---
title: Deprecated prebuilt detection rules
description: Deprecated - AWS EC2 Snapshot Activity  Deprecated - AWS EC2 VM Export Failure  Deprecated - AWS ElastiCache Security Group Created  Deprecated - AWS...
url: https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/deprecated-detection-rules
products:
  - Elastic Security
---

# Deprecated prebuilt detection rules

## Cloud

[Deprecated - AWS EC2 Snapshot Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/exfiltration_ec2_snapshot_change_activity) 
[Deprecated - AWS EC2 VM Export Failure](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/exfiltration_ec2_vm_export_failure) 
[Deprecated - AWS ElastiCache Security Group Created](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_elasticache_security_group_creation) 
[Deprecated - AWS ElastiCache Security Group Modified or Deleted](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_elasticache_security_group_modified_or_deleted) 
[Deprecated - AWS RDS Cluster Creation](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_rds_cluster_creation) 
[Deprecated - AWS RDS Instance Creation](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_rds_instance_creation) 
[Deprecated - AWS RDS Instance/Cluster Stoppage](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/impact_rds_instance_cluster_stoppage) 
[Deprecated - AWS RDS Security Group Creation](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_rds_group_creation) 
[Deprecated - AWS RDS Security Group Deletion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/impact_rds_group_deletion) 
[Deprecated - AWS Redshift Cluster Creation](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_redshift_instance_creation) 
[Deprecated - AWS Root Login Without MFA](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_root_login_without_mfa) 
[Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source) 
[Deprecated - Azure Virtual Network Device Modified or Deleted](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/impact_virtual_network_device_modified) 
[Deprecated - Potential Password Spraying of Microsoft 365 User Accounts](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/credential_access_microsoft_365_potential_password_spraying_attack) 

## Container

[Deprecated - SSH Connection Established Inside A Running Container](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_ssh_connection_established_inside_a_container) 
[Deprecated - SSH Process Launched From Inside A Container](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container) 
[Deprecated - SSH Process Launched From Inside A Container via Elastic Defend](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/lateral_movement_ssh_process_launched_inside_container) 

## Endpoint

[Deprecated - CAP_SYS_ADMIN Assigned to Binary](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_cap_sys_admin_added_to_new_binary) 
[Deprecated - Creation of Kernel Module](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_creation_of_kernel_module) 
[Deprecated - Execution of File Written or Modified by PDF Reader](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_pdf_written_file) 
[Deprecated - LaunchDaemon Creation or Modification and Immediate Loading](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_creation_modif_launch_deamon_sequence) 
[Deprecated - Modification of Standard Authentication Module or Configuration](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_credential_access_modify_auth_module_or_config) 
[Deprecated - Network Connection via Sudo Binary](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_netcon_via_sudo_binary) 
[Deprecated - Potential DNS Tunneling via Iodine](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_linux_iodine_activity) 
[Deprecated - Potential Non-Standard Port HTTP/HTTPS connection](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_non_standard_http_port) 
[Deprecated - Potential Non-Standard Port SSH connection](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_non_standard_ssh_port) 
[Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_linux_uid_int_max_bug) 
[Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection) 
[Deprecated - Potential Protocol Tunneling via Chisel Server](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_linux_chisel_server_activity) 
[Deprecated - Potential Pspy Process Monitoring Detected](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/discovery_pspy_process_monitoring_detected) 
[Deprecated - Potential Reverse Shell via Suspicious Parent Process](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux) 
[Deprecated - Potential Successful Linux FTP Brute Force Attack Detected](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/credential_access_potential_successful_linux_ftp_bruteforce) 
[Deprecated - Potential Successful Linux RDP Brute Force Attack Detected](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/credential_access_potential_successful_linux_rdp_bruteforce) 
[Deprecated - Potential curl CVE-2023-38545 Exploitation](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_curl_cve_2023_38545_heap_overflow) 
[Deprecated - Process Termination followed by Deletion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_process_termination_followed_by_deletion) 
[Deprecated - Remote File Creation on a Sensitive Directory](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory) 
[Deprecated - Suspicious File Creation in /etc for Persistence](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_etc_file_creation) 
[Deprecated - Suspicious JAVA Child Process](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_suspicious_jar_child_process) 
[Deprecated - Suspicious Renaming of ESXI index.html File](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_rename_esxi_index_file) 
[Malicious Remote File Creation](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/lateral_movement_malicious_remote_file_creation) 
[Potential Linux Reverse Connection through Port Knocking](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection) 
[Potential Process Herpaderping Attempt](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_potential_processherpaderping) 
[Potential SSH Brute Force Detected on Privileged Account](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root) 
[Reverse Shell Created via Named Pipe](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_reverse_shell_via_named_pipe) 
[Suspicious File Changes Activity Detected](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/impact_potential_linux_ransomware_file_encryption) 
[Suspicious Network Connection Attempt by Root](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session) 

## Unspecified

[AWS RDS Snapshot Export](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/exfiltration_rds_snapshot_export) 
[Attempt to Disable IPTables or Firewall](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall) 
[Auditd Login Attempt at Forbidden Time](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_login_time) 
[Auditd Login from Forbidden Location](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_login_location) 
[Auditd Max Failed Login Attempts](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_login_failures) 
[Auditd Max Login Sessions](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_login_sessions) 
[Base64 Encoding/Decoding Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity) 
[DNS Activity to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_dns_directly_to_the_internet) 
[Deprecated - Agent Spoofing - Mismatched Agent ID](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_agent_spoofing_mismatched_id) 
[Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/threat_intel_filebeat8x) 
[Deprecated - Threat Intel Indicator Match](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/threat_intel_fleet_integrations) 
[Execution via Regsvcs/Regasm](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_via_net_com_assemblies) 
[FTP (File Transfer Protocol) Activity to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet) 
[File and Directory Discovery](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/discovery_file_dir_discovery) 
[GCP Kubernetes Rolebindings Created or Patched](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched) 
[Google Workspace User Group Access Modified to Allow External Access](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access) 
[Hex Encoding/Decoding Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity) 
[IRC (Internet Relay Chat) Protocol Activity to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet) 
[Linux Restricted Shell Breakout via apt/apt-get Changelog Escape](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_apt_binary) 
[Linux Restricted Shell Breakout via awk Commands](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_awk_binary_shell) 
[Linux Restricted Shell Breakout via busybox Shell Evasion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_busybox_binary) 
[Linux Restricted Shell Breakout via c89/c99 Shell evasion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_c89_c99_binary) 
[Linux Restricted Shell Breakout via cpulimit Shell Evasion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_cpulimit_binary) 
[Linux Restricted Shell Breakout via crash Shell evasion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_crash_binary) 
[Linux Restricted Shell Breakout via env Shell Evasion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_env_binary) 
[Linux Restricted Shell Breakout via flock Shell evasion](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_flock_binary) 
[Linux Restricted Shell Breakout via the SSH command](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_ssh_binary) 
[Linux Restricted Shell Breakout via the expect command](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_expect_binary) 
[Linux Restricted Shell Breakout via the find command](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_find_binary) 
[Linux Restricted Shell Breakout via the gcc command](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_gcc_binary) 
[Linux Restricted Shell Breakout via the mysql command](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_mysql_binary) 
[Linux Restricted Shell Breakout via the vi command](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_vi_binary) 
[Mknod Process Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/linux_mknod_activity) 
[Network Connection via Mshta](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_mshta_making_network_connections) 
[Network Sniffing via Tcpdump](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/credential_access_tcpdump_activity) 
[Nmap Process Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/linux_nmap_activity) 
[PPTP (Point to Point Tunneling Protocol) Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_pptp_point_to_point_tunneling_protocol_activity) 
[Persistence via Kernel Module Modification](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_kernel_module_activity) 
[Potential Cross Site Scripting (XSS)](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_cross_site_scripting) 
[Potential Persistence via Cron Job](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_cron_jobs_creation_and_runtime) 
[Potential PrintNightmare Exploit Registry Modification](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification) 
[Potential PrintNightmare File Modification](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_printspooler_malicious_driver_file_changes) 
[Potential Privilege Escalation via Local Kerberos Relay over LDAP](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon) 
[Potential Shell via Web Server](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/persistence_shell_activity_by_web_server) 
[PowerShell spawning Cmd](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_command_shell_started_by_powershell) 
[Process Discovery via Tasklist](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/discovery_process_discovery_via_tasklist_command) 
[Proxy Port Activity to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_proxy_port_activity_to_the_internet) 
[Query Registry via reg.exe](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/discovery_query_registry_via_reg) 
[RDP (Remote Desktop Protocol) to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet) 
[SMTP to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_smtp_to_the_internet) 
[SQL Traffic to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_sql_server_port_activity_to_the_internet) 
[SSH (Secure Shell) from the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet) 
[SSH (Secure Shell) to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet) 
[Setgid Bit Set via chmod](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod) 
[Socat Process Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/linux_socat_activity) 
[Strace Process Activity](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/privilege_escalation_linux_strace_activity) 
[Suspicious Process from Conhost](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_code_injection_conhost) 
[TCP Port 8000 Activity to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_port_8000_activity_to_the_internet) 
[Threat Intel Filebeat Module (v7.x) Indicator Match](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/threat_intel_filebeat7x) 
[Tor Activity to the Internet](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/command_and_control_tor_activity_to_the_internet) 
[Trusted Developer Application Usage](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities) 
[Unusual Process Execution - Temp](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_linux_process_started_in_temp_directory) 
[User Discovery via Whoami](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/discovery_whoami_commmand) 
[Web Application Suspicious Activity: No User Agent](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/apm_null_user_agent) 
[Whitespace Padding in Process Command Line](https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_whitespace_padding_in_command_line)