Update v8.11.13

edit

This section lists all updates associated with version 8.11.13 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Network-Level Authentication (NLA) Disabled

Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.

new

3

Potential Windows Session Hijacking via CcmExec

This detection rule identifies when SCNotification.exe loads an untrusted DLL, which is a potential indicator of an attacker attempt to hijack/impersonate a Windows user session.

new

1

Delayed Execution via Ping

Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.

new

2

Downloaded Shortcut Files

Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.

new

2

Downloaded URL Files

Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.

new

2

Mofcomp Activity

Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.

new

2

Browser Extension Install

Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.

new

2

Office Test Registry Persistence

Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.

new

3

Netsh Helper DLL

Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.

new

2

Werfault ReflectDebugger Persistence

Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the "-pr" parameter.

new

2

Potential Exploitation of an Unquoted Service Path Vulnerability

Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.

new

3

AWS CloudTrail Log Created

Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.

update

207

AWS IAM Brute Force of Assume Role Policy

Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.

update

210

AWS IAM User Addition to Group

Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).

update

209

First Time Seen AWS Secret Value Accessed in Secrets Manager

An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the GetSecretValue action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role’s assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service’s IAM role to access the secrets in Secrets Manager.

update

310

AWS Management Console Brute Force of Root User Identity

Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.

update

207

AWS CloudTrail Log Deleted

Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.

update

209

AWS CloudTrail Log Suspended

Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.

update

209

AWS CloudWatch Alarm Deletion

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

update

209

AWS Config Resource Deletion

Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.

update

209

AWS Configuration Recorder Stopped

Identifies an AWS configuration change to stop recording a designated set of resources.

update

206

AWS VPC Flow Logs Deletion

Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.

update

209

AWS EC2 Network Access Control List Deletion

Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.

update

206

AWS ElastiCache Security Group Created

Identifies when an ElastiCache security group has been created.

update

206

AWS ElastiCache Security Group Modified or Deleted

Identifies when an ElastiCache security group has been modified or deleted.

update

206

AWS SAML Activity

Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.

update

206

AWS GuardDuty Detector Deletion

Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.

update

206

AWS S3 Bucket Configuration Deletion

Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.

update

207

AWS WAF Access Control List Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.

update

206

AWS WAF Rule or Rule Group Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.

update

206

AWS EC2 Full Network Packet Capture Detected

Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.

update

206

AWS EC2 Snapshot Activity

An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.

update

209

AWS EC2 VM Export Failure

Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.

update

206

AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

update

206

AWS RDS Snapshot Restored

Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.

update

206

AWS EventBridge Rule Disabled or Deleted

Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.

update

206

AWS CloudTrail Log Updated

Identifies an update to an AWS log trail setting that specifies the delivery of log files.

update

209

AWS CloudWatch Log Group Deletion

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

update

209

AWS CloudWatch Log Stream Deletion

Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.

update

209

AWS EC2 Encryption Disabled

Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.

update

206

AWS EFS File System or Mount Deleted

Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.

update

206

AWS IAM Deactivation of MFA Device

Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.

update

209

AWS IAM Group Deletion

Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.

update

206

AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.

update

106

AWS RDS Security Group Deletion

Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.

update

206

AWS Deletion of RDS Instance or Cluster

Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.

update

206

AWS RDS Instance/Cluster Stoppage

Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.

update

206

AWS Management Console Root Login

Identifies a successful login to the AWS Management Console by the Root user.

update

209

AWS IAM Password Recovery Requested

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

update

206

AWS Execution via System Manager

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

update

209

AWS EC2 Network Access Control List Creation

Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.

update

206

AWS Security Group Configuration Change Detection

Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.

update

206

AWS IAM Group Creation

Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.

update

206

AWS RDS Cluster Creation

Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.

update

206

AWS RDS Security Group Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Security group.

update

206

AWS RDS Instance Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.

update

206

AWS Redshift Cluster Creation

Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.

update

206

AWS Route 53 Domain Transfer Lock Disabled

Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

update

206

AWS Route 53 Domain Transferred to Another Account

Identifies when a request has been made to transfer a Route 53 domain to another AWS account.

update

206

AWS Route53 private hosted zone associated with a VPC

Identifies when a Route53 private hosted zone has been associated with VPC.

update

206

AWS Route Table Created

Identifies when an AWS Route Table has been created.

update

207

AWS Route Table Modified or Deleted

Identifies when an AWS Route Table has been modified or deleted.

update

207

AWS Root Login Without MFA

Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.

update

209

AWS Security Token Service (STS) AssumeRole Usage

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

update

206

AWS STS GetSessionToken Abuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

update

206

AWS IAM Assume Role Policy Update

Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.

update

209

Potential External Linux SSH Brute Force Detected

Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.

update

7

Potential Internal Linux SSH Brute Force Detected

Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.

update

11

Potential Successful SSH Brute Force Attack

Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.

update

11

Linux Group Creation

Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.

update

5

Linux User Account Creation

Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.

update

5

Connection to Commonly Abused Web Services

Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.

update

112

Potential Command and Control via Internet Explorer

Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.

update

106

Remote File Download via PowerShell

Identifies powershell.exe being used to download an executable file from an untrusted remote destination.

update

110

Remote File Download via Script Interpreter

Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.

update

110

Potential Credential Access via Trusted Developer Utility

An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.

update

110

InstallUtil Process Making Network Connections

Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.

update

107

Potential Windows Error Manager Masquerading

Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.

update

108

Network Connection via Signed Binary

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to live off the land and execute malicious files that could bypass application allowlists and signature validation.

update

108

MsBuild Making Network Connections

Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.

update

109

Mshta Making Network Connections

Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.

update

107

Network Connection via MsXsl

Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.

update

106

Unusual Network Activity from a Windows System Binary

Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.

update

111

Process Termination followed by Deletion

Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

update

109

Suspicious WMIC XSL Script Execution

Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.

update

109

Untrusted Driver Loaded

Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.

update

8

Unusual Network Connection via DllHost

Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.

update

107

Unusual Network Connection via RunDLL32

Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.

update

109

Unusual Process Network Connection

Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.

update

108

Host Files System Changes via Windows Subsystem for Linux

Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

update

7

Potential Enumeration via Active Directory Web Service

Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.

update

2

Command Prompt Network Connection

Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.

update

108

Svchost spawning Cmd

Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe

update

212

Network Connection via Compiled HTML File

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).

update

108

Execution of File Written or Modified by Microsoft Office

Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.

update

110

Execution of File Written or Modified by PDF Reader

Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.

update

108

PsExec Network Connection

Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.

update

109

Network Connection via Registration Utility

Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

update

108

Outbound Scheduled Task Activity via PowerShell

Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.

update

108

Suspicious HTML File Creation

Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.

update

107

Execution from a Removable Media with Network Connection

Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

update

3

Potential Remote File Execution via MSIEXEC

Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files.

update

3

Windows Script Interpreter Executing Process via WMI

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

update

109

Remote XSL Script Execution via COM

Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.

update

3

Service Command Lateral Movement

Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.

update

107

Incoming DCOM Lateral Movement via MSHTA

Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.

update

107

Incoming DCOM Lateral Movement with MMC

Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.

update

108

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows

Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.

update

107

Direct Outbound SMB Connection

Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.

update

110

Potential Remote Desktop Shadowing Activity

Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.

update

109

Potential Lateral Tool Transfer via SMB Share

Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.

update

108

Remote Execution via File Shares

Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.

update

111

Incoming Execution via WinRM Remote Shell

Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.

update

108

WMI Incoming Lateral Movement

Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.

update

110

Incoming Execution via PowerShell Remoting

Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.

update

109

Potential SharpRDP Behavior

Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.

update

106

Remotely Started Services via RPC

Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.

update

112

Remote Scheduled Task Creation

Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.

update

108

Scheduled Task Created by a Windows Script

A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.

update

107

Account Password Reset Remotely

Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.

update

114

Startup Folder Persistence via Unsigned Process

Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.

update

109