Update v8.10.3

edit

This section lists all updates associated with version 8.10.3 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

GitHub Protected Branch Settings Changed

This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization’s security posture and leave you exposed for future attacks.

new

1

GitHub Repository Deleted

This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it’s validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.

new

1

Network Activity Detected via cat

This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.

new

1

Potential Meterpreter Reverse Shell

This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.

new

1

Potential Reverse Shell via UDP

This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.

new

1

Threat Intel IP Address Indicator Match

This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.

update

3

Threat Intel Hash Indicator Match

This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.

update

4

Threat Intel Windows Registry Indicator Match

This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.

update

3

Threat Intel URL Indicator Match

This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.

update

3

Unusual Parent Process for cmd.exe

Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.

update

107

Uncommon Registry Persistence Change

Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary’s attempt to persist in a stealthy manner.

update

105

Persistent Scripts in the Startup Directory

Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.

update

108