Update v8.13.5edit
This section lists all updates associated with version 8.13.5 of the Fleet integration Prebuilt Security Detection Rules.
| Rule | Description | Status | Version |
|---|---|---|---|
This rule monitors the creation/alteration of a shell configuration by a previously unknown process executable using the new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user’s environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family. |
new |
1 |
|
Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. |
new |
1 |
|
This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel’s workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. |
update |
4 |
|
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. |
update |
7 |