Update v8.6.6

edit

This section lists all updates associated with version 8.6.6 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Cron Job Created or Changed by Previously Unknown Process

Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.

new

1

New Systemd Timer Created

Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.

new

1

New Systemd Service Created by Previously Unknown Process

Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.

new

1

Unusual File Creation - Alternate Data Stream

Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.

update

107

Remote System Discovery Commands

Discovery of remote system information using built-in commands, which may be used to move laterally.

update

106

Suspicious PowerShell Engine ImageLoad

Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.

update

105

WMI Incoming Lateral Movement

Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.

update

104