Start free trial Contact Sales

The Search AI Company

Search, Security, Observability

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Update v8.13.17 Update v8.13.19 »

› › ›

Update v8.13.18

Update v8.13.18

This section lists all updates associated with version 8.13.18 of the Fleet integration Prebuilt Security Detection Rules.

Rule	Description	Status	Version
ROT Encoded Python Script Execution	Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legit python packages.	new	1
Network Connection by Cups or Foomatic-rip Child	This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects network connections initiated by a child processes of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.	new	1
File Creation by Cups or Foomatic-rip Child	This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious file creation events executed by child processes of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.	new	1
Printer User (lp) Shell Execution	This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip parent process through the default printer user (lp). These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.	new	1
Cupsd or Foomatic-rip Shell Execution	This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.	new	1
Suspicious Execution from Foomatic-rip or Cupsd Parent	This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious process command lines executed by child processes of foomatic-rip and cupsd. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.	new	1
Tampering of Shell Command-Line History	Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.	update	107
Potential Reverse Shell Activity via Terminal	Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.	update	109
Potential Privilege Escalation via Sudoers File Modification	A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.	update	104
SUID/SGID Bit Set	An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future.	update	105
Sudoers File Modification	A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.	update	205
AWS STS GetCallerIdentity API Called for the First Time	An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.	update	2
AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session	Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.	update	2
Potential Persistence via File Modification	This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.	update	4
Google Drive Ownership Transferred via Google Workspace	Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.	update	107
Google Workspace Custom Gmail Route Created or Modified	Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain’s mail server for inbound and outbound mail.	update	107
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User	Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.	update	4
Application Removed from Blocklist in Google Workspace	Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.	update	107
Domain Added to Google Workspace Trusted Domains	Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.	update	206
Google Workspace Bitlocker Setting Disabled	Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.	update	107
First Time Seen Google Workspace OAuth Login from Third-Party Application	Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.	update	5
Google Workspace Restrictions for Marketplace Modified to Allow Any App	Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.	update	108
Forwarded Google Workspace Security Alert	Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace’s security alert center provides an overview of actionable alerts that may be affecting an organization’s domain. An alert is a warning of a potential security issue that Google has detected.	update	3
Google Workspace Admin Role Deletion	Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.	update	206
Google Workspace MFA Enforcement Disabled	Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls.	update	208
External User Added to Google Workspace Group	Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.	update	3
Google Workspace Suspended User Account Renewed	Detects when a previously suspended user’s account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.	update	3
Google Workspace Object Copied to External Drive with App Consent	Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim’s drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.	update	7
Application Added to Google Workspace Domain	Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.	update	206
Google Workspace 2SV Policy Disabled	Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.	update	107
Google Workspace Admin Role Assigned to a User	Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.	update	207
Google Workspace API Access Granted via Domain-Wide Delegation	Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data.	update	207
Google Workspace Custom Admin Role Created	Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.	update	206
Google Workspace Password Policy Modified	Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.	update	206
Google Workspace Role Modified	Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.	update	206
Google Workspace User Organizational Unit Changed	Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.	update	107
MFA Disabled for Google Workspace Organization	Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.	update	206
Attempts to Brute Force a Microsoft 365 User Account	Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.	update	310
Microsoft 365 Portal Logins from Impossible Travel Locations	Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.	update	2
Microsoft 365 Portal Login from Rare Location	Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user’s account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or behind a VPN.	update	2
Attempted Bypass of Okta MFA	Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.	update	208
Attempts to Brute Force an Okta User Account	Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.	update	209
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy	Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.	update	3
Multiple Device Token Hashes for Single Okta Session	This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.	update	103
Multiple Okta User Authentication Events with Client Address	Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.	update	2
Multiple Okta User Authentication Events with Same Device Token Hash	Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.	update	2
Okta Brute Force or Password Spraying Attack	Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.	update	209
Potential Okta MFA Bombing via Push Notifications	Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.	update	4
High Number of Okta Device Token Cookies Generated for Authentication	Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.	update	2
Potentially Successful MFA Bombing via Push Notifications	Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.	update	210
Okta User Session Impersonation	A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.	update	208
Attempt to Deactivate an Okta Network Zone	Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.	update	207
Attempt to Delete an Okta Network Zone	Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.	update	207
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials	Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the `okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.	update	2
Attempt to Deactivate an Okta Policy	Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.	update	207
Attempt to Deactivate an Okta Policy Rule	Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization’s security controls.	update	208
Attempt to Delete an Okta Policy	Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.	update	207
Attempt to Delete an Okta Policy Rule	Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization’s security controls.	update	207
Attempt to Modify an Okta Network Zone	Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.	update	207
Attempt to Modify an Okta Policy	Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.	update	207
Attempt to Modify an Okta Policy Rule	Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization’s security controls.	update	208
High Number of Okta User Password Reset or Unlock Attempts	Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target’s environment and evade detection.	update	209
Attempt to Revoke Okta API Token	Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.	update	207
Attempt to Deactivate an Okta Application	Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.	update	207
Attempt to Delete an Okta Application	Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.	update	206
Attempt to Modify an Okta Application	Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.	update	206
Possible Okta DoS Attack	Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization’s business operations by performing a DoS attack against its Okta service.	update	206
First Occurrence of Okta User Session Started via Proxy	Identifies the first occurrence of an Okta user session started via a proxy.	update	2
New Okta Authentication Behavior Detected	Detects events where Okta behavior detection has identified a new authentication behavior.	update	3
Okta FastPass Phishing Detection	Detects when Okta FastPass prevents a user from authenticating to a phishing website.	update	104
Unauthorized Access to an Okta Application	Identifies unauthorized access attempts to Okta applications.	update	207
Okta User Sessions Started from Different Geolocations	Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.	update	102
Okta Sign-In Events via Third-Party IdP	Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).	update	3
Suspicious Activity Reported by Okta User	Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.	update	206
Multiple Okta Sessions Detected for a Single User	Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.	update	3
Okta ThreatInsight Threat Suspected Promotion	Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta’s internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.	update	206
Administrator Privileges Assigned to an Okta Group	Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.	update	206
Administrator Role Assigned to an Okta User	Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target’s environment.	update	206
Attempt to Create Okta API Token	Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization’s network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.	update	206
Attempt to Reset MFA Factors for an Okta User Account	Detects attempts to reset an Okta user’s enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user’s account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim’s environment.	update	207
MFA Deactivation with no Re-Activation for Okta User Account	Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.	update	208
New Okta Identity Provider (IdP) Added by Admin	Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.	update	2
Modification or Removal of an Okta Application Sign-On Policy	Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization’s security controls.	update	207
Stolen Credentials Used to Login to Okta Account After MFA Reset	Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.	update	2
Attempt to Disable IPTables or Firewall	Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.	update	9
Attempt to Disable Syslog Service	Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.	update	110
System Binary Moved or Copied	This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.	update	12
System Log File Deletion	Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.	update	112
SUID/SGUID Enumeration Detected	This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.	update	6
Yum/DNF Plugin Status Discovery	This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.	update	2
Network Connection from Binary with RWX Memory Region	Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.	update	2
Linux Restricted Shell Breakout via Linux Binary(s)	Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.	update	113
Potential Meterpreter Reverse Shell	This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.	update	7
Potential Reverse Shell via UDP	This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.	update	7
Unknown Execution of Binary with RWX Memory Region	Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.	update	3
Suspicious APT Package Manager Execution	Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.	update	4
APT Package Manager Configuration File Creation	Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.	update	3
Suspicious APT Package Manager Network Connection	Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.	update	4
At Job Created or Modified	This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.	update	2
Cron Job Created or Modified	This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.	update	13
DNF Package Manager Plugin File Creation	Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.	update	3
Suspicious File Creation in /etc for Persistence	Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.	update	116
Git Hook Command Execution	This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.	update	2
Git Hook Created or Modified	This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git’s behavior. Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.	update	2
Git Hook Egress Network Connection	This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.	update	2
Git Hook Child Process	This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.	update	2
System V Init Script Created	Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.	update	12
Persistence via KDE AutoStart Script or Desktop File Modification	Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.	update	113
Potential Linux Backdoor User Account Creation	Identifies the attempt to create a new backdoor user by setting the user’s UID to 0. Attackers may alter a user’s UID to 0 to establish persistence on a system.	update	8
Linux Group Creation	Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.	update	6
Linux User Account Creation	Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.	update	6
Linux User Added to Privileged Group	Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.	update	7
Message-of-the-Day (MOTD) File Creation	This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.	update	12
Executable Bit Set for Potential Persistence Script	This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.	update	4
Suspicious rc.local Error Message	This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. This rule detects error messages such as "Connection refused," "No such file or directory," or "command not found" in the syslog log file, which may indicate that the rc.local file has been tampered with.	update	2
Potential Execution of rc.local Script	This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.	update	2
rc.local/rc.common File Creation	This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.	update	114
Shell Configuration Creation or Modification	This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user’s environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.	update	4
SSH Key Generated via ssh-keygen	This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.	update	3
Potential Execution via XZBackdoor	It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.	update	3
Systemd Generator Created	This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.	update	2
Systemd Timer Created	Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.	update	14
Systemd Service Created	This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.	update	14
Systemd Service Started by Unusual Parent Process	Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.	update	3
Systemd-udevd Rule File Creation	Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.	update	6
User or Group Creation/Modification	This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.	update	3
Shadow File Modification	This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.	update	2
Network Connections Initiated Through XDG Autostart Entry	Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.	update	3
Yum Package Manager Plugin File Creation	Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.	update	3
Privilege Escalation via SUID/SGID	Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.	update	2
Potential Sudo Hijacking	Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user’s password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.	update	107
Suspicious Emond Child Process	Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.	update	107
Accepted Default Telnet Port Connection	This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.	update	106
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet	Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.	update	104
Possible FIN7 DGA Command and Control Behavior	This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target’s network.	update	106
IPSEC NAT Traversal Port Activity	This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.	update	105
SMTP on Port 26/TCP	This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.	update	105
RDP (Remote Desktop Protocol) from the Internet	This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.	update	104
VNC (Virtual Network Computing) from the Internet	This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.	update	105
VNC (Virtual Network Computing) to the Internet	This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.	update	105
Potential Network Sweep Detected	This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.	update	8
Potential Network Scan Detected	This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.	update	7
Potential SYN-Based Network Scan Detected	This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.	update	7
RPC (Remote Procedure Call) from the Internet	This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.	update	104
RPC (Remote Procedure Call) to the Internet	This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.	update	104
SMB (Windows File Sharing) Activity to the Internet	This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.	update	104
Exporting Exchange Mailbox via PowerShell	Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.	update	316
Encrypting Files with WinRar or 7z	Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.	update	113
Connection to Commonly Abused Web Services	Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.	update	116
Attempt to Establish VScode Remote Tunnel	Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.	update	2
Potential Credential Access via Windows Utilities	Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.	update	114
NTDS or SAM Database File Copied	Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.	update	114
Potential Credential Access via DCSync	This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.	update	115
Potential Credential Access via LSASS Memory Dump	Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.	update	210
Clearing Windows Event Logs	Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.	update	114
Windows Defender Exclusions Added via PowerShell	Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.	update	112
Disabling Windows Defender Security Settings via PowerShell	Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.	update	112
Process Execution from an Unusual Directory	Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.	update	112
Potential Windows Error Manager Masquerading	Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.	update	109
Microsoft Windows Defender Tampering	Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.	update	114
Mshta Making Network Connections	Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.	update	108
Parent Process PID Spoofing	Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.	update	107
Suspicious .NET Reflection via PowerShell	Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.	update	214
Suspicious CertUtil Commands	Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.	update	110
Unsigned DLL Side-Loading from a Suspicious Folder	Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.	update	9
Execution from Unusual Directory - Command Line	Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.	update	114
Outbound Scheduled Task Activity via PowerShell	Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.	update	109
Suspicious Cmd Execution via WMI	Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.	update	113
Suspicious PowerShell Engine ImageLoad	Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.	update	211
Windows Script Executing PowerShell	Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.	update	112
SMB Connections via LOLBin or Untrusted Process	Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.	update	112
Potential Lateral Tool Transfer via SMB Share	Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.	update	109
Execution via TSClient Mountpoint	Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.	update	111
Remote Execution via File Shares	Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.	update	114
Potential SharpRDP Behavior	Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.	update	108
Remote File Copy to a Hidden Share	Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.	update	111
Remotely Started Services via RPC	Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.	update	113
Remote Scheduled Task Creation	Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.	update	110
Suspicious RDP ActiveX Client Loaded	Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.	update	110
Lateral Movement via Startup Folder	Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.	update	109
Suspicious Startup Shell Folder Modification	Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.	update	113
Local Scheduled Task Creation	Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.	update	108
Startup or Run Key Registry Modification	Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.	update	113
Unsigned DLL Loaded by Svchost	Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.	update	7
Startup Persistence by a Suspicious Process	Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.	update	111
Suspicious Execution via Scheduled Task	Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.	update	109
Disabling User Account Control via Registry Modification	User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.	update	112
Service Control Spawned via Script Interpreter	Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.	update	111
Unusual Parent-Child Relationship	Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.	update	113
Windows Service Installed via an Unusual Client	Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.	update	111

« Update v8.13.17 Update v8.13.19 »

Was this helpful?

Feedback