Update v8.13.16
editUpdate v8.13.16
editThis section lists all updates associated with version 8.13.16 of the Fleet integration Prebuilt Security Detection Rules.
| Rule | Description | Status | Version |
|---|---|---|---|
Identifies the first occurrence of an AWS Security Token Service (STS) |
new |
1 |
|
Identifies when a single AWS resource is making |
new |
1 |
|
Identifies when a single AWS resource is making |
new |
1 |
|
Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements. |
new |
1 |
|
Detects the use of the AWS CLI with the |
new |
1 |
|
Adversaries may attempt to disable the Auditd service to evade detection. Auditd is a Linux service that provides system auditing and logging. Disabling the Auditd service can prevent the system from logging important security events, which can be used to detect malicious activity. |
new |
1 |
|
This rule detects the creation or rename of the Doas configuration file on a Linux system. Adversaries may create or modify the Doas configuration file to elevate privileges and execute commands as other users while attempting to evade detection. |
new |
1 |
|
This rule detects the creation or renaming of the SELinux configuration file. SELinux is a security module that provides access control security policies. Modifications to the SELinux configuration file may indicate an attempt to impair defenses by disabling or modifying security tools. |
new |
1 |
|
This rule detects the deletion of SSL certificates on a Linux system. Adversaries may delete SSL certificates to subvert trust controls and negatively impact the system. |
new |
1 |
|
This rule identifies when the openssl client or server is used to establish a connection. Attackers may use openssl to establish a secure connection to a remote server or to create a secure server to receive connections. This activity may be used to exfiltrate data or establish a command and control channel. |
new |
1 |
|
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score |
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model’s blocklist identified the event as being malicious. |
update |
8 |
Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score |
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model’s blocklist identified the event as being malicious. |
update |
8 |
Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |
update |
209 |
|
Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. |
update |
313 |
|
Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. |
update |
3 |