Update v8.14.10

edit

This section lists all updates associated with version 8.14.10 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

First Occurrence of STS GetFederationToken Request by User

Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user within the last 10 days. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.

new

1

AWS EC2 Multi-Region DescribeInstances API Calls

Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target’s infrastructure.

new

1

AWS Service Quotas Multi-Region GetServiceQuota Requests

Identifies when a single AWS resource is making GetServiceQuota API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.

new

1

AWS Signin Single Factor Console Login with Federated User

Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.

new

1

AWS CLI Command with Custom Endpoint URL

Detects the use of the AWS CLI with the --endpoint-url argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.

new

1

Attempt to Disable Auditd Service

Adversaries may attempt to disable the Auditd service to evade detection. Auditd is a Linux service that provides system auditing and logging. Disabling the Auditd service can prevent the system from logging important security events, which can be used to detect malicious activity.

new

1

Potential Defense Evasion via Doas

This rule detects the creation or rename of the Doas configuration file on a Linux system. Adversaries may create or modify the Doas configuration file to elevate privileges and execute commands as other users while attempting to evade detection.

new

1

SELinux Configuration Creation or Renaming

This rule detects the creation or renaming of the SELinux configuration file. SELinux is a security module that provides access control security policies. Modifications to the SELinux configuration file may indicate an attempt to impair defenses by disabling or modifying security tools.

new

1

SSL Certificate Deletion

This rule detects the deletion of SSL certificates on a Linux system. Adversaries may delete SSL certificates to subvert trust controls and negatively impact the system.

new

1

Openssl Client or Server Activity

This rule identifies when the openssl client or server is used to establish a connection. Attackers may use openssl to establish a secure connection to a remote server or to create a secure server to receive connections. This activity may be used to exfiltrate data or establish a command and control channel.

new

1

Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score

A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model’s blocklist identified the event as being malicious.

update

8

Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score

A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model’s blocklist identified the event as being malicious.

update

8

Suspicious Web Browser Sensitive File Access

Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

update

209

Enumeration of Privileged Local Groups Membership

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

update

313

Potential privilege escalation via CVE-2022-38028

Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.

update

3