Update v8.10.17

edit

This section lists all updates associated with version 8.10.17 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Shell Configuration Modification

This rule monitors the creation/alteration of a shell configuration by a previously unknown process executable using the new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user’s environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.

new

1

Potential privilege escalation via CVE-2022-38028

Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.

new

1

Network Activity Detected via Kworker

This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel’s workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.

update

4

Potential Linux Tunneling and/or Port Forwarding

This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.

update

7