diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 7b00832a1..ebbf2c56e 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -7,15 +7,15 @@ }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "2d0d2aab14f6820318d2d580ab212ecacd2dd9da502d4d0af749a8d092f2d655", + "sha256": "9fa5bb58f3f3b4c55a18dcad65a001a8a4217afcc2ced7112a1e295bcb5a79a2", "type": "eql", - "version": 320 + "version": 321 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", - "sha256": "a205cef434fbf0d0d84f26733b53e949d9a58f1632332b890a8f21dde8e8c9dd", + "sha256": "2fa22b5ffca90b0b5dda594ac010099051455bf90a1290e366e75c3f6c31f353", "type": "eql", - "version": 421 + "version": 422 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", @@ -25,9 +25,9 @@ }, "00546494-5bb0-49d6-9220-5f3b4c12f26a": { "rule_name": "Uncommon Destination Port Connection by Web Server", - "sha256": "d66a80e6e6ca1221629a7e83ea80f4049b04fb3621a3e157094b7a9ae187e8e6", + "sha256": "7dc587f4807bf20137a0a7d3a415b2807d481a1dd245b423be1d9addca63dff9", "type": "eql", - "version": 5 + "version": 6 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", @@ -104,9 +104,9 @@ }, "02a4576a-7480-4284-9327-548a806b5e48": { "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "62e97c7d00aad9eb5dba5a59ca2ea7e2ef5f9d11050504af0511e9efd98ac08f", + "sha256": "6089c2d9e1a728c906a10e30c7d3eca6eb9962492dde251a805ef9e7b97f8ee6", "type": "eql", - "version": 311 + "version": 312 }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { "min_stack_version": "9.4", 
@@ -150,9 +150,9 @@ }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "c836e54087ae1a8a3025909185da467587d5d132e8768294fe6772628655b8b4", + "sha256": "65e29cfdd640c3d225586aceda29585c5bc3a9e76ff34a0764f403094b8c9ade", "type": "threshold", - "version": 217 + "version": 218 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": "Potential Memory Seeking Activity", @@ -244,9 +244,9 @@ }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Suspicious Microsoft Antimalware Service Execution", - "sha256": "93d329e98993f74917716c1cbea7708ebbe928e0462d3ae4e8452abe7d55a5c9", + "sha256": "c4b43d411a14ed5441f18c7ac996e4d2ca17ce62a46155c9b8ef8a35e8e612f9", "type": "eql", - "version": 218 + "version": 219 }, "054853f3-2ce0-41f3-a6eb-4a4867f39cdc": { "rule_name": "M365 Defender Alerts Signal", @@ -262,9 +262,9 @@ }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "d45133e84dadf2565b8c9a77c4d1aaeb9da6db1a4c0e9d34f47abe0d7f132150", + "sha256": "489f0b6d8e4c6a6b209771bd6fe6a15862f20fa603d6b726a5b1c1446bfb9099", "type": "eql", - "version": 219 + "version": 220 }, "05a50000-9886-4695-ad33-3f990dc142e2": { "min_stack_version": "9.3", @@ -333,9 +333,9 @@ }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "5692672842a48f71b5253c44265eadb1b0fe0e9353616597fe1608fe528785cd", + "sha256": "61186ac011e99a690ffc2ca0232ca0d4c1a56577cd1b882fc838f4adec3b1372", "type": "eql", - "version": 214 + "version": 215 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "rule_name": "Dynamic Linker (ld.so) Creation", 
@@ -345,9 +345,9 @@ }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", - "sha256": "3fcc019c9f5bafedd7220926e16a82edef38b3eeca1d87114c9896a1ae0dd7f7", + "sha256": "e0fc6fce12b37afcc2729cc67ce98534a81f241684b19f9763e9f1220fd3d190", "type": "eql", - "version": 219 + "version": 220 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Prevented- Elastic Defend", @@ -357,9 +357,9 @@ }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "60dd574dfe52985d607114c10bf8314dc37801dd9564da1880d7b939d3deef13", + "sha256": "b61bad8552dae17b256c73cb62eb7e5240586363ca2bdfae7dce74ffc35cb129", "type": "eql", - "version": 317 + "version": 318 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "rule_name": "GitHub Protected Branch Settings Changed", @@ -375,9 +375,9 @@ }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "418d19ba1253b26f0ecc3538338efad9c21c676ed4e9c4febe14c040a2c3c0ea", + "sha256": "e5ead4056278a234ee157310599f05d05e66fe7be04c4658c711e90a8fbfdd8e", "type": "eql", - "version": 320 + "version": 321 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", @@ -399,9 +399,9 @@ }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", - "sha256": "331bb08ecfb91660802ea7596bce628106de1d55504aa794724136799f9689e2", + "sha256": "df58a717def18bd6b87e4ee7c0b9b92e104cfaef8714f6029f3f4cc26a4c2f7a", "type": "esql", - "version": 10 + "version": 11 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", 
@@ -411,9 +411,9 @@ }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "rule_name": "First Time Seen Removable Device", - "sha256": "9d8dee0764bf2d1de0f34a639b583202562518bd60359cc1e1da1c4188135df1", + "sha256": "8d49ac6a7e4266309a445287ddba7de4a7c3953b54030f6bb1b22a2579d6e607", "type": "new_terms", - "version": 213 + "version": 214 }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", @@ -561,9 +561,9 @@ }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", - "sha256": "61bf77d6035d6c58759497860fd9dd5490f830db4c9aa91188271e861a7dcc9f", + "sha256": "02414f778b92b4c687768c61989adb3f2b632c354674ecf7c580d1e549cdba9b", "type": "query", - "version": 220 + "version": 221 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", @@ -585,9 +585,9 @@ }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "b45c9b32d0985a63a0b8a30e5fce78e9384ffa3ab2505761bd8bf9c987ca5449", + "sha256": "438c321a47c109bde474d6eeb1ea633ec7f60705edf876aaaa4b0a8dfec1af2b", "type": "eql", - "version": 111 + "version": 112 }, "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "rule_name": "Elastic Defend and Network Security Alerts Correlation", @@ -627,9 +627,9 @@ }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", - "sha256": "4f07ea069c2931b241dbf307642e681d91e8f159163bbb1a57d9ed0f4f88eeff", + "sha256": "156bd381d564774d81e1860d26cfc6d4a84a75a320968e06ed2b550945efaa1c", "type": "eql", - "version": 315 + "version": 316 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", 
@@ -655,9 +655,9 @@ }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", - "sha256": "9d095c731b4c2d46ef473af7f62cb760bc1290a8a9ef4788e231d9ecebfdaecf", + "sha256": "b8b8dd78b8c6c7dc7963683187e44adf10d7f96d6f8fb08ea9d8a6f1015f376b", "type": "esql", - "version": 7 + "version": 8 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated", @@ -673,9 +673,9 @@ }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", - "sha256": "8b4df6f62ced7df33133c2b7bf594a3898364a219f4befbc8f671bf99e073c69", + "sha256": "51e32252c859489884ccd4518fe7dae46ab0cea3f05342fccdf9a5b466fc0e2c", "type": "esql", - "version": 9 + "version": 10 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", 
@@ -695,27 +695,27 @@ "8.19": { "max_allowable_version": 204, "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "e8e890e29bae445289f8b01d876a2e1d4ac019f41b7a8a5192b0a53d6e20c1dc", + "sha256": "26ed2013c1d78f46c69814d77905908c7c0bb10e421da7bd59937e75d0f01fef", "type": "esql", - "version": 106 + "version": 107 } }, "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "630d7857ba7bfc940f96a7fd106a6ac040e6a4a6e39bbf8e84d7acdb27704e01", + "sha256": "77f473d39331e99c4f5139d471dc7043828fe6b9f3f0cddcf60878264857b71a", "type": "esql", - "version": 207 + "version": 208 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", - "sha256": "7aff08d29ead13e4514a8f4d8ec07442b5d0682d2fcfc0107c6f5e7fb64e7567", + "sha256": "6319c31a290d00e0983d81b1971155caa96f3687a61721f79286857c1bbbbab0", "type": "esql", - "version": 4 + "version": 5 }, "0e42f920-047d-4568-b961-2a50db6c4713": { "rule_name": "Potential Persistence via Mandatory User Profile", - "sha256": "12e7983cbf86322df7efb2239c16032fdaa348da475137cad5eb129c5a54d4dc", + "sha256": "b8d61454cd6ec06100946627852de41f7198a191f70683750b03297e6247a441", "type": "eql", - "version": 2 + "version": 3 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", @@ -749,9 +749,9 @@ }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", - "sha256": "2d92ab04902fb83022f6920b2f0d2a5458f43dc2e662048624e594963673c582", + "sha256": "1d2f40489c68453c001300064c4191b3c1118961bcbf8f98ef0ae3d7af2a7f6a", "type": "eql", - "version": 215 + "version": 216 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "9.3", 
@@ -765,9 +765,9 @@ } }, "rule_name": "Sensitive Audit Policy Sub-Category Disabled", - "sha256": "fbff6a0aa16505d2d8cb07a9632dbef91e5d416239e7681efd02a5a1ccfc5830", + "sha256": "ab3e71024a071b7fdfe5a78867ce7b97ee798a14a25a3ad4d5f93579c8d00be5", "type": "esql", - "version": 106 + "version": 107 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", @@ -801,15 +801,15 @@ }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "a22ce5b0813ff129839c6ae3330c9cb4a64b73879125342eecbf840e3c1f2c35", + "sha256": "877b148eb16e5925faa6420c7ce4e5af877518280357765cf8b26d314d4866a4", "type": "threshold", - "version": 313 + "version": 314 }, "0fb25791-d8d4-42ab-8fc7-4954642de85f": { "rule_name": "Kubernetes Creation or Modification of Sensitive Role", - "sha256": "d431f464078e8ba6df2d879cf09611ed71bb66449f85d3d04c20acaf59179284", + "sha256": "b9c97990e6ca915c311408c981892865fdd39e7032758dd0bf98eb9c14eb5af0", "type": "esql", - "version": 2 + "version": 3 }, "0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": { "min_stack_version": "9.3", 
@@ -872,21 +872,21 @@ }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "ab55013a294910af157320c72f929d63b0fde2d711fdef1f5225460860ead3d2", + "sha256": "be1fc253ed58440f6af839e8e5f79978eba0a908da3adb6fa9713f774fb8a7c0", "type": "query", - "version": 109 + "version": 110 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "cf5ea7a420443d103bfd583bfa334be57cad024bf5c3a3fbb93390f6b2f6976a", + "sha256": "f9bf3e298b294a41bb1856889477dcec525ec04804459de0294f14714ad143eb", "type": "eql", - "version": 218 + "version": 219 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "e453b11a4c39805389424db8939d22278809fec08e6172c79bb7cf87ae26c5cd", + "sha256": "1224c28727d499af370240ca8e5ed7432294872e5d5258d9eedba7a8d8b72bb1", "type": "eql", - "version": 317 + "version": 318 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", @@ -908,9 +908,9 @@ }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "064c4ddec156a1b2ea065455a460a17c81974239e07c623f01ea2d4f20bba2d5", + "sha256": "e2639febbe6e8a624a43a1a5782021cc15db735aef9129b0760de784416247ab", "type": "eql", - "version": 216 + "version": 217 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", @@ -954,9 +954,9 @@ }, "128468bf-cab1-4637-99ea-fdf3780a4609": { "rule_name": "Suspicious Lsass Process Access", - "sha256": "8fc33262811096f6ebaf8b7fad2b6eed5f0b75c788cdac1c3ca035ea465b07ef", + "sha256": "13ea12c18b065bc285ea95a16119242a9882ef4c3103f521a1c701921ec69cd5", "type": "eql", - "version": 211 + "version": 212 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", 
@@ -972,9 +972,9 @@ }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "a4b04a8ff5f2d74ee9e1c5ee8ec133bc74d8ad935cca91ed57dc5f42919de5b9", + "sha256": "d32351494ff1b9ffd9ba55acf3ca09d761a8cc3d4944657b331a3e2cd0c2a611", "type": "eql", - "version": 210 + "version": 211 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", @@ -984,9 +984,9 @@ }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "ba6cd7ad1cf9481e24a018cad2d535555cd18ee7f679dc59af979e8ec704498a", + "sha256": "a4cef089a97baa377ce98b7cb50c1a47a4a67b0f74e854692264582b8a57614e", "type": "eql", - "version": 415 + "version": 416 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", @@ -1028,9 +1028,9 @@ }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", - "sha256": "634a2275fe6932fbcf9514a9c9f71bacb655d75a8f0437e3c7bbb947c34553d8", + "sha256": "a4773853ce1ea436c93f739ecc375ebc074829200e0ed449ee0e3bec0becb585", "type": "esql", - "version": 214 + "version": 215 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", 
@@ -1052,15 +1052,15 @@ }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "0b281e8e82d4661b97cd6af7e181d4dd64824ee8db87f2facfd3a23526e92397", + "sha256": "0ad5c2e271c9001326aa27dfc63f6c35a4138bc03e6a1e4db48aaeac803e30f6", "type": "query", - "version": 110 + "version": 111 }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", - "sha256": "de38197afabe0ec8c706691eb2ffd5ecc4d06c09433315e4bf0692a57590212a", + "sha256": "6ae151273f3904946010828516f37ea7cb7152e34ac5eebb85174cd704f59d78", "type": "eql", - "version": 108 + "version": 109 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", @@ -1070,9 +1070,9 @@ }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "b8be5282c728a2e9b27bf03d158ab52c0a392cc22d73af245848db7e0c85b5cf", + "sha256": "5fb9943cdf453b43370e6f92b8be06a5dfe213e2bcd3566aa2e2bd08e9d21e7b", "type": "eql", - "version": 316 + "version": 317 }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application", @@ -1094,9 +1094,9 @@ }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", - "sha256": "9a4f4276c90368c6a8826ebb5a400f92dcee779b4ecfa447e64fec3a3d6441e7", + "sha256": "4f8dae1671164a15e104cf7087d42d6a879f2c0809501137ee183c0f3f3ee364", "type": "eql", - "version": 6 + "version": 7 }, "15606250-449d-46a8-aaff-4043e42aefb9": { "rule_name": "Suspicious StartupItem Plist Creation", 
@@ -1106,15 +1106,15 @@ }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "21792bd878e448ec862da9cc5bf6e3b5f64978c7a1e9ad278a91cd0dd908326d", + "sha256": "7c14ff284718226ea6475885fa3d285019ef181a69705bed2afb9f25ce81b4fc", "type": "eql", - "version": 215 + "version": 216 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "9691ff0522d8ff26f5181a8eece5d0bb641efa1550ae3630f08e46a606d4d573", + "sha256": "62c79ce5bae7cf736a51c50a7e07508e4a50999a807161a4e0c68835b2a29780", "type": "eql", - "version": 319 + "version": 320 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", @@ -1174,9 +1174,9 @@ }, "166727ab-6768-4e26-b80c-948b228ffc06": { "rule_name": "Potential Timestomp in Executable Files", - "sha256": "141a26e1964995ca85bbc37b582076f5a4d13eff6f252e85569630fe95aee60f", + "sha256": "d412a6320c3b63e9d14e2897865c8df7a907154312cbc26891375687109ccfa0", "type": "eql", - "version": 110 + "version": 111 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", 
@@ -1192,27 +1192,27 @@ }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", - "sha256": "437f8b15f0baa696bdadcf1b5d6da3bb8548f56cdf75c8baeb6b1e3562e6e7a2", + "sha256": "d4267bbb2896541227ff0042bb5fd07bf0d5d673472429d931cda1a80f41b666", "type": "eql", - "version": 119 + "version": 120 }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", - "sha256": "cd60cea70299ec12558b2136864b0035da03a0dd42b4dd2280780e9bc41e6f2f", + "sha256": "6b1835065de149596f5514acac7116d616ab69afd1ff4bd6c3187a13fe27493f", "type": "esql", - "version": 7 + "version": 8 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "8a09c3ace5f964fb2b20640db4f17aff78b00b30d85088a92619aba22f982766", + "sha256": "e9d66fb58444a717fbb2b15ebf5f7ed7e2d888737fdf681a8537349fb9d7f291", "type": "eql", - "version": 215 + "version": 216 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", - "sha256": "c5c4efbc0177d7f664f65f7a2c0854002a571cac05289aabc98d4707694e6a43", + "sha256": "96017fdffa7b8eafbd4630fac4ec0b8079bee2375bcd6ab550558ff48cf9bf1f", "type": "eql", - "version": 6 + "version": 7 }, "171a4981-9c1a-4a03-9028-21cff4b27b38": { "rule_name": "Suspected Lateral Movement from Compromised Host", @@ -1222,9 +1222,9 @@ }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", - "sha256": "852bbf9498b8b722277364bbd060e191e04de17966cf39f928840e4974f232cc", + "sha256": "2eeb4a2916c11aeca4185ded593f86975317296adad1f32d19f4d5f39f380f53", "type": "esql", - "version": 6 + "version": 7 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "9.4", 
@@ -1336,9 +1336,9 @@ }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "bb3548f931c019e5a37efd6dd7f1953464866b7df29b21bf0ebedda27825fab1", + "sha256": "11eedb38f0535b593e7587c7ae9c0c9b1f11713712345cb14aa032c4251e687b", "type": "eql", - "version": 217 + "version": 218 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "9.4", @@ -1358,9 +1358,9 @@ }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "f4ba8781fb84ae3a347b2d2647b45a6eb41ecd5750e9453a7697157fb02ccd93", + "sha256": "f5b07367a229e2cc48754deee2bffbec577230719548e1c91cb73bd36b064536", "type": "eql", - "version": 209 + "version": 210 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", @@ -1428,9 +1428,9 @@ }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests", - "sha256": "3fc864b2b6cb6d2b19dd6cdb17c1cba4aedc02ac2ab30c5493dd863d3cf7bf95", + "sha256": "34009951e545cd9d705e6cac58d2af9dba570cc5dcec0e69c192d165f28be6d3", "type": "esql", - "version": 9 + "version": 10 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", @@ -1502,9 +1502,9 @@ }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", - "sha256": "c725e6a7e3475298e151a097dc5c9b9319f746789dae41427246e978eec627e2", + "sha256": "7aff4b19617d22e58a7bba7919b719dbbec4df85308564a1cd3fee9363798ae2", "type": "eql", - "version": 319 + "version": 320 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", 
@@ -1514,9 +1514,9 @@ }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "2e3c41d3c73b84a6ff5058ca6b56124892b93ac8df1a7460b5ab0691af6b44d9", + "sha256": "12119420da1871b99202f57ec10904ffc1deee90adab67e4719a1a7207bbc500", "type": "eql", - "version": 316 + "version": 317 }, "1ac027c2-8c60-4715-af73-927b9c219e20": { "rule_name": "Windows Server Update Service Spawning Suspicious Processes", @@ -1532,9 +1532,9 @@ }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", - "sha256": "2d3d874eed0f3d13992e5dbaec2e6f002a36fb0df39992d174abd1d48f5610c0", + "sha256": "2f7562c182467d14f7652d3abb6608ddb866a662c35c85f285c8fd5b91f6f892", "type": "eql", - "version": 6 + "version": 7 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", @@ -1544,9 +1544,9 @@ }, "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": { "rule_name": "Remote Management Access Launch After MSI Install", - "sha256": "001bd6481577ef6818802f143b55dc573592d55255c45279e6eff1651ef1e3c0", + "sha256": "54c52e1583a70f0e58886c3834476d8a301420a103cebf085744e0b227eabe61", "type": "eql", - "version": 3 + "version": 4 }, "1b65429e-bd92-44c0-aff8-e8065869d860": { "rule_name": "BPF Program Tampering via bpftool", @@ -1572,6 +1572,12 @@ "type": "eql", "version": 16 }, + "1c28becc-ec0b-4e6d-81a5-899d00348089": { + "rule_name": "Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket", + "sha256": "b9af69ebbbeff32bb2101e0acdf8c98dc60ca99cddc9b2ecbb16b47c394956d6", + "type": "eql", + "version": 1 + }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", "sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef", 
@@ -1604,9 +1610,9 @@ }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "6acfd449e15d1064ff19e9f8a3ed2f814e77e39a7baa5be696eb049d192e2fe6", + "sha256": "2d10043a1aa6786aef98747241a102b2e31aae347ae8a451f5e468c9d52f7e35", "type": "eql", - "version": 213 + "version": 214 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", @@ -1628,9 +1634,9 @@ }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", - "sha256": "3e72b8912cd758c1e66ce4cd5024917e71825acfbc2048f1a41cf1a093cbc557", + "sha256": "e9575c364fc387c6707b5d37b4870192b76de5fab2e194b70bc4691ef96b498f", "type": "eql", - "version": 215 + "version": 216 }, "1d306bf0-7bcf-4acd-83fd-042f5711acc9": { "rule_name": "Initial Access via File Upload Followed by GET Request", @@ -1658,9 +1664,9 @@ }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "263926e41cc042363726da99ea6d39b8c612261d890730e12ed614b018497a98", + "sha256": "398b3d88b1753b2d476720085736b2bdfe86fb195e47981a3e582f66397ced53", "type": "query", - "version": 113 + "version": 114 }, "1dc56174-5d02-4ca4-af92-e391f096fb21": { "min_stack_version": "9.3", @@ -1671,9 +1677,9 @@ }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "2ee5832a6b03cfcb8f3188be99ff1ea3ee74672c2e55998bc8417c1932c05804", + "sha256": "280c95cf73f0b4d05908dee4ef63654696f4b55a5040e86f1f69d1455aab9cd4", "type": "eql", - "version": 317 + "version": 318 }, "1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "rule_name": "Alerts From Multiple Integrations by User Name", 
@@ -1683,9 +1689,9 @@ }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", - "sha256": "390bc042a612982783d6f66639e318555d5edbcbbcd41b6203d0a4c312c2aa05", + "sha256": "bdf02d8405b38f96f1a6314cda5e1200914160197006090f7af12146810ca2cb", "type": "eql", - "version": 11 + "version": 12 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader", @@ -1713,9 +1719,9 @@ }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "rule_name": "Creation of a DNS-Named Record", - "sha256": "1089578e25a1c2c14ab8fa84102e1fdafa39beba0b6dbd4f48c35a0cad5f7a73", + "sha256": "f122d418e9dafbe14b2ca383cd8a6184aaa9aaaca6d46160e742e081b941bc9b", "type": "eql", - "version": 108 + "version": 109 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "rule_name": "Creation of SettingContent-ms Files", @@ -1763,9 +1769,9 @@ }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "53392e691b44808f9a8515ed8957b0731dca4f7f815904befb16700270092350", + "sha256": "5f229ee4fa489867da43771533ebd54f07045dbf3c671e4edec7850f6e2ff04d", "type": "query", - "version": 117 + "version": 118 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "rule_name": "AWS Sign-In Console Login with Federated User", @@ -1787,9 +1793,9 @@ }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "babe7b00f8c17b6f7c019fb3e52f3acd124bdc6490da993892140aa4941c0fb3", + "sha256": "b7c5e8e2683c1a9405ab334ea64b6abd11051146461d97a00a006a8a114ac5e3", "type": "esql", - "version": 11 + "version": 12 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "9.4", 
@@ -1809,9 +1815,9 @@ }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "b540efcf8defc61b47ff3dde63f5d7a2c85f82795da8be78c3820bf1ddb62a05", + "sha256": "ce63eff5ee6329ed0d754e18e681e094db4edd4554e6c5857c4a7e4eec55a7f3", "type": "eql", - "version": 219 + "version": 220 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", @@ -1821,9 +1827,9 @@ }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", - "sha256": "3e8a4a0639da9faf8ad8d2583d8bbe24e4ad6576965d547481cca13d55b64b6d", + "sha256": "718eb4049a2a7d326275953bcb81b6108f6af2f80cf5681605b01c2156773965", "type": "eql", - "version": 318 + "version": 319 }, "202829f6-0271-4e88-b882-11a655c590d4": { "rule_name": "Executable Masquerading as Kernel Process", @@ -1833,9 +1839,9 @@ }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", - "sha256": "3aa8d3bf4c0ecd6f0f97e539bbd67ea18b1d65216ce018a08def21d67e713760", + "sha256": "da1e0288bfbf5cf9a5a637c2ff71e7b786124de06dafdd88afc745cf802cfbec", "type": "eql", - "version": 316 + "version": 317 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", 
@@ -1851,15 +1857,15 @@ }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "70cf2629f8cf74296ace3eef9c5e688355dc05d9da909ff0c389f306c73a2cbb", + "sha256": "acfa894d6162e141d87059ad8f6bf9ab526faf4bb7d294c1c9559d4a696d8c5a", "type": "eql", - "version": 208 + "version": 209 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "591b6b1f70000a85406841ab2da5998d65bbb536ca44563cf9739d26d2467844", + "sha256": "95ec166b973e8fa95beb4a3ed8c8005380916540f7218d2b4fcddf1f761a8e97", "type": "new_terms", - "version": 216 + "version": 217 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", @@ -1869,9 +1875,9 @@ }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", - "sha256": "73377f66084b1b6f83dae6d763f34bca4b5521dd0aa27ccb836843da0e4edacc", + "sha256": "c0049f673475e17a60c9243c445c9cc0740541dd02cedb0ad8ad2af6aa0ec463", "type": "eql", - "version": 10 + "version": 11 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "AWS SNS Topic Message Publish by Rare User", @@ -1905,9 +1911,9 @@ }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "eca7c868189a61e5cf6cc042fae273a0d9e014524dca042d3c65462cf7cdd36e", + "sha256": "2e948782f65666ac3d10796a6baf18110e533c7911ec87b4302958666ded5115", "type": "eql", - "version": 112 + "version": 113 }, "220d92c6-479d-4a49-9cc0-3a29756dad0c": { "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy", 
@@ -2000,9 +2006,9 @@ }, "23e5407a-b696-4433-9297-087645f2726c": { "rule_name": "Potential NTLM Relay Attack against a Computer Account", - "sha256": "49224a1d4f9dd6793aaf01e3e60bbd0e26b0c0efa3fdd05e7a58bac235c0d5f0", + "sha256": "f0d7a8f00c28cdc603cdf2f3a222453dc87d3c585871a04289e06d7d65e12363", "type": "eql", - "version": 1 + "version": 2 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "Potential Okta Brute Force (Device Token Rotation)", @@ -2079,9 +2085,9 @@ }, "263481c8-1e9b-492e-912d-d1760707f810": { "rule_name": "Potential Computer Account NTLM Relay Activity", - "sha256": "6e3289d45024e4d880f10179b6094e2c94afd47352c36eaa34a002c376a5b034", + "sha256": "c6466b3359e6b53e8f7baa6dc0c0a8268893292d2e8c70cf97aaf503f935e4f2", "type": "eql", - "version": 109 + "version": 110 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Storage Container Access Level Modified", @@ -2103,9 +2109,9 @@ }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", - "sha256": "f402dc7309dd06392ef91427f1cb93e23a9faae48cc56345bad56494e78803fb", + "sha256": "eb93685370370e45763a4c643fb482b438ac57fbe5bb1cae4f02da532dec3ddc", "type": "esql", - "version": 4 + "version": 5 }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", @@ -2140,9 +2146,9 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "M365 Identity User Brute Force Attempted", - "sha256": "9c58ec3123760ea459436000dc14ff9614ede8b7e9bb3615243dd1e7df201d00", + "sha256": "ebb4f079a3090c488a142f1c993638ab122995c8ec1213052b508848e1fc433d", "type": "esql", - "version": 417 + "version": 418 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", 
@@ -2180,9 +2186,9 @@ }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "0b92fa2b539cd8298139f4fc871d9deaf90e1cfeee5e16fdca9e0246f72e12f3", + "sha256": "c46e02d9df71ee1e22ed5ac8f5ba1d5afab07283bd6ea70286a84474f4017c06", "type": "eql", - "version": 214 + "version": 215 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", @@ -2205,9 +2211,9 @@ }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", - "sha256": "ffe585779ed8bc8e90664110fc24c5f82e480fc0b761763450369e714f0ac7b5", + "sha256": "7b6619e4799f5c51aac53ea894d15478f84f6ed434bf2f15f94fdf0570761aa1", "type": "eql", - "version": 221 + "version": 222 }, "283683eb-f2ce-40a5-be16-fa931cb5f504": { "rule_name": "Newly Observed Palo Alto Network Alert", @@ -2217,15 +2223,15 @@ }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", - "sha256": "4b406b760e32e9a412057481852ee5187afe0ca95f051e000e375a52f6da5f6d", + "sha256": "b8cf9700d169c0901439e2d0562728548640e7e876af9ac5968766217cb1f804", "type": "esql", - "version": 5 + "version": 6 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "525b714ab72a6ec9763b6f3728f543b80b837e8fbdbc7d991e186849d6f88bd1", + "sha256": "27990b18c9a88be12901538e00f7518df2e6955d7e6825b3e6c043688e68414d", "type": "eql", - "version": 215 + "version": 216 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", 
@@ -2265,9 +2271,9 @@
 },
 "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
 "rule_name": "Privilege Escalation via SUID/SGID",
- "sha256": "93526ab19a120dcce1e1f514bed302cf80ec75b023f0065f4eabf74853b0d18a",
+ "sha256": "46f7be3e59656893dfb3bcec2a1f30e7e118a703b4c52bfa1c61fee7207354ef",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
 "rule_name": "Shell Configuration Creation",
@@ -2295,15 +2301,15 @@
 },
 "291a0de9-937a-4189-94c0-3e847c8b13e4": {
 "rule_name": "Enumeration of Privileged Local Groups Membership",
- "sha256": "0de08935d7b273c2883aff48269919228f3954a001f1b8a630d6c5b6a67de4e2",
+ "sha256": "4cacb8f8a73738c053cb1f103e94a0cc342a31b5e595c2d0c90538fa08e8238b",
 "type": "new_terms",
- "version": 420
+ "version": 421
 },
 "29531d20-0e80-41d4-9ec6-d6b58e4a475c": {
 "rule_name": "Alerts in Different ATT&CK Tactics by Host",
- "sha256": "89d0958894efc5800bc1c37dbe4e22073f736ad6f2e95ae99a95e83421e0f3b3",
+ "sha256": "c5405c7e3f88cfc2000c94b4c7b8d38c9d2a26b546e452f9ed097e0da1aaa240",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
 "rule_name": "New Okta Identity Provider (IdP) Added by Admin",
@@ -2347,6 +2353,12 @@
 "type": "eql",
 "version": 113
 },
+ "2b9a3b7a-0891-4a89-abbe-dca753c403cd": {
+ "rule_name": "Multi-Cloud CLI Token and Credential Access Commands",
+ "sha256": "61952dce699974e95e7f7709554d81d3e2ab7e7bee7a9126f8a648e53b3da84f",
+ "type": "esql",
+ "version": 1
+ },
 "2bca4fcd-5228-4472-9071-148903a31057": {
 "min_stack_version": "9.4",
 "previous": {
@@ -2365,21 +2377,21 @@
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Deprecated - Adobe Hijack Persistence",
- "sha256": "c39c39dad78c75217ccc7ae773fe15ad4209cd1942561a8aec4334a3a4d5479b",
+ "sha256": "d554c3a9b2cbb27ce03d73fe4c984d648404006ad784e24039acee69e3f2b78f",
 "type": "eql",
- "version": 420
+ "version": 421
 },
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
- "sha256": "0d92fc45d3b510335ab010084fce86259f5a97be4efba9d4e0dcc39a186a39f6",
+ "sha256": "a0709d688ae05f8fc435bd8ca93dda11365bc4a4a944b23ff637780dac62b701",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
 "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
- "sha256": "71bee316718a7503183f188206ee519a517752ffe52329a99d25178569a76e4a",
+ "sha256": "8d94d7fb85ae6118469b64123048223e518e64558377b9e2e140fdf98ece2a16",
 "type": "eql",
- "version": 217
+ "version": 218
 },
 "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": {
 "rule_name": "Newly Observed FortiGate Alert",
@@ -2413,9 +2425,9 @@
 },
 "2d58f67c-156e-480a-a6eb-a698fd8197ff": {
 "rule_name": "Potential Kerberos Relay Attack against a Computer Account",
- "sha256": "5e09e657da69ef3fb73e3795a8733b629201781c989c5407e927d1e39ef0e0b3",
+ "sha256": "9535ca2df0f4875a40fddd9343363a41368fc737d08a1ae532dccc3fbb98f4ff",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "2d62889e-e758-4c5e-b57e-c735914ee32a": {
 "rule_name": "Command and Scripting Interpreter via Windows Scripts",
@@ -2429,9 +2441,9 @@
 "8.19": {
 "max_allowable_version": 105,
 "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
- "sha256": "725ad252d09012d134cb181871423681d29b14c890ee1288e768f23fd7ed72e2",
+ "sha256": "18afa7b414ac8a132c2035e7223b544aa80b53a5f72a0209b98f390f3de16805",
 "type": "esql",
- "version": 7
+ "version": 8
 },
 "9.0": {
 "max_allowable_version": 205,
@@ -2467,9 +2479,9 @@
 },
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "rule_name": "Suspicious Process Access via Direct System Call",
- "sha256": "fcd23614b99095e148def771cb5dfbe0da249760f4f43c054a3abb6ea13c18ac",
+ "sha256": "58b8a1746c1b88f41ce38c583a0eb3520a1689f8a019913516571f21b3c095fa",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
 "rule_name": "Potential THC Tool Downloaded",
@@ -2485,15 +2497,15 @@
 },
 "2de87d72-ee0c-43e2-b975-5f0b029ac600": {
 "rule_name": "Wireless Credential Dumping using Netsh Command",
- "sha256": "08b959c36b2fe977428f38fd2a631f354a18d196a41d271526a150016bf3277d",
+ "sha256": "0e40b02258f08b8dd3d44d58c4d7ea172b3879f29c4811844a892121c0fed325",
 "type": "eql",
- "version": 216
+ "version": 217
 },
 "2e0051cb-51f8-492f-9d90-174e16b5e96b": {
 "rule_name": "Potential File Transfer via Curl for Windows",
- "sha256": "2727f7933f8eeba04d375c0fb4d6f81aeb767cf77de5af9f5a02dec3d3c84c14",
+ "sha256": "4d04954b58f65d7b8123c4875c6283eb3f8855e6fdbb706299800c4893aede50",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "2e08f34c-691c-497e-87de-5d794a1b2a53": {
 "min_stack_version": "9.4",
@@ -2513,15 +2525,15 @@
 },
 "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
 "rule_name": "Renamed Automation Script Interpreter",
- "sha256": "3686069f5759f5620730b4857af75e3bb324b82244964d8e5975bf7aba19b609",
+ "sha256": "3412a61dea3f79000826b1ee35082aa9044c9d26e298c59e772d420c3d4fa016",
 "type": "eql",
- "version": 218
+ "version": 219
 },
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "rule_name": "Potential Process Injection via PowerShell",
- "sha256": "eb0a61ec96fa7d830c2895b364f80245d8d62fbf1cdfb07e27cf10484d54b6f1",
+ "sha256": "1f1201ba99d2842ffbcad3d15b1dcb747040fe2b58cd03c3b0438ef39413824f",
 "type": "query",
- "version": 218
+ "version": 219
 },
 "2e311539-cd88-4a85-a301-04f38795007c": {
 "rule_name": "Accessing Outlook Data Files",
@@ -2531,9 +2543,9 @@
 },
 "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
 "rule_name": "Okta User Sessions Started from Different Geolocations",
- "sha256": "a0e669920a05447833a36602262826c5a72fc5c685f0acc4e056c3dc50702987",
+ "sha256": "4abe9b19327d050b9a6b99c9ba1b465c25650d2afc82f39672d95f6cf38625d6",
 "type": "esql",
- "version": 310
+ "version": 311
 },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "rule_name": "Halfbaked Command and Control Beacon",
@@ -2573,15 +2585,15 @@
 },
 "2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
 "rule_name": "Startup Folder Persistence via Unsigned Process",
- "sha256": "ca7ce2c52ed307c8e0dfdc3196ada1ba7743edbe12ba4c4f6a5ee659403fa32b",
+ "sha256": "b9b13ab82fce4582270516eb4103335c297e09ba1fb18b9305104084893f8432",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "rule_name": "Windows Defender Disabled via Registry Modification",
- "sha256": "fc228f1ed3c5f7bc63093176ace4c1391dd9b9d4242e1e14c6c33b45c524ce3b",
+ "sha256": "20024501f2158ecc1863a29ac71a7d5452d113ceaf3da322ec0b480574f1f462",
 "type": "eql",
- "version": 218
+ "version": 219
 },
 "301571f3-b316-4969-8dd0-7917410030d3": {
 "rule_name": "Malicious Remote File Creation",
@@ -2621,9 +2633,9 @@
 },
 "30f9d940-7d55-4fff-a8b9-4715d20eb204": {
 "rule_name": "Windows Script Execution from Archive",
- "sha256": "9769b1271974f7678be7b87ba170a8788616081376dcdc121eeff38f837c3617",
+ "sha256": "67a5e91404e6ae67e3f18a6dcfdac04ab77bc9dc55998558cbd6060067d8b9ab",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "30fbf4db-c502-4e68-a239-2e99af0f70da": {
 "rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
@@ -2663,15 +2675,15 @@
 },
 "32144184-7bfa-4541-9c3f-b65f16d24df9": {
 "rule_name": "Potential Web Shell ASPX File Creation",
- "sha256": "62af95c1449ba7223ea15911806eb60b24ff18d95cfd2a529de8db785480464d",
+ "sha256": "620c207c86f94a7f5fa5ac75c072ca7504ecdc374a9a45ffaa54cfafe6ac449a",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "3216949c-9300-4c53-b57a-221e364c6457": {
 "rule_name": "Unusual High Word Policy Blocks Detected",
- "sha256": "c065de140770b25338ed259f21b0ba2ceba8fa855f7ea4c6532010e88a4b77e7",
+ "sha256": "07e7e04210b862e96b27eee443227c6a1fbed5882d062ae1d78886a0a1d0da3e",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "32300431-c2d5-432d-8ec8-0e03f9924756": {
 "rule_name": "Network Connection from Binary with RWX Memory Region",
@@ -2703,15 +2715,15 @@
 },
 "32923416-763a-4531-bb35-f33b9232ecdb": {
 "rule_name": "RPC (Remote Procedure Call) to the Internet",
- "sha256": "aeea0438498c335f924d5024e2d93d26df009adae1297efdeabdffcd66a49aa2",
+ "sha256": "2d2ccd5ca54ed008472b8563442cef7bcbcfcca9773cf6cde8664d01bbf84c78",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
 "rule_name": "Program Files Directory Masquerading",
- "sha256": "5434996d5953e2a75f6195c4b3f0be3e76a6b137358f992107e47bad171f93b2",
+ "sha256": "62c090223fc384970eab9eccabb23b4fe6793807b12491b26d209885275a6838",
 "type": "eql",
- "version": 320
+ "version": 321
 },
 "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
 "rule_name": "M365 Identity Login from Atypical Travel Location",
@@ -2721,9 +2733,9 @@
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "c1f88ad08b1275d2beb8997e9a4bef9759d9a7c24926c458ddaff240589ea5c6",
+ "sha256": "2b1d36af98d52e7c651c30532ec344b2145caeebab5862029eebf1639017c1e6",
 "type": "eql",
- "version": 421
+ "version": 422
 },
 "32f95776-6498-4f3c-a90c-d4f6083e3901": {
 "min_stack_version": "9.2",
@@ -2737,9 +2749,9 @@
 }
 },
 "rule_name": "Potential Masquerading as Svchost",
- "sha256": "7f4183d88c3307824d8ea2bbb7da2223c260019f0cf9cc86dffaf273ac0960cd",
+ "sha256": "0ae3b4874845b5b362efeaabd67d839e505a3c44968966093c21c4555b3d02d5",
 "type": "esql",
- "version": 103
+ "version": 104
 },
 "3302835b-0049-4004-a325-660b1fba1f67": {
 "rule_name": "Directory Creation in /bin directory",
@@ -2767,9 +2779,9 @@
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "rule_name": "Remote File Download via PowerShell",
- "sha256": "3503b23c3c18c821b2fe161a47d818e80df0be7b955e0702f34dae35cebbd1ab",
+ "sha256": "ba3fdfb67c7a505e71feb3c1bb53052fa31ed7aeb2b5b9c5f1951cec0c9d3f92",
 "type": "eql",
- "version": 115
+ "version": 116
 },
 "33ff31e9-3872-4944-8394-81dae76c12d9": {
 "min_stack_version": "9.3",
@@ -2833,9 +2845,9 @@
 },
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "rule_name": "Port Forwarding Rule Addition",
- "sha256": "15f2eb8e59ad6f73f52dc09bd128406057e069f99940823c50c3864bfc57158c",
+ "sha256": "3ced595dce2cd24c4727be69b9fa601479fd2f2f80457f720c694e678a28b875",
 "type": "eql",
- "version": 418
+ "version": 419
 },
 "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
 "min_stack_version": "9.4",
@@ -2855,9 +2867,9 @@
 },
 "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
 "rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
- "sha256": "0df6b6334cd27b6de86fc9609cb747ecfa635d0c0051591db6e2c199ad87f4e3",
+ "sha256": "07c165d99fb8e82989dfd95f7c238c2624bf70169acdf0a73405eb1cb4353b39",
 "type": "esql",
- "version": 110
+ "version": 111
 },
 "35c029c3-090e-4a25-b613-0b8099970fc1": {
 "rule_name": "File System Debugger Launched Inside a Container",
@@ -2867,9 +2879,9 @@
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "9200577706bf27015cee581aa26408b2aacd038becc06c64f46059f7c30498bc",
+ "sha256": "e3d3be616bcb1a086a207ba505b838f699ef299089fdeaab832fca7e48b4df09",
 "type": "eql",
- "version": 321
+ "version": 322
 },
 "35f86980-1fb1-4dff-b311-3be941549c8d": {
 "rule_name": "Network Traffic to Rare Destination Country",
@@ -2885,9 +2897,9 @@
 },
 "36188365-f88f-4f70-8c1d-0b9554186b9c": {
 "rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs",
- "sha256": "2df20a3faf287100f7908a110473c47694aeb15ef43981bb24b38ee67c8c948f",
+ "sha256": "57d3c6aff18828252ee65176a27549f6eee324fd1ce7552e0823c3f487c57852",
 "type": "esql",
- "version": 8
+ "version": 9
 },
 "36755b43-a1f9-4f2c-9b61-6b240dd0e164": {
 "rule_name": "Executable File Download via Wget",
@@ -2925,9 +2937,9 @@
 },
 "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": {
 "rule_name": "Command Obfuscation via Unicode Modifier Letters",
- "sha256": "5009a478ad36abb9aae19914fb9ebb9b7c0d339adfc90f5eb3e76951f4dd5fac",
+ "sha256": "45fa53855ae8537315bde347efa3cf473c4337ad0ebf67a01599501247d6c287",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "3728c08d-9b70-456b-b6b8-007c7d246128": {
 "rule_name": "Potential Suspicious File Edit",
@@ -2937,9 +2949,9 @@
 },
 "375132c6-25d5-11f0-8745-f661ea17fbcd": {
 "rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)",
- "sha256": "0affd785d42637b808f650a7103797d5a6bb2c5fc66f186318013a4e888e9cd8",
+ "sha256": "771ca76a55853827aa9d3ea8bd44a66201d54913b3bc91e9e331a2dbdf94e5e7",
 "type": "esql",
- "version": 8
+ "version": 9
 },
 "378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
 "rule_name": "Deprecated - AWS RDS Security Group Creation",
@@ -2967,9 +2979,9 @@
 },
 "37cb6756-8892-4af3-a6bd-ddc56db0069d": {
 "rule_name": "Disabling Lsa Protection via Registry Modification",
- "sha256": "baccf6f03e6b31a9bff677bee667021b4a21f7c8f7ebddfec74e1770a9a30704",
+ "sha256": "c647076f76477dd2aa512614840acda934b1f94328c2a08ba9db4111d921b1c2",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
 "min_stack_version": "9.4",
@@ -3029,6 +3041,13 @@
 "type": "eql",
 "version": 7
 },
+ "39029450-8e2d-4034-81b0-15af8e4e3a4e": {
+ "min_stack_version": "9.3",
+ "rule_name": "Nsenter Execution with Target Flag Inside Container",
+ "sha256": "012976abca9dfba1327ea6926edf0cf40d0126e26937b9ba13570d2367d1af56",
+ "type": "eql",
+ "version": 1
+ },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
 "rule_name": "AWS EC2 Network Access Control List Creation",
 "sha256": "fd463b53155f11c4465a2ebddd880793fb50c8d7cbb164ae7e172dae791842f3",
@@ -3037,21 +3056,21 @@
 },
 "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
 "rule_name": "Downloaded Shortcut Files",
- "sha256": "ded93faac0894e933d7149edc58d04b9fc25d90319023229ca2ac82a295aab13",
+ "sha256": "0cd2d8329df50935d117f1e8f8cbd8a6b749d5098aea10fb2ce8095fd4b8e0ce",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "393ef120-63d1-11ef-8e38-f661ea17fbce": {
 "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
- "sha256": "a2ae354dd666a1ae571d0b286934c5d03358e88ab0e6ed648b6e49e82281940a",
+ "sha256": "ea50abca6b44953d8810e58b35a4ab0f2e456efc1ccb2adb65d1840d162060f7",
 "type": "esql",
- "version": 7
+ "version": 8
 },
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "96df8547dca02823e81194f8774b0ad1fa26f204bf59394cdbb1ea0dff583de7",
+ "sha256": "d1265b8223c6c20063ff460b62984e6ca6f864de6a66513d32508de2ade0d0bb",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "39c06367-b700-4380-848a-cab06e7afede": {
 "rule_name": "Systemd Generator Created",
@@ -3067,15 +3086,15 @@
 },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "rule_name": "Potential DNS Tunneling via NsLookup",
- "sha256": "254da9f4693aee17ff97de904a4e488f8512f82976e5376f7487778c3b241268",
+ "sha256": "046338d3b95b4b4a22498cb8fdd538e20619623197e2a583d8477e82f2f07c9c",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "rule_name": "Suspicious Module Loaded by LSASS",
- "sha256": "6afa970ae8a58f793a98cb40a96c4500722761afb610be21815ab223a4df1c8e",
+ "sha256": "5131b9101ab93a6759d129fbfc00a0aee661266e47e4be8ba38766b1a8d3f4af",
 "type": "eql",
- "version": 13
+ "version": 14
 },
 "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
 "rule_name": "Rapid7 Threat Command CVEs Correlation",
@@ -3091,9 +3110,9 @@
 },
 "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
 "rule_name": "WDAC Policy File by an Unusual Process",
- "sha256": "fdaaec3f67a8543a962e70dbb7d1cff87e5e18c3917ea44b899e7a46ddaac771",
+ "sha256": "bd13988291b5cb72058e02ddbb6ad4616961a1b28e358601ef15c1d62837d8e6",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": {
 "rule_name": "External IP Address Discovery via Curl",
@@ -3133,15 +3152,15 @@
 },
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "be3ca1dd8f6c1fec5379d8d1f57adc596065bc4c1ddf8849c0b0cd8da4312d9a",
+ "sha256": "ad8c4fc9a44c93f4c1ca79d8954e509b790c3bd3199a8ea3bcdc21e55aee6a8d",
 "type": "eql",
- "version": 417
+ "version": 418
 },
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "4724c47390291263a89197eb96a4e29f421ecf2548516a11ddbd954d926efff6",
+ "sha256": "9354b45311be9fe16a9acb746a33c1bd4a40f927d7efdef1f097f9708c29702d",
 "type": "eql",
- "version": 320
+ "version": 321
 },
 "3c216ace-2633-4911-9aac-b61d4dc320e8": {
 "rule_name": "SSH Authorized Keys File Deletion",
@@ -3266,9 +3285,9 @@
 },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
- "sha256": "1f39583c1b6369b865b3cec2fc817eb7fa4cac54043993345add12138b6db8dd",
+ "sha256": "d63e463099820ef415fca37e369392f17e227ba4229ff8aa8e48ff9dac348e8b",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "3e12a439-d002-4944-bc42-171c0dcb9b96": {
 "rule_name": "Kernel Driver Load",
@@ -3284,9 +3303,9 @@
 },
 "3e441bdb-596c-44fd-8628-2cfdf4516ada": {
 "rule_name": "Potential Remote File Execution via MSIEXEC",
- "sha256": "41781f89453ed5af276e36687b1faf932f4e9e3cb8cfa75c6bcff4de95d68519",
+ "sha256": "5dc58754cc4f82d45abfe4dc812f1a4e4823e795adf94e534fd630f2b61d6105",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "3e528511-7316-4a6e-83da-61b5f1c07fd4": {
 "rule_name": "Remote File Creation in World Writeable Directory",
@@ -3302,9 +3321,9 @@
 },
 "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
 "rule_name": "Suspicious Process Creation CallTrace",
- "sha256": "9ec21aef0cac269b3807b436ccb086477f229090150d007cc77ce1b657695569",
+ "sha256": "eac8a62ca1cd0d0965dc5352545dc9eb7341fceab8cbfa3a9d801b1534511f08",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "3ee526ce-1f26-45dd-9358-c23100d1121f": {
 "rule_name": "Linux Audio Recording Activity Detected",
@@ -3338,9 +3357,9 @@
 },
 "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": {
 "rule_name": "Potential Data Exfiltration via Rclone",
- "sha256": "ff83a2e78c8fdd0fa7bfc58af6d997e97daefc49b9ca031a3907a26a34f20bce",
+ "sha256": "654c6762675bbe2e86e2cdc5f2883647739cb1d40a8231cdd3156fd69752ad41",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "rule_name": "Process Discovery via Built-In Applications",
@@ -3366,15 +3385,15 @@
 },
 "3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
 "rule_name": "Command Execution via ForFiles",
- "sha256": "78f26d181e59439ad90202e43409f326d099c71cb8dd9ee5470f06178912a6a2",
+ "sha256": "02b65a2a6c93487298996a9bfedaedb4d1436598cb4267292ef241ebc36be63e",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "3fac01b2-b811-11ef-b25b-f661ea17fbce": {
 "rule_name": "Entra ID MFA TOTP Brute Force Attempted",
- "sha256": "4549f277c1e6b7c9104b7e344042dd83bba99e71b560d0704278cecc583f15e2",
+ "sha256": "0c901fa65426f1462fb80e4ca2d1faf929654f311d89f202a3280dc35c9ab403",
 "type": "esql",
- "version": 8
+ "version": 9
 },
 "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
 "rule_name": "DNF Package Manager Plugin File Creation",
@@ -3400,9 +3419,9 @@
 },
 "4021e78d-5293-48d3-adee-a70fa4c18fab": {
 "rule_name": "Potential Azure OpenAI Model Theft",
- "sha256": "785d2c7d8206511fdb0a93798255102ab0b1c900ab4d7bc907fb1e30dde95ab4",
+ "sha256": "95545a1f85bdb02d2df6d31c2bd4f9fc0c6ad61f606abc56c7b749ec0823064c",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "4030c951-448a-4017-a2da-ed60f6d14f4f": {
 "rule_name": "GitHub User Blocked From Organization",
@@ -3412,9 +3431,9 @@
 },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "db6b78b0609271518bcfd9560dfe5bd4c8ea223360d3bd031fe0992248bded11",
+ "sha256": "8672a0625e04b58e7bbe56de0f48ddd08dee74082cfb85e5dc0eb2a5fe9209a2",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": {
 "rule_name": "New GitHub Self Hosted Action Runner",
@@ -3454,9 +3473,9 @@
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "0b5288b232f12dda6f96de22366b55f6309bbc366dc521ee9960265bdceaa7fb",
+ "sha256": "ecc40ef6f1887e2552a67ac50b893a78045aa90c933ed8ef9dba6dbc5db45679",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "41761cd3-380f-4d4d-89f3-46d6853ee35d": {
 "rule_name": "First Occurrence of User-Agent For a GitHub User",
@@ -3541,9 +3560,9 @@
 },
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "rule_name": "Process Creation via Secondary Logon",
- "sha256": "3c3c993e8730eb3546b9a22b493dcf55eba6a7e9215c41c15ce7dbb82a53e283",
+ "sha256": "dbeba92d4f831b5f36a5a0d99766eb50182c1b60eade9a6452880f4ceb9db0d0",
 "type": "eql",
- "version": 115
+ "version": 116
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "min_stack_version": "9.4",
@@ -3575,9 +3594,9 @@
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "rule_name": "Startup Persistence by a Suspicious Process",
- "sha256": "a96f247d9bddf464a3cbf64241437fcbfbe1926dd7dd985312520f6c372b7a87",
+ "sha256": "faa296ace7afe520ea4ef4a8f94e73bdaabf18a3fdff2491b9411910a92c7b26",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "444c8fad-874f-4f59-b0ea-cf26cea478bd": {
 "min_stack_version": "9.2",
@@ -3654,33 +3673,33 @@
 "45d099b4-a12e-4913-951c-0129f73efb41": {
 "min_stack_version": "9.2",
 "rule_name": "Web Server Potential Remote File Inclusion Activity",
- "sha256": "7b879ed09a001f09082376f510753308b5182359730c5dc07397c191919664c7",
+ "sha256": "eac6dd3f878185bf383aa944ce7171b5ac8f06bbac00216eda18a5633aaef77c",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "49ec1f0c7058261fafbe928089c1b3898c3757ff633e638f8b54619accd7fba0",
+ "sha256": "0ccdfbb0e5e5ffd32a9233c3ddf4f8302da0fb0f0850ce2f8d4581d3fbb3b3e5",
 "type": "eql",
- "version": 219
+ "version": 220
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "95df7b5a614e15a2757d5a73ff1245888c06e5aef83dbaf3affeec2c18f5c1a3",
+ "sha256": "564bb0d746bd663f81363cdf9ac732590b9f53cb2de5ba98a67f800fb3539a31",
 "type": "eql",
- "version": 320
+ "version": 321
 },
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "fcb2383594f0fb4dd75f8735b7fd9729eabd95ab5b7df4571e47f6072d1c6c5e",
+ "sha256": "930128205c02f5c7f26427faefeb2d4bab4bebdacf586a93b0aa5017bef1e78b",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "46b01bb5-cff2-4a00-9f87-c041d9eab554": {
 "rule_name": "Browser Process Spawned from an Unusual Parent",
- "sha256": "977af3e64fcc40b130001d57d83585d3b5fd0dc8ed09329bbcbc6dcd9ac3ed97",
+ "sha256": "9b29139c1b7fd40c89143857a62a03aa09c8e7963ef54f650fff4224dc441f21",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "min_stack_version": "9.4",
@@ -3753,9 +3772,9 @@
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "90b9fc3123d3194581564b32a92e5e7fb3829e1070cf2b0f19d17d3c32ba8034",
+ "sha256": "a5af415e1f2c7a456ca9118e3e4597cc2b0b71a212a73a2fa72bda8e0830cac8",
 "type": "eql",
- "version": 217
+ "version": 218
 },
 "47e46d85-3963-44a0-b856-bccff48f8676": {
 "rule_name": "DNS Request for IP Lookup Service via Unsigned Binary",
@@ -3790,9 +3809,9 @@
 },
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
- "sha256": "436f45d623c1f92e90c8f8293b9bd4b9f9d7736ef1f9c0d90b4c05ed0b951639",
+ "sha256": "5a1aba147a9b9f814d2d1b09cd541b22ae6d611c7fd6f3188f5920edab8078c0",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "48819484-9826-4083-9eba-1da74cd0eaf2": {
 "rule_name": "M365 Exchange Mailbox Accessed by Unusual Client",
@@ -3808,9 +3827,9 @@
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "rule_name": "Multiple Logon Failure from the same Source Address",
- "sha256": "80aaccc263883da16479de247fa05463955050b307d6afcf01a64ce744b68f7c",
+ "sha256": "13da83ae4ff6203a49a32508015f5afa1857f4551dfcaad34b06c929cf1e6a56",
 "type": "esql",
- "version": 118
+ "version": 119
 },
 "48d7f54d-c29e-4430-93a9-9db6b5892270": {
 "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
@@ -3820,9 +3839,9 @@
 },
 "48e60a73-08e8-42aa-8f51-4ed92c64dbea": {
 "rule_name": "Suspicious Microsoft HTML Application Child Process",
- "sha256": "31a61bd9848f272f7d4bcfa1ce96cfa86e6c2c208faa5b17ea0230ce6f03f716",
+ "sha256": "7c56c9e26607fba3339913474442ef3d7bfbf6293b5c99f54d2eb96881fade95",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "48ec9452-e1fd-4513-a376-10a1a26d2c83": {
 "rule_name": "Potential Persistence via Periodic Tasks",
@@ -3832,9 +3851,9 @@
 },
 "48f657ee-de4f-477c-aa99-ed88ee7af97a": {
 "rule_name": "Remote XSL Script Execution via COM",
- "sha256": "556e66c84eba3c0cf7ea59d8d28a859a82096c3baff3a123dd6eeddf5c151609",
+ "sha256": "f1c328ae4209f8dd970135e0448fcc4570c22a584600e6623a6e7b834d57b7a0",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "491651da-125b-11f1-af7d-f661ea17fbce": {
 "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
@@ -3844,9 +3863,9 @@
 },
 "493834ca-f861-414c-8602-150d5505b777": {
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
- "sha256": "2c097873f1a10be45423e1b2e15f63d090c3579776255ab93bc16742e4a8d5e1",
+ "sha256": "d94a4754a0bac94045cb963405493f79639e4750d53db7855347719f027c7a91",
 "type": "esql",
- "version": 106
+ "version": 107
 },
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "rule_name": "Potential Linux Backdoor User Account Creation",
@@ -3940,9 +3959,9 @@
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "1dd177179153675e4f49be04cac02a32b89581992bddd707b323031dcdf94ce8",
+ "sha256": "712e9f27b5d709ea5f42c73b492a3eb4b4c9d9a749c11b25a0c40218cf62765a",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "4b4e9c99-27ea-4621-95c8-82341bc6e512": {
 "min_stack_version": "9.3",
@@ -4002,9 +4021,9 @@
 },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
- "sha256": "25b90a6ea0ae4b7aaeb348ef557859fc3a582b543701d6eb60534307e899efd4",
+ "sha256": "ed8dcb92cfeba3e300ed4a8d4692886005db714dc1ec5c71e5b68c0da285cde6",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "4bd306f9-ee89-4083-91af-e61ed5c42b9a": {
 "min_stack_version": "9.3",
@@ -4021,9 +4040,9 @@
 },
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "rule_name": "PowerShell Share Enumeration Script",
- "sha256": "26c370c500763204d1c4ce8130f04b1598d572b21a9846450b74d92c48b08943",
+ "sha256": "53e870fdfb17df75e77e5625dad994b7014b21b3b90229e0436817acaa6aad78",
 "type": "query",
- "version": 115
+ "version": 116
 },
 "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": {
 "rule_name": "Azure Storage Account Blob Public Access Enabled",
@@ -4033,9 +4052,9 @@
 },
 "4d169db7-0323-4157-9ad3-ea5ece9019c9": {
 "rule_name": "Potential NetNTLMv1 Downgrade Attack",
- "sha256": "5d59168e802041fc2d8fca82713b3e00ae67bb869dfff26ee15f1920c8cd0894",
+ "sha256": "66c44401346ad331eee974206935f1739356fbdfa1c05b5c43a96d00aa7cf0d2",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "rule_name": "Kernel Load or Unload via Kexec Detected",
@@ -4063,15 +4082,15 @@
 },
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "5d431fa8f91fbe76fab715cde124a2848b218f2c547f03ff99b30355d27334e6",
+ "sha256": "2547fbd8709d4cf9e8f4bd0048a897e98859ec4f7ab564261d6a52e38f94d2ef",
 "type": "eql",
- "version": 319
+ "version": 320
 },
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "rule_name": "Multiple Logon Failure Followed by Logon Success",
- "sha256": "4f540063885c56e9d5964c0feaec926d03e793ef575ab8567f0878ce2bbb307a",
+ "sha256": "18af43592e9ea1cab61766146cc9e4060b3d000eea41d6ed6b5e839350b3e422",
 "type": "eql",
- "version": 116
+ "version": 117
 },
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
@@ -4081,15 +4100,15 @@
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "sha256": "b89e8d1d8a4c4ed145e778a6535e5f954f7e017ae924603a8a173b3eb7343e3d",
+ "sha256": "fee10156d1f4a3f29bc42acbf1ad6ee3ba381b251d656d9705905328d11f7503",
 "type": "new_terms",
- "version": 318
+ "version": 319
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "rule_name": "Suspicious Script Object Execution",
- "sha256": "d8c89ed2742bddca86741e2f6489bb305b4b6745abf23042db4bc95ad0c78bf0",
+ "sha256": "8b925f4de064a926ab17d2911e80bf6947d6e864da4aad5afcebc3491a482ecb",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
 "rule_name": "Unauthorized Access to an Okta Application",
@@ -4111,9 +4130,9 @@
 },
 "4f855297-c8e0-4097-9d97-d653f7e471c4": {
 "rule_name": "Unusual High Confidence Content Filter Blocks Detected",
- "sha256": "182bc938e327e6c65baf1a2fa6331963551b438902b9978d4d203832c22df4d6",
+ "sha256": "bbed7d005c3add1b1f91865e98385a1db6bab42d2c50a6f304be8f9987154da8",
 "type": "esql",
- "version": 8
+ "version": 9
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "rule_name": "Execution via TSClient Mountpoint",
@@ -4159,9 +4178,9 @@
 },
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "6fd64720109c2e09c97b6a4e988da7e80ee584e28558ce57dc51e5eeec79ae7e",
+ "sha256": "f08796645892a9fa8f7c3b67c11e0245ae79f43f1da29dc7f672653ebf69815b",
 "type": "eql",
- "version": 417
+ "version": 418
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "rule_name": "M365 Exchange DKIM Signing Configuration Disabled",
@@ -4177,9 +4196,9 @@
 },
 "5188c68e-d3de-4e96-994d-9e242269446f": {
 "rule_name": "Service DACL Modification via sc.exe",
- "sha256": "28527aefe5fe7c0c8de9c21140c346130426079acfb9322df723707b2ef44b14",
+ "sha256": "7b9b5cddfe539d530a81415222048a2f5018ed718b45baabb26fda249de04fbd",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "51a09737-80f7-4551-a3be-dac8ef5d181a": {
 "rule_name": "Tainted Out-Of-Tree Kernel Module Load",
@@ -4226,9 +4245,9 @@
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "90812c1c9901f3f69bc370a453a057fbf7475807091099873d900dc451e7c486",
+ "sha256": "cde1e6487ebcc56f9050150c0378e2da7deff62ad47b9dab28c2794674535116",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "min_stack_version": "9.4",
@@ -4306,9 +4325,9 @@
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "416708619d4f194738827aae6ef44865a1176fbdf5d7fef320ab7d709e806387",
+ "sha256": "792ed5fc6b0a36233bde6b5f3b81cb38c17352d64cb05bf7695a121087c373c2",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "rule_name": "Binary Content Copy via Cmd.exe",
@@ -4330,9 +4349,9 @@
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "df81b470e8c0d3518f8f24477c2f41c9d874a09f50aa751c968b959540e6e066",
+ "sha256": "04bf11d21b2237ee52b0b88167f0cfa4fc196dde2f4fbfda8b651395b6ef1329",
 "type": "eql",
- "version": 216
+ "version": 217
 },
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "rule_name": "Exchange Mailbox Export via PowerShell",
@@ -4342,9 +4361,9 @@
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "4f8c9841fe99d399a4934f995654ed5ddf171ae223cf67b8f529c0a7d6364e80",
+ "sha256": "3cff6043bb08ad2cb24e8d37adc43a86a8670e3e4d63ab64da8590469e6d827d",
 "type": "eql",
- "version": 218
+ "version": 219
 },
 "55a372b9-f5b6-4069-a089-8637c00609a2": {
 "rule_name": "First-Time FortiGate Administrator Login",
@@ -4360,9 +4379,9 @@
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "rule_name": "PsExec Network Connection",
- "sha256": "bad31009685857a7631fa0eda2334a199332fdb3698d8eb00f7e2ed62ae11c2b",
+ "sha256": "af8f8b17e077e18ee55fe944de4a17281aedb7f00d55333d69560c44623fcfd7",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
 "rule_name": "Windows Installer with Suspicious Properties",
@@ -4400,9 +4419,9 @@
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
- "sha256": "3a242f21a87f21c464c0cfe42e52881f5dca8297e5ceb5cbb98215aaa42fe75d",
+ "sha256": "8cf3c09ba2db0c7300a67369106a28725e2c5cc57e9c57d8cf14fe64d7a8c303",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "565c2b44-7a21-4818-955f-8d4737967d2e": {
 "rule_name": "Potential Admin Group Account Addition",
@@ -4424,9 +4443,9 @@
 },
 "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": {
 "rule_name": "Windows Sandbox with Sensitive Configuration",
- "sha256": "f4d4d1eefc4ebb9af6274ffc22bdec5b990fa06bf9f9981ed0052e80752281db",
+ "sha256": "cb4b6f0adb8773383e682fe16570cbca4179d222ed197d04b3d89fa29926d486",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
 "rule_name": "PowerShell PSReflect Script",
@@ -4466,9 +4485,9 @@ }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "rule_name": "PowerShell MiniDump Script", - "sha256": "98face230511c302dabda23c6bcb794a5acc16c97b7229bb982b298b421618d0", + "sha256": "5c5ee438716479240dd176d2f4b269ac7093f03e6ceffde51b86912f8b8d4ee2", "type": "query", - "version": 213 + "version": 214 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "rule_name": "File Staged in Root Folder of Recycle Bin", @@ -4478,9 +4497,9 @@ }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "ee3256c03cbc6a3f1b443e887462f57379d2b2c61a63033957b6c1658f96f1fd", + "sha256": "971eb40543306c60de5695b0c5c5323b2de381b23f1e442ce30cb39d29eb2c97", "type": "eql", - "version": 210 + "version": 211 }, "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": { "rule_name": "Remote GitHub Actions Runner Registration", @@ -4490,15 +4509,15 @@ }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Backup Deletion with Wbadmin", - "sha256": "07bdaa41ff03e3b89676dab7ec128e06ffe3a0a7aa4f2f531ef6d65e01d87225", + "sha256": "ab7e97c915d3a23943a57f5610efdbf9dfa1c8b60f4a82155800f5eb754553dc", "type": "eql", - "version": 319 + "version": 320 }, "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": { "rule_name": "Unusual Web Config File Access", - "sha256": "2076d1d54ca2fb2a601ffb05b938cf5acfb824cf8d9afb3b11affa6dabb5958b", + "sha256": "d0e52d0a9d67db8bc963869c1db6a15171b3f593e995b5a08bc6bde2194de611", "type": "new_terms", - "version": 3 + "version": 4 }, "5889760c-9858-4b4b-879c-e299df493295": { "rule_name": "Potential Okta Brute Force (Multi-Source)", 
@@ -4508,9 +4527,9 @@ }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", - "sha256": "758f40ca7304434bd1db7e03734a5d514e09ffb281d494a73e420f69fa77d6ee", + "sha256": "80ca9aa2214417366e41ffd82cd9a7232496f7791e47f1fe0b600d0b8425bf40", "type": "eql", - "version": 316 + "version": 317 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", @@ -4520,9 +4539,9 @@ }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "47b60f124f8acd655a58e96f9d25ddaacdfec0e89d70fc600d8bba38e78f8950", + "sha256": "ac7bf2a46ba5a70e8f7adf24b3dff91fc99d215a6ead840ce7f034f27e013106", "type": "eql", - "version": 112 + "version": 113 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", @@ -4608,9 +4627,9 @@ }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "c857ed14ca09f8505114fd0edba3e1aebc519d4769ba8e166ba7663b168e4364", + "sha256": "8e98b708a9211e5d0ebef862842c54d085108d51b98842c091c5b26228dfa6ee", "type": "eql", - "version": 107 + "version": 108 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", @@ -4620,9 +4639,9 @@ }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "52b32d6c07872ce579e613e8d7d5d8cd1ca9a70f304ead35f716b38f94db14f2", + "sha256": "2cfbca1b129860895636735b8d15df004c74a582e3be5fc79d043ee9eb08bd50", "type": "eql", - "version": 313 + "version": 314 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", 
@@ -4656,9 +4675,9 @@ }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation", - "sha256": "18c7e6db68770255ff3cad0f3c1fe15fc327df877f34a012180fdf12f0177df6", + "sha256": "8a47a48d97d6455444a465225652850ef188dd562e9f8c43f6fc8781a717f891", "type": "new_terms", - "version": 322 + "version": 323 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "rule_name": "Boot File Copy", @@ -4703,10 +4722,10 @@ "version": 108 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { - "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "258ce18f9e3bfe08e0472e79e46a880d2f2efc413d2cfc53babcfac7f60655dc", + "rule_name": "First Time Seen Account Performing DCSync", + "sha256": "6efcf236f3f9c9963fb10ebd45d9b9de86581067dc5b3515bab1cdc720278271", "type": "new_terms", - "version": 118 + "version": 119 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", 
@@ -4750,21 +4769,21 @@ }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "aca1fb8fd3ab6a6e65bb58f43f1f0d6dd1efb62e25bdb7b248a7a5f35c0a0e46", + "sha256": "26553adf03310ab42539ce968440da4d62fc1fd18788e3d2f13aab321c9255db", "type": "eql", - "version": 214 + "version": 215 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "7ae4f643336f4e1a1ab78af0263eb55b4e0c84737f7ff6f26bc6a1ecaeacb0d3", + "sha256": "f804eba2756db8092e43ff3affebdb403dbdc631098bebd3cdaf6ba3829b043e", "type": "eql", - "version": 216 + "version": 217 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", - "sha256": "a8f65b0e862ccc3602854d6c59de958637d279fb804b1f92c2efcf328a07e50d", + "sha256": "bc50204842263093d6d6ad331922bf865f62b4a06b43ef3f9321955c32ad22ea", "type": "eql", - "version": 214 + "version": 215 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", @@ -4781,15 +4800,15 @@ }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "e52b20d0a6e626ac28133aab573b99bebcb41ce8c3f24117cfd84b235119ea53", + "sha256": "c06d312788de6b526b2eda5008ba2de688020524b0142b2a077d564b7141a2e8", "type": "eql", - "version": 215 + "version": 216 }, "5d676480-9655-4507-adc6-4eec311efff8": { "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "bc7fcf5dc1eb0cc2200f517fbce5e86470485c5dd4351885978ed25541e99a33", + "sha256": "ce96526f1173cee77a4a1a49988e5b43cac66b19bc7f0e268d904961da06ddc3", "type": "eql", - "version": 107 + "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", 
@@ -4899,9 +4918,9 @@ }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", - "sha256": "0fe57677933b692a71d8349b4f6cbf10c7875257fb7837ae9686faddffb1e8b1", + "sha256": "20c0a63a1c617c1d92a564858fc23ec78f1cd2737c5ea492135d8d6d73d6cf20", "type": "eql", - "version": 212 + "version": 213 }, "61336fe6-c043-4743-ab6e-41292f439603": { "rule_name": "New User Added To GitHub Organization", @@ -4971,9 +4990,9 @@ }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "8f5451e26ac0b2ec8d6274f9cf8c4f90ead9a3b42453322334620f2e494bf627", + "sha256": "9b330c0df477e18fc4f7752d72e5b9bd2518f96989dc84c247943246459ff92c", "type": "eql", - "version": 216 + "version": 217 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection", @@ -5025,15 +5044,15 @@ }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", - "sha256": "79ac569d55644e0dabbb2fdd8052596be9d8f54d0ba514a54a93a7816d8853c0", + "sha256": "4fba1a906dc24aa562d7f26cec26c9dcda0607ed266e8b587cfddf5a6f683d29", "type": "eql", - "version": 6 + "version": 7 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", - "sha256": "9dc44d0287d85742433a237643de326b02cb67b5850c7c1cb67d39e39ff29d97", + "sha256": "ba4096f48f3a66bf6278a94d26beb5dd78a438641db6fc511bf73d79bbe9986d", "type": "eql", - "version": 212 + "version": 213 }, "640f0535-f784-4010-b999-39db99d2daeb": { "rule_name": "Potential Git CVE-2025-48384 Exploitation", 
@@ -5101,9 +5120,9 @@ }, "65432f4a-e716-4cc1-ab11-931c4966da2d": { "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "f57dea79c94f721b7f8cbc38f822f95a03a7020cbcef7591ff7b6834bf00038e", + "sha256": "d8cda461562a61f7ce64ed7629a070991b408f4432d740fc350a331768e162f6", "type": "eql", - "version": 205 + "version": 206 }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", @@ -5144,9 +5163,9 @@ }, "6631a759-4559-4c33-a392-13f146c8bcc4": { "rule_name": "Potential Spike in Web Server Error Logs", - "sha256": "319471d805dfa2a7447664a2aa86c3e7dec96ca6de3ffb39f7db4c64f6f603b2", + "sha256": "e61b3bdfbbae99ac498171b194cea724b8e328dca23b9288ceda1d39ac1355d0", "type": "esql", - "version": 3 + "version": 4 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", @@ -5174,9 +5193,9 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "43d0ac6c3447fd2acf017d3c2152f787341287f92ce0b82509305be74ff84081", + "sha256": "04483092ea7111ceb52a82ec96688eb7a5720d3ed3caf36c7e6e078b4713255c", "type": "eql", - "version": 130 + "version": 131 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", @@ -5192,9 +5211,9 @@ }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "cc03da002044bd059977e784373cd2c76b4aae1630ae306b3e92c5b77f546cbd", + "sha256": "a70d87036505f114e41a399e3573e388e43a05046ff89eea597353a7778de895", "type": "query", - "version": 119 + "version": 120 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", 
@@ -5210,9 +5229,9 @@ }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", - "sha256": "e5d3b39573d69c986872183396d628615b6c8a73ec566892063f154e05f2f738", + "sha256": "92dc23143cbc051ac463e1539ef050749a186cdfe3109f3ac86c9460ddd6f70b", "type": "esql", - "version": 7 + "version": 8 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", @@ -5240,9 +5259,9 @@ }, "6839c821-011d-43bd-bd5b-acff00257226": { "rule_name": "Image File Execution Options Injection", - "sha256": "98577dabfec38f164628871b9bb7fb8da7da64c1dc5fd38fbf3177e387f3693f", + "sha256": "4abbdf2842ee1bcb6bdcb3f3b63039758c8b7295afb207b98f0304bc9077d56b", "type": "eql", - "version": 314 + "version": 315 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "M365 Exchange Federated Domain Created or Modified", @@ -5270,9 +5289,9 @@ }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "d16ac49d6c15b783cff7f695326de41b63df37f6a44a4fb2840ac736b581fa1f", + "sha256": "f7eb5ecf08a0a74de530a080fd2441011bc3c38249a554220b2e2d15494fb386", "type": "eql", - "version": 211 + "version": 212 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", @@ -5282,9 +5301,9 @@ }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "0473ce103c98b50a752b3c71561170f786022a9cecd7fd4a23ddd91ff741aae5", + "sha256": "f279475dc730bc14f2dfd1ac9bc7084af731d369aaac73cf5fc818804da8e062", "type": "eql", - "version": 109 + "version": 110 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", 
@@ -5336,9 +5355,9 @@ }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", - "sha256": "8354a41d02ed3832503dfdff8191253036100d6a51a5c13e71517add5389a4b9", + "sha256": "afc10ab90f42c4075c81973e33977dfced66e7b5da2b5a85c40e181edfa63058", "type": "eql", - "version": 315 + "version": 316 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS Sign-In Root Password Recovery Requested", @@ -5360,15 +5379,15 @@ }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "5539eab07820ed60e51e720a05ed0dc076e60255efbe124fd01a7c33f8c996ce", + "sha256": "f7c6d6964c3063f4a75d0ad2dd294083ed44eb61f6393e97482687d8b587d708", "type": "eql", - "version": 314 + "version": 315 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "daced640af9a25daf0c116312924b7b3603258acfb8e8b4db92ff8719db4d43e", + "sha256": "0e421040f2de589edbc8b55db8ee6a3865f670eccc1b4c5e9cc39c27d5b2e377", "type": "eql", - "version": 422 + "version": 423 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", @@ -5378,9 +5397,9 @@ }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "6ec8f4bf159dc48d6a32fd5c7b6cfcb8dff46b845ca65c6f60ad47e23ae20953", + "sha256": "e113a73efc518c41b6df6bd67190ab672c30b13dbda77e7e3445ed9d8e54c13f", "type": "esql", - "version": 11 + "version": 12 }, "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": { "rule_name": "Suspicious Curl to Google App Script Endpoint", 
@@ -5418,9 +5437,9 @@ }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "f3614a07dfdade46e6c4790d03b3130608ed99a444e24057a541b80c0cea027d", + "sha256": "413515468916ea9977f82c881044a80545cce0cb54435a0b57493530e91809a5", "type": "eql", - "version": 313 + "version": 314 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "rule_name": "GitHub Repo Created", @@ -5464,9 +5483,9 @@ }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", - "sha256": "0f29fe5a316d3be3647760940d0778e0a76946a010241a7154ce0faf36a1c9e3", + "sha256": "eff0f62ddd3e0af974bfb14ab0530dd3f3a2a50d19bb8323fca26a786c9f7542", "type": "esql", - "version": 11 + "version": 12 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", @@ -5476,9 +5495,9 @@ }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "rule_name": "First Time Seen Remote Monitoring and Management Tool", - "sha256": "0cebb0d5468a00c201258ecea11ecb78a034ade64ba90268854176e43d1b4832", + "sha256": "9ec7d753b697c54652c65201dc1dcd09e6fdc59686ea6113b73fc595265689fb", "type": "new_terms", - "version": 116 + "version": 117 }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", @@ -5534,9 +5553,9 @@ }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "5c64c10228a0a54dc71ec736d0ceedf77938cee9b5bc4431aaa0997896c72131", + "sha256": "4f362555c866031271f8abb08e9f19566d14cb22bd946bed7430bca32e1d9ca1", "type": "eql", - "version": 214 + "version": 215 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", 
@@ -5564,9 +5583,9 @@ }, "6f024bde-7085-489b-8250-5957efdf1caf": { "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "da293aa9452ee7845abaf5b12c58972177020377e4cd25286313013d62cf57be", + "sha256": "76b7e15f05c16a73302c84e24542e26b21f45b57610fde617b93be59af49017c", "type": "eql", - "version": 107 + "version": 108 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", @@ -5600,9 +5619,9 @@ }, "6fa3abe3-9cd8-41de-951b-51ed8f710523": { "rule_name": "Web Server Potential Spike in Error Response Codes", - "sha256": "8925f6280b9f3ecb2a90fe8de866975f613687315d0cb7246e7d28ba6d14984e", + "sha256": "27e2f30dca9a09abd668da24cbc5efaf03c1466422e00b09ec2d3c29f085da0e", "type": "esql", - "version": 4 + "version": 5 }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { "min_stack_version": "9.4", @@ -5694,15 +5713,15 @@ }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "bbb12bcf2f2c3b1e816baf547bd7920207f4a6ae79dd4a5727dec5c58d7c3592", + "sha256": "9b65d29fa4cc5f9c11bea2a136e01f88ea77400beade01ab8c4bd36dbed7bb4d", "type": "eql", - "version": 323 + "version": 324 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "1477e66dec703b018b8fa3520a35c332275b252a01e165852dbf34f41d35a41b", + "sha256": "7c65898dade61844fe46d042846acb9ef9efc5f9db5d01aa35cdffc5e0069b05", "type": "eql", - "version": 213 + "version": 214 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", 
@@ -5730,9 +5749,9 @@ }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "4dd3bc4d2338df9e5861a9dd612da6fa7b5e626521e7802ad9e0b71c51f0d760", + "sha256": "9a4a0b4c3a7765a9f5aa08a40f32fe99e81d8e88a0251547e6e9c333931bdc14", "type": "esql", - "version": 6 + "version": 7 }, "7290be75-2e10-49ec-b387-d4ed55b920ff": { "rule_name": "Suspicious Network Tool Launched Inside A Container", @@ -5772,9 +5791,9 @@ }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "7b0bda996ce883ad0b2b8d8b3527cd5ff9fb45fe1dcb8bdd7d64d475cf9103ca", + "sha256": "1e8acd425801d27306a75395ad7553fa89218783a9d5978e7cc46f96b06ee580", "type": "eql", - "version": 209 + "version": 210 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", @@ -5803,9 +5822,9 @@ }, "737b5532-cf2e-4d40-9209-d7aec9dd25d5": { "rule_name": "Potential PowerShell Obfuscated Script via High Entropy", - "sha256": "9347c53ea709d2f8074638ad997bbacc99a872189976d336c2433d069db69fdc", + "sha256": "5708605ae509a80e9e65f2dbe00db765afb07010b91d983c26301632cb269bf1", "type": "query", - "version": 2 + "version": 3 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", 
@@ -5892,15 +5911,15 @@ "8.19": { "max_allowable_version": 106, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "4375163beda09c681b27072b3aa5bdaa3555208e17922ecad6fda6c91a4f2bca", + "sha256": "e43ca4e552859a703fda789890e9beecc00906c3805250b4156acc7bc56b7cbc", "type": "esql", - "version": 8 + "version": 9 } }, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "65a454cc1fce718ec3654010e949dc303832981c0e2ff2728d17fee2c0760e21", + "sha256": "86a8f77e493766f2573af3fd44aa5355acd0aee0ec046bc6bee7f1022fea8ab1", "type": "esql", - "version": 108 + "version": 109 }, "751b0329-7295-4682-b9c7-4473b99add69": { "min_stack_version": "9.4", @@ -5942,6 +5961,12 @@ "type": "query", "version": 105 }, + "75f9b95f-370b-4ff3-a84c-66d9ec0b84eb": { + "rule_name": "Nsenter to PID Namespace via Auditd", + "sha256": "f88c26dc7d5fb9ad8dc2e4c143876eed2b3cdafaa896df247ffb58aa20da89be", + "type": "query", + "version": 1 + }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "b1b0ac8a275f03a9e4f9266bdecc75a46d294a978807e76dfa46eff651b47ddf", @@ -5956,9 +5981,9 @@ }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "4588e1ad8fb41b88c6cea0ea015d458eafe7b89a1c54c30d22e3d2e3316607f0", + "sha256": "99fbc0670843f40742c6738d7b65a175e21e572c0104971752b9a0481f21d03b", "type": "eql", - "version": 118 + "version": 119 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "rule_name": "Creation of Hidden Shared Object File", 
@@ -6002,15 +6027,15 @@ }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "e7afbb0e90528f88d44454c50d04d54ff59ec58fbb9155051deb7b8b84663f67", + "sha256": "0144659d5bb4aa17f606b5607bc2c8f3c8aa5e81be4a31afa402a200ff25cc34", "type": "eql", - "version": 320 + "version": 321 }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "ae6219be9490a0e14de2854af8b1c2505259fef2476f7d732cf9e98b665cc43f", + "sha256": "c2d560f60f74a23d2e584cb249c922e56a552e5f3a1c99eda122d4d0bff70fc0", "type": "esql", - "version": 11 + "version": 12 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "Entra ID User Added as Registered Application Owner", @@ -6068,9 +6093,9 @@ }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "75b51a3ef1302cdcab08d871e051a793a10903dff63584fbca09305e9a61993d", + "sha256": "2a433940966f2f0fe891fea3f39e6171fa12e90c3e5ad849e26484da381596f7", "type": "eql", - "version": 314 + "version": 315 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", @@ -6080,9 +6105,9 @@ }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "21b66925e5b20f61404277c32caa3fe78101d5c5e6c62c75497373e3ea137086", + "sha256": "9ea32cdb4aba86e589f83ad01881254cc615057b09a596f8a1740009fe17a0ea", "type": "eql", - "version": 11 + "version": 12 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", 
@@ -6122,9 +6147,9 @@ } }, "rule_name": "Execution of a Downloaded Windows Script", - "sha256": "19f752a00fc030143b709c78f2366eede110a300af7bee98114e298c9bf5c22c", + "sha256": "b8466ad6bbac620f7b3c11957e157be4a1d5210c764eaefdf7289fda21a7f9d2", "type": "eql", - "version": 306 + "version": 307 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "rule_name": "SSL Certificate Deletion", @@ -6146,15 +6171,15 @@ }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", - "sha256": "187a0d7e3c56dc3eff8e71a5765b3c8fe286478ffdb02c179a2c13b110e7887e", + "sha256": "9cc0e6419c073ff3ff662d338732b39dfadec281284f8660850c09294746617a", "type": "eql", - "version": 216 + "version": 217 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "d9d5f80c14fa4219776918c52f1586fd8de74dbd8c7bb558bb623285497d8901", + "sha256": "cb8b9a7be0c9d85f513c4b408bd065b0757c377d6e23ab723dc55a1741e20517", "type": "query", - "version": 218 + "version": 219 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", @@ -6212,9 +6237,9 @@ }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "e0970ad84e517e202db952ebde06a5d447c4632796391a9ff76564e69d0b1ab7", + "sha256": "dd30b5f7a318ad5565b52afd773e5291c49e0651eeb6c859d4b29d254f2a8ef4", "type": "eql", - "version": 311 + "version": 312 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", 
@@ -6290,21 +6315,33 @@ }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "fb1813b23c990778e2113f705cadaae578db421390da4bcb1e9be01eb81d56ab", + "sha256": "d223ec9ab8f7b8c61d6100d7408999304a0de71fe37a9e8eb43cbc6b4a7ed459", "type": "eql", - "version": 315 + "version": 316 + }, + "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b": { + "rule_name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces", + "sha256": "91f40a360d614d4e374653898a06a606f41d52979be1f57ce06ddb453217f93c", + "type": "query", + "version": 1 + }, + "7e5c0e5a-95a5-404e-a5b0-278d35dc3325": { + "rule_name": "AWS EC2 Stop, Start, and User Data Modification Correlation", + "sha256": "5085178d8ef62259fb3d7a651f12d9b8070eec2122578fbd32b611c1df0df882", + "type": "esql", + "version": 1 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", - "sha256": "ae3b0d26f8de970a947ef4c78b0874079e3c6f378ae0c0b7722248f3a8cf4835", + "sha256": "602390ce15528f3c17793e86c7683d855e54283b997afff2b59450a9133c229f", "type": "eql", - "version": 4 + "version": 5 }, "7eb54028-ca72-4eb7-8185-b6864572347db": { "rule_name": "System File Ownership Change", - "sha256": "7cfddf05ed43916407c837cb2467df1102044e05c4082006fc9a581488a2407f", + "sha256": "1e042eae7f87d61976c6c536ce63589d0e4f670101060411413e6cb718dd5017", "type": "eql", - "version": 3 + "version": 4 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", 
@@ -6320,15 +6357,21 @@ }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "69dfb1e0f5d03ec1d65f9e5bb3a1e3447beee47c6a8cd7e499615db82def6721", + "sha256": "37d093b58d917e0eb1a4d8f9b92723a63feff6e1f14d8f8be3cfa3f2b9b5fb6a", "type": "eql", - "version": 213 + "version": 214 + }, + "7f3a9c2e-1d4b-5e6f-8a9b-0c1d2e3f4a5b": { + "rule_name": "Potential Root Effective Shell from Non-Standard Path via Auditd", + "sha256": "d0f106dcb3ff6ae76fa7b71147a962b1e967aa7e742d48988008a8e178d54fa9", + "type": "query", + "version": 1 }, "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": { "rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation", - "sha256": "d4e00709ce02e8ab4a968317d474a4f37a488131688236d120d31edc1e5b09ad", + "sha256": "6cf3054443a5d4ce4ad838455a77599f465d2a6d1b7aac00f871e31970d212ad", "type": "eql", - "version": 3 + "version": 4 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", @@ -6454,9 +6497,9 @@ }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "68ec1c5409871ffee3ab9e22a3efdbb509d98c1c566eec7d583ef51204ee534b", + "sha256": "b2573abd94d397aa342b54649a68d6dd61b1eab6fa2a85262d80622ade46a7e4", "type": "eql", - "version": 316 + "version": 317 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -6466,15 +6509,22 @@ }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "78ecc919099d037e5659de54e87c82ad17df389c27afd588da069af4a012318d", + "sha256": "7a4d5185d5e5d9b1908bab0d3aca30a9fd909de1e7ed5bd9973f17ea38c45131", "type": "query", - "version": 319 + "version": 320 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "739b4ff940e656c440d455ca916fb7a7619d4cb080a6a7ecebd1386e347a9de0", + "sha256": "19540fa8823bf220012c9be723cb349c87f01d6257c20b38423e67c4c11e70e2", "type": "eql", - "version": 113 + "version": 114 + }, + "8248323e-f888-4134-a26f-37a6362f7231": { + "min_stack_version": "9.3", + "rule_name": "DNS to Commonly Abused Web Services", + "sha256": "dbb5583417dd597c8f05b913273b53b8409710f3ae1eb6b9aa6e9eb4c83092fd", + "type": "eql", + "version": 1 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", @@ -6502,15 +6552,15 @@ }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "b8ef5115c9f54595fadd3f284a8b6ea0864837f5fb5bcd3d997bc801d7cb7fb6", + "sha256": "a2bb9648be410edc4f63b16588b57cd265841be85791537e0d4635d059306344", "type": "esql", - "version": 13 + "version": 14 }, "8383a8d0-008b-47a5-94e5-496629dc3590": { "rule_name": "Web Server Discovery or Fuzzing Activity", - "sha256": "a499f4a8ea232b85a55016c81a941b0cb43d922a742cb338e8788ace8506a2bb", + "sha256": "985bf66729f4fbb6875ca03651b5f088856495eb5e52ed0c62d9c950a63b5641", "type": "esql", - "version": 4 + "version": 5 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted", 
@@ -6526,9 +6576,9 @@ }, "83bf249e-4348-47ba-9741-1202a09556ad": { "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "6bc2edca28882f897a4e573a672f41b4a793b0dc029c402bd4ddc73b80171e9c", + "sha256": "f37d18299f2b6ae378e9ebbda386f621a87953d1876e6a1d5d05d56a2a42375e", "type": "eql", - "version": 213 + "version": 214 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", @@ -6562,21 +6612,21 @@ }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "a2fb338be09ab3380f8af87ac7ed2ffe9b6cefaf284290b3b8f8395f89946705", + "sha256": "910ab24992b092b670b8f46bc6acd50d1ebd6641c4c0afbe68cb426c5c30f8bc", "type": "eql", - "version": 218 + "version": 219 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "205dcbab529bfe7df0ee458c41dc53611d1634570eba8540c5243e4cca827912", + "sha256": "574d715b6ce4b597ea59f0da4cbc28681d04fd706bffc3261faddca6bb433510", "type": "eql", - "version": 113 + "version": 114 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "3d4e8b23caaf37cfeca9cb09bb5568d5eba46c78af72613b9b30c7f5e3043a03", + "sha256": "b3fd7ce2686a4da739298c81e33a67dfa9c63b11eb3976fa0b8c45ac55facc8a", "type": "new_terms", - "version": 216 + "version": 217 }, "85d9c573-ad77-461b-8315-9a02a280b20b": { "min_stack_version": "9.3", 
@@ -6587,15 +6637,15 @@ }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", - "sha256": "e1622f5f1fa297b5f0a4cb3e691f41981673b2a1b436b4ef9501bf1b863c902f", + "sha256": "e2f5f510ca7a02c9742e8740fd5c6a609fdbff33b7d65d755b9a2a93ef2d248b", "type": "esql", - "version": 10 + "version": 11 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "186a06a03ae74eeb1b06bd9159f47a0821849d708c51ab72a89944535039494a", + "sha256": "10bbd6b833bdba66080b6ea0671751c89bbd7d3fc0518fa6f03c456539502df0", "type": "esql", - "version": 11 + "version": 12 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", @@ -6635,9 +6685,9 @@ }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", - "sha256": "995b9d93f6f7ad1ddab3b2571cafe49df81da43d72ec4b4c13ec151139aa85ed", + "sha256": "4bbc068166c4cd467e8b63f0500aaddf001c6469a8ae6a620d661881570e619f", "type": "eql", - "version": 219 + "version": 220 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", 
@@ -6699,21 +6749,21 @@ }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "09e1c7f150b87198870ffe8fc507a6dc726cee93d0b56ac28541e82f1e09fdf0", + "sha256": "79766485064b150c88c72e4318717a5ae5fbf67996a675b6a6fc90adc2bd6c35", "type": "eql", - "version": 211 + "version": 212 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "806992ca659709f31c282aa36432f26f3390a06a625c9a7a25de043e9d5f394d", + "sha256": "91e82c47e7296c7f031bd60c2e9a11cbad7708537f7897a41fc725b48242bcdb", "type": "eql", - "version": 107 + "version": 108 }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { "rule_name": "Unusual File Creation by Web Server", - "sha256": "82cbb50093b7189e8055cf91877ce1bc99b834a542647687ac04ef91ea1da63a", + "sha256": "e571b65fc24fca4eca6d1be59574531c2d30099725b3b2636dfca04cf3dca1fd", "type": "esql", - "version": 7 + "version": 8 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", @@ -6729,15 +6779,15 @@ }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "9a1514fa2f7c2e178c7f302e262eef5082e37f640a372ca6cec31a365d8fa536", + "sha256": "997ff3e71d520c0732a123e1d0ad70cdd6bf378b08cb0676dcb3dc3b8be50005", "type": "eql", - "version": 214 + "version": 215 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Suspicious Command Prompt Network Connection", - "sha256": "d3a28ac5257797347250b3cefc1d7cddf75c74111a6c131fc90628798f269067", + "sha256": "78c4503367d09652a555301342470eda60e4bb0bbbdede4115675d26689da852", "type": "eql", - "version": 214 + "version": 215 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", 
@@ -6771,9 +6821,9 @@ }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "349ded4bcc9e6ba485b858b410906271ef2070655016a3b59de4611d2494c49e", + "sha256": "b1b9d970b94d1f0d33fee26a4679f1232d96921a54d9a4d0c247b861915dce0f", "type": "eql", - "version": 213 + "version": 214 }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", @@ -6795,9 +6845,9 @@ }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "fae45c38eb0708dc0f2096880ab919cd46343fd1c1823720cae26d411279bb76", + "sha256": "df522ce5e98dfecebb085a50f07d0317c34618922825d910d3e36754b4d631b9", "type": "esql", - "version": 11 + "version": 12 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", @@ -6813,9 +6863,9 @@ }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "20b91f19ec776d6f1179f96ae9d46395ac61e4b7b3be5fc2d317092da66d08ae", + "sha256": "0891db2139f619c3e12aa7ff813fb6c47c0b921921e10f68302d2cc5e09094fc", "type": "eql", - "version": 314 + "version": 315 }, "8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": { "rule_name": "Azure Storage Account Keys Accessed by Privileged User", @@ -6825,9 +6875,9 @@ }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "43e6b39859e36dc5181e71b0ca64e8e776726b6ad501c173e0c42bdb9e9d47df", + "sha256": "155748dc2cb03082c198d49c5b3a63d68bcbb946ac0249b60cdd1c0ad240e967", "type": "eql", - "version": 315 + "version": 316 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted", 
@@ -6843,9 +6893,9 @@ }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "fd45ed32eef68eefb81f13d7cd4cdc4e12b2ca264c48297ba6efd89e13779907", + "sha256": "a116199798ce219c0aceb2948a7979d20498678ec9bb86abedd8ddb7e974d16b", "type": "query", - "version": 109 + "version": 110 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", @@ -6907,9 +6957,9 @@ }, "8cd49fbc-a35a-4418-8688-133cc3a1e548": { "rule_name": "Proxy Execution via Windows OpenSSH", - "sha256": "161c7eed6e8ad23b0acbb5070135e31fe0572e89abebd989d5ea57f5f01044a4", + "sha256": "e08100fdb189d4a8d88e1b98e86124b022055743f5ea002e7c6e51addcb26261", "type": "eql", - "version": 2 + "version": 3 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", @@ -6971,9 +7021,9 @@ }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "8de5d7598c49e7ede9c1872b705f1f807ca20b88f45edf7ddbe27f571f78ce7b", + "sha256": "753cd28018873970c400a8298c254ce1524a2b19087d022f3c34d946504e3669", "type": "eql", - "version": 212 + "version": 213 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", 
@@ -6995,21 +7045,21 @@ }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "File Transfer Utility Launched from Unusual Parent", - "sha256": "86d4b8bff899870c31beb92eb469bb066b050c2d60b96d1ea4f924b46e27b5c1", + "sha256": "836b3c4bc02c3e85bb2f6eaa8fec7d019a33b393b55fb392dc33c9c865f2deb6", "type": "esql", - "version": 11 + "version": 12 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "148b2bc654243c7d2b288bd24935dfcf2bbe95f5389f6b3e61979400f65a353f", + "sha256": "79d2a9160017926198d637f08dc603fedbb7cd4fbd83d17b74b08580ee1474bd", "type": "eql", - "version": 107 + "version": 108 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "98bfdfffa8b7eb1d9c4ba3130777dade2c4f0998256aed659a1f8988095f51b7", + "sha256": "97d9b5554bd6133e3e4d7eab81bb0e47fff98c0f0126fc4f675c97058901bb29", "type": "eql", - "version": 112 + "version": 113 }, "8f8004e1-0783-485f-a3da-aca4362f74a7": { "rule_name": "Linux User or Group Deletion", @@ -7019,9 +7069,9 @@ }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "228c17439f27e613d0b772ab38c3e921ac3177b0cb0c85045797d3e7489e9316", + "sha256": "166e37431a08e33591ca315008ea56f76f0f709bf7e858c2dd2fe622cccd981e", "type": "eql", - "version": 211 + "version": 212 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", @@ -7043,9 +7093,9 @@ }, "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": { "rule_name": "GenAI Process Connection to Unusual Domain", - "sha256": "ab16862be294a8cafb0878421a7b9aafabca479c054566f98ab72db037fcd213", + "sha256": "411e1e52013103268793186989a70512a23fff33bd76a04df70efccab5657b4f", "type": "new_terms", - "version": 4 + "version": 5 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS DB Instance or Cluster Deleted", 
@@ -7053,6 +7103,12 @@ "type": "query", "version": 212 }, + "9056d577-4da5-47bf-8c94-6c0b1bb3f8a5": { + "rule_name": "Chroot Execution in Container Context on Linux", + "sha256": "1327e72d0dfdb1e0f8b9b5f3fefee53813631ef25ed39a9bbba78105ed320c11", + "type": "query", + "version": 1 + }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "rule_name": "Simple HTTP Web Server Creation", "sha256": "09d9d01561eb71ac979bff7232ba219371801a51e963720cbb333052c30acf43", @@ -7086,9 +7142,9 @@ "90e4ceab-79a5-4f8e-879b-513cac7fcad9": { "min_stack_version": "9.2", "rule_name": "Web Server Local File Inclusion Activity", - "sha256": "a77f8dd88a7a2f66a98b2c3300345871d32db3ec9348ef9a19395e98294d62a3", + "sha256": "03d1493423cf1eecb33f5c4bb9d629da961d04391cab206a3651b60855ddd1e8", "type": "esql", - "version": 4 + "version": 5 }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", @@ -7188,15 +7244,15 @@ }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "rule_name": "A scheduled task was created", - "sha256": "2ce457df9a671f64542590d29ec2bc1596c383270ec690af4ba166721023ef40", + "sha256": "7efafffc437abbe227a0503113191f580362de2d55f7d83279aa4718b2ad5227", "type": "eql", - "version": 114 + "version": 115 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "d684c85dc5d52b61cf3a00401b6d7b15bb24a6a8d501121605996315037983b5", + "sha256": "ba06cd9a60b678a177105f360eee0602b9dbae4dc739bd308111e4ccf706fe98", "type": "eql", - "version": 110 + "version": 111 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", 
@@ -7204,6 +7260,12 @@ "type": "new_terms", "version": 216 }, + "93120a05-caf5-47f6-a305-e8abee463fb9": { + "rule_name": "Kubernetes Pod Creation Using Common Debug or Base Images", + "sha256": "75899e6bc8d17dbb87ecafbe4e9e56a1a465d8e7dffd767f9a24ac2d03860358", + "type": "new_terms", + "version": 1 + }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Activity", "sha256": "bed251adfc37c827253140e4659e753a36a15717622a7081ab318cf765576578", @@ -7218,15 +7280,15 @@ }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "2f4bef09433201d5737c30386cbb965fe99bff5eb973d5f4b5d9e32905e035d5", + "sha256": "b1ca64a473159cace9469b404e6e212f76b072963ef57f2082259313d45d3b85", "type": "eql", - "version": 213 + "version": 214 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Deprecated - Encoded Executable Stored in the Registry", - "sha256": "5591519f37eb40593828317831871b06a4aea555bebe77fb9673d95ebe444d06", + "sha256": "f68b4a5cc0a9b8ae595d15919b1ce6607fa1a1b6e08ef5f73c6b91d35996c7ac", "type": "eql", - "version": 418 + "version": 419 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", @@ -7260,9 +7322,9 @@ }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "f17e7d83bdd45c1e35f6acd2012cb04fb0fab1599a5c7174423b616193122af9", + "sha256": "3507e4b16ab8077d5b8ded1a95748032027b442f316dbc78a0ac441986535426", "type": "eql", - "version": 215 + "version": 216 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Potential Okta Credential Stuffing (Single Source)", 
@@ -7278,9 +7340,9 @@ }, "951779c2-82ad-4a6c-82b8-296c1f691449": { "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "0667231065032d984269b8e7c38c6f897272af7ebfd80313727e1eb8faf5342b", + "sha256": "c0132ac1a7c0915024784aa3942547eb1ab31b0ca04f36d96800c8bd7ae1d279", "type": "query", - "version": 109 + "version": 110 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "rule_name": "D-Bus Service Created", @@ -7290,9 +7352,9 @@ }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", - "sha256": "6da3743f708580488d3f5e70ddab86ceadad147350a9bde3f95229d0021ba8c3", + "sha256": "d806114e9175121535a78373c2f4f747985e6a90c11f6e960c3370037b71e866", "type": "eql", - "version": 214 + "version": 215 }, "9563dace-5822-11f0-b1d3-f661ea17fbcd": { "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client", @@ -7308,9 +7370,9 @@ }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "9bbafc590b50bfd04f203f601c190c6e90803c1c8f1ff4875c4797b2b871fc06", + "sha256": "a266665d423c29eff07547ef4fd37eec7dc215b9f139f64484299c2a1bc49456", "type": "esql", - "version": 210 + "version": 211 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", @@ -7372,9 +7434,9 @@ }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "fbebd44525dceef0ede4b04ea6dc25697c9905dcbe4212fe2c02f891abcb80a4", + "sha256": "3f327621ed0547019a5b5d0a878ab68f39d8bea7a021464559cbccee95018f77", "type": "eql", - "version": 113 + "version": 114 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "rule_name": "Unusual D-Bus Daemon Child Process", 
@@ -7412,9 +7474,9 @@ }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "a00d6b454618edd6f83bf6b94f54801e8b62da5ec958f1aba72bba4a4bdffc60", + "sha256": "5bf6380747f1cb95b184818ca866517ab8cd592d255de6dee340594eb30015d8", "type": "esql", - "version": 11 + "version": 12 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", @@ -7436,9 +7498,9 @@ }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", - "sha256": "b16f4503068a8e8a456ea9f63f32bbedb866b7b79a36e6ae4fa7785f402fb2d8", + "sha256": "1a18715f4ab14be5a645089d5e96d2d98eaf64d7c8b4239d84d2d0c8b518fbfa", "type": "eql", - "version": 422 + "version": 423 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -7460,9 +7522,9 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "3f693807be8d9f10dda45d8759ac626810c760ebf05dfebcc180a15a5094498d", + "sha256": "d7a6f3d9e2ace9040d8e06757f2efc2c06486ff524feba35e5e3a743560622d6", "type": "eql", - "version": 119 + "version": 120 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", @@ -7519,9 +7581,9 @@ "98cfaa44-83f0-4aba-90c4-363fb9d51a75": { "min_stack_version": "9.2", "rule_name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts", - "sha256": "4d1eb0d8f54d6d9ca893701c2deb5d9a983041c19a1127b93848822120ab39a0", + "sha256": "36a458a86040717891dffe0223608c244d185d931205bbeee4113444efced15a", "type": "esql", - "version": 1 + "version": 2 }, "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": { "rule_name": "M365 SharePoint Site Administrator Added", 
@@ -7555,9 +7617,9 @@ }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "8644c4d2fd74db78d00a78306bbc41d28e0fa36336de210c61211c8d3b8b4c9a", + "sha256": "97c6179e37d6a79ce2058fadfe181ef06473676782811c2c2c42619d9ef9d70f", "type": "eql", - "version": 313 + "version": 314 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { "rule_name": "Access Control List Modification via setfacl", @@ -7567,9 +7629,9 @@ }, "99ac5005-8a9e-4625-a0af-5f7bb447204b": { "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query", - "sha256": "b6cea4a0d0eee3e800098108eafb099e27c5451f75a5202a3d12408cb4e4916f", + "sha256": "a2d97fff1bd846c160d0686891ff780be940567b549646c42ea3501261c01f27", "type": "eql", - "version": 2 + "version": 3 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { "rule_name": "Web Server Spawned via Python", @@ -7619,9 +7681,9 @@ }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", - "sha256": "5d19110cc2f46e206df1cccc8dc7e4592cd148e313efc696ec6c17e63fa43317", + "sha256": "df0048d2667b6c222cfdce393bfaed7e9c0b0ff9f393e1e2179394241e1acdf9", "type": "eql", - "version": 314 + "version": 315 }, "9a6f5d74-c7e7-4a8b-945e-462c102daee4": { "min_stack_version": "9.3", @@ -7641,9 +7703,9 @@ }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "724d3db917545c23628a1ca48afc61add24a5fdc65f8ce91d5735c838391a080", + "sha256": "3810a0fccc9e811440eae244a951df04360e69e721dfcf8f30aa58e24469f983", "type": "eql", - "version": 315 + "version": 316 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", 
@@ -7653,9 +7715,9 @@ }, "9aeca498-1e3d-4496-9e12-6ef40047eb23": { "rule_name": "Suspicious Shell Execution via Velociraptor", - "sha256": "eb78275f8550af643da2fa1a16e9d2e49843ddb5d67da926272cb0f2e51e2b8c", + "sha256": "6b99269e68808661c7b097b7da16cf8d7325e44f45bb3d3d2420dc40f42bcdd8", "type": "eql", - "version": 3 + "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", @@ -7671,9 +7733,9 @@ }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", - "sha256": "bb72fc009b5619a3f32e5104c274cf758853879186b712b2882c25cc6f13ea64", + "sha256": "374c1fe670e524331c98bbb4ec7592c692b262eb48d79de575d8a792ab4a3eb2", "type": "eql", - "version": 318 + "version": 319 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", @@ -7701,21 +7763,21 @@ }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "e6d216b19b6e5cd9fca8a136dce8a450515c8dafb5e2d0e9015ab2456807aebe", + "sha256": "19de9f9fc0e3eecf2d6c781ee13ed518693898c4ae017773ae00935a3c0461b8", "type": "eql", - "version": 114 + "version": 115 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", - "sha256": "66ad019e1cd62c66983ee960fdcbe80dd6be678bd2e81d87a998a9fa1850936a", + "sha256": "0c85320dda4c263897f73786db5f64709cee15a949bdeb737af5e0699732c8d8", "type": "eql", - "version": 6 + "version": 7 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "7b44a9ae01b478c9396159990d5e3a60ba0a814396ac5d734b8ae0e10c12a3cf", + "sha256": "b196224da05961cc60a8e23ab01d266096b0a93b7052944f664f549754b8f810", "type": "eql", - "version": 314 + "version": 315 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", 
@@ -7731,39 +7793,39 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "70c80d9fd4279270f44d1ebb99d57f193bf3a07b00ca30244a3eca0ae8091b39", + "sha256": "81212b96cde03acf5a34ba614c8863dcc6824d7342a7a9bb0de627b78ae23a56", "type": "new_terms", - "version": 317 + "version": 318 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "fa74f1ccd35ac20ec3f06710dfc85bfa783c3bcc354f7d1db23262f16b40111a", + "sha256": "a5a2120ba773b49b0c59e22922b4d05a1af99a127f4a6bdf1f9aee20e15bedcf", "type": "eql", - "version": 318 + "version": 319 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "ae2f50613dcf0ecc490032648a841e44c7fdcc987584c1b076a221826c54e4d1", + "sha256": "c7e89da2a2aa3a6c364cad023a1d462109ad48931c034f3dbd9796b13a413f5a", "type": "eql", - "version": 219 + "version": 220 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "c0a27cb947621baeb5635ca97bbe0d49655c9dc8093857231da6d79f7279c93b", + "sha256": "0982e8339b388a70826a63e397b5e247bacd15c4aa96fa2be11d965afd150e48", "type": "eql", - "version": 213 + "version": 214 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "077706fa97d8e176feb1fd774622b2256a6b8d0e93a5acefdaa7816e1069b803", + "sha256": "42048d40cc9b676d20a7f287ad562321f8a39036183d95d04b769aebead1de85", "type": "new_terms", - "version": 320 + "version": 321 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "a072afc3d6fd07513849b5a4100fd01811c2a7a1f13ddf178a7e069277df0073", + "sha256": "934d4f4f579d6487e86d38b573a7fedca4169097d8914b5859aedc7ba96931f5", "type": "eql", - "version": 211 + "version": 212 }, 
"9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading", @@ -7807,11 +7869,18 @@ "type": "new_terms", "version": 8 }, + "9e5dbd3b-5e19-4648-a1cf-c2649c91b015": { + "min_stack_version": "9.3", + "rule_name": "Namespace Manipulation Using Unshare in a Container", + "sha256": "e432f9cf681f15c99f6ef764b574776af1db178c2e2367382ffb482750acf8f5", + "type": "eql", + "version": 1 + }, "9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": { "rule_name": "Potential Password Spraying Attack via SSH", - "sha256": "2cb5a636d4f3e41d3b6e9ba18f297882ae22cb5f69ef6905993a1548ab01758b", + "sha256": "3cbe10aca00d7c1efe266e506d7f5a7d57600ad6207ecce6d61f2bb650737630", "type": "esql", - "version": 2 + "version": 3 }, "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { "rule_name": "Potential SSH Password Grabbing via strace", @@ -7869,9 +7938,9 @@ }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", - "sha256": "58e3c0aea20cbb6bf38b5fc51576fdae9771ad92b74fb600c1c75aa17ea15d1d", + "sha256": "9c42ae537b615ded60d491c0690bcaa728c5fe70c54e4d67b5d0a21a63b88776", "type": "new_terms", - "version": 220 + "version": 221 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", @@ -7887,9 +7956,9 @@ }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "Unusual Scheduled Task Update", - "sha256": "be27942be42700441e3710adb1e8971797e4427df302caac077fb90e58cb5173", + "sha256": "c67025ab0d89afff2e717de898cb55d5689c8aad67826167a03b0cd4c9bc284b", "type": "new_terms", - "version": 117 + "version": 118 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", 
@@ -7911,9 +7980,9 @@ }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "422c5f78e61e61a60f06cc1a38e9759242687246cda0c59c36ef24db0cbd5359", + "sha256": "e62636c003eda020e0336d2bf353771df79401bc70067f267bf5059c2bce00dc", "type": "eql", - "version": 211 + "version": 212 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", @@ -7923,15 +7992,15 @@ }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "e387af91f7e1e693d71caa63bc7a80a8cad970b65d3b9b3790eba5b894e71fae", + "sha256": "253c914e9293edebec6c7faf581b9cef1faa6bab72fc5ae1ce5284af5d7a0a04", "type": "eql", - "version": 212 + "version": 213 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "2839edbd2eef88ec655dfeaed2ad94d748e9196dd7842e600c10784e7f19fd4b", + "sha256": "015324413a84362600add02b8df771116af2de4f119d3868ab9425704251e0d8", "type": "eql", - "version": 214 + "version": 215 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", @@ -7957,11 +8026,17 @@ "type": "new_terms", "version": 2 }, + "a1b2c3d4-e5f6-4789-a0b1-c2d3e4f5a6b7": { + "rule_name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity", + "sha256": "c3bf694ddbb0183b499e816bed860e55e57086d6f8bee87f6eead524f76a96ff", + "type": "esql", + "version": 1 + }, "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": { "rule_name": "Potential Account Takeover - Logon from New Source IP", - "sha256": "8ac9e5ba81be809685d81c56be8945e7562564d2acda52497a6a52f9d76eba2f", + "sha256": "3eb049e7a57e256acae41fb8b3da9603ace0b0d8167ea059564a83f64cc7a5b2", "type": "esql", - "version": 2 + "version": 3 }, "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "rule_name": "Entra ID Protection Admin Confirmed Compromise", 
@@ -7977,9 +8052,9 @@ }, "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": { "rule_name": "Web Server Suspicious User Agent Requests", - "sha256": "5b2ed0b00a9cecc670d81984d3ed972c8781a96409beda27b3ae4ca5bb2e72e6", + "sha256": "f069dfa7e85bd95eea645793c221cb5329e75544f6b1b6646cc55a104a95ee7f", "type": "esql", - "version": 4 + "version": 5 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", @@ -7989,9 +8064,9 @@ }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "d1742a8f6baeda422ac5e4599f7ad1604189781b7ea6d244389bfc4f0d6cc887", + "sha256": "1094a50c56d7017e3b7cacacb46da4f3f742a1927fcbbd986b23e9f2cb7b8632", "type": "eql", - "version": 316 + "version": 317 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", @@ -8053,9 +8128,9 @@ }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", - "sha256": "93b4860b7335468f8a8cb6caa81436cbab24af1f61565d355d12b1c0289bb85e", + "sha256": "45e496a5db75cfaeacfff862a81984feb874e83dda47302b806b3018d6b902b8", "type": "eql", - "version": 314 + "version": 315 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", @@ -8081,9 +8156,15 @@ }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "1bb0110ad3d200b54abca7cf4469c34dfeb0097d5057b0ade9f484188955956c", + "sha256": "494c2ead2012b6ac1746c05e790ae1b33e01a2c4944d8d5ceea9b180635be2eb", "type": "eql", - "version": 113 + "version": 114 + }, + "a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a": { + "rule_name": "Kubernetes Secret get or list with Suspicious User Agent", + "sha256": "e46a2fbbff2a97fc224bcfc204b6da19f6797f396c7f45d04837c9c0e237ffc6", + "type": "query", + "version": 1 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", 
@@ -8167,9 +8248,9 @@ }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "2d47f8a8fe77ba2d20c1d0e420c8c0184d9fce8dec9eb42de083228ee7782763", + "sha256": "61beceda1e8d0cc9099934a9ad0a0bcae06126b1650941b03a8b4e36c8c1f191", "type": "eql", - "version": 319 + "version": 320 }, "a640ef5b-e1da-4b17-8391-468fdbd1b517": { "rule_name": "Execution via GitHub Actions Runner", @@ -8227,9 +8308,9 @@ "a7577205-88a1-4a08-85d4-7b72a9a2e969": { "min_stack_version": "9.2", "rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal", - "sha256": "ac58b82b1f4cd73a4d16a34212431268142b70229629c67b3e311aa707dcea98", + "sha256": "b08945299b2979bc5b4cb397789d41998ee6fc5b71db51bfe41012ad68ba8e2b", "type": "esql", - "version": 2 + "version": 3 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", @@ -8239,15 +8320,15 @@ }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "05f6d2480b4abed5e937479badcf771d7424a8b6a021962e5fca3c12acc08963", + "sha256": "9a80dda429d15a1d127b965b832c36ae3ecc37b8d11e618da12fd5c3d7c2d9db", "type": "eql", - "version": 117 + "version": 118 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "2b21f27255a4ac81ad9f467d67b906ed16e22ba90bc5a29f86f4ac561fbf8afe", + "sha256": "09188e85df6c935a817c69aff47b5bb33c503487e0fb04907d556b52211719f9", "type": "eql", - "version": 316 + "version": 317 }, "a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": { "rule_name": "M365 Purview Security Compliance Signal", 
@@ -8319,9 +8400,9 @@ }, "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": { "rule_name": "Newly Observed ScreenConnect Host Server", - "sha256": "cabaeca9e2b181ef28dd279e76d8fede9fc1829cbcf8ee0cced3e387f9d1e653", + "sha256": "42aea7c755e89c2bd3dc07f143d1900120f97192aa9e1d3400c34f98c42e26eb", "type": "esql", - "version": 2 + "version": 3 }, "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "rule_name": "Azure Storage Blob Retrieval via AzCopy", @@ -8351,6 +8432,12 @@ "type": "machine_learning", "version": 109 }, + "a8f3c2e1-4d5b-4e6f-8a9b-0c1d2e3f4a5b": { + "rule_name": "AWS IAM Sensitive Operations via Lambda Execution Role", + "sha256": "722248fbd97f34880ac46f44b6881220135ab96b0ffbff1f45977226ab809dde", + "type": "query", + "version": 1 + }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { "min_stack_version": "9.4", "previous": { @@ -8439,15 +8526,15 @@ }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", - "sha256": "d41b2ce91143e8b5a36d2d9e2d2e08e32df9b2200511697cacf5f3bdecc18fee", + "sha256": "6044bf376ccf04ea41cce6830f9e16bb0e4e844f7476ebbddb782cf23d5f3dc4", "type": "eql", - "version": 217 + "version": 218 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", - "sha256": "b3a7cd498fd33ca79fa1c69681eed2d788109c32e03d62a5bebd236cc6300abd", + "sha256": "40212eadfc73ddc6d9f2fba89b444a4f0646b6c991c6f16e3b33e61216bb6cda", "type": "eql", - "version": 5 + "version": 6 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", 
@@ -8463,15 +8550,15 @@ }, "ab25369e-ea5e-46f1-9cd5-478a0a4a131a": { "rule_name": "Multiple Elastic Defend Alerts by Agent", - "sha256": "242ee3fae70ef07f142db55fd2fc4688fb001c1d263753660e29cb815de22402", + "sha256": "ca36982b65f983afbd58ef8087bb1e67f1468ce5ff36888897cfda5e08b2e4f6", "type": "esql", - "version": 1 + "version": 2 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "8b21463695c549dc63e6b3954e76c01209042706c77dd47d184ace74d9df957f", + "sha256": "800ec5ed633507891479b778135ca7c8a5269e65744649d1d8a0ea40408dc5d7", "type": "eql", - "version": 122 + "version": 123 }, "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": { "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)", @@ -8481,9 +8568,9 @@ }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "96c2271144d138a553b4c8d8d6212b6d787da68435ae52b0b873834d5679cc43", + "sha256": "8ccdf67f1d4b379fa6cc68be39217c56969856cc4f90870f049c0942c6268d93", "type": "esql", - "version": 11 + "version": 12 }, "ab9a334a-f2c3-4f49-879f-480de71020d3": { "rule_name": "Unusual Library Load via Python", @@ -8527,9 +8614,9 @@ }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", - "sha256": "9510d6d1c33fde4f7387816386c4bb3efcac43bb4c7aaa9dbc936a69409c0f94", + "sha256": "f72e495d77718926a77986259bf53a198b1fd96ed96ead06aa95fc1b3bb9cd6d", "type": "eql", - "version": 419 + "version": 420 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "rule_name": "Git Hook Created or Modified", 
@@ -8573,9 +8660,9 @@ }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "aa82c73c60e38856083805edc8a6ae9bd585611711aa27e1243df74d655316fd", + "sha256": "3f9b5483fae2eb0413c7c38ead3683419d62efc4ed179f45151f5383ccff6ef4", "type": "query", - "version": 215 + "version": 216 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", @@ -8585,9 +8672,9 @@ }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "5585abed6562a24727d275419903615a3d29b9c2b4f10910d6394b1a0d471be5", + "sha256": "5df363ed16d64f340d500cc7c16cf64ac44edbe112391910d8559bcf4cfeede5", "type": "eql", - "version": 110 + "version": 111 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", @@ -8597,15 +8684,15 @@ }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "f9f14d7bdc3f0ea9cb07ff8bf681e76bde3b7b5bddc09bd5586187e9d8f0168f", + "sha256": "6e6fcdde0fee19516c1e5836d84451a1720fa05f69d37486795cb309731a5d0f", "type": "eql", - "version": 314 + "version": 315 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "449fc1a0e4c9716e7f094c80e0ae792e8d7fc2b6c1ed1428f46cee96994f8410", + "sha256": "b2f6c9bec79b6a35c9205b12fefba6eea6a3d58cc512e07f94ff0aedc61f79d0", "type": "eql", - "version": 316 + "version": 317 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -8667,9 +8754,15 @@ }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "3fc9c5c4759767185d5582e1bab598a681896a2df7753b4d3c91fb22c0527aa9", + "sha256": "25f56d2f9491f0092ef37953f27c85ac8fb17360040a148f54492118de0a5e17", "type": "eql", - "version": 13 + "version": 14 + }, + "ae32268b-bfd0-4c35-b002-13461b5830ca": { + "rule_name": "AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN", + "sha256": "16982d441cf7c3bd9a76f4382a9c20f7c5a0b6c0d541357c5d9ee793ea06855f", + "type": "query", + "version": 1 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", @@ -8685,9 +8778,9 @@ }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "7ee292bade6c57524e7298455f1ee4cee4de58efd67b3d379e2a17e01861dcff", + "sha256": "883090677565ee7aa2d93b1e7f79a7aa9d9ea846e70568a4cba3893649ac00bd", "type": "eql", - "version": 210 + "version": 211 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created by Previously Unknown Process", @@ -8727,9 +8820,9 @@ }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Creation", - "sha256": "b39882a9dab604277a59054b6df0d7b8110f25764a4dab64f049de9fe081793b", + "sha256": "29f6f4c86ee173e96f81e6df15192dbe3420e73d4bde62a8efc9a4a338676008", "type": "eql", - "version": 212 + "version": 213 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": "Network Activity Detected via cat", 
@@ -8763,15 +8856,15 @@ }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { "rule_name": "Potential Denial of Azure OpenAI ML Service", - "sha256": "5a86479548e1f4f7144d5006bfc38aad7c46f5d62ab025a804f899a4572ee5cf", + "sha256": "d051b64ad0087c58738ea692d5e4f34df38958811cba31ac68d403b214bdfb77", "type": "esql", - "version": 4 + "version": 5 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", - "sha256": "e2f3ba9603ecde9fab5a70120bb939d2c302deb6e768f79fe28a7cab9af9d869", + "sha256": "b7f6e527b15faa58aea7339a5470321f39e1884c6936aae54c724743a99b9b66", "type": "eql", - "version": 207 + "version": 208 }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", @@ -8809,9 +8902,9 @@ }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "9e418c454131da6894a78ddf5a4953ab68e81617b619ef5fc4f5b413511a3efb", + "sha256": "e961ffee8a9b22251e73628ba1a1675421a7f04f8279b096b29fa3ec412f31c1", "type": "esql", - "version": 6 + "version": 7 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", @@ -8833,9 +8926,9 @@ }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", - "sha256": "b9290b1a6d982395b7ea3dab20adc846398f3fbf1226c1238bcc889627029f9a", + "sha256": "9cbdcf3fafd22659be1b5e8eea827bb8893cc7512c49d88c46dd4cde92880ee2", "type": "eql", - "version": 217 + "version": 218 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion", 
@@ -8851,9 +8944,9 @@ }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", - "sha256": "f2a62ec8399d34841a66053ae048739a04aacf0c4fb6268a7d2c0f76f034d6ad", + "sha256": "df2d7525dd2d1f86cbcda0b5d9da2f2a62195e24e8a9a26ea63b47ecc7a2a7d4", "type": "eql", - "version": 213 + "version": 214 }, "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": { "rule_name": "Azure Storage Account Deletions by User", @@ -8863,9 +8956,9 @@ }, "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": { "rule_name": "Potential Account Takeover - Mixed Logon Types", - "sha256": "09c99a80ca039fd0666a6d10512f3feb61fe4b3aeab6c4f625ac892d13462fdb", + "sha256": "fec263f1a8e25a341fbc4d919058aefe36ed0aa33d27a7bef776cc039a301126", "type": "esql", - "version": 2 + "version": 3 }, "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "rule_name": "GenAI Process Compiling or Generating Executables", @@ -8879,6 +8972,12 @@ "type": "eql", "version": 3 }, + "b2f8c4e1-6a73-4f1e-9c2d-8e5b0a1d3f7c": { + "rule_name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization", + "sha256": "24583dae8dc1aba73158f2983e7c0a370cbddc64cdf80ad1a3ed2b84d9ea8870", + "type": "new_terms", + "version": 1 + }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "9.4", "previous": { 
@@ -8903,21 +9002,21 @@ }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "81012af1ec2f5b6aca2a939f64af5618ba53ef128512f84a5fcb23d368081bcd", + "sha256": "378bd1d2c1a58cde20ec32623670281d8a2167d171f8bfd09ec3a767c466ab03", "type": "eql", - "version": 321 + "version": 322 }, "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": { "rule_name": "Suspicious Python Shell Command Execution", - "sha256": "c1cabe9f77f729b71ce8bfcf06dcb88571ca28f37d412abeba692fa11b86c1ef", + "sha256": "6cdfde87acbd94abc4aa15493236dc5cc3d5ba2b9477e6a84979cf1309c83e1f", "type": "esql", - "version": 3 + "version": 4 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "2d8c220853d43e485848bbcbc8a47d1696a882a2aeadc585c3723f1f7766c763", + "sha256": "572bc27e692189379dafcde1361251f5e3e288eabd3bf6783395dc77d479a941", "type": "eql", - "version": 215 + "version": 216 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", @@ -8950,6 +9049,12 @@ "type": "eql", "version": 2 }, + "b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c": { + "rule_name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects", + "sha256": "3116ce1fbded5e4cc884ac4a680158bc2822f8ed3e02e97ac4223252d5d278c3", + "type": "esql", + "version": 1 + }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", "sha256": "8184ab730ee2e991794ad836b1317d48d6b4ea0e58c4fc42fb00db88f9ca8bef", 
@@ -8974,9 +9079,9 @@ }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", - "sha256": "7e14c0cb8230746c7ba5053e283ff64b16bde1082cb789657d3a076a5dd63898", + "sha256": "ec49b73ddecb2a3d97ae0249883658375bafc409d58d3f59db1174f5aaeb3f85", "type": "eql", - "version": 319 + "version": 320 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", @@ -9004,21 +9109,21 @@ }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "1fc45823fd595615deb1b9e32ee0d8aac5faca18436a10e3a095dff25a42c403", + "sha256": "c8097fa09dce15e87aeff4ba80fdb83d373b329e1e3c1253d68ead481505686a", "type": "eql", - "version": 214 + "version": 215 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "rule_name": "Potential Veeam Credential Access Command", - "sha256": "76ad7097a9e21934640d465a1c8142aa93e208ca46b9f207d30650fa75e58674", + "sha256": "05e08f6a48db8458789f9657614baed791232ae181993e95ccdf444a38300d81", "type": "eql", - "version": 209 + "version": 210 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "532e09d8ece61905719f3fc43adcae939124bba063c94681bac206f922fab6d1", + "sha256": "0a84161e37b3038a5efaae0ed7135d830767e9480bffeb05bdba6fb297f50e2c", "type": "eql", - "version": 109 + "version": 110 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", 
@@ -9071,15 +9176,15 @@ }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "907dce619b274f26d19e9cafbef702e882b9c42666f0aeb54efc90d57b8a2610", + "sha256": "310b917a14e643bd8b9da746b930eca41250db760858b9591499e47052cc695e", "type": "query", - "version": 112 + "version": 113 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "15c376a0744fd0c3a4a36e2a0d55d94431d57e9a3c60e075522f0dd830326ef6", + "sha256": "372472e0e1be987ba5607f0b0985f7873818d79075d5d551094c911df93db55c", "type": "eql", - "version": 417 + "version": 418 }, "b84264aa-37a3-49f8-8bbc-60acbe9d4f86": { "min_stack_version": "9.3", @@ -9090,9 +9195,9 @@ }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", - "sha256": "3c4778b7d4cd766b8f6215dab5e2e2395ee5160237595ca472bcea1cc1c66b30", + "sha256": "8902326fd29e6491af0a64878eb8f4e07e31da66e984848dff33107dfc14dc6f", "type": "eql", - "version": 211 + "version": 212 }, "b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Recovery Services Resource Deleted", @@ -9120,9 +9225,9 @@ }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", - "sha256": "1ba1c3f1fd42eca170f3ff7eb6912639769830e43c2bd28c9ad868defd6d905b", + "sha256": "ecaa3fb532fa9adc94bdd4490159fd87d162a316b180bcc92f9911131f8bbaa3", "type": "eql", - "version": 315 + "version": 316 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", 
@@ -9162,9 +9267,9 @@ }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "1dd8d1dbdda33b30bb0324c7779509081b3613c945afd183e5bb0aaa1c0be216", + "sha256": "5623b8facb7575ee89888665115a6288b762d8c7cae967408f985102c8808ddb", "type": "eql", - "version": 316 + "version": 317 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", @@ -9208,9 +9313,9 @@ }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "c36dfdebbc19fdfc76b9b10f57e4c6e51e9958d0e01c6889100cca94188cf35a", + "sha256": "6454e889c2cf1a148a8d04442b4e67982eff43b66dfcdbe6816253576c2ae7b6", "type": "eql", - "version": 213 + "version": 214 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", @@ -9368,9 +9473,9 @@ }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "323b023b910fe57bf68c4ee7c7f42ca105f711cba9f209b1d645d3aed26754b8", + "sha256": "caed468a427a737d9f364fbc48acbfd232a094fd7c94911ccb2b0d0c53acba07", "type": "eql", - "version": 110 + "version": 111 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "9.4", @@ -9412,9 +9517,9 @@ }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "853a34a2946e5ecec7fb8aa33493f0183af98ee1e12913a1f1ca34a825ff5e66", + "sha256": "eb48a9a1d6f3695d16aabc2eac3cb9e8194fb43afd70c67b86f37958aff0734e", "type": "eql", - "version": 317 + "version": 318 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", 
@@ -9452,9 +9557,9 @@ }, "c0136397-f82a-45e5-9b9f-a3651d77e21a": { "rule_name": "GenAI Process Accessing Sensitive Files", - "sha256": "134cfa1f39eb9de34659e1a3b3376c319f97cac34e9345822e80b746e87ef752", + "sha256": "7c9b692a829b9a52b6aad77ef0ca0d339f3a4ee67c3e4adddb2bafcc92231395", "type": "eql", - "version": 6 + "version": 7 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", @@ -9464,9 +9569,9 @@ }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "63b630a4079956218800fd38dd401b49b8fcbb14220e88d30244daf881f1fcc7", + "sha256": "b6eebc798b4afada8d3bfa956f8703fcae15edef82c4f929e74945195f9edfee", "type": "eql", - "version": 315 + "version": 316 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "rule_name": "AWS IAM Login Profile Added for Root", @@ -9476,9 +9581,9 @@ }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Azure Key Vault Excessive Secret or Key Retrieved", - "sha256": "1a9df36b88aa341eba95bb3b90d846a7070a161bef16b21afc3a02d9cadfb33b", + "sha256": "6a9647be6235ab05a6f7dfabd7f0d07837ac5d2715b017dd8a41615e3cbda393", "type": "esql", - "version": 8 + "version": 9 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", @@ -9528,9 +9633,9 @@ }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", - "sha256": "16d7957c1ba269d9800613670f3519ba0d0c45ab20abfbfd3ab60967da2d7b5c", + "sha256": "ca992e1b21d0fb0f0754149fd57b64002ad44fe7f9e500b94ef60dabd6554ff0", "type": "eql", - "version": 6 + "version": 7 }, "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User", 
@@ -9564,9 +9669,9 @@ }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "15c9365c2dc0db9a2589e15db7b4b7501e9c649fc3fbb9a88d897d259c436389", + "sha256": "fc40884b4f7c36580a2055b06ccce31e99c605042fc0bfad38e16a5124224c40", "type": "eql", - "version": 318 + "version": 319 }, "c28750fa-4092-11f0-aca6-f661ea17fbcd": { "rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected", @@ -9602,11 +9707,17 @@ "type": "eql", "version": 7 }, + "c2a91e88-4f4b-4e1d-9c7b-8fde112a9403": { + "rule_name": "Kubernetes Multi-Resource Discovery", + "sha256": "ba3c836d664df993f5eb60a7daa1e03e7ba8979b31107abda39886337b6eb0fb", + "type": "esql", + "version": 1 + }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", - "sha256": "6f3c1e9edde89e9c1fa7f4cec717c23b7fd08815ed56edde594db70cebd5207c", + "sha256": "67d1ef2cd2105b6cecf6813688a2ace55466bd1724113c42d7270a1b06b04c3f", "type": "eql", - "version": 212 + "version": 213 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", @@ -9628,9 +9739,9 @@ }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "b9c56c9a20ace3bc3fc78855f5384c2dec88d65867ea54fd2fd45a6624a047ce", + "sha256": "fe431606017738cc0bd512442d6aee9241821aa49a4476107d876e8521e564b3", "type": "eql", - "version": 414 + "version": 415 }, "c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": { "rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group", 
@@ -9640,9 +9751,9 @@ }, "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": { "rule_name": "Suspicious Execution from VS Code Extension", - "sha256": "0ec69c03bb9d7456c9a93544cf20965e854e58b67cdeaaf9ca6f468cf54b22d2", + "sha256": "0f323f54766502b2aad2e8d828583874f64015a7eeec98250bf8732f25af760a", "type": "eql", - "version": 2 + "version": 3 }, "c3d4e5f6-a7b8-9012-cdef-123456789abc": { "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", @@ -9658,21 +9769,21 @@ }, "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": { "rule_name": "Multiple Remote Management Tool Vendors on Same Host", - "sha256": "bb0004476c118e6a0783893ce621cedd20035c35d6205ba320c71448dd2b9e56", + "sha256": "a2a54475f704eefeffbf2dcbcf805691146faa7d3123844010c0c45770bd3871", "type": "esql", - "version": 2 + "version": 3 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "b69112b9cafbfcd365bebf2c22e596a99a63a10cf01180b523188c55ecc88f55", + "sha256": "b2f5778133cc8aec0658f483a77022ff1900c12bf95be595d306fb72db8ed0e5", "type": "eql", - "version": 316 + "version": 317 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "943b2811488cda0e376e6e9ef5c029b1def78495ec736595c845aed4b8336700", + "sha256": "6bacc434838270cd66c5fd783aca76bc1c83083165ba5a2b6dcff8bc6d8969a5", "type": "eql", - "version": 312 + "version": 313 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", 
@@ -9695,15 +9806,15 @@ }, "c562a800-cf97-464e-9d6f-84db91e86e10": { "rule_name": "Elastic Defend and Email Alerts Correlation", - "sha256": "528402d0123fdd13df1569d6585ab53fd0bf3472b4b499fef2548cbcfd86c95f", + "sha256": "1d45173532d147acd49f542150b35f7e6997ea1d1c48a6d1d776f8414cf10ed5", "type": "esql", - "version": 3 + "version": 4 }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "da1f84e12659e94d662d1fb025bfd67cce98ae3d0dc8fc7569ab49e95a0c4e8a", + "sha256": "2d14a4c5396bcc49e6fe161442552ba4adf549a8847239fa8ecdb52c67edeb8c", "type": "esql", - "version": 10 + "version": 11 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", @@ -9731,15 +9842,15 @@ }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "5d9696aa7470d82d5b341d9d9b1c9686dcf33bc837c741f96d4d9c92fb9d9ab8", + "sha256": "70e2670083262dede9e0ac99658ca19c7de178ec58e04799de51dd05c7de93a5", "type": "eql", - "version": 213 + "version": 214 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", - "sha256": "78689f6260a231bdf8d954f2a1592fb9a7483bb5d51d011e4d227c9095db6931", + "sha256": "c3c888b4c5012aed4c984e2bbe771206e5733964fdc51d7858755a9152742a52", "type": "eql", - "version": 314 + "version": 315 }, "c5da2519-160c-4cc9-bf69-b0223e99d0db": { "rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt", @@ -9749,9 +9860,9 @@ }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "b5e7d3011d917cca11ecc38c4bf883d12027810573c0f810b37ed63b177d26d1", + "sha256": "cf437520e3f654ae85ed65b5d0a9052889488f787bfefcf1a529f15710dd1037", "type": "eql", - "version": 317 + "version": 318 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", 
@@ -9767,9 +9878,9 @@ }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", - "sha256": "51caec534b384653b57e7c49545a0af79935172597bcae1c48917fec69296cb3", + "sha256": "fb2fe11496bbfc2388fa376d8b542bf097de5191513c3955377d9ab1235a6d06", "type": "eql", - "version": 319 + "version": 320 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -9837,9 +9948,9 @@ }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", - "sha256": "b0a32508095aa70040c9d8bf3ca82bc1e968dd033a273746e7225b568e964c84", + "sha256": "968760f56651ba90e6f5231336d0b45578d1163d2f2e90f692dffe853c7a96cf", "type": "eql", - "version": 212 + "version": 213 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", @@ -9849,9 +9960,9 @@ }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Operation by dns.exe", - "sha256": "e6471c46e4aa6f38d5ebc7c9128f2f7352361f9bd28640ed8cd1fe64060c0f41", + "sha256": "5e7a49ea7a36e33b0fee16211e255c693da22703192b2401d1fe49fe7ba2915f", "type": "new_terms", - "version": 217 + "version": 218 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", 
@@ -9867,15 +9978,15 @@ }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "42a1def48edf95e66bba9917968e37b02d107299091e27f6e56e91e279f010ff", + "sha256": "10648d7de1f37e2c2263dd57fc51389dffef0106a8e191d1c6011101668c0d04", "type": "new_terms", - "version": 110 + "version": 111 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", - "sha256": "014c152133b6e7926869d0bc180327c50123ae2840f113890084f4af3d820118", + "sha256": "748d8e74b57ecaf308003adab7aad2e238595a50ae2ad8ab015b3f5553d1e10c", "type": "eql", - "version": 116 + "version": 117 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", @@ -9891,9 +10002,9 @@ }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "rule_name": "Parent Process PID Spoofing", - "sha256": "43124466259d6a488d240c7332f55565267d5fc744f9edd5f6f3ce4f3c7bb288", + "sha256": "df65039d7edf82d347ef415b2522979d9e33f3f6c9dfccfe777461e024aaf91f", "type": "eql", - "version": 110 + "version": 111 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", @@ -9909,9 +10020,15 @@ }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "a2220285e98be5aab8154e1950a90b23b8379d2a5f452444cc57a2b7334fcbb7", + "sha256": "352973abc5de6aa343cb0a43ebacdc47da892f5ab3ceaee64421d64f9d3f85d1", "type": "eql", - "version": 318 + "version": 319 + }, + "c8e4f1a2-9b3d-4c5e-a6f7-8b9c0d1e2f3a": { + "rule_name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization", + "sha256": "8a3498f14621e9a31ea7d7aba56abfba0a48df0847f409fdbc1aa98c97650e11", + "type": "new_terms", + "version": 1 }, "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": { "rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource", 
@@ -9919,11 +10036,17 @@ "type": "new_terms", "version": 4 }, + "c8f4a2e1-9b3d-4c7e-8f2a-1d0e5b6c7a89": { + "rule_name": "Kubernetes RBAC Wildcard Elevation on Existing Role", + "sha256": "8be233686963dcee1e3681959cf8ee8ad11a290cf119c734323ac12993497b94", + "type": "esql", + "version": 1 + }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "b20069169dd6d3d7fa0c2379f88e78d4dddcb749c32319199910a7018bdabcb5", + "sha256": "cc426be014bfdaeb8153646d980d01ba3d006c7438be1bf1d22e0e29711ea1f6", "type": "eql", - "version": 12 + "version": 13 }, "c9636a6e-125e-11f1-9cd3-f661ea17fbce": { "rule_name": "M365 Exchange MFA Notification Email Deleted or Moved", @@ -9933,9 +10056,9 @@ }, "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "rule_name": "Potential Remote Install via MsiExec", - "sha256": "f93b27bdd4b70cc82f1cf6f0a3fa8f2039075591b03ecdd285aed4eb6a1fab18", + "sha256": "1f8c37ec7d8732adc850d44f0551c23cc024a117e900d86c18eddc1e1f5037c1", "type": "eql", - "version": 4 + "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", @@ -9957,9 +10080,9 @@ }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "fb6a11f3a9fb02a05961368d62c9db5f12cf99258f9083decba913f341320074", + "sha256": "2f434bb2fbc6b983bdb724b37e5d80a5191ada3fb55aee8ae2afd61e994acbd9", "type": "eql", - "version": 14 + "version": 15 }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Entra ID User Reported Suspicious Activity", 
@@ -10057,9 +10180,9 @@ }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": "Entra ID User Sign-in Brute Force Attempted", - "sha256": "03733a40c7cef679b8f46e2d735e95dae23af1aef4b86abd1f8bcfcc58fb55b8", + "sha256": "504d60716fcab3c62c39017161592cd1f993a179ce83dd9c3d56a64b35a046c1", "type": "esql", - "version": 8 + "version": 9 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -10116,9 +10239,9 @@ }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", - "sha256": "3b971c7b326342ceecf24fb181f3d8ef5fb3f417813fdb7d5c7461b798d01463", + "sha256": "e7da9e328dc068e58d02c3588b1b8169288b6dc8641369ffef8fa2f3dd2a7da5", "type": "eql", - "version": 8 + "version": 9 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", @@ -10174,9 +10297,9 @@ }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "05fcf4923e2ab1c2028bc2b8bb3733a1d28ffc2e7f5bfa85808fdea3a03ed691", + "sha256": "d05044b0347897f56e49915d07ac39e23e1ccd2ce9e72cc40f427e958b496251", "type": "eql", - "version": 317 + "version": 318 }, "ce73954b-a0a4-4f05-b67b-294c500dac77": { "rule_name": "Kubernetes Service Account Secret Access", @@ -10191,6 +10314,12 @@ "type": "eql", "version": 1 }, + "cf2b8cf5-3364-4396-b551-42aae9b6d37e": { + "rule_name": "AWS SSM Session Manager Child Process Execution", + "sha256": "503d37331fe7187fb01b1d447fea2925952becaaadf1c18dccb8337fd23ad792", + "type": "query", + "version": 1 + }, "cf307a5a-d503-44a4-8158-db196d99c9df": { "rule_name": "Unusual Kill Signal", "sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63", 
@@ -10223,9 +10352,9 @@ }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "6ba048efa26f81cf99074f9d5ab47e57a06aa6efc47587dc2da656e57cc53c0d", + "sha256": "1cf0003b3ca2311e92a88d6dfe5f2172d9c346610169fa2fe67cca1dbb6e51da", "type": "eql", - "version": 321 + "version": 322 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", @@ -10235,9 +10364,9 @@ }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "bea2f089b581a7b037ab2f0e416094fc9f5f92ec207fed7243cef5ffe932e2d5", + "sha256": "7ce775edec6e2b9fd8f1f5e9790a1455232f7e73618d25ead665bd65ef08c238", "type": "eql", - "version": 115 + "version": 116 }, "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": { "rule_name": "FortiGate Administrator Account Creation from Unusual Source", @@ -10263,15 +10392,15 @@ }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "7e7102b6d2aa5f3df0ba277e4de2f2ced080b82eba0b73f571febad41d3b7de9", + "sha256": "b4f7eba2bacf2674558ed2020f01ac7344ecff673f119c66d8bf69963e5bdcd2", "type": "eql", - "version": 316 + "version": 317 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "dfe87e82b95cd850ed842524e4d16719d5e78ff2a54aaa8a9d58abcbb72f32a8", + "sha256": "91f370c60039a671e72337449587aafc3949520d1bc4a0aad944f952d97292f6", "type": "eql", - "version": 318 + "version": 319 }, "d121f0a8-4875-11f0-bb2b-f661ea17fbcd": { "rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker", 
@@ -10281,9 +10410,9 @@ }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "0736c6f8243cbdbe153b9631ee71fb38f2c113ab8f5a97601a451de905402a3b", + "sha256": "5ce22bd1666f3e32e386cc8496062f37329380d440efdd91c6fe1802dc7323dc", "type": "eql", - "version": 9 + "version": 10 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", @@ -10357,9 +10486,9 @@ }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "9d7394a1e4a21cccec0748f65ac1a0f509f0a8bbff30c9057c877b2fd1b699cd", + "sha256": "d7a79c8c0bd79359418e9da37bf2de94c0807cd52386fb3373d97586dd42a0f4", "type": "eql", - "version": 317 + "version": 318 }, "d32f0c27-8edb-4bcf-975e-01696c961e08": { "rule_name": "AppArmor Policy Interface Access", @@ -10369,15 +10498,15 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "c110db8f631894bf1af9acb77a4b25e63ea0f70bc64d8684a10b9cee2659daa8", + "sha256": "5bc1c4710d8d050588cfa022146eb44a57881fee2248fe986267feba1f4b5e51", "type": "eql", - "version": 321 + "version": 322 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "rule_name": "Remote Windows Service Installed", - "sha256": "0e984edd1d08434ad42472f342632652f77b07c2ede678799d9aa2e0c2dedaba", + "sha256": "351040da536a8a222689ecf0d8ab1ba90a409e476f1222298de6b66d923d882d", "type": "eql", - "version": 113 + "version": 114 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "rule_name": "WMI WBEMTEST Utility Execution", 
@@ -10393,9 +10522,9 @@ }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", - "sha256": "507195f030dbfb333fdf4a137642e63632da2654b5a69d8f1b4552ec78585ce4", + "sha256": "5159602762205589013e36bbd555824dadecd1d06e4df9e447253d043ff44ff9", "type": "esql", - "version": 10 + "version": 11 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", @@ -10466,6 +10595,12 @@ "type": "esql", "version": 2 }, + "d4e8f0a1-2b3c-4d5e-a6f7-8b9c0d1e2f3a": { + "rule_name": "AWS IAM Customer Managed Policy Version Created or Default Version Set", + "sha256": "b358dbfbed4eaf573315c79ec108874c58ce7ac3db8f94f63f765622b36a20d4", + "type": "query", + "version": 1 + }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "12504527fe33d0f0d50bdee315c515557afbc1166edfdce8c68ddf82b11d3817", @@ -10510,9 +10645,9 @@ }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", - "sha256": "ec792d8d6d68da3e40b7831bee052b65e3bc492647c62a9ccecc030221e53956", + "sha256": "f6e11ce06e76dae63a181eb541563bd9478e69b749f15e3a5ac84fdefd47e11d", "type": "eql", - "version": 211 + "version": 212 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", 
@@ -10558,15 +10693,21 @@ }, "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": { "rule_name": "Potential Protocol Tunneling via Cloudflared", - "sha256": "76594b537309b62a6332acf25ec49b7c7616afa3252db592dcfec57246b789dc", + "sha256": "ce6454a80c785ff43356dc00ba0a798148f8a47cb228ba6ada6f7401d7741728", "type": "eql", - "version": 3 + "version": 4 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", - "sha256": "a72ea9c7944a2303732301622a236b1e0a7e378bd01ec1a5d51b697c657509e1", + "sha256": "6e66c624263fb09663f0683aee91a1c75afb76f643f116aa5e9eb16e8a6915d5", "type": "eql", - "version": 216 + "version": 217 + }, + "d70c966f-c5ef-4228-9548-346593cd422d": { + "rule_name": "Unusual Process Connection to Docker or Containerd Socket", + "sha256": "7d3b65bfb9efed8938e8d51a738e97060eb210b496bc611a1795c93ec01ffe47", + "type": "query", + "version": 1 }, "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": { "rule_name": "Pbpaste Execution via Unusual Parent Process", @@ -10576,9 +10717,9 @@ }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", - "sha256": "4c02d68cba9c1e12bd6c5c82c6aa0353233a5bd74138dd786dec8c2ab7584ef6", + "sha256": "6c8f7e690fc992ad98b1a2c1101f2ba9ed50cca218d536e7c1884a8f52471e45", "type": "eql", - "version": 318 + "version": 319 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "M365 Exchange Malware Filter Policy Deleted", 
@@ -10640,15 +10781,15 @@ }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "c178e9d7e36e0b5b1cf3a6ea0a34caf464db191f26285fddc7057024630851d4", + "sha256": "d525b40ecee5195fb6dd26c7e0a3b458d1002aa5d043016b236c48332cf0b40b", "type": "query", - "version": 110 + "version": 111 }, "d84a11c0-eb12-4e7d-8a0a-718e38351e29": { "rule_name": "Potential Machine Account Relay Attack via SMB", - "sha256": "c7f056a526e7ce81616db6acf82ab52e38bb997a5eef5833434a31172726d3d9", + "sha256": "dd7dbcab64a1af066709c965e6e904bd1f93c69923a1cde4221dbe5b39ceea64", "type": "eql", - "version": 3 + "version": 4 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", @@ -10682,9 +10823,9 @@ }, "d93e61db-82d6-4095-99aa-714988118064": { "rule_name": "NTDS Dump via Wbadmin", - "sha256": "fc8d9dc1c85db27c1778ba643bc164fbce096808d9c5b24515b791f2f1ffe12d", + "sha256": "b5b01fd3137c66953523e88ed94247e81d9efe10e2782519d665bfeeb5e77648", "type": "eql", - "version": 208 + "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", @@ -10737,9 +10878,9 @@ }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "ac80d6784eef014d5d717bd56c29935396cf714dca8daca8b0f19810e7f879d8", + "sha256": "f176da9360e2f2c3e8860fe15eb235214bcd1dcb323c49fd9e72e96df1a1b1aa", "type": "eql", - "version": 216 + "version": 217 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", 
@@ -10755,9 +10896,9 @@ }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "rule_name": "Suspicious Service was Installed in the System", - "sha256": "9a5fb2e46cf6489a1a39cd0be4a26dae1c3f91c4ab96dd6cece8cda288fe4de4", + "sha256": "674d5611f7c4e7c2d56833a0a0b8b8f7afb23a14664b0b58853854141dfebc4a", "type": "eql", - "version": 116 + "version": 117 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -10767,9 +10908,9 @@ }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "a870ddcacfd1e7bd5be05da72321e3e4bd47cc425834ebb71582d0504694ff7d", + "sha256": "c380424b1c7a8b15cd6c69f19e2aeb996b3c3fc438a6d4bf4b91a48d47e8f852", "type": "new_terms", - "version": 110 + "version": 111 }, "dacfbecd-7927-46a7-a8ba-feb65a2e990d": { "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", @@ -10791,15 +10932,15 @@ }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "6e224c057167fa26aaa27a33f7bd811779c22f5ad9633700f609bb4370bf1391", + "sha256": "7bd11c1b9d14c0b64b5fc2d21036e0a4f3582a43c218da0a6826ca7aa6a33559", "type": "eql", - "version": 209 + "version": 210 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "f76ad7b9fb4847f6b40525245b0e29dacce2fa7d10d5ca716e68e408ea6bf73c", + "sha256": "c054d7bcf3340f3352424a90c89e9d0445764287f7293857c90eb806c386af43", "type": "eql", - "version": 216 + "version": 217 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", 
@@ -10878,10 +11019,10 @@ "version": 102 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { - "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "2b7957639fa00eb4accbdca13a0838679cdaf551e19fa110da943973ad6b4404", + "rule_name": "Attempt to Install or Run Kali Linux via WSL", + "sha256": "b4dec363cc87b83e8de55fe91c72957864534614c92d32f07c9a2356c8ea2b41", "type": "eql", - "version": 216 + "version": 217 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", @@ -10913,9 +11054,9 @@ }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", - "sha256": "54670e3e1725944f088814f1b96f6ce63d4af85c48b306a86e95cb55363fb2d1", + "sha256": "57fc4d41f585e9622767d73c6374d8b6d69d72f69433691499262a4bf492032c", "type": "eql", - "version": 315 + "version": 316 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", @@ -10931,15 +11072,15 @@ }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "M365 Identity User Account Lockouts", - "sha256": "d7a4520dfbdd8876810e3d8b792491901fb5aed727157e67a92fe4b5c8d92212", + "sha256": "5e9c7aba985f7171c814ece90db1ada7159ce434f744a6aaedd5bb6ec9c1e41d", "type": "esql", - "version": 8 + "version": 9 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "db8b0f9495f33dd6f0ed0e0add94321c88265172b9fe68bff2cc99f47a0b8c91", + "sha256": "7791d75c96deb296d5cba1980599b03dd2283e6d586e2f8a6e12acdd83d40bb5", "type": "eql", - "version": 318 + "version": 319 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", 
@@ -10967,9 +11108,9 @@ }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", - "sha256": "0591510be58a74ccce29b7b2b3bc4998fbb59995f8bb09fd1388f2d8faf6ea39", + "sha256": "a86e29ad36c65e20a6de39029ef2fd2b315fa075aa314ff2142a7f24e4da833a", "type": "new_terms", - "version": 12 + "version": 13 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "9.4", @@ -11031,9 +11172,9 @@ }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", - "sha256": "5b4d8442b7b332ecaadb1671d1e54dd6ebaa53f78b2355c78cc5a002ca1b607c", + "sha256": "eda677d08740a19834e652dd899736788b11c6cd08b52433e01e03a32ff45778", "type": "eql", - "version": 8 + "version": 9 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure VNet Firewall Policy Deleted", @@ -11171,15 +11312,15 @@ }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "2a73aa1062382340b6d1c8b5feaa90b1586d271f8c6b877ba90e22197e5635ca", + "sha256": "04376f49d3990dd86495c5322be8f5874dcdbda9800cd52e23e796d938b71bff", "type": "eql", - "version": 214 + "version": 215 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "36b6b5019ee9b7a5b48f7670b52e9a166f90024d81f3bd64985d84d2426e79b1", + "sha256": "2a2acd0d225dd9d8108f917f710d14db75d681995fd899aa981695fd4099ed06", "type": "eql", - "version": 218 + "version": 219 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", 
@@ -11195,9 +11336,9 @@
 },
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "658786f29cb72468ce246b59c6e70d5dcd04e3f37c00f382a463857d39a3335e",
+ "sha256": "060bd0e9905307e347187d0f7842f8203cb47e8722ab5137d88a4a17ee7fbf5a",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": {
 "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation",
@@ -11207,9 +11348,9 @@
 },
 "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": {
 "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties",
- "sha256": "e230bd798b5393d0a466b893a16c79efaaaf4e3d9fdbc2065bd6e9b11125eec6",
+ "sha256": "a372e57ef0cef6f9c6715b56c0715f3e8ac8e1a4d65dc400f90aa6c3b39e9bfd",
 "type": "esql",
- "version": 7
+ "version": 8
 },
 "e3c27562-709a-42bd-82f2-3ed926cced19": {
 "rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC",
@@ -11223,11 +11364,17 @@
 "type": "query",
 "version": 105
 },
+ "e3c7a891-4b2d-4e8c-a1f0-9d8e7c6b5a4d": {
+ "rule_name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity",
+ "sha256": "902d233527477d56bcbc2c834c105bf68b4b29cb533c1e1b99a2b114cf40f1c8",
+ "type": "new_terms",
+ "version": 1
+ },
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
- "sha256": "d0808046d0f021cc86ee33c736a3ec4929823a4b898788c98aea846d1d7326d1",
+ "sha256": "e31a7dca3b6a465b5101c181f1b879b428da800176d02b1221220729aaf0d431",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
 "rule_name": "KDE AutoStart Script or Desktop File Creation",
@@ -11249,9 +11396,9 @@
 },
 "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
 "rule_name": "First Time Seen NewCredentials Logon Process",
- "sha256": "1427e75700829bf8f8c5f393c446556c02e5016d04293bca9c2112a6d88fc352",
+ "sha256": "79becf1ff7996919b22b9cac49062931ff331b772499da8b3f52b527c7dfeb78",
 "type": "new_terms",
- "version": 110
+ "version": 111
 },
 "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
 "rule_name": "Attempt to Modify an Okta Network Zone",
@@ -11259,6 +11406,12 @@
 "type": "query",
 "version": 415
 },
+ "e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912": {
+ "rule_name": "Sensitive Identity File Open by Suspicious Process via Auditd",
+ "sha256": "374ca4536093e555bbef4ff26ebe4be6c8bcbbab2c9b655caaecca14ce351224",
+ "type": "query",
+ "version": 1
+ },
 "e4e31051-ee01-4307-a6ee-b21b186958f4": {
 "rule_name": "Service Creation via Local Kerberos Authentication",
 "sha256": "a8d5740eabcbbb09f46fbfdeb0e4366b51fdccf32faeee210f7108501110e476",
@@ -11283,9 +11436,9 @@
 },
 "e514d8cd-ed15-4011-84e2-d15147e059f1": {
 "rule_name": "Kerberos Pre-authentication Disabled for User",
- "sha256": "7b70e3c40c147feab727f6d09ca74efe63a042f6716e4d8debd3066d7b1db93a",
+ "sha256": "23a60ea4249e0fcdf1f870c4a69bd461fdadf3f92058a07315813a7b88e72d3c",
 "type": "eql",
- "version": 218
+ "version": 219
 },
 "e516bf56-d51b-43e8-91ec-9e276331f433": {
 "rule_name": "Network Activity to a Suspicious Top Level Domain",
@@ -11313,9 +11466,15 @@
 },
 "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": {
 "rule_name": "First Time Seen DNS Query to RMM Domain",
- "sha256": "852b7662551d2f31372bcde3d5232a889196a760de7cb2516e7ce37075e95609",
+ "sha256": "4572e3ea14df0faf4b8084faac4976128fcfc92c6bfc45ba262f2580675fd50c",
 "type": "esql",
- "version": 3
+ "version": 4
+ },
+ "e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b": {
+ "rule_name": "AWS EC2 Instance Profile Associated with Running Instance",
+ "sha256": "226b26472af2c538610d1e0a15b1a952dd0fba90d63486b1e74c9a11f2ad4ea2",
+ "type": "query",
+ "version": 1
 },
 "e6c1a552-7776-44ad-ae0f-8746cc07773c": {
 "rule_name": "Bash Shell Profile Modification",
@@ -11355,21 +11514,21 @@
 },
 "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
 "rule_name": "Execution of Persistent Suspicious Program",
- "sha256": "862ff12fae93833d4bafe92891d261d9deea8a23d8d8a3a6a8e4e514ef507e44",
+ "sha256": "17d574e7c23e80225a66e3a65e6914c036850e0db1f4e6e732f50f3c24f8f160",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "e72f87d0-a70e-4f8d-8443-a6407bc34643": {
 "rule_name": "Suspicious WMI Event Subscription Created",
- "sha256": "c8ffadd7d5c18e26face0540aca44a270a072e30adab1cd36908ea93d648dd17",
+ "sha256": "4b20d1a797938d4bf6c8b100b8530798861aa4c34bac581498f7f945caa17d5d",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
 "rule_name": "Potential Windows Session Hijacking via CcmExec",
- "sha256": "7dfd1488aad203d7c704c8ef37e805a93c2d2b6e0ad0c890e818cd989898489e",
+ "sha256": "a945f7bf00629ecb400737b7b14b28993acd3c43139ce6dd8fe3d023b380a938",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "e74d645b-fec6-431e-bf93-ca64a538e0de": {
 "rule_name": "Unusual Process For MSSQL Service Accounts",
@@ -11383,6 +11542,18 @@
 "type": "eql",
 "version": 207
 },
+ "e7856173-6489-449f-80ec-c1f5fcd7b87c": {
+ "rule_name": "Suspicious SUID Binary Execution",
+ "sha256": "6bd584f1d16f040129a26cae8109dcf87db5067d5f2c179e516e43aed9b929d3",
+ "type": "query",
+ "version": 1
+ },
+ "e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b": {
+ "rule_name": "Curl or Wget Execution from Container Context",
+ "sha256": "8f366e09f9e245ce0ba56adb44531b854bedb456939e125c7f713d7d02b76cc1",
+ "type": "query",
+ "version": 1
+ },
 "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
 "rule_name": "Potential Linux Credential Dumping via Unshadow",
 "sha256": "a04dbcb36c1f1c440b37f7cae577b3ece10b72efdbfcddb813460c826ebc9310",
@@ -11403,9 +11574,9 @@
 },
 "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": {
 "rule_name": "Potential Protocol Tunneling via Yuze",
- "sha256": "c698a5dd73aa46f5357b0934369395a3365cfc47415a97c748d0d46a2d1e3e08",
+ "sha256": "412e9aaeeb919c12903d28a97892e212d3f62b2429054811f7956dceb7871b7d",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
 "rule_name": "Network Connection by Cups or Foomatic-rip Child",
@@ -11421,15 +11592,15 @@
 },
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "rule_name": "Service Control Spawned via Script Interpreter",
- "sha256": "d660ece482f75d7cd96afc32f328ef3da75e14c6210256367eff34e2422ec0f8",
+ "sha256": "d84f36a2afbc144fef44ad9e64b127adac38a0aa0a79935942cc31275e6af59f",
 "type": "eql",
- "version": 219
+ "version": 220
 },
 "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
 "rule_name": "Installation of Security Support Provider",
- "sha256": "7ad0ba6e374e56c67b42d003ece36599d8e4bf876721370e0186aabc23fd43c8",
+ "sha256": "96b67730d8ffb341e813867e0276ae18c765a4a89c3710d2963454743335821a",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "e882e934-2aaa-11f0-8272-f661ea17fbcc": {
 "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client",
@@ -11439,9 +11610,9 @@
 },
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "rule_name": "Host File System Changes via Windows Subsystem for Linux",
- "sha256": "aa965b72f3af0a8b4f4a2c3b56a535088bf010909077efaccbd0de20a73ab017",
+ "sha256": "d3e0d905b618b1535f2deed8102de10f9c45d79e7038e76eab62094063d444b0",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "e8b37f18-4804-4819-8602-4aba1169c9f4": {
 "rule_name": "GitHub Actions Workflow Modification Blocked",
@@ -11503,9 +11674,9 @@
 },
 "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
 "rule_name": "Unusual Executable File Creation by a System Critical Process",
- "sha256": "7344842c79c39ba6f55680e1dedd53f663835cb02806b42e6504959cc143270e",
+ "sha256": "d6c1aa3c45cbcc3f9d96b8f85efd889c870bb8993049a36ef372ca20e882d8c7",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "e9a3b2c1-d4f5-6789-0abc-def123456789": {
 "rule_name": "Ollama DNS Query to Untrusted Domain",
@@ -11515,9 +11686,9 @@
 },
 "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
 "rule_name": "Potential LSA Authentication Package Abuse",
- "sha256": "6a67a961d41cd19f8d2f02fd3b8e799c0900949f8b7de12b782a1299f0d580fe",
+ "sha256": "baa994c1fe7f4dc602b62d56e07acb6a0e3752a04ab6347f182416d3ae2a0465",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "e9b0902b-c515-413b-b80b-a8dcebc81a66": {
 "min_stack_version": "9.4",
@@ -11613,9 +11784,9 @@
 },
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "rule_name": "PowerShell Kerberos Ticket Request",
- "sha256": "76ee3184eccc1adb58829a3db55ed8a13a43cc08ce6f1e29cc4696c5b979c901",
+ "sha256": "eaa7dc28c0ba71007f9a46582afef0a8096c44e0a86adce631ad580e33bc8acc",
 "type": "query",
- "version": 217
+ "version": 218
 },
 "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
 "rule_name": "Suspicious Network Connection Attempt by Root",
@@ -11644,21 +11815,21 @@
 },
 "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
 "rule_name": "Mimikatz Memssp Log File Detected",
- "sha256": "049ed275f9e00633360dfad95b59e9abe2f62709801aebb1d22d9a27065bf828",
+ "sha256": "faf606497245f3d7e09a8ae6abe6afb788c439573a1eae221c0786d44878c8a4",
 "type": "eql",
- "version": 417
+ "version": 418
 },
 "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "3ff4f50490412ad0eb518d45b5a7ba368f4fb9dee6cbaa53a7527d538a32f713",
+ "sha256": "15c46a24e64047ef68bd03a84b821a716b491971416ef9b02883d970c07d56c7",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "637bb29efc1450770161fad323e0a381d7769cb0018aed79ca237ba22083e05d",
+ "sha256": "bc67d00162d4bd5880558c09ba1388898c1594d83fe5d71927eaed1a8669f51e",
 "type": "eql",
- "version": 319
+ "version": 320
 },
 "ec604672-bed9-43e1-8871-cf591c052550": {
 "min_stack_version": "9.3",
@@ -11720,9 +11891,9 @@
 },
 "eda499b8-a073-4e35-9733-22ec71f57f3a": {
 "rule_name": "AdFind Command Activity",
- "sha256": "bbe59d4874b08b8c66c95ee01c8f16869c994e1f101f7277be94a460c6c8b07d",
+ "sha256": "5da6851210dd75f83e92706270154d54c07273e615cfe18134a17e7bf4ee3969",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
 "rule_name": "Attempt to Deactivate an Okta Application",
@@ -11732,9 +11903,9 @@
 },
 "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
- "sha256": "3b95f245108cb93bb029c7af37a858ccd74b435e44b2d3ab3f0278ea77b53cb7",
+ "sha256": "2ad58626d16eda853776294192c4b7c37d50f48d4f20496bcdbc93e9f3d61f2e",
 "type": "eql",
- "version": 320
+ "version": 321
 },
 "edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
 "rule_name": "Linux User Account Creation",
@@ -11750,9 +11921,9 @@
 },
 "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
 "rule_name": "Unusual Print Spooler Child Process",
- "sha256": "06c1d7ee0b1821eebdacfbd116ce652a18f22895052fb6c1cd5c386fffa4d507",
+ "sha256": "680b0b509c4530e793e2e495bc660350fca76194950aca3d7499505c0eed9ade",
 "type": "eql",
- "version": 216
+ "version": 217
 },
 "ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
 "rule_name": "Shortcut File Written or Modified on Startup Folder",
@@ -11830,9 +12001,9 @@
 },
 "ef862985-3f13-4262-a686-5f357bbb9bc2": {
 "rule_name": "Whoami Process Activity",
- "sha256": "488f47888a154ee51964246ab9cdc3b28cb10dec24eda5a50776d9de86ac7fc1",
+ "sha256": "1db39e102de230f0e5f11a6c3d8bc5633bbbb419481894a8935bb3421b5cf5c7",
 "type": "eql",
- "version": 218
+ "version": 219
 },
 "ef8cc01c-fc49-4954-a175-98569c646740": {
 "min_stack_version": "9.4",
@@ -11852,15 +12023,15 @@
 },
 "f036953a-4615-4707-a1ca-dc53bf69dcd5": {
 "rule_name": "Unusual Child Processes of RunDLL32",
- "sha256": "73689aac5e6dab00ff9d9e0b6cb0a4cf94ded423187205e46947d23a6b8fe7af",
+ "sha256": "90d47b1e899493d89143f8cd27fabf5811ebff7fe3c0fc8cefd0ad0f234155d4",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
 "rule_name": "Suspicious HTML File Creation",
- "sha256": "ac3989251772227e4d3652c9525222c25c158066126ed7fc2d5ed01da5500a50",
+ "sha256": "8f7b437675b9cbd0e34995768cab78c83a9aaf0aa77c6029975fa1df36288295",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "f06414a6-f2a4-466d-8eba-10f85e8abf71": {
 "rule_name": "Okta User Assigned Administrator Role",
@@ -11882,9 +12053,9 @@
 },
 "f0cc239b-67fa-46fc-89d4-f861753a40f5": {
 "rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source",
- "sha256": "ac361b2d53e2dd03468b9afba8e5c3b38c6d1bda72d386736bc5ea72d23e4365",
+ "sha256": "b018cb831bab9746612fb38c1c6080689b2ab4bb4ccfa34a88b794eb86e4b5a7",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
 "rule_name": "dMSA Account Creation by an Unusual User",
@@ -11976,6 +12147,12 @@
 "type": "eql",
 "version": 215
 },
+ "f2a3b4c5-d6e7-4f89-a012-b3c4d5e6f789": {
+ "rule_name": "AWS STS GetFederationToken with AdministratorAccess in Request",
+ "sha256": "91174dba23bc43a851dead24976835e0676adbd66157638393d08f763e89f99e",
+ "type": "query",
+ "version": 1
+ },
 "f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
 "rule_name": "Malicious File - Detected - Elastic Defend",
 "sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa",
@@ -11990,15 +12167,15 @@
 },
 "f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
 "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
- "sha256": "77898c5469949cfb73f4b6a3d6d0e02bceeb8e65bff93cf6a24f6a88223ffadf",
+ "sha256": "fb2f06600975682327919ea6da257a7190a1e93ff582838cf3175181d49386cd",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
 "rule_name": "SIP Provider Modification",
- "sha256": "125f47bc784113a03c612e7b861651d073becc924440dc043d8efa6158370cdb",
+ "sha256": "dd9efc0a3ffb4c20b6356fa5966046c6d5c8014667ba8d56f8028261e21cd508",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "f2e21713-1eac-4908-a782-1b49c7e9d53b": {
 "rule_name": "Kubernetes Service Account Modified RBAC Objects",
@@ -12008,9 +12185,9 @@
 },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "rule_name": "LSASS Memory Dump Creation",
- "sha256": "f8b9f6caac301f48e046c4f63a72d06bcf1c6fb05d085325ca776a03987d4ca2",
+ "sha256": "e67746f8ea85b9aebd84e067fe5be4217f8d5382337a0a23661ea8202ab92a64",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
 "rule_name": "Deprecated - AWS RDS Instance Creation",
@@ -12032,9 +12209,9 @@
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "rule_name": "WMI Incoming Lateral Movement",
- "sha256": "7e42d9a843e9f3734a065a80f5ab01eee5a9ffdf1a8dbaba1267258f24ddb88e",
+ "sha256": "79000745ecb9f28c29dc37aa11e735c6fd1e2071d72b6c828cdc06293ce6d97b",
 "type": "eql",
- "version": 217
+ "version": 218
 },
 "f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
 "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt",
@@ -12062,9 +12239,9 @@
 },
 "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": {
 "rule_name": "Web Server Potential Command Injection Request",
- "sha256": "296304247c0cfa14732b0ea9839a5688829341d4bfa67d6cce0efcd197107469",
+ "sha256": "5812c308169a8a574e71c2c86b2e0de69913521b67e5d655346bf0f7e65fb092",
 "type": "esql",
- "version": 5
+ "version": 6
 },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "rule_name": "Threat Intel URL Indicator Match",
@@ -12074,9 +12251,9 @@
 },
 "f401a0e3-5eeb-4591-969a-f435488e7d12": {
 "rule_name": "Remote Desktop File Opened from Suspicious Path",
- "sha256": "7d16e8e51ca65715b14dd31e7a6ca959bb83460834cbd45523dea6410e1288a9",
+ "sha256": "8eb6f9850d1ca4101a9c31eef37742993dbb0a0b9ea08a5e1bd5e36338f86abe",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "f41296b4-9975-44d6-9486-514c6f635b2d": {
 "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation",
@@ -12097,10 +12274,10 @@
 "version": 9
 },
 "f494c678-3c33-43aa-b169-bb3d5198c41d": {
- "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
- "sha256": "0b5d7f47e5c4ebb2acfbdfe0785732ab09dcf0424d53a6c2a309fab1432fbb38",
+ "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal",
+ "sha256": "fae91cdc5143504077c9cc353440c3df9dc19a9fb86b257633e5cee480d0754f",
 "type": "query",
- "version": 218
+ "version": 219
 },
 "f4b857b3-faef-430d-b420-90be48647f00": {
 "rule_name": "OpenSSL Password Hash Generation",
@@ -12110,9 +12287,9 @@
 },
 "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
 "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
- "sha256": "32f734a7ca7c0ede2de12cee44877eff6f0c6b1fd835696e64e13f6376b52917",
+ "sha256": "f9eaf69ddd185f8b4c607c763db8ca5e3206d6599f48108b961d0a79fb572322",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
 "rule_name": "DPKG Package Installed by Unusual Parent Process",
@@ -12140,9 +12317,9 @@
 },
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "rule_name": "Windows Script Executing PowerShell",
- "sha256": "20493eaeeb6c2a2bafdb4f8bcb92ac713feda3a6f78fe3c37d2a40e04c859c85",
+ "sha256": "f633d19c3abff0200df7cb8e9904664c8aac48f10ecf058e5eacbfc730a9c3d6",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "f5488ac1-099e-4008-a6cb-fb638a0f0828": {
 "rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
@@ -12152,9 +12329,9 @@
 },
 "f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
 "rule_name": "Rare SMB Connection to the Internet",
- "sha256": "bc595eea9fc115c39d005fb7bf071ada50f9accdda168f2460ccad87c8f0e53f",
+ "sha256": "7cba8d9dc86077834c99f4032ae1cfd0578a03e74b98f5af2a786a578f374476",
 "type": "new_terms",
- "version": 213
+ "version": 214
 },
 "f5861570-e39a-4b8a-9259-abd39f84cb97": {
 "rule_name": "WRITEDAC Access on Active Directory Object",
@@ -12211,9 +12388,9 @@
 },
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "e8100696d660a50d4596211f89033aee3ad648aeaa2febbd7f53d1a57151e03c",
+ "sha256": "dbf7164e7bc3f1a792a0e2ee5a048cbda99b3aed0d7af7693f32134c4bdab517",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
 "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
@@ -12230,9 +12407,9 @@
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "735b5c0178f0d409186deaf61c88dfd9243bfa5af003ec187168d54632ca4823",
+ "sha256": "3eecb4705dfa3aca68572467da4f1e62c4ff2fa7df0aefd85aca9094d24a9f29",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "f683dcdf-a018-4801-b066-193d4ae6c8e5": {
 "rule_name": "SoftwareUpdate Preferences Modification",
@@ -12240,6 +12417,12 @@
 "type": "eql",
 "version": 111
 },
+ "f6a0b2c3-4d5e-4f7a-8b9c-0d1e2f3a4b5c": {
+ "rule_name": "AWS KMS Key Policy Updated via PutKeyPolicy",
+ "sha256": "823e0533246b6570195a0c0456c4cbbe2a722ac375ce8f8b0c850026c5bdb314",
+ "type": "query",
+ "version": 1
+ },
 "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
 "min_stack_version": "9.2",
 "previous": {
@@ -12258,15 +12441,15 @@
 },
 "f6d8c743-0916-4483-8333-3c6f107e0caa": {
 "rule_name": "Potential PowerShell Obfuscation via String Concatenation",
- "sha256": "a5be06782ebc2892b498e90d1562a35d2dc23a8685801a269f11c65230d8a223",
+ "sha256": "e9712cbae119495bbc148f3c7ddb66a6c11d34127865165f2a9572d6ecdff0ba",
 "type": "esql",
- "version": 11
+ "version": 12
 },
 "f701be14-0a36-4e9a-a851-b3e20ae55f09": {
 "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
- "sha256": "eebdb2655e2b5099eff58e0d27a0579b6c4801de9985e30ec4caa4b8f5f0c59c",
+ "sha256": "55de9b4b300ea2acb263f1cc4cbed9585e7669be566e58e1fa22c6db3d9e7a9c",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "f754e348-f36f-4510-8087-d7f29874cc12": {
 "rule_name": "AWS Sign-In Token Created",
@@ -12288,9 +12471,9 @@
 },
 "f770ce79-05fd-4d74-9866-1c5d66c9b34b": {
 "rule_name": "Potential Malicious PowerShell Based on Alert Correlation",
- "sha256": "4f767eb21c0e9bf26fdc415d37852193d399b3803909b03b97f98d81741f4054",
+ "sha256": "16873d6b08a266ce4c13f00b9cccef6dd41c64d850c8a5f83b593c93662d037c",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "f772ec8a-e182-483c-91d2-72058f76a44c": {
 "rule_name": "AWS CloudWatch Alarm Deletion",
@@ -12322,9 +12505,9 @@
 },
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "rule_name": "Persistent Scripts in the Startup Directory",
- "sha256": "ad8a2614746a15f6354d88c9390f104ef5d781450c281221c897f320cd94903d",
+ "sha256": "27b911863a0e93338b177cb55bbbcb19a306892e7f2ec0d6e264e1ae71959810",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "f7c64a1b-9d00-4b92-9042-d3bb4196899a": {
 "min_stack_version": "9.3",
@@ -12371,9 +12554,9 @@
 },
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "rule_name": "Modification of AmsiEnable Registry Key",
- "sha256": "11caa2095158cf12c8a5df4c3841957a839cba84b092d379e302513aa52a0b85",
+ "sha256": "01d3cd8eb31e61543055122ffea2e86a0bf0f5be3388459c2f465a0301c572cb",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "f87e6122-ea34-11ee-a417-f661ea17fbce": {
 "rule_name": "Malicious File - Prevented - Elastic Defend",
@@ -12383,15 +12566,21 @@
 },
 "f8822053-a5d2-46db-8c96-d460b12c36ac": {
 "rule_name": "Potential Active Directory Replication Account Backdoor",
- "sha256": "6ad8153a0270d506806ee7548badabd6c58733c8a3ba72db790c95688dd6a4a6",
+ "sha256": "8b8cfdc1b6e853232d72a002e0d118a07d7b24e93ac97350d75f63492b64600f",
 "type": "query",
- "version": 110
+ "version": 111
+ },
+ "f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10": {
+ "rule_name": "Kubernetes Secret get or list from Node or Pod Service Account",
+ "sha256": "c8c9c251cc5939d6149f56787247eac3841a1012d35b82125ec7fc7bb70ab005",
+ "type": "query",
+ "version": 1
 },
 "f909075d-afc7-42d7-b399-600b94352fd9": {
- "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
- "sha256": "1a739777354336f165335933f02b0862a00db8dcb86d7fd948ac59e3beaf7d06",
+ "rule_name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
+ "sha256": "1f3539efa4a2f15732756c9d225c458db94a94e3e76db2e5e75c56fc4ef25b98",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "f92171ed-a4d3-4baa-98f9-4df1652cb11b": {
 "rule_name": "Potential Secret Scanning via Gitleaks",
@@ -12423,9 +12612,9 @@
 },
 "f95972d3-c23b-463b-89a8-796b3f369b49": {
 "rule_name": "Ingress Transfer via Windows BITS",
- "sha256": "366cb6c3328cef16cb3c1cea540e261884f849c12470d35ec36d48668d76c807",
+ "sha256": "8f1a587012787e08bd7b994c54b371e5ff8d27a2cf4b52b93f0541c8eeb0a2a5",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": {
 "rule_name": "Okta Admin Console Login Failure",
@@ -12435,9 +12624,9 @@
 },
 "f97504ac-1053-498f-aeaa-c6d01e76b379": {
 "rule_name": "Browser Extension Install",
- "sha256": "6ddb9411dda1c2bc7aa23ca51558c14539baad53a95a2bc439320a38d13558da",
+ "sha256": "db212e9bc4d6e1742a38a366ddb3b13939e0bbe4e792978053b32dc4fafbcd64",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "f9753455-8d55-4ad8-b70a-e07b6f18deea": {
 "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
@@ -12447,9 +12636,9 @@
 },
 "f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
 "rule_name": "Privileged Accounts Brute Force",
- "sha256": "8fa3055e557162d0cd158764a538f0dc70116cc3ce0500980b9140e49da04ce3",
+ "sha256": "8afcd5fb546282c618329fe4b5405930b900d0c5f91b6a3894ab8f38df780dbd",
 "type": "esql",
- "version": 118
+ "version": 119
 },
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
 "rule_name": "Suspicious Activity Reported by Okta User",
@@ -12471,9 +12660,9 @@
 },
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "7a2c5d9cba8758b393e462c2aa3ce04e13a932e002eb0613de28ae480dadbc1b",
+ "sha256": "703a7a28c0e9d60ac345d7ff3b528565b332ae1f6e8e959878c741327fbc0108",
 "type": "eql",
- "version": 319
+ "version": 320
 },
 "fa210b61-b627-4e5e-86f4-17e8270656ab": {
 "rule_name": "Potential External Linux SSH Brute Force Detected",
@@ -12489,9 +12678,9 @@
 },
 "fa488440-04cc-41d7-9279-539387bf2a17": {
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "f24106e9a11ca37430da8afe3a284545f262b7c06db2297c9b470768e6810f25",
+ "sha256": "339af3c6decf44171d39eb6af3fe6a811d9c725f06886ed9865a5eabd9310f8d",
 "type": "eql",
- "version": 320
+ "version": 321
 },
 "fac52c69-2646-4e79-89c0-fd7653461010": {
 "rule_name": "Potential Disabling of AppArmor",
@@ -12507,9 +12696,9 @@
 },
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "rule_name": "Network Connection via Registration Utility",
- "sha256": "ccf026fc7183644829bbe566e34f7580033ac7c72f6f608881280dc1f70db8cf",
+ "sha256": "d3f5c7183ddff278c200bf2ed689942fb3e756bea5404573d607b22e0d90da44",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
@@ -12519,9 +12708,9 @@
 },
 "fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
 "rule_name": "Azure OpenAI Insecure Output Handling",
- "sha256": "be48db6e30b0170a36b5062f126e73ca47624d8431d7c42a25da373ec3441207",
+ "sha256": "6d7efa2625569a818bc649d0e39b3174fdce1739aa2da7102b945a217e3912e6",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "fb3ca230-af4e-11f0-900d-f661ea17fbcc": {
 "rule_name": "Okta Multiple OS Names Detected for a Single DT Hash",
@@ -12605,9 +12794,9 @@
 },
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "acfd359f8bb2c6823f73b9e352ba057d766bf7ecf267bd531c05151b7147ffd1",
+ "sha256": "b9b40ca0af3b9ae7237ee58b9db28fdb68df1dc944e6582fc0cf91ee188b4e5d",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "fc909baa-fb34-4c46-9691-be276ef4234c": {
 "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
@@ -12617,9 +12806,9 @@
 },
 "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": {
 "rule_name": "Proxy Execution via Console Window Host",
- "sha256": "94198e75f89a28e942b81c0c6d4ec00bdef98a1a2d0363f36836df7118a4f9d3",
+ "sha256": "da23ef37ab245220584b0229ede378558147536d721124480c11f605078401a3",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "fcd2e4be-6ec4-482f-9222-6245367cd738": {
 "rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration",
@@ -12665,21 +12854,21 @@
 },
 "fd4a992d-6130-4802-9ff8-829b89ae801f": {
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "ee9592951cfba0c77e95c2d6dbcd69c923a9ce4d3b15d3f3fc8714437a6bbd8b",
+ "sha256": "ef85670df7af1d67434ee4a084dae6785d63ea6fad1da9fed5bfefceaed92178",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "14edb9986ee69201de825852e22903b23b7135b82e16205305f25f9b0cf9c2cd",
+ "sha256": "33778ead57b302d2250b723cf23c47fec7f96b8dcff8dfd99fc8f806e4ed0484",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "rule_name": "Svchost spawning Cmd",
- "sha256": "0001466c3c028207fb1f7651389bfef6444f3e9cddc410004e2539e96c35fc4d",
+ "sha256": "17b5ec1f17eb3bdc6ba867893df9d9201b1818c50d9896f84da7c3d4c94db588",
 "type": "new_terms",
- "version": 427
+ "version": 428
 },
 "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
 "rule_name": "Image Loaded with Invalid Signature",
@@ -12695,9 +12884,9 @@
 },
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "5c4a081737775e263f75482121cc7ace98104ad4bbf787e3e44b70235945369f",
+ "sha256": "44814458fede28b8e96ffe4731862abd5077e5562e02d387ad816b812454f814",
 "type": "query",
- "version": 112
+ "version": 113
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
@@ -12707,9 +12896,9 @@
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "f445ad2da82be34ec4ccb27de355b041ace5ddef57a35205047543bd8361ab48",
+ "sha256": "49ad33faa96836050c4fe6962330a51b2947b18372a2c7614579d27da4012c4f",
 "type": "eql",
- "version": 319
+ "version": 320
 },
 "fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
 "min_stack_version": "9.4",
@@ -12729,9 +12918,9 @@
 },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "rule_name": "Potential Masquerading as Business App Installer",
- "sha256": "c5e9f8c709c0808958e145ec92d9317af9b254b2b3fcb319f673d2549a0e8e9d",
+ "sha256": "889fbc6f1fe7867a60c30e0988ce0a1ecca3b10ed4d68247409e0bbb156e228a",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "feba48f6-40ca-4d04-b41f-5dfa327de865": {
 "rule_name": "Data Encrypted via OpenSSL Utility",
@@ -12747,9 +12936,9 @@
 },
 "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
 "rule_name": "MS Office Macro Security Registry Modifications",
- "sha256": "7948809bbe71f84d5d24dd60e6d8525dc5667f49f8f6422eb66ca506798a35e5",
+ "sha256": "51805a54ccba7e11dd5249f3383c0faa260594148db400d814d4112d22e5b4ae",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "fef62ecf-0260-4b71-848b-a8624b304828": {
 "rule_name": "Potential Process Name Stomping with Prctl",
@@ -12799,15 +12988,15 @@
 },
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "b9d7cc3c34196818c0328f0233de8067dfd91ff0a3deff37e351c25978e98d6e",
+ "sha256": "2c61b250e1b3df4306e4f76d4df13c3f7cd624151ef683d9746e1b5640096676",
 "type": "esql",
- "version": 17
+ "version": 18
 },
 "ff46eb26-0684-4da3-9dd6-21032c9878e1": {
 "rule_name": "Active Directory Discovery using AdExplorer",
- "sha256": "353ffa18f8623074c6bcf5df58dde56ca9f55c429d7d473c7d29d8b79a4394f7",
+ "sha256": "e2bc14f1daa81650bb1547ff4439ba2e4f96fe3959eff2fe3d7e6aa1f47e84bd",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "M365 Exchange Mail Flow Transport Rule Created",
@@ -12817,9 +13006,9 @@
 },
 "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "2f7cfb8b088fdd67f95a4f6ed9fa6715582ba1ea6c790ca89e6749535eec27ea",
+ "sha256": "156d6c92921c8a78a426d13399acfc82335279f41bb1ca1b3b514f78e2d95be0",
 "type": "eql",
- "version": 205
+ "version": 206
 },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "rule_name": "GCP Firewall Rule Deletion",
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
index 7d75334d1..e8630945d 100644
--- a/docs-dev/ATT&CK-coverage.md
+++ b/docs-dev/ATT&CK-coverage.md
@@ -122,6 +122,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-configuration-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-audit.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-configuration-auditing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-auditing.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-container](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-container.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-containers](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-containers.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-credential-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-credential-access.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-crowdstrike.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-cyberark-pas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cyberark-pas.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 2774b1692..ae81f5606 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.32"
+version = "1.6.33"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"