Update v8.5.6


This section lists all updates associated with version 8.5.6 of the Fleet integration Prebuilt Security Detection Rules.

| Rule | Description | Status | Version |
|---|---|---|---|
| Unusual File Creation - Alternate Data Stream | Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and is sometimes done by adversaries to hide malware. | update | 107 |
| Remote System Discovery Commands | Identifies discovery of remote system information using built-in commands, which may precede lateral movement. | update | 106 |
| Suspicious PowerShell Engine ImageLoad | Identifies the PowerShell engine being loaded by unexpected processes. Some attackers do this instead of running powershell.exe in order to operate more stealthily. | update | 105 |
| WMI Incoming Lateral Movement | Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This may indicate adversary lateral movement, but can be noisy if administrators use WMI to remotely manage hosts. | update | 104 |
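The four rule descriptions above each name a behaviour rather than a query. The following is an added example, not the Elastic prebuilt rules' own EQL/KQL logic, that implements a simplified stand-in for each of the four behaviours over constructed sample telemetry. The event shape, the list of "highly targeted" extensions, the discovery command patterns and the management-host allowlist are all assumptions chosen for illustration; the Zone.Identifier exclusion and the System.Management.Automation.dll / WmiPrvSE.exe indicators are the well-known artefacts behind these detections.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed event shape; the field names are assumptions for this example,
# not the ECS fields the Elastic rules query.
@dataclass
class Event:
    category: str                      # "file", "library" or "process"
    host: str
    process_name: str = ""             # image name of the acting process
    parent_name: str = ""              # parent image name, for process events
    command_line: str = ""             # full command line, for process events
    file_path: str = ""                # target path, for file-creation events
    dll_name: str = ""                 # loaded module name, for library-load events
    logon_type: Optional[int] = None   # Windows logon type of the acting session
    source_ip: str = ""                # remote peer for network logons, when known

# Rule 1 stand-in: ADS creation on file types adversaries commonly stage (assumed list).
ADS_TARGET_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta",
                         ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip"}

def is_unusual_ads_creation(ev: Event) -> bool:
    if ev.category != "file":
        return False
    # An NTFS ADS path is <file>:<stream>; skip the drive-letter colon at index 1.
    sep = ev.file_path.find(":", 2)
    if sep == -1:
        return False
    base, stream = ev.file_path[:sep], ev.file_path[sep + 1:]
    # Zone.Identifier is the mark-of-the-web stream browsers write legitimately.
    if stream.lower().startswith("zone.identifier"):
        return False
    return ntpath.splitext(base.lower())[1] in ADS_TARGET_EXTENSIONS

# Rule 2 stand-in: built-in remote discovery commands (image/argument pairs assumed).
DISCOVERY_PATTERNS = (
    ("nltest.exe", ("/dclist", "/domain_trusts", "/server")),
    ("net.exe", ("view", "group /domain", "domain computers")),
    ("net1.exe", ("view", "group /domain", "domain computers")),
)

def is_remote_discovery(ev: Event) -> bool:
    if ev.category != "process":
        return False
    cmd = ev.command_line.lower()
    return any(ev.process_name.lower() == image and any(n in cmd for n in needles)
               for image, needles in DISCOVERY_PATTERNS)

# Rule 3 stand-in: the PowerShell engine DLL loaded by something other than a PowerShell host.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}

def is_suspicious_engine_load(ev: Event) -> bool:
    return (ev.category == "library"
            and ev.dll_name.lower() in ENGINE_DLLS
            and ev.process_name.lower() not in POWERSHELL_HOSTS)

# Rule 4 stand-in: a child of the WMI provider host started under a network (type 3) logon.
# The allowlist of admin jump hosts is an assumed tuning knob for the noise the rule text warns about.
NETWORK_LOGON = 3
MANAGEMENT_HOSTS = {"10.0.0.5"}

def is_wmi_incoming_exec(ev: Event) -> bool:
    return (ev.category == "process"
            and ev.parent_name.lower() == "wmiprvse.exe"
            and ev.logon_type == NETWORK_LOGON
            and ev.source_ip not in MANAGEMENT_HOSTS)

RULES: Tuple[Tuple[str, Callable[[Event], bool]], ...] = (
    ("Unusual File Creation - Alternate Data Stream", is_unusual_ads_creation),
    ("Remote System Discovery Commands", is_remote_discovery),
    ("Suspicious PowerShell Engine ImageLoad", is_suspicious_engine_load),
    ("WMI Incoming Lateral Movement", is_wmi_incoming_exec),
)

def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, host) for every event that matches a rule."""
    return [(name, ev.host) for ev in events for name, check in RULES if check(ev)]

# Constructed sample telemetry (not real logs): one true positive and one benign look-alike per rule.
SAMPLE_EVENTS = [
    Event("file", "ws01", process_name="cmd.exe", file_path=r"C:\Users\bob\report.pdf:payload.exe"),
    Event("file", "ws01", process_name="chrome.exe", file_path=r"C:\Users\bob\Downloads\setup.exe:Zone.Identifier"),
    Event("process", "ws02", process_name="nltest.exe", command_line="nltest /dclist:corp"),
    Event("process", "ws02", process_name="net.exe", command_line=r"net use Z: \\fs01\share"),
    Event("library", "ws03", process_name="rundll32.exe", dll_name="System.Management.Automation.dll"),
    Event("library", "ws03", process_name="powershell.exe", dll_name="System.Management.Automation.dll"),
    Event("process", "srv01", process_name="cmd.exe", parent_name="WmiPrvSE.exe",
          command_line="cmd /c whoami", logon_type=3, source_ip="10.0.0.77"),
    Event("process", "srv01", process_name="cmd.exe", parent_name="WmiPrvSE.exe",
          command_line="cmd /c gpupdate", logon_type=3, source_ip="10.0.0.5"),
]

if __name__ == "__main__":
    for name, host in run_rules(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

Each stand-in keeps the exclusion the rule text implies: the mark-of-the-web stream is dropped for rule 1, a legitimate PowerShell host is dropped for rule 3, and rule 4 takes an allowlist so that administrators' management hosts do not fire it. In a real deployment these lists are tuned per environment and the checks run against endpoint telemetry, not an in-memory list.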