Update v0.13.2
editUpdate v0.13.2
editThis section lists all updates associated with version 0.13.2 of the Fleet integration Prebuilt Security Detection Rules.
Included in this release are 3 new rules for the recently observed REvil activity as well as 4 new rules covering the recent PrintNightmare vulnerability.
| Rule | Description | Status | Version |
|---|---|---|---|
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |
new |
1 |
|
Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |
new |
1 |
|
Identifies the deletion of an Amazon Relational Database Service (RDS) Security Group. |
new |
1 |
|
Identifies the creation of an Amazon Relational Database Service (RDS) Security Group. |
new |
1 |
|
Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |
new |
1 |
|
Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |
new |
1 |
|
Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |
new |
1 |
|
Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements. |
new |
1 |
|
Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. |
new |
1 |
|
Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings. |
new |
1 |
|
Potential DLL Side-Loading via Microsoft Antimalware Service Executable |
Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes. |
new |
1 |
Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated. |
new |
1 |
|
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated. |
new |
1 |
|
Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities. |
new |
1 |
|
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows. |
new |
1 |
|
Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |
update |
2 |
|
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. |
update |
3 |
|
A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. |
update |
3 |
|
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. |
update |
5 |
|
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. |
update |
4 |
|
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration. |
update |
9 |