task Created by a Windows Script

Suspicious MS Office Child Process

Suspicious Zoom Child Process

System Shells via Services

Volume Shadow Copy Deleted or Resized via VssAdmin

WMI Incoming Lateral Movement

Web Shell Detection: Script Process Child of Common Web Processes

Windows Defender Exclusions Added via PowerShell

7.15.0edit

Azure Active Directory High Risk Sign-in

NTDS or SAM Database File Copied

Windows Network Enumeration

7.14.0edit

Accepted Default Telnet Port Connection

Apple Script Execution followed by Network Connection

Attempts to Brute Force a Microsoft 365 User Account

Attempts to Brute Force an Okta User Account

Cobalt Strike Command and Control Beacon

Command Prompt Network Connection

Component Object Model Hijacking

Connection to External Network via Telnet

Connection to Internal Network via Telnet

Creation of Hidden Files and Directories via CommandLine

Default Cobalt Strike Team Server Certificate

Executable File Creation with Multiple Extensions

External Alerts

External IP Lookup from Non-Browser Process

Google Workspace MFA Enforcement Disabled

Google Workspace Password Policy Modified

Halfbaked Command and Control Beacon

High Number of Okta User Password Reset or Unlock Attempts

IPSEC NAT Traversal Port Activity

Image File Execution Options Injection

Inbound Connection to an Unsecure Elasticsearch Node

MFA Disabled for Google Workspace Organization

MacOS Installer Package Spawns Network Event

Mshta Making Network Connections

Network Connection via Certutil

Network Connection via Compiled HTML File

Network Connection via MsXsl

Network Connection via Registration Utility

Network Connection via Signed Binary

Persistence via Folder Action Script

Possible FIN7 DGA Command and Control Behavior

Potential Credential Access via Windows Utilities

Potential Password Spraying of Microsoft 365 User Accounts

RDP (Remote Desktop Protocol) from the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

Roshal Archive (RAR) or PowerShell File Downloaded from the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

Shell Execution via Apple Scripting

Suspicious CertUtil Commands

Suspicious DLL Loaded for Persistence or Privilege Escalation

Suspicious PowerShell Engine ImageLoad

Unusual Network Connection via RunDLL32

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Web Application Suspicious Activity: POST Request Declined

Web Application Suspicious Activity: Unauthorized Method

Web Application Suspicious Activity: sqlmap User Agent

7.13.0edit

AWS CloudTrail Log Created

AWS CloudTrail Log Deleted

AWS CloudTrail Log Suspended

AWS CloudTrail Log Updated

AWS CloudWatch Alarm Deletion

AWS CloudWatch Log Group Deletion

AWS CloudWatch Log Stream Deletion

AWS Config Resource Deletion

AWS Configuration Recorder Stopped

AWS Deletion of RDS Instance or Cluster

AWS EC2 Encryption Disabled

AWS EC2 Network Access Control List Creation

AWS EC2 Network Access Control List Deletion

AWS GuardDuty Detector Deletion

AWS IAM Deactivation of MFA Device

AWS IAM Group Creation

AWS IAM Group Deletion

AWS IAM Password Recovery Requested

AWS IAM User Addition to Group

AWS Management Console Root Login

AWS RDS Cluster Creation

AWS RDS Instance/Cluster Stoppage

AWS S3 Bucket Configuration Deletion

AWS VPC Flow Logs Deletion

AWS WAF Access Control List Deletion

Access to Keychain Credentials Directories

Account Discovery Command via SYSTEM Account

Adding Hidden File Attribute via Attrib

Adobe Hijack Persistence

Bypass UAC via Event Viewer

Clearing Windows Event Logs

Command Shell Activity Started via RunDLL32

Conhost Spawned By Suspicious Parent Process

Connection to Commonly Abused Web Services

Creation or Modification of Domain Backup DPAPI private key

Creation or Modification of a new GPO Scheduled Task or Service

Delete Volume USN Journal with Fsutil

Deleting Backup Catalogs with Wbadmin

Disable Windows Firewall Rules via Netsh

Enumeration of Users or Groups via Built-in Commands

Execution from Unusual Directory - Command Line

Execution via MSSQL xp_cmdshell Stored Procedure

External IP Lookup from Non-Browser Process

GCP Storage Bucket Configuration Modification

GCP Storage Bucket Deletion

GCP Storage Bucket Permissions Modification

GCP Virtual Private Cloud Route Creation

Hosts File Modified

IIS HTTP Logging Disabled

Keychain Password Retrieval via Command Line

LSASS Memory Dump Creation

Local Scheduled Task Creation

Microsoft Build Engine Started an Unusual Process

Microsoft Build Engine Started by a Script Process

Microsoft Build Engine Started by a System Process

Microsoft Build Engine Started by an Office Application

Microsoft Build Engine Using an Alternate Name

Microsoft Exchange Server UM Writing Suspicious Files

Mimikatz Memssp Log File Detected

Modification of Boot Configuration

Modification of Environment Variable via Launchctl

Modification of Standard Authentication Module or Configuration

Network Connection via Registration Utility

Persistence via Login or Logout Hook

Persistence via TelemetryController Scheduled Task Hijack

Potential Application Shimming via Sdbinst

Potential Command and Control via Internet Explorer

Potential Credential Access via Trusted Developer Utility

Potential Evasion via Filter Manager

Process Activity via Compiled HTML File

Program Files Directory Masquerading

Remote File Copy via TeamViewer

Remote File Download via Desktopimgdownldr Utility

Remote File Download via MpCmdRun

SUNBURST Command and Control Activity

Security Software Discovery via Grep

Service Control Spawned via Script Interpreter

Setuid / Setgid Bit Set via chmod

Startup or Run Key Registry Modification

Suspicious CertUtil Commands

Suspicious Explorer Child Process

Suspicious MS Outlook Child Process

Suspicious Managed Code Hosting Process

Suspicious PDF Reader Child Process

Suspicious Print Spooler SPL File Created

Suspicious PrintSpooler Service Executable File Creation

Suspicious Script Object Execution

Suspicious WerFault Child Process

Suspicious macOS MS Office Child Process

Svchost spawning Cmd

System Shells via Services

Timestomping using Touch Command

UAC Bypass via DiskCleanup Scheduled Task Hijack

Unusual Child Process from a System Virtual Process

Unusual Child Process of dns.exe

Unusual Executable File Creation by a System Critical Process

<<unusual-file-modification-by-dns→>

Unusual Network Connection via RunDLL32

<<unusual-parent-process-for-cmd→>

Unusual Persistence via Services Registry

Unusual Process Execution Path - Alternate Data Stream

User Account Creation

User Added to Privileged Group

Volume Shadow Copy Deleted or Resized via VssAdmin

Volume Shadow Copy Deletion via WMIC

WebProxy Settings Modification

Whoami Process Activity

Windows Script Executing PowerShell

7.12.1edit

7.12.0edit

Access to Keychain Credentials Directories

Attempt to Remove File Quarantine Attribute

Azure Automation Account Created

Azure Automation Runbook Created or Modified

Azure Automation Runbook Deleted

Azure Automation Webhook Created

Azure Blob Container Access Level Modification

Azure Command Execution on Virtual Machine

Azure Diagnostic Settings Deletion

Azure Event Hub Authorization Rule Created or Updated

Azure Event Hub Deletion

Azure Firewall Policy Deletion

Azure Key Vault Modified

Azure Network Watcher Deletion

Azure Resource Group Deletion

Azure Storage Account Key Regenerated

Connection to Commonly Abused Web Services

Credential Acquisition via Registry Hive Dumping

Execution from Unusual Directory - Command Line

Execution with Explicit Credentials via Scripting

Installation of Custom Shim Databases

Outbound Scheduled Task Activity via PowerShell

Persistence via Microsoft Office AddIns

Persistence via Microsoft Outlook VBA

Persistence via Update Orchestrator Service Hijack

Potential Command and Control via Internet Explorer

Potential Remote Desktop Tunneling Detected

Potential Secure File Deletion via SDelete Utility

Prompt for Credentials with OSASCRIPT

Remote SSH Login Enabled via systemsetup Command

Scheduled Task Created by a Windows Script

Service Command Lateral Movement

Setuid / Setgid Bit Set via chmod

Sudoers File Modification

Suspicious Cmd Execution via WMI

Suspicious Image Load (taskschd.dll) from MS Office

Suspicious PowerShell Engine ImageLoad

Suspicious RDP ActiveX Client Loaded

Suspicious Script Object Execution

Suspicious WMI Image Load from MS Office

Suspicious WMIC XSL Script Execution

Tampering of Bash Command-Line History

Timestomping using Touch Command

UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

Windows Script Interpreter Executing Process via WMI

7.11.2edit

Credential Acquisition via Registry Hive Dumping

Persistence via WMI Event Subscription

Potential Remote Desktop Tunneling Detected

7.11.0edit

Attempt to Modify an Okta Network Zone

Attempt to Modify an Okta Policy Rule

Azure Automation Account Created

Azure Automation Runbook Created or Modified

Azure Automation Runbook Deleted

Azure Automation Webhook Created

Azure Blob Container Access Level Modification

Azure Command Execution on Virtual Machine

Azure Conditional Access Policy Modified

Azure Diagnostic Settings Deletion

Azure Event Hub Authorization Rule Created or Updated

Azure Event Hub Deletion

Azure External Guest User Invitation

Azure Firewall Policy Deletion

Azure Global Administrator Role Addition to PIM User

Azure Key Vault Modified

Azure Network Watcher Deletion

Azure Privilege Identity Management Role Modified

Azure Resource Group Deletion

Azure Storage Account Key Regenerated

Clearing Windows Event Logs

GCP Firewall Rule Creation

GCP Firewall Rule Deletion

GCP Firewall Rule Modification

GCP IAM Custom Role Creation

GCP IAM Role Deletion

GCP IAM Service Account Key Deletion

GCP Logging Bucket Deletion

GCP Logging Sink Deletion

GCP Logging Sink Modification

GCP Pub/Sub Subscription Creation

GCP Pub/Sub Subscription Deletion

GCP Pub/Sub Topic Creation

GCP Pub/Sub Topic Deletion

GCP Service Account Creation

GCP Service Account Deletion

GCP Service Account Disabled

GCP Service Account Key Creation

GCP Storage Bucket Configuration Modification

GCP Storage Bucket Deletion

GCP Storage Bucket Permissions Modification

GCP Virtual Private Cloud Network Deletion

GCP Virtual Private Cloud Route Creation

GCP Virtual Private Cloud Route Deletion

IIS HTTP Logging Disabled

Microsoft Build Engine Using an Alternate Name

Microsoft IIS Connection Strings Decryption

Microsoft IIS Service Account Password Dumped

Multi-Factor Authentication Disabled for an Azure User

Persistence via TelemetryController Scheduled Task Hijack

Possible Consent Grant Attack via Azure-Registered Application

Potential Credential Access via Trusted Developer Utility

Potential Modification of Accessibility Binaries

Potential Secure File Deletion via SDelete Utility

Potential Windows Error Manager Masquerading

RDP (Remote Desktop Protocol) from the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

Remote File Download via Desktopimgdownldr Utility

Remote File Download via MpCmdRun

Renamed AutoIt Scripts Interpreter

SMB (Windows File Sharing) Activity to the Internet

Suspicious .NET Code Compilation

Suspicious Endpoint Security Parent Process

Suspicious MS Office Child Process

Suspicious Process Execution via Renamed PsExec Executable

Suspicious Zoom Child Process

UAC Bypass via DiskCleanup Scheduled Task Hijack

Unusual Child Processes of RunDLL32

Unusual File Modification by dns.exe

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

User Added as Owner for Azure Application

User Added as Owner for Azure Service Principal

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

7.10.0edit

AWS EC2 Snapshot Activity

AWS Execution via System Manager

AWS IAM Assume Role Policy Update

AWS IAM Brute Force of Assume Role Policy

AWS Management Console Root Login

AWS Root Login Without MFA

AWS WAF Rule or Rule Group Deletion

Account Discovery Command via SYSTEM Account

Administrator Privileges Assigned to an Okta Group

Attempt to Create Okta API Token

Attempt to Deactivate an Okta Policy

Attempt to Deactivate an Okta Policy Rule

Attempt to Delete an Okta Policy

Attempt to Modify an Okta Network Zone

Attempt to Modify an Okta Policy

Attempt to Modify an Okta Policy Rule

Attempt to Reset MFA Factors for an Okta User Account

Attempt to Revoke Okta API Token

Attempted Bypass of Okta MFA

Command Prompt Network Connection

Connection to External Network via Telnet

Connection to Internal Network via Telnet

Direct Outbound SMB Connection

File Transfer or Listener Established via Netcat

Microsoft Build Engine Using an Alternate Name

Modification or Removal of an Okta Application Sign-On Policy

MsBuild Making Network Connections

Network Connection via Certutil

Network Connection via Compiled HTML File

Network Connection via MsXsl

Network Connection via Registration Utility

Network Connection via Signed Binary

Okta Brute Force or Password Spraying Attack

Possible Okta DoS Attack

Potential Application Shimming via Sdbinst

Potential Evasion via Filter Manager

Potential Modification of Accessibility Binaries

Process Activity via Compiled HTML File

PsExec Network Connection

Suspicious Activity Reported by Okta User

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Network Connection

Whoami Process Activity

7.9.0edit

Accepted Default Telnet Port Connection

Account Discovery Command via SYSTEM Account

Adding Hidden File Attribute via Attrib

Adobe Hijack Persistence

Attempt to Disable Syslog Service

Base16 or Base32 Encoding/Decoding Activity

Bypass UAC via Event Viewer

Clearing Windows Event Logs

Command Prompt Network Connection

Connection to External Network via Telnet

Connection to Internal Network via Telnet

Delete Volume USN Journal with Fsutil

Deleting Backup Catalogs with Wbadmin

Direct Outbound SMB Connection

Disable Windows Firewall Rules via Netsh

Enumeration of Kernel Modules

File Deletion via Shred

File Permission Modification in Writable Directory

File Transfer or Listener Established via Netcat

Hping Process Activity

IPSEC NAT Traversal Port Activity

Interactive Terminal Spawned via Perl

Interactive Terminal Spawned via Python

Kernel Module Removal

Local Scheduled Task Creation

Microsoft Build Engine Started an Unusual Process

Microsoft Build Engine Started by a Script Process

Microsoft Build Engine Started by a System Process

Microsoft Build Engine Started by an Office Application

Microsoft Build Engine Using an Alternate Name

Modification of Boot Configuration

MsBuild Making Network Connections

Network Connection via Certutil

Network Connection via Compiled HTML File

Network Connection via MsXsl

Network Connection via Registration Utility

Network Connection via Signed Binary

Nping Process Activity

Potential Credential Access via Trusted Developer Utility

Potential Disabling of SELinux

PsExec Network Connection

RDP (Remote Desktop Protocol) from the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

Service Control Spawned via Script Interpreter

Setuid / Setgid Bit Set via chmod

Sudoers File Modification

Suspicious CertUtil Commands

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

Suspicious PDF Reader Child Process

Svchost spawning Cmd

System Shells via Services

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Network Connection

User Account Creation

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Virtual Machine Fingerprinting

Volume Shadow Copy Deleted or Resized via VssAdmin

Volume Shadow Copy Deletion via WMIC

Windows Script Executing PowerShell

7.8.0edit

Unusual Network Connection via RunDLL32

7.7.0edit

These prebuilt rules have been removed:

  • Execution via Signed Binary
  • Suspicious Process spawning from Script Interpreter
  • Suspicious Script Object Execution

These prebuilt rules have been updated:

Adding Hidden File Attribute via Attrib

Adversary Behavior - Detected - Elastic Endgame

Clearing Windows Event Logs

Command Prompt Network Connection

Credential Dumping - Detected - Elastic Endgame

Credential Dumping - Prevented - Elastic Endgame

Credential Manipulation - Detected - Elastic Endgame

Credential Manipulation - Prevented - Elastic Endgame

Delete Volume USN Journal with Fsutil

Deleting Backup Catalogs with Wbadmin

Direct Outbound SMB Connection

Disable Windows Firewall Rules via Netsh

Exploit - Detected - Elastic Endgame

Exploit - Prevented - Elastic Endgame

File Transfer or Listener Established via Netcat

Hping Process Activity

Local Scheduled Task Creation

Malware - Detected - Elastic Endgame

Malware - Prevented - Elastic Endgame

MsBuild Making Network Connections

Network Connection via Compiled HTML File

Network Connection via Registration Utility

Network Connection via Signed Binary

Nping Process Activity

Permission Theft - Detected - Elastic Endgame

Permission Theft - Prevented - Elastic Endgame

Potential Modification of Accessibility Binaries

Process Injection - Detected - Elastic Endgame

Process Injection - Prevented - Elastic Endgame

PsExec Network Connection

RDP (Remote Desktop Protocol) from the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

Ransomware - Detected - Elastic Endgame

Ransomware - Prevented - Elastic Endgame

SMB (Windows File Sharing) Activity to the Internet

Service Control Spawned via Script Interpreter

Suspicious CertUtil Commands

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

System Shells via Services

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Network Connection

User Account Creation

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Volume Shadow Copy Deleted or Resized via VssAdmin

Volume Shadow Copy Deletion via WMIC

Windows Script Executing PowerShell

7.6.2edit

Adobe Hijack Persistence

7.6.1edit

Accepted Default Telnet Port Connection

IPSEC NAT Traversal Port Activity

RDP (Remote Desktop Protocol) from the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet