Prebuilt rule changes per release

This page lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule's changes, see the rule's description page.

7.12.1

N/A

7.12.0

Access to Keychain Credentials Directories

Execution from Unusual Directory - Command Line

Execution with Explicit Credentials via Scripting

File and Directory Discovery

Outbound Scheduled Task Activity via PowerShell

Persistence via Microsoft Office AddIns

Persistence via Microsoft Outlook VBA

Persistence via Update Orchestrator Service Hijack

Potential Command and Control via Internet Explorer

Potential Remote Desktop Tunneling Detected

Potential Secure File Deletion via SDelete Utility

Prompt for Credentials with OSASCRIPT

Remote SSH Login Enabled via systemsetup Command

Scheduled Task Created by a Windows Script

Service Command Lateral Movement

Setuid / Setgid Bit Set via chmod

Sudoers File Modification

Suspicious Cmd Execution via WMI

Suspicious Image Load (taskschd.dll) from MS Office

Suspicious PowerShell Engine ImageLoad

Suspicious Process from Conhost

Suspicious RDP ActiveX Client Loaded

Suspicious WMI Image Load from MS Office

Suspicious WMIC XSL Script Execution

Tampering of Bash Command-Line History

Timestomping using Touch Command

UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

Windows Script Interpreter Executing Process via WMI

Windows Suspicious Script Object Execution

7.11.2

File and Directory Discovery

Persistence via WMI Event Subscription

Potential Remote Desktop Tunneling Detected

7.11.0

FTP (File Transfer Protocol) Activity to the Internet

GCP Firewall Rule Creation

GCP Firewall Rule Deletion

GCP Firewall Rule Modification

GCP IAM Custom Role Creation

GCP IAM Role Deletion

GCP IAM Service Account Key Deletion

GCP Logging Bucket Deletion

GCP Logging Sink Deletion

GCP Logging Sink Modification

GCP Pub/Sub Subscription Creation

GCP Pub/Sub Subscription Deletion

GCP Pub/Sub Topic Creation

GCP Pub/Sub Topic Deletion

GCP Service Account Creation

GCP Service Account Deletion

GCP Service Account Disabled

GCP Service Account Key Creation

GCP Storage Bucket Configuration Modification

GCP Storage Bucket Deletion

GCP Storage Bucket Permissions Modification

GCP Virtual Private Cloud Network Deletion

GCP Virtual Private Cloud Route Creation

GCP Virtual Private Cloud Route Deletion

Microsoft Build Engine Loading Windows Credential Libraries

Microsoft Build Engine Using an Alternate Name

Microsoft IIS Connection Strings Decryption

Microsoft IIS Service Account Password Dumped

Multi-Factor Authentication Disabled for an Azure User

Persistence via TelemetryController Scheduled Task Hijack

Possible Consent Grant Attack via Azure-Registered Application

Potential DLL SideLoading via Trusted Microsoft Programs

Potential Modification of Accessibility Binaries

Potential Secure File Deletion via SDelete Utility

Potential Windows Error Manager Masquerading

Proxy Port Activity to the Internet

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

Remote File Download via Desktopimgdownldr Utility

Remote File Download via MpCmdRun

Renamed AutoIt Scripts Interpreter

SMB (Windows File Sharing) Activity to the Internet

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

Suspicious .NET Code Compilation

Suspicious Endpoint Security Parent Process

Suspicious MS Office Child Process

Suspicious Process Execution via Renamed PsExec Executable

Suspicious Zoom Child Process

TCP Port 8000 Activity to the Internet

Tor Activity to the Internet

UAC Bypass via DiskCleanup Scheduled Task Hijack

Unusual Child Processes of RunDLL32

Unusual File Modification by dns.exe

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

User Added as Owner for Azure Application

User Added as Owner for Azure Service Principal

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

7.10.0

AWS EC2 Snapshot Activity

AWS Execution via System Manager

AWS IAM Assume Role Policy Update

AWS IAM Brute Force of Assume Role Policy

AWS Management Console Root Login

AWS Root Login Without MFA

AWS WAF Rule or Rule Group Deletion

Administrator Privileges Assigned to an Okta Group

Microsoft Build Engine Using an Alternate Name

Modification or Removal of an Okta Application Sign-On Policy

MsBuild Making Network Connections

Net command via SYSTEM account

Netcat Network Activity

Network Connection via Certutil

Network Connection via Compiled HTML File

Network Connection via MsXsl

Network Connection via Registration Utility

Network Connection via Signed Binary

Okta Brute Force or Password Spraying Attack

Possible Okta DoS Attack

Potential Application Shimming via Sdbinst

Potential Evasion via Filter Manager

Potential Modification of Accessibility Binaries

Process Activity via Compiled HTML File

Process Discovery via Tasklist

PsExec Network Connection

Suspicious Activity Reported by Okta User

Threat Detected by Okta ThreatInsight

Trusted Developer Application Usage

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Network Connection

Whoami Process Activity

7.9.0

Adding Hidden File Attribute via Attrib

Adobe Hijack Persistence

Encoding or Decoding Files via CertUtil

Enumeration of Kernel Modules

Execution via Regsvcs/Regasm

FTP (File Transfer Protocol) Activity to the Internet

File Deletion via Shred

File Permission Modification in Writable Directory

Microsoft Build Engine Loading Windows Credential Libraries

Microsoft Build Engine Started an Unusual Process

Microsoft Build Engine Started by a Script Process

Microsoft Build Engine Started by a System Process

Microsoft Build Engine Started by an Office Application

Microsoft Build Engine Using an Alternate Name

Mknod Process Activity

Modification of Boot Configuration

MsBuild Making Network Connections

Net command via SYSTEM account

Netcat Network Activity

Network Connection via Certutil

Network Connection via Compiled HTML File

Network Connection via MsXsl

Network Connection via Registration Utility

Network Connection via Signed Binary

Network Sniffing via Tcpdump

Nmap Process Activity

Nping Process Activity

PPTP (Point to Point Tunneling Protocol) Activity

Persistence via Kernel Module Modification

Potential DNS Tunneling via Iodine

Potential Disabling of SELinux

Potential Shell via Web Server

PowerShell spawning Cmd

Proxy Port Activity to the Internet

PsExec Network Connection

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

Setuid / Setgid Bit Set via chmod

Socat Process Activity

Strace Process Activity

Sudoers File Modification

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

Suspicious PDF Reader Child Process

Svchost spawning Cmd

System Shells via Services

TCP Port 8000 Activity to the Internet

Telnet Port Activity

Tor Activity to the Internet

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Execution - Temp

Unusual Process Network Connection

User Account Creation

User Discovery via Whoami

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Virtual Machine Fingerprinting

Volume Shadow Copy Deletion via VssAdmin

Volume Shadow Copy Deletion via WMIC

Windows Script Executing PowerShell

7.8.0

Potential Shell via Web Server

Unusual Network Connection via RunDLL32

7.7.0

These prebuilt rules have been removed:

  • Execution via Signed Binary
  • Suspicious Process spawning from Script Interpreter
  • Suspicious Script Object Execution

These prebuilt rules have been updated:

Adding Hidden File Attribute via Attrib

Adversary Behavior - Detected - Elastic Endgame

Encoding or Decoding Files via CertUtil

Exploit - Detected - Elastic Endgame

Exploit - Prevented - Elastic Endgame

FTP (File Transfer Protocol) Activity to the Internet

Malware - Detected - Elastic Endgame

Malware - Prevented - Elastic Endgame

Mknod Process Activity

MsBuild Making Network Connections

Netcat Network Activity

Network Connection via Compiled HTML File

Network Connection via Registration Utility

Network Connection via Signed Binary

Network Sniffing via Tcpdump

Nmap Process Activity

Nping Process Activity

Permission Theft - Detected - Elastic Endgame

Permission Theft - Prevented - Elastic Endgame

Persistence via Kernel Module Modification

Potential DNS Tunneling via Iodine

Potential Modification of Accessibility Binaries

Process Injection - Detected - Elastic Endgame

Process Injection - Prevented - Elastic Endgame

Proxy Port Activity to the Internet

PsExec Network Connection

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

Ransomware - Detected - Elastic Endgame

Ransomware - Prevented - Elastic Endgame

SMB (Windows File Sharing) Activity to the Internet

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

Socat Process Activity

Strace Process Activity

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

System Shells via Services

TCP Port 8000 Activity to the Internet

Tor Activity to the Internet

Trusted Developer Application Usage

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Execution - Temp

Unusual Process Network Connection

User Account Creation

User Discovery via Whoami

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Volume Shadow Copy Deletion via VssAdmin

Volume Shadow Copy Deletion via WMIC

Web Application Suspicious Activity: No User Agent

Windows Script Executing PowerShell

7.6.2

Adobe Hijack Persistence

7.6.1

FTP (File Transfer Protocol) Activity to the Internet

PPTP (Point to Point Tunneling Protocol) Activity

Potential Shell via Web Server

Proxy Port Activity to the Internet

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

TCP Port 8000 Activity to the Internet

Telnet Port Activity

Tor Activity to the Internet

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet