Update v8.12.22

edit

This section lists all updates associated with version 8.12.22 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

AWS SSM SendCommand with Run Shell Command Parameters

Identifies the use of the AWS Systems Manager (SSM) SendCommand API with the either AWS-RunShellScript or AWS-RunPowerShellScript parameters. The SendCommand API call allows users to execute commands on EC2 instances using the SSM service. Adversaries may use this technique to execute commands on EC2 instances without the need for SSH or RDP access. This behavior may indicate an adversary attempting to execute commands on an EC2 instance for malicious purposes. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 7 days.

new

1

Microsoft 365 Portal Logins from Impossible Travel Locations

Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.

new

1

Microsoft 365 Portal Login from Rare Location

Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user’s account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or behind a VPN.

new

1

Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials

Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the okta.actor.display_name field value has not been seen in the last 14 days regarding this event.

new

1

Unusual Instance Metadata Service (IMDS) API Request

This rule identifies potentially malicious processes attempting to access the cloud service provider’s instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if role’s are assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.

new

1

Root Certificate Installation

This rule detects the installation of root certificates on a Linux system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.

new

1

Suspicious pbpaste High Volume Activity

Identifies a high volume of pbpaste executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information.

new

1

User Added to the Admin Group

Identifies users being added to the admin group. This could be an indication of privilege escalation activity.

new

1

MsiExec Service Child Process With Network Connection

Identifies the execution of an MsiExec service child process followed by network or dns lookup activity. Adversaries may abuse Windows Installers for initial access and delivery of malware.

new

1

Script Execution via Microsoft HTML Application

Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.

new

1

Potential Foxmail Exploitation

Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.

new

1

WPS Office Exploitation via DLL Hijack

Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.

new

1

Suspicious PowerShell Execution via Windows Scripts

Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).

new

1

Suspicious Windows Command Shell Arguments

Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.

new

1

Suspicious Windows Powershell Arguments

Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.

new

1

Persistence via a Windows Installer

Identifies when the Windows installer process msiexec.exe creates a new persistence entry via scheduled tasks or startup.

new

1

Potential Escalation via Vulnerable MSI Repair

Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.

new

1

Deprecated - Potential Password Spraying of Microsoft 365 User Accounts

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

update

208

Potential Execution via XZBackdoor

It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.

update

2

Connection to Commonly Abused Web Services

Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.

update

115

Unusual Network Activity from a Windows System Binary

Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.

update

113

Remote Execution via File Shares

Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.

update

113