Rule Release and Changelog

Product Enhancements and New Releases

This document provides details regarding recent rule updates and releases as well as recent web user interface enhancements and changes.

New Rules: July 2022

Release: July 19, 2022

These new rules are made available in your rule selection upon release:


Rule Type: Linux: Audit
Rule Title: Host: Potential Nimbuspwn Exploitation
Rule Filter: event_type = "audit" and command starts_with "networkd-dispat" and arguments starts_with "/etc/networkd-dispatcher/../"
Purpose: This rule alerts on potential exploitation of Nimbuspwn (CVE-2022-29799 and CVE-2022-29800) by alerting on a potential escape from the /etc/networkd-dispatcher/ directory using directory traversal.
Initial Severity: Severity 1

Rule Type: Windows Registry
Rule Title: Event: Windows Defender Features Disabled
Rule Filter: event_type = "winsec" AND win_event_id = "13" AND reg_event = "SetValue" AND target_reg_key starts_with "HKLM\\SOFTWARE\\Microsoft\\Windows Defender" AND (((target_reg_key ends_with "SpyNetReporting" and new_value = "DWORD (0x00000000)") OR target_reg_key ends_with "SubmitSamplesConsent" AND new_value = "DWORD (0x00000000)") or (target_reg_key ends_with "DisableRealtimeMonitoring" AND new_value = "DWORD (0x00000001)"))
Purpose: Alerts when one of the following Windows Defender features is disabled: Real-Time Protection, Cloud-delivered Protection, Automatic Sample Submission.
Initial Severity: Severity 1

Rule Type: Windows
Rule Title: Potential CVE-2022-30190 Follina Exploitation Detected
Rule Filter: (win_event_id = "1" or win_event_id = "4688") and exe ends_with "msdt.exe" and (parent_name ends_with "WINWORD.EXE" or parent_name ends_with "EXCEL.EXE" or parent_name ends_with "POWERPNT.EXE" or parent_name ends_with "OUTLOOK.EXE" or parent_name ends_with "MSPUB.EXE" or parent_name ends_with "VISIO.EXE")
Purpose: This rule alerts on potential exploitation of CVE-2022-30190 Follina by looking for execution of the Microsoft Windows Support Diagnostic Tool with an MS Office parent executable.
Initial Severity: Severity 1

Rule Type: Windows
Rule Title: Suspicious MSDT Execution, Potential CVE-2022-30190 Follina Exploitation
Rule Filter: exe ends_with "msdt.exe" and (command like "IT_RebrowseForFile" and command like "IT_BrowseForFile")
Purpose: This rule alerts on suspicious execution of the Microsoft Windows Support Diagnostic Tool, which may indicate exploitation of CVE-2022-30190 Follina.
Initial Severity: Severity 1

Rule Type: Windows
Rule Title: Host: Potential Kerberos Relay attack
Rule Filter: win_event_id = "4624" AND src_port != "0" AND src_ip = "127.0.0.1" and auth_package = "Kerberos" and logon_type = "3" and sid ends_with "500"
Purpose: Signature-based rule to capture a potential Kerberos relay attack.
Initial Severity: Severity 1

Rule Type: Windows
Rule Title: Sysmon: MSDT Usage
Rule Filter: event_type = "winsec" and win_event_id = "1" and exe ends_with "msdt.exe"
Purpose: This rule alerts on usage of the Microsoft Support Diagnostic Tool. While it is a legitimate tool, it has been exploited to achieve code execution and can be used to bypass application whitelisting.
Initial Severity: Severity 1

Rule Type: Windows
Rule Title: Host: MSDT Usage
Rule Filter: event_type = "winsec" and win_event_id = "4688" and exe ends_with "msdt.exe"
Purpose: This rule alerts on usage of the Microsoft Support Diagnostic Tool. While it is a legitimate tool, it has been exploited to achieve code execution and can be used to bypass application whitelisting.
Initial Severity: Severity 2

Rule Type: Windows File
Rule Title: File: Windows Host File Activity
Rule Filter: C:\Windows\System32\drivers\etc\hosts
Purpose: Captures modifications of the Windows hosts file.
Initial Severity: Severity 2

Rule Type: Cloudtrail
Rule Title: CloudTrail: S3: Successful Anonymous Bucket Access
Rule Filter: event_type = "cloudtrail" AND eventSource = "s3.amazonaws.com" AND (error = null or error = "") AND (eventName starts_with "Delete" OR eventName starts_with "Put") AND (userIdentityaccountId = "ANONYMOUS_PRINCIPAL" and (user = "" OR user = null))
Purpose: Captures successful anonymous access to S3 buckets.
Initial Severity: Severity 1

Rule Type: Cloudtrail
Rule Title: CloudTrail: S3 bucket Encryption Changes
Rule Filter: eventSource = "s3.amazonaws.com" and (eventName = "PutBucketEncryption" or eventName = "DeleteBucketEncryption")
Purpose: The rule alerts when a user makes changes to an S3 bucket's encryption settings.
Initial Severity: Severity 2

Rule Type: Cloudtrail
Rule Title: CloudTrail: Root User Programmatic Access
Rule Filter: user = "root" and event_type = "cloudtrail" and accessKey starts_with "AKIA"
Purpose: Captures root user programmatic activity, which does not align with AWS best practices.
Initial Severity: Severity 1

Rule Type: Docker Audit
Rule Title: Container: Exploit: Process Activity from /dev/shm
Rule Filter: containerId != null and ((event_type = "audit" and (type = "connect" or type = "accept" or type = "start") and (exe starts_with "/dev/shm/")) or (event_type = "audit" and (type = "connect" or type = "accept" or type = "start") and (cwd starts_with "/dev/shm/" or cwd = "/dev/shm")) or ((exe = "/bin/bash" or exe = "/bin/sh") and arguments like "/dev/shm/"))
Purpose: This rule captures potentially malicious activity of a process running from the /dev/shm directory inside a container.
Initial Severity: Severity 1

Rule Type: Container: File
Rule Title: Container: Containerd File Change
Rule Filter (monitored paths):
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs/etc *recursive*
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs/usr/bin
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs/usr/sbin
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs/lib
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs/bin
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs/sbin
  /run/containerd/io.containerd.runtime.v2.task/*/*/rootfs/bin
  /run/containerd/io.containerd.runtime.v2.task/*/*/rootfs/sbin
  /run/containerd/io.containerd.runtime.v2.task/*/*/rootfs/lib
  /run/containerd/io.containerd.runtime.v2.task/*/*/rootfs/etc *recursive*
  /run/containerd/io.containerd.runtime.v2.task/*/*/rootfs/usr/bin
  /run/containerd/io.containerd.runtime.v2.task/*/*/rootfs/usr/sbin
Purpose: This filter monitors FIM activity for containerized environments leveraging containerd. Requires agent 3.0 or higher.
Initial Severity: Severity 2
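To make the filter semantics concrete, the following is an added example (it is not the rule vendor's code) that re-expresses three of the July 2022 Windows rule filters as Python predicates and runs them over constructed Sysmon and Security events. Field names follow the filters above. Two things are assumed: a doubled backslash inside a quoted filter string stands for one backslash, and the string operators (=, starts_with, ends_with) are exact, case-sensitive matches, since the page does not say whether the product folds case.

```python
"""Added example, not the rule vendor's code: three July 2022 Windows rule
filters re-expressed as Python predicates and run over constructed events.
Assumptions: '\\\\' inside a quoted filter string is one backslash, and the
string operators are exact, case-sensitive matches."""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]


def _s(ev: Event, field: str) -> str:
    """Field as a string; a missing or null field compares as an empty string."""
    v = ev.get(field)
    return "" if v is None else str(v)


def follina(ev: Event) -> bool:
    """Potential CVE-2022-30190 Follina Exploitation Detected: msdt.exe spawned by Office."""
    office = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "MSPUB.EXE", "VISIO.EXE")
    return (ev.get("win_event_id") in ("1", "4688")
            and _s(ev, "exe").endswith("msdt.exe")
            and _s(ev, "parent_name").endswith(office))


def defender_disabled(ev: Event) -> bool:
    """Event: Windows Defender Features Disabled (Sysmon event 13, SetValue)."""
    key, val = _s(ev, "target_reg_key"), _s(ev, "new_value")
    zero, one = "DWORD (0x00000000)", "DWORD (0x00000001)"
    return (ev.get("event_type") == "winsec" and ev.get("win_event_id") == "13"
            and ev.get("reg_event") == "SetValue"
            and key.startswith(r"HKLM\SOFTWARE\Microsoft\Windows Defender")
            # the filter's "(A and B) OR C AND D" groups as "(A and B) or (C and D)"
            and ((key.endswith("SpyNetReporting") and val == zero)
                 or (key.endswith("SubmitSamplesConsent") and val == zero)
                 or (key.endswith("DisableRealtimeMonitoring") and val == one)))


def kerberos_relay(ev: Event) -> bool:
    """Host: Potential Kerberos Relay attack: network logon from loopback as a *500 SID."""
    return (ev.get("win_event_id") == "4624" and _s(ev, "src_port") != "0"
            and _s(ev, "src_ip") == "127.0.0.1" and _s(ev, "auth_package") == "Kerberos"
            and _s(ev, "logon_type") == "3" and _s(ev, "sid").endswith("500"))


RULES: Dict[str, Callable[[Event], bool]] = {
    "Potential CVE-2022-30190 Follina Exploitation Detected": follina,
    "Event: Windows Defender Features Disabled": defender_disabled,
    "Host: Potential Kerberos Relay attack": kerberos_relay,
}

_DEF = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
_LOGON = {"win_event_id": "4624", "src_port": "49832", "src_ip": "127.0.0.1",
          "auth_package": "Kerberos", "logon_type": "3"}

SAMPLE_EVENTS: List[Event] = [  # all constructed for this example
    {"id": "e1", "win_event_id": "1", "exe": r"C:\Windows\System32\msdt.exe",
     "parent_name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": "e2", "win_event_id": "1", "exe": r"C:\Windows\System32\msdt.exe",
     "parent_name": r"C:\Windows\explorer.exe"},          # user-launched troubleshooter
    {"id": "e3", "event_type": "winsec", "win_event_id": "13", "reg_event": "SetValue",
     "target_reg_key": _DEF + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "new_value": "DWORD (0x00000001)"},                  # real-time protection turned off
    {"id": "e4", "event_type": "winsec", "win_event_id": "13", "reg_event": "SetValue",
     "target_reg_key": _DEF + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "new_value": "DWORD (0x00000000)"},                  # turned back on: no alert
    {"id": "e5", "event_type": "winsec", "win_event_id": "13", "reg_event": "SetValue",
     "target_reg_key": _DEF + r"\Spynet\SpyNetReporting",
     "new_value": "DWORD (0x00000000)"},                  # cloud-delivered protection off
    {"id": "e6", "event_type": "winsec", "win_event_id": "13", "reg_event": "SetValue",
     "target_reg_key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                       r"\Real-Time Protection\DisableRealtimeMonitoring",
     "new_value": "DWORD (0x00000001)"},                  # policy key: outside the filter's prefix
    {"id": "e7", **_LOGON, "sid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"id": "e8", **_LOGON, "sid": "S-1-5-21-1111111111-2222222222-3333333333-1500"},
    {"id": "e9", **_LOGON, "logon_type": "2",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333-500"},  # interactive, not network
]


def evaluate(events: List[Event],
             rules: Dict[str, Callable[[Event], bool]] = RULES) -> List[Tuple[str, str]]:
    """Return (event id, rule title) for every rule each event satisfies."""
    return [(ev["id"], title) for ev in events for title, pred in rules.items() if pred(ev)]


if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Two of the constructed events are there for tuning rather than detection: e6 shows that a Defender setting written under the Group Policy key (HKLM\SOFTWARE\Policies\...) falls outside the rule's starts_with prefix and needs its own filter if that path matters in your estate, and e8 shows that sid ends_with "500" also matches any RID that merely ends in 500 (here 1500), so a cloned copy of the Kerberos relay rule can use ends_with "-500" to restrict it to the built-in Administrator account.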

Updated Filters

Release: July 19, 2022

Rule Type: Cloudtrail
Rule Title: CloudTrail: EC2 Wide Open Security Group
Old Filter: eventName = "AuthorizeSecurityGroupIngress" and cidrIp = "0.0.0.0/0"
New Filter: eventName = "AuthorizeSecurityGroupIngress" and (cidrIpv6 = "::/0" OR cidrIp = "0.0.0.0/0")
Purpose of Change: Capture wide-open IPv6 ranges as well.

Rule Type: Cloudtrail
Rule Title: CloudTrail: S3
Old Filter: eventSource = "s3.amazonaws.com" and (eventName = "PutBucketPolicy" or eventName = "DeleteBucketPolicy" or eventName = "PutBucketAcl" or eventName = "DeleteBucketLifeCycle" or eventName = "PutBucketLifecycle" or eventName = "PutBucketReplication" or eventName = "PutBucketLogging")
New Filter: eventSource = "s3.amazonaws.com" AND (eventName like "Bucket" AND (eventName starts_with "Put" OR eventName starts_with "Delete" OR eventName starts_with "Create")) AND (eventName != "DeleteBucket" AND eventName != "CreateBucket")
Purpose of Change: Updated the filter to be more inclusive of additional events.

Rule Type: Login
Rule Title: Linux Root Login from LAN
Old Filter: "login" and user != "root" and address != null and (address = "10.0.0.0/8" or address = "172.16.0.0/12" or address = "192.168.0.0/16" or address = "fd00::/8" or address = "169.254.0.0/16" or address = "fc00::/7")
New Filter: "login" and user != "root" and address != null and (address = "10.0.0.0/8" or address = "172.16.0.0/12" or address = "192.168.0.0/16" or address = "fd00::/8" or address = "169.254.0.0/16" or address = "fc00::/7")
Purpose of Change: Addressed syntax issues with our login filters.

Rule Type: Windows
Rule Title: Sysmon: Image Loaded Possible Mimikatz
Old Filter: event_type = "winsec" and win_event_id = "10" and parent_exe = "C:\\windows\\system32\\lsass.exe" and access = "0x1410"
New Filter: event_type = "winsec" and win_event_id = "10" and target_exe = "C:\\Windows\\system32\\lsass.exe" and (access = "0x1410" or access = "0x1010")
Purpose of Change: Addressed syntax issues.
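The following is an added example (not the vendor's code) that writes the EC2 security-group and S3 filter changes from this table as old-versus-new predicates and runs them over constructed CloudTrail records, so the events each revision catches or misses are visible side by side. How the product flattens the raw requestParameters of an AuthorizeSecurityGroupIngress record into its cidrIp and cidrIpv6 fields is not stated on the page; cidr_fields() below is this example's own assumption, based on the CloudTrail record layout (requestParameters.ipPermissions.items[].ipRanges / ipv6Ranges), and "like" is read as a substring match.

```python
"""Added example (not the vendor's code): the July 2022 filter updates for
'CloudTrail: EC2 Wide Open Security Group' and 'CloudTrail: S3' as old-vs-new
predicates over constructed CloudTrail records. cidr_fields() is an assumed
flattening of requestParameters; the page does not document the product's."""
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

Record = Dict[str, Any]
Predicate = Callable[[Record], bool]


def cidr_fields(rec: Record) -> Iterator[Tuple[Optional[str], Optional[str]]]:
    """Yield (cidrIp, cidrIpv6) pairs from requestParameters.ipPermissions.items[]."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for r in perm.get("ipRanges", {}).get("items", []):
            yield r.get("cidrIp"), None
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield None, r.get("cidrIpv6")


def sg_old(rec: Record) -> bool:
    """Old filter: eventName = "AuthorizeSecurityGroupIngress" and cidrIp = "0.0.0.0/0"."""
    return (rec.get("eventName") == "AuthorizeSecurityGroupIngress"
            and any(v4 == "0.0.0.0/0" for v4, _ in cidr_fields(rec)))


def sg_new(rec: Record) -> bool:
    """New filter also accepts cidrIpv6 = "::/0", so an IPv6 any-source rule is caught."""
    return (rec.get("eventName") == "AuthorizeSecurityGroupIngress"
            and any(v6 == "::/0" or v4 == "0.0.0.0/0" for v4, v6 in cidr_fields(rec)))


S3_OLD_NAMES = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                "DeleteBucketLifeCycle", "PutBucketLifecycle",
                "PutBucketReplication", "PutBucketLogging"}


def s3_old(rec: Record) -> bool:
    """Old filter: a fixed list of bucket-configuration calls."""
    return rec.get("eventSource") == "s3.amazonaws.com" and rec.get("eventName") in S3_OLD_NAMES


def s3_new(rec: Record) -> bool:
    """New filter: any Put*/Delete*/Create* call whose name contains "Bucket",
    except CreateBucket and DeleteBucket themselves."""
    name = rec.get("eventName") or ""
    return (rec.get("eventSource") == "s3.amazonaws.com" and "Bucket" in name
            and name.startswith(("Put", "Delete", "Create"))
            and name not in ("DeleteBucket", "CreateBucket"))


def _sg(event_id: str, **ranges: List[str]) -> Record:
    """Constructed AuthorizeSecurityGroupIngress record opening TCP/22 to the given CIDRs."""
    perm = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
            "ipRanges": {"items": [{"cidrIp": c} for c in ranges.get("v4", [])]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in ranges.get("v6", [])]}}
    return {"eventID": event_id, "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "requestParameters": {"groupId": "sg-0123456789abcdef0",  # placeholder id
                                  "ipPermissions": {"items": [perm]}}}


def _s3(event_id: str, name: str) -> Record:
    """Constructed S3 management record with only the fields the filters read."""
    return {"eventID": event_id, "eventSource": "s3.amazonaws.com", "eventName": name}


SAMPLE_RECORDS: List[Record] = [        # all constructed for this example
    _sg("sg-1", v4=["0.0.0.0/0"]),      # SSH open to the IPv4 internet
    _sg("sg-2", v6=["::/0"]),           # SSH open to the IPv6 internet
    _sg("sg-3", v4=["10.0.0.0/8"]),     # private range only
    _s3("s3-1", "PutBucketPolicy"),
    _s3("s3-2", "PutBucketVersioning"), # not in the old list
    _s3("s3-3", "CreateBucket"),        # explicitly excluded by the new filter
    _s3("s3-4", "PutObject"),           # object write, not a bucket setting
]

PAIRS: Dict[str, Tuple[Predicate, Predicate]] = {"sg": (sg_old, sg_new), "s3": (s3_old, s3_new)}


def classify(records: List[Record]) -> Dict[str, str]:
    """Map eventID -> 'both' | 'new only' | 'old only' | 'neither' for its rule pair."""
    out: Dict[str, str] = {}
    for rec in records:
        old, new = PAIRS[rec["eventID"].split("-")[0]]
        o, n = old(rec), new(rec)
        out[rec["eventID"]] = "both" if o and n else "new only" if n else "old only" if o else "neither"
    return out


if __name__ == "__main__":
    for event_id, verdict in classify(SAMPLE_RECORDS).items():
        print(f"{event_id}: {verdict}")
```

Running it shows sg-2 (an IPv6 ::/0 ingress rule) and s3-2 (PutBucketVersioning) as "new only": both were invisible to the old filters, which is the gap the table's purpose column describes.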

New Rules: March 2022

Release: April 18, 2022

These new rules are made available in your rule selection upon release:

Rule Type: Linux: Audit
Rule Title: Exploit: Potential CVE-2022-25636 Exploit
Rule Filter: command = "unshare" and arguments starts_with "unshare -Urnm"
Purpose: Captures and alerts on potential indications of CVE-2022-25636. Reference: https://github.com/Bonfee/CVE-2022-25636
Initial Severity: Severity 1

Release: April 18, 2022

These default filter modifications are available via a cloned update of the rule, which you can obtain from your Security Solution Engineer or directly apply to your existing rules by editing the default filters in your rulesets. Please reach out to your Customer Success team for further assistance with this.

Updated Filters

Rule Type: Windows: Host
Rule Title: Host: Potential CVE-2021-1675 Print Nightmare Detected
Old Filter: win_event_id = "11" and exe = "C:\\Windows\\System32\\spoolsv.exe" and target_file starts_with "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
New Filter: win_event_id = "11" and exe = "C:\\Windows\\System32\\spoolsv.exe" and target_file starts_with "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\"
Purpose of Change: Remediates false positive issues associated with benign Windows updates.

New Rules: February 2022

Release: February 28, 2022

These new rules are made available in your rule selection upon release:

Rule Type: Windows: Host
Rule Title: Host: Pastebin Connection
Rule Filter: (win_event_id = "1" and command like "pastebin") OR ((win_event_id = "3" or win_event_id = "22") and dst_host like "pastebin")
Purpose: Captures connections to Pastebin, which can be used to host malware that is then downloaded and executed on a machine.

Rule Type: Windows: Host
Rule Title: Host: Process execution out of C:\Users\Public\Documents
Rule Filter: (win_event_id = "4688" or win_event_id = "1") and exe starts_with "C:\\Users\\Public\\Documents\\"
Purpose: Captures execution of processes from the "C:\Users\Public\Documents" directory, which is a common place for malware to execute in Windows environments.

Rule Type: Windows: Host
Rule Title: Host: Connection to Discord CDN
Rule Filter: (win_event_id = "22" or win_event_id = "3") and dst_host = "cdn.discordapp.com"
Purpose: Captures connections to the Discord CDN, which has been used to host malware that is then downloaded and executed on a machine.

Rule Type: Linux: Audit
Rule Title: Host: Download from Pastebin
Rule Filter: (command = "wget" or command = "curl") and arguments like "pastebin"
Purpose: Captures connections to Pastebin, which can be used to host malware that is then downloaded and executed on a machine.

Rule Type: Cloudtrail
Rule Title: Delete VPC Flow Logs
Rule Filter: event_type = "cloudtrail" AND eventName = "DeleteVPCFlowLogs"
Purpose: Captures VPC Flow Logs being deleted; these logs contain important telemetry about IP traffic to and from VPCs.

Rule Type: Cloudtrail
Rule Title: Retrieve EC2 Password Data
Rule Filter: event_type = "cloudtrail" AND eventName = "GetPasswordData"
Purpose: Captures users attempting to retrieve the encrypted administrator credential for Windows EC2 instances.

New Rules: January 2022

Release: January 31, 2022

These new rules are made available in your rule selection upon release:

Rule Type: Linux: Audit
Rule Title: Exploit: PHP File created with Base64 String
Rule Filter: arguments starts_with "sh -c echo \"<?php eval(base64_decode" and arguments ends_with "php"
Purpose: Captures PHP files created with a Base64 string, which is a common mechanism to obfuscate malware.

Rule Type: Linux: Audit
Rule Title: Exploit: PTrace Activity Detected
Rule Filter: event_type = "audit" AND type = "ptrace"
Purpose: Captures "ptrace" system call activity, which has occasional legitimate uses but is rare and is associated with command injection.

Rule Type: Windows: Host
Rule Title: Host: Potential CVE 2021-1675 Print Nightmare Detected
Rule Filter: win_event_id = "11" and exe = "C:\Windows\System32\spoolsv.exe" and target_file starts_with "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
Purpose: Captures signatures associated with CVE 2021-1675, which affects Windows domain controllers.

Rule Type: Linux: Audit
Rule Title: Exploit: pkexec activity by a non root user
Rule Filter: (command = "pkexec" or parent_metadata.exe = /usr/bin/pkexec) and user != "root"
Purpose: Captures use of "pkexec" by a non-root user, which is anomalous activity and a signature associated with the PwnKit CVE (CVE-2021-4034).

Rule Type: Cloudtrail
Rule Title: CloudTrail: AWS Config Activity
Rule Filter: event_type = "cloudtrail" AND eventSource = "config.amazonaws.com" AND (eventName starts_with "Delete" OR eventName starts_with "Put" OR eventName starts_with "Start" OR eventName starts_with "Stop" OR eventName starts_with "Select")
Purpose: Captures AWS Config activity.

Rule Type: Linux: Host
Rule Title: Host: Failed Authentication
Rule Filter: event_type = "host" AND group = "authentication_failed"
Purpose: Captures failed authentication attempts.

Updated Filters

Release: January 31, 2022

These default filter modifications are available via a cloned update of the rule which can be obtained from your Security Solution Engineer or can be directly applied to your existing rules by editing the default filters in your rulesets. Please reach out to your Customer Success team for further assistance with this.

Rule Type: Linux: Audit
Rule Title: Docker: Kubectl Commands
Old Filter: event_type = "audit" and containerId != null and tty != null and command = "kubectl"
New Filter: containerId != null and event_type = "audit" and (command = "cloud-controller-manager" or command = "federation-apiserver" or command = "federation-controller-manager" or command = "kube-apiserver" or command = "kube-controller-manager" or command = "kube-proxy" or command = "kube-scheduler" or command = "kubelet" or command = "kubectl" or command = "kubeadm" or command = "kubefed")
Purpose of Change: Expands the set of commands flagged for review that are associated with interacting with a Kubernetes cluster.

Default Suppressions

Release: January 31, 2022

These default suppression modifications are available via a cloned update of the rule which can be obtained from your Security Solution Engineer or can be directly applied to your existing rules by editing the default suppressions in your rulesets. Please reach out to your Customer Success team for further assistance with this.

Rule: All File Alerts (Linux, Docker, Windows)
Suppression Value: arguments = "" and command = "" and (session > 4294967200 or (session = 0 and pid = 0) or (session = 0 and uid = "-1") or (session = 0 and uid = "0") or (session = null and uid = null))
Purpose: Suppresses false positives associated with how the agent captures FIM events, as well as inode flips within the Linux file system.

Rule: Cloudtrail: EC2 Service Changes
Suppression Value: user = "ElasticLoadBalancing" AND ip = "elasticloadbalancing.amazonaws.com" AND eventSource = "ec2.amazonaws.com" AND arnRole = "assumed-role/AWSServiceRoleForElasticLoadBalancing/ElasticLoadBalancing" AND eventName like "NetworkInterface"
Purpose: Suppresses Elastic Load Balancing activity.

Rule: Cloudtrail: VPC Interface Changes
Suppression Value: user = "ElasticLoadBalancing" AND ip = "elasticloadbalancing.amazonaws.com" AND arnRole = "assumed-role/AWSServiceRoleForElasticLoadBalancing/ElasticLoadBalancing"
Purpose: Suppresses Elastic Load Balancing activity.

Assorted Syntax Fixes

Release: January 31, 2022

These modifications are available via a cloned update of the rule which can be obtained from your Security Solution Engineer or can be directly applied to your existing rules by editing the associated rules. Please reach out to your Customer Success team for further assistance with this.

Renamed "Docker: EC2 Instance Metadata Communication" to "Docker: Cloud Instance Metadata Communication", as the 169.254.169.254 IP address is used by Azure and GCP in addition to Amazon.

Added {arguments} as a default aggregate field for all Linux and Docker alert titles under the "base" and "docker" rulesets for improved alert grouping.
