Update v8.11.16

edit

This section lists all updates associated with version 8.11.16 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

AWS EC2 Admin Credential Fetch via Assumed Role

Identifies the first occurrence of a user identity in AWS using GetPassword for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.

new

2

Route53 Resolver Query Log Configuration Deleted

Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks.

new

1

EC2 AMI Shared with Another Account

Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.

new

1

Potential File Download via a Headless Browser

Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.

new

1

Alternate Data Stream Creation/Execution at Volume Root Directory

Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.

new

1

Unusual Execution via Microsoft Common Console File

Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.

new

1

Potential PowerShell HackTool Script by Author

Detects known PowerShell offensive tooling author’s name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.

new

1

Potential Ransomware Behavior - High count of Readme files by System

This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.

new

1

Suspicious File Renamed via SMB

Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.

new

1

Potential Ransomware Note File Dropped via SMB

Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol.

new

1

Container Workload Protection

Generates a detection alert each time a Container Workload Protection alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.

update

4

Endpoint Security

Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.

update

103

Access to Keychain Credentials Directories

Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.

update

207

Keychain Password Retrieval via Command Line

Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.

update

108

WebProxy Settings Modification

Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.

update

206

Prompt for Credentials with OSASCRIPT

Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.

update

207

Suspicious Web Browser Sensitive File Access

Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

update

207

SystemKey Access via Command Line

Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.

update

206

Quarantine Attrib Removed by Unsigned or Untrusted Process

Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple’s Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.

update

108

Modification of Environment Variable via Unsigned or Untrusted Parent

Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.

update

206

Enumeration of Users or Groups via Built-in Commands

Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.

update

207

Suspicious Browser Child Process

Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation.

update

107

MacOS Installer Package Spawns Network Event

Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.

update

107

Shell Execution via Apple Scripting

Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.

update

107

Suspicious macOS MS Office Child Process

Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.

update

206

Authorization Plugin Modification

Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.

update

107

Persistence via Docker Shortcut Modification

An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.

update

107

Finder Sync Plugin Registered and Enabled

Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.

update

206

Persistence via Folder Action Script

Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.

update

107

Potential Persistence via Login Hook

Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.

update

108

Apple Scripting Execution with Administrator Privileges

Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.

update

207

Potential Admin Group Account Addition

Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.

update

206

Credential Dumping - Detected - Elastic Endgame

Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Credential Dumping - Prevented - Elastic Endgame

Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Adversary Behavior - Detected - Elastic Endgame

Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

104

Malware - Detected - Elastic Endgame

Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Malware - Prevented - Elastic Endgame

Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Ransomware - Detected - Elastic Endgame

Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Ransomware - Prevented - Elastic Endgame

Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Exploit - Detected - Elastic Endgame

Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Exploit - Prevented - Elastic Endgame

Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

External Alerts

Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.

update

103

Credential Manipulation - Detected - Elastic Endgame

Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Credential Manipulation - Prevented - Elastic Endgame

Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Permission Theft - Detected - Elastic Endgame

Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Permission Theft - Prevented - Elastic Endgame

Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Process Injection - Detected - Elastic Endgame

Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Process Injection - Prevented - Elastic Endgame

Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

update

103

Connection to Commonly Abused Web Services

Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.

update

113

Component Object Model Hijacking

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.

update

113