From 0c66fd9e033d4950ada2aa1317f4b3ac142f497d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 10 Feb 2022 15:06:49 -0600 Subject: [PATCH] Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1768) * Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 * Trigger Build * Remove change to trigger build Co-authored-by: DefSecSentinel Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 8f36346139779ca36ec6617d4d1a2489e3abb4de) --- etc/version.lock.json | 465 +++++++++++++++++++++++++----------------- 1 file changed, 275 insertions(+), 190 deletions(-) diff --git a/etc/version.lock.json b/etc/version.lock.json index c7c0baacf..233e57384 100644 --- a/etc/version.lock.json +++ b/etc/version.lock.json @@ -17,8 +17,8 @@ }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "014249347355e7f94d184ef92a149ccdaac362ebec04f4f51e80d9368eb0782c", - "version": 1 + "sha256": "982cd5446f2364c8297740d85ae9e707dafb0ba78e9c08622405313d96b4ae10", + "version": 2 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", @@ -37,8 +37,8 @@ }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "0fe6db05d5bf9752a0ea1b245411830426bd39989f3dbf6855b38b8aaa12eb4b", - "version": 4 + "sha256": "56fde644941c8dc935907706539c6147e325aa11263d94d18329ebf769ee7838", + "version": 5 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", 
@@ -55,6 +55,11 @@ "sha256": "b98a066f2cf74984ac8e04ea0db6503d30605711ac54d6d341f42c09a64bb515", "version": 7 }, + "04c5a96f-19c5-44fd-9571-a0b033f9086f": { + "rule_name": "Azure AD Global Administrator Role Assigned", + "sha256": "7a015cad38d39de1f85abbcd1c66f94779b16769f63b8c6155453e53a2f2fd94", + "version": 1 + }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "bae7f8ff4ba6ea634982a368fedf0384ba3e9912ae10a1c22dab21a49056cb74", @@ -122,8 +127,8 @@ }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "b8219972b17dded095e28cdfd69085a06332bb11be4b4124d29a76a054750ccb", - "version": 1 + "sha256": "d2affe457c5a635a572b2b85ae763252a0f0269f17e458d5821017b17de7a9ca", + "version": 2 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", @@ -143,13 +148,13 @@ "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.0", "rule_name": "Threat Intel Indicator Match", - "sha256": "437c87698788e433f03dba9a4ed5ed87cdedb826faa42b8035ba301cc2e5fed4", - "version": 1 + "sha256": "644597db423c57ceb689e808957d7850f1838b69d883630234f110141c63606f", + "version": 2 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "88ba94c428250342f829c23c844e0d491354bb5b845c5a8caf1bdc92ab3faeca", - "version": 1 + "sha256": "584f6799b8d5a9a6c941ab48c63d054a539546425843ab0192ff084ffcae3c0f", + "version": 2 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", 
@@ -161,6 +166,11 @@ "sha256": "0f9353d514e91fcd914ee39f1c8abb89094025670de8bb9ddac6a07baf25365a", "version": 5 }, + "0e52157a-8e96-4a95-a6e3-5faae5081a74": { + "rule_name": "SharePoint Malware File Upload", + "sha256": "48df4cd6be0661df2216bfc2d74a9df628a612d04495422423eed07656ad1a47", + "version": 1 + }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", "sha256": "a9f964b598c41ad6f015eaff73303e9f70e8c87ce2bef2eeca17742e02ec14f5", @@ -194,8 +204,8 @@ }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "c42302d38db5185ee51e15b0f8e51a0876b04ac1faf813bf4cc194331622f2e9", - "version": 5 + "sha256": "b1ff9083e41b85fbc22c312e1c5407ff831202a02bf5a4f620a25f4109aa99d6", + "version": 6 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", @@ -300,8 +310,8 @@ }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", - "sha256": "f03abc33d51ec1f27adc73a01b69a305fa7cb0d73d21ae6b9ddee53ddc5e7c40", - "version": 6 + "sha256": "d8a7a1b1bc8fedcd6d1ed0b5140a74ad097b382d1b33516d6dd4b476ed086ab3", + "version": 7 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", @@ -385,8 +395,8 @@ }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "6217f37d9bac2de2323c05583eaf202ca7d48c5f450f270fc66d675631a9575f", - "version": 1 + "sha256": "3a5d842001943ed5db6ed5374d80c132f413d534608f6ddaddc2ea66b39ac2ff", + "version": 2 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", 
@@ -485,8 +495,8 @@ }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "de748771b0f8b17880428ba8fb0d03c3d1e2e359fdf241aba7593c3334d6c2d7", - "version": 5 + "sha256": "75a57f1c9430b9bdb9d55f9a4fff16d0dc5f6d7ac51ae2012e3afa5bce80cb1f", + "version": 6 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", @@ -520,13 +530,13 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "f0d04d20b2c11a0ebe206fe8773ea13430da51c1da73a9cf755fd344fa983d15", - "version": 5 + "sha256": "b719addb4a6a57230aae3cc40562471814fa8acd231367bd19680f1898915bdc", + "version": 6 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "60461c35cdcd0a470e1bff0cfcb9901456a6a5ce40894cd430216cc2b474923f", - "version": 4 + "sha256": "b0561460404e467a6624cb6966703895e888d6dfa8ff1700ff3a94fcfde9c5c5", + "version": 5 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", @@ -540,13 +550,13 @@ }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "7f4f776206e7ea26e377cf5665556bb3d6268796fc06023b7b85d58502783e2b", - "version": 4 + "sha256": "2128fba8e36ba35ec3b5e45def2d5ec1cef564aff7859deaa5891a458edd7576", + "version": 5 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", - "sha256": "9a0279c4a36e65635f36ce3bd7807cbffb2a10c01b5b6fed1a3eb1292c15e53a", - "version": 1 + "sha256": "5204940ed9faa7c63a7a0085cbc43c3f6873c63e917c5cb5ec3644572c5cf9ca", + "version": 2 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Net command via SYSTEM account", 
@@ -565,8 +575,8 @@ }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "19504cdc2f2149a7cf1d68afad3fff11132b00621e39c9cb25d8a193ca4737f3", - "version": 2 + "sha256": "e612f03f7184fa5ee1e8c62b3508e133ac925898424f7350dd6fa8550331ceb7", + "version": 3 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", @@ -590,8 +600,8 @@ }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "381882b7e3fc0c078a4a643809c5fcf7a923054acfd931ac251c6ac4e67edb36", - "version": 5 + "sha256": "86c10cc273bb5574a224ca30d1328be55d25c8c2b6fb7b02aa04e84f65778038", + "version": 6 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", @@ -605,8 +615,8 @@ }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "4e5ff52ed8fdbabd1d8fc01191105a74215d848b0181d0c588b5ace7bb0dbf46", - "version": 3 + "sha256": "83edd5ea4f7c27a4c4dbe143e79f097c6974e9b6641a6c4e7ad6cc709c75d4ca", + "version": 4 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed AutoIt Scripts Interpreter", @@ -630,8 +640,8 @@ }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - "sha256": "7610e908f43c07edb189e630d82850923bd31af83e007f3db90a5d6bd62e4536", - "version": 1 + "sha256": "db6cd2a29bf48936d744aa3859daa68606c4d83a43bf252be9930a0fabb253e3", + "version": 2 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", 
@@ -676,13 +686,13 @@ }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "f6e6b7e74c48f962508febf502668b78eda08a89e4cda91aa9c8e616fe9f04d7", - "version": 5 + "sha256": "a1de315cc54aa0aaf8d5b2db8091cf72a7f1ff49d92e382fb790fec77a936ab5", + "version": 6 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", - "sha256": "538db24a6c9fd8552fbd7a8dfc4002b7ccb6273ee79f3936eb16ced1b251ebf3", - "version": 5 + "sha256": "d42fae44d101f779758e4abaaac8cca749d7db643f3b825cdd3787e5c6a81355", + "version": 6 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", @@ -691,8 +701,8 @@ }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "ebbaac4af6d54565731b8500a4056718a4388b992d023176c9014cc30728b46f", - "version": 5 + "sha256": "100633b626385b80ba08306d8456dba05e19987f73a770f60c48334a04297eb2", + "version": 6 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", @@ -741,8 +751,8 @@ }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", - "sha256": "458bd4a26d74d730cc56b319afd64aa29cf080594c3f95ece9784017c02d23ad", - "version": 2 + "sha256": "e0b50ed0cc754b83365d57fc0892ad795403b066b1f2b6e833f37723a3286e70", + "version": 3 }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Azure Active Directory High Risk Sign-in", @@ -786,8 +796,8 @@ }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "2d105671b4b978e9620b0c65cb4159ec78655dbd4d55fa6a2a10bef3a8f7629a", - "version": 6 + "sha256": "0e1cb80e58a1861ea1f891e1daf7b671e106f90d3d75fddb64c368b2dedf709a", + "version": 7 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", 
@@ -856,8 +866,8 @@ }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "963f664114823b11c4a4728f07135d64b207cc28e9181a0ed1536682458cec56", - "version": 4 + "sha256": "7994f8c47774c0f02a84d4fbc196bbbd74efed6cfd4cc23a0c536e81d619f36e", + "version": 5 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "min_stack_version": "7.14.0", @@ -952,8 +962,8 @@ }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "a76e2afa15de19ec33e17a27311c9b44df498fbae6d2b30ac9ff94705f314dcf", - "version": 1 + "sha256": "282abf66ee7d89bd9c9170c0f5d02b637eb154a7dcbe465cd3650a2229bd489e", + "version": 2 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", @@ -1008,8 +1018,8 @@ }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "95ae1bb42d6cb5c5eb8d3e43dc25d1a2110d1f9636e6c018baa87826f7373762", - "version": 1 + "sha256": "589c24ca630a77bad17ad6c4b8036cce404b7a1186da052793b448c75bb06371", + "version": 2 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", @@ -1023,13 +1033,13 @@ }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "68f1b81ce8b704e61cff1cb2a43c197043816098bc12bfa2c10a1506cd3a92ec", - "version": 4 + "sha256": "7e5f0b340dfbf69334022656802c3cc8dd99a9acd0ca288a87a1cbf73425f305", + "version": 5 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", - "sha256": "72654c880412c884a2b237d810c85bc30a68ec0d32fb122b3db8443f40fcf36f", - "version": 5 + "sha256": "f080f65773cf86f0dcf7b5d2234c7b3123961338d5d11310d2bc007d0f5978c0", + "version": 6 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", 
@@ -1038,8 +1048,8 @@ }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "50f743f8c1dc8535da9536a6d64553823078d1600bcdc133bf616fbab76c162b", - "version": 6 + "sha256": "6c543d844a90fd931a4c36a1fcaaca7a7608ac2a2f6127382844943ddee4f71c", + "version": 7 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", @@ -1063,8 +1073,8 @@ }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "0634f98a6b3f7c0ce986b597cdb1efff2a43bb76cb00fedea4c3e8ffedc035dd", - "version": 1 + "sha256": "306a95f7b751a3c125d43dd4d56e8bc2df8d9ac55b9a76fef8a1e60ac3ee799c", + "version": 2 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deletion", @@ -1108,8 +1118,8 @@ }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", - "sha256": "57391425e8c8e4d0c0c905061d6a9cf78cc26d40e4ff5aaf1afc44d6d4c2761f", - "version": 5 + "sha256": "b9d492bbf9e35665b2a22d0f90716d61faf78153b20c09c8183e7336b4c1bd65", + "version": 6 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", @@ -1128,13 +1138,13 @@ }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "bf510c9aa685e115cc351c4a543b89bd5d3376f7a3956412e65e90b5411aeb17", - "version": 1 + "sha256": "6fc943ed6a7460824b62403a5a15857757bf17110c30528291bd3feedfbd1bca", + "version": 2 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "rule_name": "PowerShell MiniDump Script", - "sha256": "39d651294ad23b72fb2617d6b7b25da704b7ebf8b705c19798e2e326d8eda681", - "version": 3 + "sha256": "1ce48872d69315c8737dbfaad85cfbfafeb6605864d782c1e3d5ce01a7c6d29f", + "version": 4 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", 
@@ -1161,10 +1171,15 @@ "sha256": "c4966675fed8b27f672aca65ba0bac58e7c0b6d3f47cfc4805b4d1b9a95e4bba", "version": 1 }, + "5930658c-2107-4afc-91af-e0e55b7f7184": { + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "7ccd4d8f110c738a2b76576a8e8789744375b7af919a2d9fb8eaff54efb4c23a", + "version": 1 + }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", - "sha256": "2bf52d927482feb03cac04824cdb09a4ffb538f59150d472a2f3be5b52f0726b", - "version": 5 + "sha256": "85d74e77cea83a788a7e8ff5cecbec7170d475c2191813cc38a9f76fac5f0001", + "version": 6 }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux System Owner or User Discovery Activity", @@ -1198,8 +1213,8 @@ }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "24a4a0cac51bdf0233f74876118b5e8041c2e80ec746286e65d13191179de4a2", - "version": 6 + "sha256": "3e550cf60b7bdbefd8793ba92498409e7170c4e56cb1b56abc47eeb6a9f81eaa", + "version": 7 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", @@ -1233,8 +1248,8 @@ }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "b9d412c9321b3e83222714985fa57d21f61c631f0c564e171a5e934724fba4b8", - "version": 4 + "sha256": "dfffdd35d5aea389d17a849f0a12cb31558b2660b2a20485892c53848ded6543", + "version": 5 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", @@ -1253,8 +1268,8 @@ }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "13f394be840a09fd6e98a54fd6d019e58b817fecfc3b751359a485ffdcaa3565", - "version": 4 + "sha256": "8861a21144a2ea4eb4575801530892df3fff673dc4701f49c4863bf3f0bec8e6", + "version": 5 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", 
@@ -1323,8 +1338,8 @@ }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "4c45673d1e1ee1af8cfda15ceaafcad3f4571383ebfdce45289fa32c4c915d73", - "version": 1 + "sha256": "160bfa9db1e328fb3835851bf40e9d43c7f8553adaf8b426db137604d0862649", + "version": 2 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", @@ -1349,8 +1364,8 @@ }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", - "sha256": "b61f976f927391636b1c2e4f41fdf84dae2d3c93a06d314511f715d67e0591fd", - "version": 1 + "sha256": "a7b96a488a076900caca95e6820769a0f0d3d8a4d0d6cda8e543408c1f94f6c8", + "version": 2 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Threat Detected by Okta ThreatInsight", @@ -1368,7 +1383,7 @@ "7.13.0": { "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22", - "version": 5 + "version": 7 } }, "rule_name": "Google Workspace Admin Role Assigned to a User", @@ -1382,8 +1397,8 @@ }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "5def5ae6b739035c9ae3c5d16f1390b916a50842c36f8eba0ecd96a6385c6d17", - "version": 6 + "sha256": "fde09756526a918a6e12316e4a86f8771eb5269f2b2caf1d407e0a5802d872b7", + "version": 7 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", @@ -1393,8 +1408,8 @@ "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.0", "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "f919b1cd06b017360565a34377bada8062d0bf8828ae7faa981a34c5acda69e4", - "version": 1 + "sha256": "15235311ffee1cf2973283364bc89d87f4c5cf3b53bcfc10448c7af106a7f383", + "version": 2 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", 
@@ -1428,14 +1443,19 @@ }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "rule_name": "Unusual Process For a Windows Host", - "sha256": "783573ab02fc9196d1609a2542041f7126beb62c1a5576457827848982e3d1b7", - "version": 8 + "sha256": "cf57ba8d293696a2da6468acbd3af10bfc461d24f0283c80e614ec4266fe3f52", + "version": 9 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "rule_name": "Anomalous Process For a Windows Population", "sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd", "version": 7 }, + "6e9130a5-9be6-48e5-943a-9628bfc74b18": { + "rule_name": "AdminSDHolder Backdoor", + "sha256": "5e649f8e7810090f97354f1b0425628afc6c2d3308751967e5fca172eb679b7f", + "version": 1 + }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "fa4544dbc92b6766522593e44bb10e0036b4824f8d70f381698fc38d56a08aa3", @@ -1467,7 +1487,7 @@ "7.13.0": { "rule_name": "Google Workspace Role Modified", "sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1", - "version": 5 + "version": 7 } }, "rule_name": "Google Workspace Role Modified", @@ -1476,8 +1496,8 @@ }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "f62e04fe67fd11c43b10a59046afff2cff7a90d027f220619ce85068c759a5df", - "version": 6 + "sha256": "6897e1e8f7b9944fbeb558e0232b7a6cff15c0e14bf002b9bd4699a4350468c6", + "version": 7 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Service Tampering", @@ -1511,8 +1531,8 @@ }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "7ab2fe8714a0ef0afab2f9ec17d92b5d4a579c7fd7714746d068e6348868ee7c", - "version": 2 + "sha256": "c2f7bf9712e7b52b568aa4ff657e6cb033c602ea071e2fcfcc37247605f999e0", + "version": 3 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", 
@@ -1581,7 +1601,7 @@ "7.13.0": { "rule_name": "Application Added to Google Workspace Domain", "sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9", - "version": 5 + "version": 7 } }, "rule_name": "Application Added to Google Workspace Domain", @@ -1595,14 +1615,19 @@ }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", - "sha256": "f9740325f3e0b5993028fde7431dc516168cf619d5040542ef56a57a385a5c89", - "version": 7 + "sha256": "27c3d706d0b03424992adb2365dfc910ae1a366c39b31f6ef23bd70b93df5233", + "version": 8 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", "sha256": "739693e9483eba009ac5ee8d2fd3c4da0f3637baa84dd3be947e4e455d60e0e2", "version": 5 }, + "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { + "rule_name": "Potential Shadow Credentials added to AD Object", + "sha256": "14bd23cd43ef9c08357b87dffef5a16b7f40e6ceed857515b50210876529f162", + "version": 1 + }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", @@ -1615,8 +1640,8 @@ }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "cc08cb27e005034b14c5c0157a08b6bc92d0ef1ca0842363510a89f1ba1a70d2", - "version": 1 + "sha256": "14042b6c7716c8acdb6338aed6238ce1e8422f1717bce3b4a3969a382d9b2202", + "version": 2 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "rule_name": "Windows Network Enumeration", @@ -1640,8 +1665,8 @@ }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "bf602350bac0c1b0bb608932184a4c059aff662530b1e19cd095b753e1bb84c1", - "version": 2 + "sha256": "5f9880c56b50fd6f10c9e092181344d89f39e264561062c8c34d2b811b766721", + "version": 3 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", 
@@ -1653,6 +1678,11 @@ "sha256": "1664db594a454af4890a7ec808978fdd268088b8b9f21f3956900c607de66cd3", "version": 7 }, + "818e23e6-2094-4f0e-8c01-22d30f3506c6": { + "rule_name": "PowerShell Script Block Logging Disabled", + "sha256": "acfba4ee9c92663a86a9a9ea8df686e2efba7ce3491930a45a946285f09ee724", + "version": 1 + }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", @@ -1670,8 +1700,8 @@ }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "7a29d3e80ad2758ed25d1b794fbce0c90c7f6a54c67017cd7fc1f8a4a7f9fad0", - "version": 2 + "sha256": "315f0c609385f4ef62c8a23ebd01250630792d3acf1a85a78f37a594a6e1202b", + "version": 3 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "7.13.0", @@ -1681,18 +1711,18 @@ }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "3449f44c9a5177d0452aa0f21d1f8623a3e11180cb49cf76fdf227ee1f8be526", - "version": 6 + "sha256": "5118602879dc1df7dc9f3120f7fc0d393448b861d0ad4ff3ad57e40505bd6ac6", + "version": 7 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "AWS RDS Security Group Deletion", - "sha256": "4141a3902da441644d6fcb2eda409d3878b4784c3e2681934238497fb6e35032", - "version": 2 + "sha256": "81346c952b5ea1ef59195fe979282495f1bfc0578a043e4702e30911879560d4", + "version": 3 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "ffaa732069c6a1b16566f70e5098d4564f451e921161a6a860a3b34c0c4e1825", - "version": 5 + "sha256": "49b5381fa47e4fbc5e74d84264a7b41d0253bd4c62d2131fce97453e885668a0", + "version": 6 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "rule_name": "Security Software Discovery via Grep", 
@@ -1706,14 +1736,19 @@ }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "ef8a2abe81a1b39e1ef54fd252e39f1c165f1e40827a338b7252b6a77874aec7", - "version": 2 + "sha256": "49529bf8713ae032ea90a2bd741304fc3073aa411d60f1731fcd86fbd75c3d47", + "version": 3 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", "version": 8 }, + "88671231-6626-4e1b-abb7-6e361a171fbb": { + "rule_name": "Microsoft 365 Global Administrator Role Assigned", + "sha256": "4d10c98c0349b65cb88d0bd42fc5d8cc6a8e2646ec4d27f9fb79db6be9ba03dd", + "version": 1 + }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "d89a2f8c0e73fe51b3f8dcb1b1fdd398f5b9eb9d4277bf19ec14fd8ebd4f2237", @@ -1772,8 +1807,8 @@ }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "af0bd091d52ef5b33b45a680f0a56654284f464970538a56c69571223491fcb1", - "version": 2 + "sha256": "c425a28b60e23b0d43a2b54d2fc861c42225a3bc7c2ac7f1243f7bb298784bfc", + "version": 3 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", @@ -1795,6 +1830,11 @@ "sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001", "version": 8 }, + "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { + "rule_name": "Potential Privilege Escalation via PKEXEC", + "sha256": "7a56ece573a2e7340ff71758fab173b542a2d7063efece0d05078354bc3ac4c9", + "version": 1 + }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", "sha256": "c457f1f1b2813439401359cec7480f53b710fb09f8a3af76de317538e47377ff", 
@@ -1822,8 +1862,8 @@ }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS Cluster Deletion", - "sha256": "3208f7d39ab5979335729467dd5c020daf1d3a47a1bae5aaadd08e9a8df3d5b8", - "version": 5 + "sha256": "814bd87ddb20bb57f1d35ce8e4e8265e2a4915fc68d659aeb8d3fd6adfe68fcb", + "version": 6 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", @@ -1842,8 +1882,8 @@ }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "bf1c0c7a179545122e94628d2766b68125249f4dbd3d1a4c6edd30be67ed589d", - "version": 6 + "sha256": "206d5aa1384191583bac19ff057f907ada6d4a79a91ee47c974487013ecd74c0", + "version": 7 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", @@ -1862,8 +1902,8 @@ }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "e3474858022371a4edaaa39fd660b12f67e6c649bdb7e5c38ee4d4d567776a4d", - "version": 1 + "sha256": "86b425a524a1db4dfc1c5ee933f99ef66307f6fba8d6070b2a27bbbfe1275316", + "version": 2 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", @@ -1872,8 +1912,8 @@ }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS EC2 Flow Log Deletion", - "sha256": "92408aef719a265fd8137637ae156974a9b529940914de7a8654a081f52c2a75", - "version": 6 + "sha256": "98ebcee9a4b929baa3c37d53f589bbce227b1f2446f3f3c7c356add09b1dff31", + "version": 7 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", @@ -1891,7 +1931,7 @@ "7.13.0": { "rule_name": "Google Workspace Admin Role Deletion", "sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b", - "version": 5 + "version": 7 } }, "rule_name": "Google Workspace Admin Role Deletion", 
@@ -1905,8 +1945,8 @@ }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", - "sha256": "403e3baaa2cb611b3b2f78ea9736c8cccf88fe56344b692f47e537258fdf1c83", - "version": 6 + "sha256": "26cfaadd55aa2fc9557f5080015fe75330c144123bae3e90a76582d2114f2690", + "version": 7 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", @@ -1925,8 +1965,8 @@ }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "d5703823dd5ddb6dc16bc0ab45fc539fe73ca80c722cabaf6a140cec3461ddd8", - "version": 4 + "sha256": "a665ef9f68409a2e93c611f82010ce20c46eaad3789062f5a6ddc85f3c522981", + "version": 5 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", @@ -1935,7 +1975,12 @@ }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS SAML Activity", - "sha256": "becac153f02e4578bcfc536ff9635c9e75cbcab41684051300d2f271d1352bd0", + "sha256": "db73bb49c842b6e76bc78b2f090869034d732417e7e2588dcc6afcaec00be4f2", + "version": 2 + }, + "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { + "rule_name": "Potential Abuse of Repeated MFA Push Notifications", + "sha256": "db6fc652133f94ed3b56312ed656e59574f6060596c8663a150999b25c8fb3e9", "version": 1 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { 
@@ -1955,13 +2000,13 @@ }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "68aa4d42f2f2bffd7b162017a2cd9ce719abce7722467cd08b9c2aa4864ae6b6", - "version": 5 + "sha256": "b9684cdb75a2a1269bf2e791e60465bb5fe8c0155cababa9c3bb4711ae5bd1d9", + "version": 6 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "edba1170aa4156e96ed8e257319a8c947ffc532bc8adac01d334fe23a50c2395", - "version": 4 + "sha256": "5ee29abad0dcdcae5a013c3f3d55a4276d2e3dc2aeee0926e24157f90944a777", + "version": 5 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", @@ -1980,8 +2025,8 @@ }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "e56e3d4a7c4dd9ad1938a2f2aa18a9b023a50edf3d216d227fb9ee24d2b73571", - "version": 1 + "sha256": "c51ed24a67a2dee5ef5e778e2fb2960fc5a7a8b03c931ad0942691f1dc37c823", + "version": 2 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "7.14.0", @@ -2081,8 +2126,8 @@ }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "9c7b365badd0e4749cdf8c368cd825a41d9246e97b0c5cb92fd9755fbc801f1e", - "version": 5 + "sha256": "ff689b3bd1c5bb0b4f157cc38be2b84d8d17823bac91935c763b0b3d984352d9", + "version": 6 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", @@ -2166,8 +2211,8 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "7a890a45f6645a6041921b529de7bab0abfac3cf0eb877763a2dbea6938e94e5", - "version": 4 + "sha256": "ffcf3a23ecf79db330993ab61cde6b83bcd1e767ff5c2f1ef06eaa13e17a8a1f", + "version": 5 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "min_stack_version": "8.0", 
@@ -2175,7 +2220,7 @@ "7.13.0": { "rule_name": "Google Workspace Password Policy Modified", "sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051", - "version": 6 + "version": 8 } }, "rule_name": "Google Workspace Password Policy Modified", @@ -2194,8 +2239,8 @@ }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "b6c540b68a41f7216a8d8b4af6d01b2cd03a17584ca7b8cc097fd74067dea719", - "version": 5 + "sha256": "202bc852ab071859636c80b729cda9593499618b3f2dc34c38e267c76a453f6b", + "version": 6 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", @@ -2238,7 +2283,7 @@ "7.13.0": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3", - "version": 5 + "version": 7 } }, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", @@ -2271,7 +2316,7 @@ "7.13.0": { "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9", - "version": 5 + "version": 7 } }, "rule_name": "Google Workspace Custom Admin Role Created", @@ -2325,8 +2370,8 @@ }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "4a15c4e54783c9e2e4ff522b2cf99daaee98b480161b1b0be8230d659383cb58", - "version": 1 + "sha256": "c1217476aff9f395f81ab6d124984ece66187ecdc92c7519c7cddcce25d69bb1", + "version": 2 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", 
@@ -2439,10 +2484,15 @@
 "sha256": "adb8ef40d1bdb8dc542122c628457232cfa38a8e3cfa3154dbc75847eed0012f",
 "version": 6
 },
+ "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
+ "rule_name": "OneDrive Malware File Upload",
+ "sha256": "e6c68dc60c27ef6e892718a4e3a1071d1d22afb2050b249e94e4ffd94d91185c",
+ "version": 1
+ },
 "bbd1a775-8267-41fa-9232-20e5582596ac": {
 "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
- "sha256": "4afbeb67bbc9007999a0c1b63060ebd6481a1fe0f6c220a1d437d4f4c98e4315",
- "version": 4
+ "sha256": "cf4ab6152eb828c653990718827e21f607f56f75618bd5f39f07e9ce0297f0b6",
+ "version": 5
 },
 "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
 "rule_name": "AWS Root Login Without MFA",
@@ -2451,8 +2501,8 @@
 },
 "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
 "rule_name": "GCP Storage Bucket Deletion",
- "sha256": "43e5316b633caa29ce029d7bab8ed1d5feca21db7904c079be8acadffbefb45a",
- "version": 5
+ "sha256": "5346621003185f9e9f4f4bf9caf8ec32cd996948cd76122ccbfeb4fe19e92908",
+ "version": 6
 },
 "bc1eeacf-2972-434f-b782-3a532b100d67": {
 "rule_name": "Attempt to Install Root Certificate",
@@ -2479,6 +2529,11 @@
 "sha256": "21294393322c72a5945721897592b4efd0dc6745d42a1d6a33492120398d13fb",
 "version": 2
 },
+ "bdcf646b-08d4-492c-870a-6c04e3700034": {
+ "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
+ "sha256": "1ab2d4264e5364a263cf0fa8de1fa0560dd6e7bc17b7da303eb226263f58c3b7",
+ "version": 1
+ },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "rule_name": "Searching for Saved Credentials via VaultCmd",
 "sha256": "992fc3eb2005070d0a2eb094b89e093b57426cbe863e2c35c946265fb8f0d23c",
@@ -2486,8 +2541,8 @@
 },
 "bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
 "rule_name": "AWS RDS Snapshot Restored",
- "sha256": "e31fbf67365ca48acc62bfbf2ca2a9142619b731cf83aa45a72024fb8ab72d73",
- "version": 2
+ "sha256": "4f5ffad0a0704fa36742992383f0ddc019d7cccaca8810bb8ff864f791f3699d",
+ "version": 3
 },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
@@ -2544,6 +2599,11 @@
 "sha256": "15021e6cafece04e5c66ecb8390c4a899e2cd9d5728ff2a165a0ff303dc24d4e",
 "version": 1
 },
+ "c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
+ "rule_name": "Potential JAVA/JNDI Exploitation Attempt",
+ "sha256": "693df7d5173a8307da3c937d1bbb6e29f69db99529a960ce4fe9bcae2c331c5b",
+ "version": 1
+ },
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
 "sha256": "fd98829f6683e70e5a3d3fe8ed5fe7ea2a35a9eb323b012ee895ea1e3b563c46",
@@ -2652,8 +2712,8 @@
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "18d0de4ff6f850a79fbaa5298d906a404a9ea579a8fd19df694f6e5c5b0b6120",
- "version": 2
+ "sha256": "cdfd1a33f452b52a351411d7c67ed22dd4013559dc4b494576b0b28d0345725f",
+ "version": 3
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
@@ -2667,8 +2727,8 @@
 },
 "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
- "sha256": "84cd19aa5eb8159517cac17c44198881d28f9d3277f732e4d158d4eb342d4a04",
- "version": 4
+ "sha256": "648947b1b1ff3cf148413b8bd0b3b53bf36c5505da5988a23ec993fa3083b313",
+ "version": 5
 },
 "cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
 "rule_name": "Auditd Login from Forbidden Location",
@@ -2681,7 +2741,7 @@
 "7.13.0": {
 "rule_name": "Google Workspace MFA Enforcement Disabled",
 "sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747",
- "version": 6
+ "version": 8
 }
 },
 "rule_name": "Google Workspace MFA Enforcement Disabled",
@@ -2705,8 +2765,8 @@
 },
 "cc89312d-6f47-48e4-a87c-4977bd4633c3": {
 "rule_name": "GCP Pub/Sub Subscription Deletion",
- "sha256": "46e1de9c9821ca79f473124ba6484cb5c30e3f71ad90c8fa4a4cd0d8a86ac589",
- "version": 5
+ "sha256": "88d5829dab8d3f0f92799ccdd422cd9f521302270dd2c81d5ddb41b60b1550d9",
+ "version": 6
 },
 "cc92c835-da92-45c9-9f29-b4992ad621a0": {
 "rule_name": "Attempt to Deactivate an Okta Policy Rule",
@@ -2759,7 +2819,7 @@
 "7.13.0": {
 "rule_name": "Domain Added to Google Workspace Trusted Domains",
 "sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef",
- "version": 5
+ "version": 7
 }
 },
 "rule_name": "Domain Added to Google Workspace Trusted Domains",
@@ -2844,13 +2904,13 @@
 },
 "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
 "rule_name": "AWS CloudWatch Log Stream Deletion",
- "sha256": "3abec5a7b069cc59b63e4b4d55b7660745db9297afb748a15844eaf5e56f2a47",
- "version": 6
+ "sha256": "2f43c3628e1f8540a1c844cef4b679344bf077381ccc1f8acdea765c8f3c63a7",
+ "version": 7
 },
 "d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
 "rule_name": "GCP Pub/Sub Subscription Creation",
- "sha256": "606882e2efe620c60006ab35520e3562df9c1094f047bf712664f4646dea8716",
- "version": 5
+ "sha256": "ff495b8181b94c67024c06bd2b1b9b4e52e571de47f5946026c188d07772e0a9",
+ "version": 6
 },
 "d6450d4e-81c6-46a3-bd94-079886318ed5": {
 "rule_name": "Strace Process Activity",
@@ -2859,13 +2919,13 @@
 },
 "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
 "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
- "sha256": "28051e514a52881f0903f3ae2754b955823c73d50708b2e0c1837fe5d981ac61",
- "version": 4
+ "sha256": "99f23f66b2d5168fc92a02d94e79cfe27e1e7e3b869a4fbe1c8bc605c158fcd0",
+ "version": 5
 },
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "rule_name": "Modification of WDigest Security Provider",
- "sha256": "186d80b60ea736c787a1ca61ef2b41e6506683d3cd70811a82d39e6132ebddbc",
- "version": 1
+ "sha256": "cf76266315915f3366228a95730f540c6069fac0024bee0055de9054f16c5c1c",
+ "version": 2
 },
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "rule_name": "Command Execution via SolarWinds Process",
@@ -2874,8 +2934,8 @@
 },
 "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
- "sha256": "c02de415919eba4b61ceac86fbc4f06fcd4cba96eb271b027885d41bbaa6314a",
- "version": 4
+ "sha256": "e1c1c4384395fe59e788f530caefc25c56cbb6b0af0d06d448c7095b47643b7d",
+ "version": 5
 },
 "d75991f2-b989-419d-b797-ac1e54ec2d61": {
 "rule_name": "SystemKey Access via Command Line",
@@ -2935,8 +2995,8 @@
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
- "sha256": "01ac7e2483d04374dbe5454e88e83ccd2dc9f6fc5309f072147b6da99f6c6bad",
- "version": 7
+ "sha256": "f63e24c5a39e77b1e2b0464b83698f95e46229dfcaee35404a06ca3d23e91ce6",
+ "version": 8
 },
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "rule_name": "NullSessionPipe Registry Modification",
@@ -2970,8 +3030,13 @@
 },
 "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
 "rule_name": "Azure Firewall Policy Deletion",
- "sha256": "31e0903dea50c51c1f410db000a6989625140cea792e6cc154a6e51002d2c9bd",
- "version": 5
+ "sha256": "a1d4f0fa9407969fc217c89005688467e15ce80b501d09f91d9eebda0756b9da",
+ "version": 6
+ },
+ "e052c845-48d0-4f46-8a13-7d0aba05df82": {
+ "rule_name": "KRBTGT Delegation Backdoor",
+ "sha256": "e49f5cada4a25f4e15cc4ab4eec1aa0f7bb9dadacfd9c37059fe0a39bdd8cf2e",
+ "version": 1
 },
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
 "rule_name": "Attempts to Brute Force an Okta User Account",
@@ -2993,18 +3058,18 @@
 },
 "e0f36de1-0342-453d-95a9-a068b257b053": {
 "rule_name": "Azure Event Hub Deletion",
- "sha256": "64e549b8b5703062cd3bd1677df0e23c99eb1a924b818a819267abdbd5248488",
- "version": 5
+ "sha256": "0f7dfa6f861c221ea106353380859eee6f1a047f463f39fbacf7de07af246e71",
+ "version": 6
 },
 "e12c0318-99b1-44f2-830c-3a38a43207ca": {
 "rule_name": "AWS Route Table Created",
- "sha256": "99e6091a7fa21fe0e7bf5add82d9f9b8fb1e4a87b7faabd8aacc8786e0f5886e",
- "version": 1
+ "sha256": "c2d3c4f677cfdfa69ef9ba32f1d771d62809253c641ffea2d75fa7b2e85f559d",
+ "version": 2
 },
 "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
 "rule_name": "AWS RDS Cluster Creation",
- "sha256": "7de7854de44a80b0bd2a2a0197d6ebb3213a89c8f2f2257284f1948d008f4760",
- "version": 6
+ "sha256": "d234e6465e48075455eee2f94a978eeead53a68f150231dc941a6ca4d1db897c",
+ "version": 7
 },
 "e19e64ee-130e-4c07-961f-8a339f0b8362": {
 "rule_name": "Connection to External Network via Telnet",
@@ -3034,8 +3099,8 @@
 },
 "e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
 "rule_name": "GCP IAM Role Deletion",
- "sha256": "19a86cc9ac6669998a4fafb86a6d799bff7dabd879076d5214900421681ea297",
- "version": 5
+ "sha256": "5031da57a37dd009a981fac97fab322c1464d65b3f518b11934a4deb79d9730c",
+ "version": 6
 },
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "rule_name": "Process Activity via Compiled HTML File",
@@ -3067,13 +3132,18 @@
 "sha256": "8d8985d87033dc11c0e673c1d9963cf89369e11468d2d4ea2c786fe7ed03b518",
 "version": 6
 },
+ "e514d8cd-ed15-4011-84e2-d15147e059f1": {
+ "rule_name": "Kerberos Preauthentication Disabled for User",
+ "sha256": "6da2733caeb41cd77fe6dab1b5fd5441349cef2efd8c0d39481f0cf8f454461e",
+ "version": 1
+ },
 "e555105c-ba6d-481f-82bb-9b633e7b4827": {
 "min_stack_version": "8.0",
 "previous": {
 "7.13.0": {
 "rule_name": "MFA Disabled for Google Workspace Organization",
 "sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82",
- "version": 6
+ "version": 8
 }
 },
 "rule_name": "MFA Disabled for Google Workspace Organization",
@@ -3117,8 +3187,8 @@
 },
 "e7cd5982-17c8-4959-874c-633acde7d426": {
 "rule_name": "AWS Route Table Modified or Deleted",
- "sha256": "dfc3d05667713b082859c690e61f72dbf5e3c650c4b8d1abe77544657c34ac5c",
- "version": 1
+ "sha256": "24310c50c362c030cd18b5fc424495faff6d0a8124112c0c786911fc8ae10ae6",
+ "version": 2
 },
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "rule_name": "Service Control Spawned via Script Interpreter",
@@ -3175,6 +3245,11 @@
 "sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403",
 "version": 4
 },
+ "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
+ "rule_name": "PowerShell Kerberos Ticket Request",
+ "sha256": "3b60bd1e0f1c27fe50d75322e0e94e81d6569d94d048a2382ea656abc9e4dcaf",
+ "version": 1
+ },
 "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
 "rule_name": "Potential Disabling of SELinux",
 "sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40",
@@ -3196,9 +3271,9 @@
 "version": 3
 },
 "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
- "rule_name": "Microsoft 365 New Inbox Rule Created",
- "sha256": "d9a9c04470d880e9ee6f62e370377653bd27823145528495347993bd0511e499",
- "version": 1
+ "rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
+ "sha256": "607732c4fa53c679773c0154a36d176db4fc120c4d05c90139bc610165d853b7",
+ "version": 2
 },
 "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
 "rule_name": "AWS RDS Instance/Cluster Stoppage",
@@ -3212,8 +3287,8 @@
 },
 "eda499b8-a073-4e35-9733-22ec71f57f3a": {
 "rule_name": "AdFind Command Activity",
- "sha256": "e00f8844f4cd9dae87d650fcf2c3ea31b66cdbe8d9a951cef452f49d469e78f5",
- "version": 5
+ "sha256": "aa759afe354ea02b1178b85a62e449549a60c66f29fa1f9bbc36cc6ecc03c7ab",
+ "version": 6
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
 "rule_name": "Attempt to Deactivate an Okta Application",
@@ -3287,8 +3362,8 @@
 },
 "f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
 "rule_name": "AWS RDS Instance Creation",
- "sha256": "f359082c81ed687bb0fd222764315f15f6249a1690fa7fbc692035c882ce576b",
- "version": 2
+ "sha256": "0ec2175d57448fcee88f8c0959e36d170fb2c4316bbeb2724bc03fc65de12ae1",
+ "version": 3
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "rule_name": "WMI Incoming Lateral Movement",
@@ -3305,6 +3380,11 @@
 "sha256": "e10cd34197457df5ffa89b628dfbd7d9ccbb89c295b5b2de5d3a305df3a8d158",
 "version": 3
 },
+ "f494c678-3c33-43aa-b169-bb3d5198c41d": {
+ "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
+ "sha256": "f289922736ffd6e74e180daa7f30a3b93686535463b8d9949f29722388e2a75f",
+ "version": 1
+ },
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "rule_name": "Windows Script Executing PowerShell",
 "sha256": "9675f6c2d6b7bc26b770ed6f8bb5668058bb865b782423786a1ebb70bf5de797",
@@ -3312,8 +3392,8 @@
 },
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "5508f0b8c9ae59dbe1d7a20d8147f51eb24fc9d562b290be27f28256e143428c",
- "version": 1
+ "sha256": "1b97736892e78fbfe77574ada29decaab3531656dda142d994201283b043d5de",
+ "version": 2
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
@@ -3332,8 +3412,8 @@
 },
 "f772ec8a-e182-483c-91d2-72058f76a44c": {
 "rule_name": "AWS CloudWatch Alarm Deletion",
- "sha256": "83bd482803cdbcf79f22ae7c03238a8783130b4a702cf5996896ad74fe45cd14",
- "version": 6
+ "sha256": "5ba0f707d95e1455ba5ceaf33d751de1607ba2d8b4dca34d3c938c7768003ac4",
+ "version": 7
 },
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "rule_name": "Persistent Scripts in the Startup Directory",
@@ -3410,6 +3490,11 @@
 "sha256": "bb76fcc217e41bd48148eebf78438baeb8f5052ddfbce1cdd316a589d6b5d4a2",
 "version": 1
 },
+ "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
+ "rule_name": "MS Office Macro Security Registry Modifications",
+ "sha256": "5fdc6d766a59b36c16b02377c9284e22b5a2df1d9d3fcca9e215378f032e4e59",
+ "version": 1
+ },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
 "sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",
@@ -3417,8 +3502,8 @@
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
- "sha256": "294224cbc1a5d95a5fa349fb0e4f7f241d79f04636eeee63c2c3174896068699",
- "version": 4
+ "sha256": "ccdc2ee09712e2a2ea42f40d9aa8bbb35835b6251cfc22ca520f2f5eec5ae28e",
+ "version": 5
 },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "rule_name": "GCP Firewall Rule Deletion",