Update v8.12.25

edit

This section lists all updates associated with version 8.12.25 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Untrusted DLL Loaded by Azure AD Sync Service

Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt to persist or collect sensitive credentials passing through the Azure AD synchronization server.

new

1

Active Directory Forced Authentication from Linux Host - SMB Named Pipes

Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.

update

3

Full User-Mode Dumps Enabled System-Wide

Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.

update

8

Suspicious Module Loaded by LSASS

Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs.

update

9

Modification of WDigest Security Provider

Identifies attempts to modify the WDigest security provider in the registry to force the user’s password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.

update

111

Network Logon Provider Registry Modification

Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.

update

112

Windows Defender Disabled via Registry Modification

Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.

update

115

Microsoft Build Engine Using an Alternate Name

An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.

update

113

Potential DLL Side-Loading via Trusted Microsoft Programs

Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.

update

111

Potential DLL Side-Loading via Microsoft Antimalware Service Executable

Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.

update

111

Renamed AutoIt Scripts Interpreter

Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.

update

111

Suspicious Microsoft Diagnostics Wizard Execution

Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.

update

110

Suspicious Script Object Execution

Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.

update

109

Renamed Utility Executed with Short Program Name

Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.

update

110

Enumeration of Administrator Accounts

Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.

update

114

Enumerating Domain Trusts via NLTEST.EXE

Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.

update

113

Svchost spawning Cmd

Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe

update

217

Mofcomp Activity

Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.

update

3

Suspicious Process Execution via Renamed PsExec Executable

Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.

update

112

Rare SMB Connection to the Internet

This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.

update

7

Potential Ransomware Behavior - High count of Readme files by System

This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.

update

6

First Time Seen Removable Device

Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.

update

8

Potential Modification of Accessibility Binaries

Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

update

112

Potential LSA Authentication Package Abuse

Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.

update

106

Suspicious DLL Loaded for Persistence or Privilege Escalation

Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.

update

113

Potential Port Monitor or Print Processor Registration Abuse

Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.

update

108

Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE’s - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.

update

113

Suspicious Print Spooler SPL File Created

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.

update

113

Service Control Spawned via Script Interpreter

Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.

update

112

UAC Bypass via ICMLuaUtil Elevated COM Interface

Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.

update

110