Prebuilt rule changes per release

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

The following lists prebuilt rule updates per release. Only rules with significant modifications to their query or scope are listed. For detailed information about a rule’s changes, see the rule’s description page.

7.9.0

edit

Adding Hidden File Attribute via Attrib

Adobe Hijack Persistence

Attempt to Disable IPTables or Firewall

Attempt to Disable Syslog Service

Base16 or Base32 Encoding/Decoding Activity

Base64 Encoding/Decoding Activity

Bypass UAC via Event Viewer

Clearing Windows Event Logs

Command Prompt Network Connection

Connection to External Network via Telnet

Connection to Internal Network via Telnet

DNS Activity to the Internet

Delete Volume USN Journal with Fsutil

Deleting Backup Catalogs with Wbadmin

Direct Outbound SMB Connection

Disable Windows Firewall Rules via Netsh

Encoding or Decoding Files via CertUtil

Enumeration of Kernel Modules

Execution via Regsvcs/Regasm

FTP (File Transfer Protocol) Activity to the Internet

File Deletion via Shred

File Permission Modification in Writable Directory

Hex Encoding/Decoding Activity

Hping Process Activity

IPSEC NAT Traversal Port Activity

IRC (Internet Relay Chat) Protocol Activity to the Internet

Interactive Terminal Spawned via Perl

Interactive Terminal Spawned via Python

Kernel Module Removal

Local Scheduled Task Commands

Local Service Commands

Microsoft Build Engine Loading Windows Credential Libraries

Microsoft Build Engine Started an Unusual Process

Microsoft Build Engine Started by a Script Process

Microsoft Build Engine Started by a System Process

Microsoft Build Engine Started by an Office Application

Microsoft Build Engine Using an Alternate Name

Mknod Process Activity

Modification of Boot Configuration

MsBuild Making Network Connections

Net command via SYSTEM account

Netcat Network Activity

Network Connection via Certutil

Network Connection via Compiled HTML File

Network Connection via MsXsl

Network Connection via Mshta

Network Connection via Regsvr

Network Connection via Signed Binary

Network Sniffing via Tcpdump

Nmap Process Activity

Nping Process Activity

PPTP (Point to Point Tunneling Protocol) Activity

Persistence via Kernel Module Modification

Potential DNS Tunneling via Iodine

Potential Disabling of SELinux

Potential Shell via Web Server

PowerShell spawning Cmd

Proxy Port Activity to the Internet

PsExec Network Connection

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

Setgid Bit Set via chmod

Setuid Bit Set via chmod

Socat Process Activity

Strace Process Activity

Sudoers File Modification

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

Suspicious PDF Reader Child Process

Svchost spawning Cmd

System Shells via Services

TCP Port 8000 Activity to the Internet

Telnet Port Activity

Tor Activity to the Internet

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Execution - Temp

Unusual Process Network Connection

User Account Creation

User Discovery via Whoami

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Virtual Machine Fingerprinting

Volume Shadow Copy Deletion via VssAdmin

Volume Shadow Copy Deletion via WMIC

Windows Script Executing PowerShell

7.8.0

edit

Potential Shell via Web Server

Unusual Network Connection via RunDLL32

7.7.0

edit

These prebuilt rules have been removed:

  • Execution via Signed Binary
  • Suspicious Process spawning from Script Interpreter
  • Suspicious Script Object Execution

These prebuilt rules have been updated:

Adding Hidden File Attribute via Attrib

Adversary Behavior - Detected - Elastic Endpoint Security

Clearing Windows Event Logs

Command Prompt Network Connection

Credential Dumping - Detected - Elastic Endpoint Security

Credential Dumping - Prevented - Elastic Endpoint Security

Credential Manipulation - Detected - Elastic Endpoint Security

Credential Manipulation - Prevented - Elastic Endpoint Security

DNS Activity to the Internet

Delete Volume USN Journal with Fsutil

Deleting Backup Catalogs with Wbadmin

Direct Outbound SMB Connection

Disable Windows Firewall Rules via Netsh

Encoding or Decoding Files via CertUtil

Exploit - Detected - Elastic Endpoint Security

Exploit - Prevented - Elastic Endpoint Security

FTP (File Transfer Protocol) Activity to the Internet

Hping Process Activity

IRC (Internet Relay Chat) Protocol Activity to the Internet

Local Scheduled Task Commands

Local Service Commands

Malware - Detected - Elastic Endpoint Security

Malware - Prevented - Elastic Endpoint Security

Mknod Process Activity

MsBuild Making Network Connections

Netcat Network Activity

Network Connection via Compiled HTML File

Network Connection via Mshta

Network Connection via Regsvr

Network Connection via Signed Binary

Network Sniffing via Tcpdump

Nmap Process Activity

Nping Process Activity

Permission Theft - Detected - Elastic Endpoint Security

Permission Theft - Prevented - Elastic Endpoint Security

Persistence via Kernel Module Modification

Potential DNS Tunneling via Iodine

Potential Modification of Accessibility Binaries

Process Injection - Detected - Elastic Endpoint Security

Process Injection - Prevented - Elastic Endpoint Security

Proxy Port Activity to the Internet

PsExec Network Connection

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

Ransomware - Detected - Elastic Endpoint Security

Ransomware - Prevented - Elastic Endpoint Security

SMB (Windows File Sharing) Activity to the Internet

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

Socat Process Activity

Strace Process Activity

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

System Shells via Services

TCP Port 8000 Activity to the Internet

Tor Activity to the Internet

Trusted Developer Application Usage

Unusual Network Connection via RunDLL32

Unusual Parent-Child Relationship

Unusual Process Execution - Temp

Unusual Process Network Connection

User Account Creation

User Discovery via Whoami

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Volume Shadow Copy Deletion via VssAdmin

Volume Shadow Copy Deletion via WMIC

Web Application Suspicious Activity: No User Agent

Windows Script Executing PowerShell

7.6.2

edit

Adobe Hijack Persistence

7.6.1

edit

DNS Activity to the Internet

FTP (File Transfer Protocol) Activity to the Internet

IPSEC NAT Traversal Port Activity

IRC (Internet Relay Chat) Protocol Activity to the Internet

PPTP (Point to Point Tunneling Protocol) Activity

Potential Shell via Web Server

Proxy Port Activity to the Internet

RDP (Remote Desktop Protocol) from the Internet

RDP (Remote Desktop Protocol) to the Internet

RPC (Remote Procedure Call) from the Internet

RPC (Remote Procedure Call) to the Internet

SMB (Windows File Sharing) Activity to the Internet

SMTP on Port 26/TCP

SMTP to the Internet

SQL Traffic to the Internet

SSH (Secure Shell) from the Internet

SSH (Secure Shell) to the Internet

TCP Port 8000 Activity to the Internet

Telnet Port Activity

Tor Activity to the Internet

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet