security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5 (#2329)

Browse Source 
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5

* Update detection_rules/etc/deprecated_rules.json

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2022-09-26 14:24:12 -04:00
committed by GitHub
parent f5c992b6de
commit 1b6355eee9
2 changed files with 668 additions and 467 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/deprecated_rules.json
+5
View File
@@ -64,6 +64,11 @@
"rule_name": "Setgid Bit Set via chmod",
"stack_version": "7.13"
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"deprecation_date": "2022/09/13",
"rule_name": "Web Application Suspicious Activity: No User Agent",
"stack_version": "8.5"
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"deprecation_date": "2021/03/17",
"rule_name": "Execution via Regsvcs/Regasm",
detection_rules/etc/version.lock.json
+663 -467
View File
@@ -27,9 +27,9 @@
}
},
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "757389a394cb78e03e5c5f4b3cd9410b864d294df7110135dad17b7c13c3f771",
"sha256": "d0456fb46a13a6bcab231c6a97d6a4c75cae7c3b65021b97dcc006818c58513a",
"type": "eql",
"version": 100
"version": 101
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
@@ -43,9 +43,9 @@
}
},
"rule_name": "System Shells via Services",
"sha256": "f5fca5544409efa9be726ca0e0b1efcc9802cbd29a2890e2f612f30655bc5597",
"sha256": "9030af9779777809772931456c609cfd7719e5ee42b5564bc444474d8fc2e2ff",
"type": "eql",
"version": 100
"version": 101
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"min_stack_version": "8.3",
@@ -155,9 +155,9 @@
}
},
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "55455b766db2b90dcbc598a0b7474a3c2b226fcb1d6d03b9f6fe4e80fe170ac4",
"sha256": "25ec7cb90feb02124560e83d47c2051821be1d72524cbc9cd1a895072636621b",
"type": "threshold",
"version": 100
"version": 101
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"min_stack_version": "8.3",
@@ -235,9 +235,9 @@
}
},
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "9a71367ce47f6c9a0a69120cf743a61e12ffb4619cdc3e785fa76d2639853d1a",
"sha256": "7785e6b11756f1a60bee8778c46fde373131964d9b6e39229a83b22af79647f3",
"type": "eql",
"version": 100
"version": 101
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
@@ -251,9 +251,9 @@
}
},
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "778153c9cbb4e140ee288ddea3f425a7b2d00771e7cb4f28d9a9d2f65df0d364",
"sha256": "75e8dac304fb6a8edaf7388d55d8b0f7985492c3bd323f64fa205335fdbfad62",
"type": "eql",
"version": 100
"version": 101
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"min_stack_version": "8.3",
@@ -283,9 +283,9 @@
}
},
"rule_name": "Remote System Discovery Commands",
"sha256": "a7de1002d6f143e3652830157f48a969010b4f7702d3c4cb6b40b3b920e438d7",
"sha256": "008f83688d4d6095705aaa866c08ad5e944d856490fe068ae075b3d1581f834c",
"type": "eql",
"version": 100
"version": 101
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.3",
@@ -299,9 +299,9 @@
}
},
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "7bacbeef7e30a296210ae47a4d89084c9a061c575961862466dac562a92ad356",
"sha256": "2b364897ca53769a7088a0a30b555b2a360b48dc6e0894be286b9bb7b6895b82",
"type": "eql",
"version": 100
"version": 101
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.3",
@@ -315,9 +315,16 @@
}
},
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "bf0429e76fb9c1db6f809649d079add564548ab3be0cde7b59b0927794bb0535",
"sha256": "6abac6bdb953f843131c74427b2a2d7868be53e3d1ece8e42dbd69f7bd457896",
"type": "eql",
"version": 100
"version": 101
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "f8e05498e63a3fb10621fd91713a7f0995aaf07a9eb6fd5ef73b62c7a81458f6",
"type": "query",
"version": 1
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"min_stack_version": "8.3",
@@ -471,9 +478,9 @@
}
},
"rule_name": "User account exposed to Kerberoasting",
"sha256": "83f7382ba03556568e6ccdea4af57e3323b8f4d337eca24c65ecdcf0042b672e",
"sha256": "ea7a49ebd480148b62e1409cf3013e7961ecc863ea0fd6739dfc7b11032b3e23",
"type": "query",
"version": 100
"version": 101
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
@@ -487,9 +494,9 @@
}
},
"rule_name": "Peripheral Device Discovery",
"sha256": "62bc9a1a7397ad3195956c7328708fb582678451ffe3cc782b1f85979b5bdf97",
"sha256": "0f131f20084bf9ff117f40fc1b93d6c6f2d317830971189536e87031bc7be75c",
"type": "eql",
"version": 100
"version": 101
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.3",
@@ -503,9 +510,9 @@
}
},
"rule_name": "Threat Intel Indicator Match",
"sha256": "08f8c238c50a92a88dbe751e24ae2b5cd38585ae57a0f026efa6cd46dbc395ec",
"sha256": "35422331ee86bff7cba5739cf0b8e7446df3fce8ccb08451418d15163f743c6f",
"type": "threat_match",
"version": 100
"version": 101
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"min_stack_version": "8.3",
@@ -551,9 +558,9 @@
}
},
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "8081e5edd181ca6ef4de519993eac692fb9e13b7a8331f493d8b5cba63d6678b",
"sha256": "c655a1153df364e076474e02b7608a83c129141a06ee03a108eecec42030ad6d",
"type": "eql",
"version": 100
"version": 101
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.3",
@@ -675,9 +682,9 @@
}
},
"rule_name": "Abnormally Large DNS Response",
"sha256": "51a774df9bf521db4ca5be0359b8f57f565c222434338eab826b87bb2135c9ac",
"sha256": "71ae7239629e1327674fb90a5113c25dfe9dbe95eac8e490ee511f676f8acad4",
"type": "query",
"version": 100
"version": 101
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.3",
@@ -707,9 +714,9 @@
}
},
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "d79170d1d2dc733f23fa76b4fa85341b05c92bf574721045be851326dbee79d9",
"sha256": "fd844ac52903a33e32c91999a760e1ec4c2f75b7b748a9cb1b63907c619853e2",
"type": "eql",
"version": 100
"version": 101
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"min_stack_version": "8.3",
@@ -733,6 +740,13 @@
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "04b9e2a27817afd12d0d975b4d3c59897691d8d182ae8c72db0becd6cc7cc404",
"type": "query",
"version": 1
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"previous": {
@@ -745,9 +759,9 @@
}
},
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "419591e43cc4c101c42c537120a98b26c5a6760abfb24f6bba8fddbd20d524fc",
"sha256": "4b2fe4d5a803628fd2b662d13b09b9d05108fe3a2f4cc9554bfe79ac508835ff",
"type": "eql",
"version": 100
"version": 101
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.3",
@@ -821,9 +835,9 @@
}
},
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "b0ee983787f62183b3667f7047688f963bc0295b3724df34227e4b3f3a78000a",
"sha256": "1c66ca745212e6920c820ab7c7ef4c047dad7008230c62efd6e4ed4d9219f230",
"type": "eql",
"version": 100
"version": 101
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
@@ -939,9 +953,9 @@
}
},
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "a02b14e0e4eecfb1f00811d8373dea27f41819134a1027b66d37d6cce4eb9696",
"sha256": "4d2b47b1d5625168b8362f28a9a266caac9cf70e0458341cd6f4cc94edb6c3df",
"type": "query",
"version": 100
"version": 101
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
@@ -955,9 +969,9 @@
}
},
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "027f4016e7b011b1e1775524d011db0f3409297811bda118d962948325c35783",
"sha256": "560310be6d4234b54f2f87c670b25bb4c53540a17eecd6f93a2f0c3685288a01",
"type": "eql",
"version": 100
"version": 101
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
@@ -1035,9 +1049,9 @@
}
},
"rule_name": "Component Object Model Hijacking",
"sha256": "c428fc531a25f1681bb3a26b13b8cf56b29d6c87093b3a8f14a7a6d49dc16219",
"sha256": "32154d783cd08ea852d6a32ef6b27f6b53cb6a74c89b5e933c1ab221e782f3c1",
"type": "eql",
"version": 100
"version": 101
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
@@ -1051,9 +1065,9 @@
}
},
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "17e0c2bd35bde2a29a13b0c3601999bb1555fead5b45f0b11654ff859da8c8b6",
"sha256": "43cc58fd922e975740c567792897ede93f75cef6ec2291aa281df3dde4edb9e5",
"type": "query",
"version": 100
"version": 101
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.3",
@@ -1147,9 +1161,9 @@
}
},
"rule_name": "Suspicious Execution - Short Program Name",
"sha256": "f7a9602afd5c320d4f7e786cd81b89a06f9813891f1de9f73386345415fe17c2",
"sha256": "dee6649f24187e9b4297bfbbf7181b27e82a6cfdf2dd7a70de1639c624a4e2ee",
"type": "eql",
"version": 100
"version": 101
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"min_stack_version": "8.3",
@@ -1201,9 +1215,9 @@
}
},
"rule_name": "Rare AWS Error Code",
"sha256": "f2e04304395ab90b7580429890cf7e2e7ebe4d09c2a1777927222375f31c1bbc",
"sha256": "b35378255a816463aa6e7bb151f8fcd0457eaa0189327e7a35f3ff770fc96eed",
"type": "machine_learning",
"version": 100
"version": 101
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"min_stack_version": "8.3",
@@ -1233,9 +1247,9 @@
}
},
"rule_name": "Execution of COM object via Xwizard",
"sha256": "44257ec40965e6ab0a48e4394db0bff1ea0ef3f7d5d3b41bb5d0fa409457be82",
"sha256": "c8621df9fdc867d538de65f67be4ff5b9bcf7cd5af96f040cfee75f2f5d3ce95",
"type": "eql",
"version": 100
"version": 101
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"min_stack_version": "8.3",
@@ -1249,9 +1263,9 @@
}
},
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "6d33570b7f5f13b7bfa3455e553534f7e704a74e0a7d562b402478fab02b9809",
"sha256": "01f0029caa8d6a301b7dab4562f20b9e41ac6aa399d19a0d12532d6efde56b6b",
"type": "query",
"version": 100
"version": 101
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
@@ -1265,9 +1279,9 @@
}
},
"rule_name": "User Account Creation",
"sha256": "ce771b5fe692673c9406f8817adb67945f35fca9271439cd07325d772d3781eb",
"sha256": "fd69451622602ebcb50b05196ed535b62c4897963c7e28660f5799f45d844e74",
"type": "eql",
"version": 100
"version": 101
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
@@ -1301,6 +1315,13 @@
"type": "query",
"version": 100
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux SSH Brute Force Detected",
"sha256": "88aec7293387d388699f95c255d82bd5b3a9152cf31fcd77413d2c21506f8547",
"type": "eql",
"version": 1
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.3",
"previous": {
@@ -1313,9 +1334,9 @@
}
},
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "b7cc5fbc078c10128f2bcbe13b7c4c861d3a9ed2810e6a42b2ae2d8cf7de2471",
"sha256": "3ecb70e746789a1c2d3133b92a8d04fa8be02d4403da7487ad7c0867053af775",
"type": "query",
"version": 100
"version": 101
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
@@ -1377,9 +1398,9 @@
}
},
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "5c856b88cd99da9cc3234fbb92474ade21790debb6b3f9cea3084dfbab5ac401",
"sha256": "074a0926e1c3be18d66dc109559a0af1f998d93f3c1dfeb956b9317f7bc2256f",
"type": "eql",
"version": 100
"version": 101
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"min_stack_version": "8.3",
@@ -1393,9 +1414,9 @@
}
},
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "16796f9d1d8e8bbc8f8adaeb103a3e40551ccd80dfa261da294bb638fe2e8996",
"sha256": "37661b2147a456b4ece2cf2f60f9c4364142b23d189293d30ea868dbebb3fa1a",
"type": "eql",
"version": 100
"version": 101
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
@@ -1425,9 +1446,9 @@
}
},
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "f9c0f46093535eefb2c93305395d28e6913ee6c36ed641767b2daec212a19962",
"sha256": "6163f24c5d3aa556bd201072fa5d14346faa906d1cf09e73b6b04ace4b59bddf",
"type": "eql",
"version": 100
"version": 101
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
@@ -1489,9 +1510,9 @@
}
},
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "9ec3a78cfe0b7eab7c138ac49a884c224a00491d0b64c0eee4dbd12493d33e8f",
"sha256": "9aaa17447c94f5c504286151fad957cf0b90d9e773d4837ca70fd4612c202a9c",
"type": "eql",
"version": 100
"version": 101
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
@@ -1521,9 +1542,9 @@
}
},
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "97dc8e7e9d6f7c4863906556b2bf8afa6d1deb8b3274c2f5345b42fd092752ed",
"sha256": "d26c3a9c1df6cbf594a645a9e26d16311923ca2580de70627e5c7c7fa7ef9ccf",
"type": "eql",
"version": 100
"version": 101
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
@@ -1537,9 +1558,9 @@
}
},
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "f74c750f35a340377bdedd1e030b78774573d90db73e7f7d4fc56b32a00198c6",
"sha256": "e739a5b5e3afbf00e7a2a7af027175ed7a5e96103eb7d267d515fb232ba04712",
"type": "eql",
"version": 100
"version": 101
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.3",
@@ -1585,9 +1606,9 @@
}
},
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "382d58e6dfe06d1311617f60fd4a251a23cbb5d63ada9943fb89552b5f26411e",
"sha256": "30dc1da92d4206f095081abe3f7ad377f2c8c996a5959f5ffb686cc15cb2a41e",
"type": "eql",
"version": 100
"version": 101
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
@@ -1595,6 +1616,13 @@
"type": "query",
"version": 100
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.3",
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "e2bea6ca7de34bcfd7cb342a243a4b02bdeb8955e6fb42a894ee041f3ee9b9ca",
"type": "eql",
"version": 1
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"min_stack_version": "8.3",
"previous": {
@@ -1623,9 +1651,9 @@
}
},
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "d33d74f0f5ed0b09a671003ee7a1672cf041ce88e69b9ca69e539dc48869e839",
"sha256": "0a489b08ad7626d3812dec3f86a795e81fcab3b92418108ad10d953b14919d29",
"type": "eql",
"version": 100
"version": 101
},
"227dc608-e558-43d9-b521-150772250bae": {
"min_stack_version": "8.3",
@@ -1655,9 +1683,9 @@
}
},
"rule_name": "Potential Shell via Web Server",
"sha256": "7002c42afeb6def92d223533bc109ec84aa817ee6a3f7601504388ec649824c1",
"sha256": "e7e3cc4724e1f2bca5659099992b917c0e62b3d926b8cad149a447d11efe747f",
"type": "query",
"version": 100
"version": 101
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"min_stack_version": "8.3",
@@ -1735,9 +1763,9 @@
}
},
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "c26b7c08065554bbc3fd0106cdbc29198287f6f8784575135b2d2fcefdabf6d2",
"sha256": "0cdca6f6faa4c636ce760aa198df61671c58e1e4e13d4bc4e539a851cdbd49c9",
"type": "eql",
"version": 100
"version": 101
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"min_stack_version": "8.3",
@@ -1751,9 +1779,9 @@
}
},
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "eabd3d3d0f64bb20f419339688944736fd47405cae20f898a43ec2fc85b01de5",
"sha256": "62cd211fbabb33bdd0fe847d9e78af10462cc5e8a1dd3c8675bb6add5f1ee701",
"type": "query",
"version": 100
"version": 101
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.3",
@@ -1863,9 +1891,9 @@
}
},
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "e8ae7f22635132da7b5bf3533b25a8dc4f4f40bf2f7211baf9eeafdade399681",
"sha256": "332554db89e6dd413c6f1d0969db9c996129c2cf72d360eae4aa952226fad75c",
"type": "eql",
"version": 100
"version": 101
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
@@ -1917,9 +1945,9 @@
}
},
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "cb7a286a493a075d27124fed9b54fdefbbdffc431f1ab7013cb3cc43a84cb5a6",
"sha256": "6004e014be74e9d34913da034d1bf58f6cbf698d93ad5746a320785251e0b0db",
"type": "eql",
"version": 100
"version": 101
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
@@ -1932,10 +1960,10 @@
"version": 7
}
},
"rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
"sha256": "8cc89a2f3954e9a94d134551b2c7e35824ddb4b0953aec193a7ccde465ac6c28",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "10ff022c0a94d48841c1d572096762b66de0537940aede6dee7cb1b0df6d084a",
"type": "eql",
"version": 100
"version": 101
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.3",
@@ -1949,9 +1977,9 @@
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "2030c51413f73e84fd0d55c42d0dd2900b52766611dc614dd8dd7703db35ced1",
"sha256": "30f8106d967a67bd1fe88ffde5ada349cf954fd63cd3786c0d09a3fbc72e3ee4",
"type": "eql",
"version": 100
"version": 101
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.3",
@@ -1981,9 +2009,9 @@
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "5a2f33680f5d3113713dd626971011549b97cc2b4350b07969eb59c02e9ee152",
"sha256": "4a4801e7470ca5e5679139c2a48f580610258c91c52131a22ba1049b4f8b2bc0",
"type": "eql",
"version": 100
"version": 101
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
@@ -1997,9 +2025,9 @@
}
},
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "088e485e3d1aeb759eb92a66555505e50734785025cc47355e17829f84d82169",
"sha256": "c24b4c976b089f5f2b0a718853ba336db50c32296790b4cd01b752992b076bc4",
"type": "eql",
"version": 100
"version": 101
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
@@ -2013,9 +2041,9 @@
}
},
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "9800bb69eecbff93889cc684d748b20774e825ee009dcc9cfddc9c0c0393e7e5",
"sha256": "18c0b16ed19cfc91df847e16e6d82e2f46826fb138e63ace629b67b6b85917f7",
"type": "eql",
"version": 100
"version": 101
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.3",
@@ -2045,9 +2073,9 @@
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "bc4e5b17b420342831d86fc15f5d8cef6867bf094c8f2724fac70a4b7ed13bc0",
"sha256": "f02488141624acacf42e1b94daebf74a3d7b0c9b7ef28ece2c20b5fe6029a36d",
"type": "eql",
"version": 100
"version": 101
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
@@ -2077,9 +2105,9 @@
}
},
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "5c32cbb481613e7aaa4f329f37af1c5f6e0b9085744a72a79a6cdc7ab4d208eb",
"sha256": "cd00b270fc84942b3cd8a091aebb8977c4d60d2e6d6a0f811b41b8c8680c97c8",
"type": "eql",
"version": 100
"version": 101
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
@@ -2093,9 +2121,9 @@
}
},
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "309aecd37f11dd3b2be99b60a7cdd396aa3fe063de5b5661080c78eb6431c22b",
"sha256": "8112cc5bdb7d1e500f0cb5c55e40ad7e808f1d21b371f31390e36381851be394",
"type": "query",
"version": 100
"version": 101
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
@@ -2125,9 +2153,9 @@
}
},
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "b1bc45715ad3f67d0873f1022390ee9e80f1d55f616dea411a2a50739a1e271d",
"sha256": "3baeed0e8f333943a7e22f8844ed4d8ed0c4b5717265fe333e76a7377140aee6",
"type": "eql",
"version": 100
"version": 101
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
@@ -2157,9 +2185,9 @@
}
},
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "8c3c41ca109dd2dea80139090de9ce09e5fae9f0a5e0318894115d944a8dd281",
"sha256": "5b14cf100cbd708f7b50dd73ad028e7caac9de574c96a104d356cc55d37e4e1f",
"type": "query",
"version": 100
"version": 101
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
@@ -2189,9 +2217,9 @@
}
},
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "ba6e81101e448cdaa0f2968b2b2f589da1939eeb5f26681d43e8df9462235880",
"sha256": "0497df6954abf2ebbd00a01e15ac07ff99a4e033c70fe71f281711bbb900ac59",
"type": "eql",
"version": 100
"version": 101
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
@@ -2205,9 +2233,9 @@
}
},
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "343cfcace027b26bad90dbe6afee1851712f4891b988d569df88061f6dd33a46",
"sha256": "a0ba24235ed21ce57592ae7d533e360b0ac5423127f1599b32768fcdba2eea18",
"type": "eql",
"version": 100
"version": 101
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
@@ -2269,9 +2297,9 @@
}
},
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "068c92f5c8e30f0c69131ac3eaee0a607fea95ece60e0a1df3bb995f43f679c4",
"sha256": "06ca38cbb883168d3dd1793c890ed4d144537d0ba2b20552efdb56413ac78c65",
"type": "eql",
"version": 100
"version": 101
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
@@ -2349,9 +2377,9 @@
}
},
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "11e1b412fb1d15937ec2238742035c4c44f6f2e6263fd772b5ec902b2e596f22",
"sha256": "3bb573d33d39ebf8ce73ac91cd2e2c7807fcb3d06c046c5f1f84daffff8b62c3",
"type": "eql",
"version": 100
"version": 101
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.3",
@@ -2365,9 +2393,9 @@
}
},
"rule_name": "AWS IAM User Addition to Group",
"sha256": "82558f0d69b0a23d533d2ab57d661a858cb205ac3257196f4984150373f3078c",
"sha256": "cbcd96bed459634465d669fa2c81fe66f4e7731f0bcf635077efc930128d0c34",
"type": "query",
"version": 100
"version": 101
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
@@ -2381,9 +2409,9 @@
}
},
"rule_name": "Remote File Download via PowerShell",
"sha256": "bb480a0099fe3a0a60f3446c0106054446235abfab255fa49d6801aaefbd319c",
"sha256": "a9ff45fe25c9b9c0b0e5fd80bcab308f275eacc9881819b10dd758a99ca13b8e",
"type": "eql",
"version": 100
"version": 101
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"min_stack_version": "8.3",
@@ -2436,9 +2464,9 @@
}
},
"rule_name": "Port Forwarding Rule Addition",
"sha256": "2faacebac328480c1a53b3958e1f5bed2b09a2c0d641f75e17937a491033b986",
"sha256": "30c1e029505f96f765875b8aa244b288d7d94504e3884baa67de302959c8b74f",
"type": "eql",
"version": 100
"version": 101
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
@@ -2452,9 +2480,9 @@
}
},
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "af8852b1023601234ff897b8f5d1eeb58d02cb81ee32f46547b91478cddbba5d",
"sha256": "d6e503fa566aa64466ca9ffcbbb2953c0c41abf12d546187141eafd323bf268a",
"type": "eql",
"version": 100
"version": 101
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
@@ -2538,9 +2566,9 @@
}
},
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "b38cf7790741aad498341ee0f143101b6fcdd430c2e9b740e3659e14a28946a5",
"sha256": "c8ac802a488e4abe790d49d56f35dfb73901dd252399b4fe079fb149f7505980",
"type": "query",
"version": 100
"version": 101
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
@@ -2560,9 +2588,9 @@
}
},
"rule_name": "AWS Execution via System Manager",
"sha256": "8ab164b34bcbb449f1040d1b4d9427a14ca110ae445c752316da2dc962700ffc",
"sha256": "f22c9949a2a4bf592a657bd34ef3feb8987300782e79e261dac91bfb92327186",
"type": "query",
"version": 100
"version": 101
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
@@ -2608,9 +2636,9 @@
}
},
"rule_name": "Network Connection via Certutil",
"sha256": "8619d4e24d08fdef2c26f7eaaa74b278e714d775103212fbb572036668ae542d",
"sha256": "691ce2d376fa45bc1e53d35c65ea8269f55e36bd45c59e7fbd218aced50fa18e",
"type": "eql",
"version": 100
"version": 101
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
@@ -2688,9 +2716,9 @@
}
},
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "e8d5b9ae224dcfc8a91f31fa09aaa10122e856cd35facf81a2d70027ff2b00e2",
"sha256": "592752bbae091e003854d9d53e0b9d57ed82ca0288abda1349e1bf028e1e77c1",
"type": "threshold",
"version": 100
"version": 101
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
@@ -2758,9 +2786,9 @@
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "1c2f64afb040fbda999b1925ab0ee45c9d59b73d38ac1619be8afbe85553a818",
"sha256": "b5f0431fd230e67581f5754f4d37e0066a71255ab5a960c8e5bcff1c551d1be6",
"type": "eql",
"version": 100
"version": 101
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
@@ -2774,9 +2802,9 @@
}
},
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "0f1389e561dd415dbf6768875f965cdaa2645f07949d8f62f18e5e4f722468cd",
"sha256": "ac10f6ccc24ce82be01f6f5fedce0c17a3935821fa1d30dd886d03a66c6387c8",
"type": "eql",
"version": 100
"version": 101
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
@@ -2806,9 +2834,9 @@
}
},
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "45f58b5b1054e9f025c799101ac3c87b050379818ddb6e57f557398a30367ebe",
"sha256": "428ab9fdfdf45f8b78936be6e761223f7aa5dacba6db94c648f3ac20b1c69eb8",
"type": "query",
"version": 100
"version": 101
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
@@ -2838,9 +2866,9 @@
}
},
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "5bcacdc2a7f872a967066f3497b12c82638bc3a659a27706adbff5cc5783eafc",
"sha256": "e6480c33d66da9ece489fcc7bb3564bf1a37b65e3d914cbb5072b81c6989c486",
"type": "eql",
"version": 100
"version": 101
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.3",
@@ -2854,9 +2882,9 @@
}
},
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "5d37b23cecbcecb6fd4e89491b1741f8d1d15b13b2474436e1fd5dadbd1b836f",
"sha256": "bb92799a242c6e20d935250ea0cbe1bfa3b9572f01a497225389947c74fb6af3",
"type": "eql",
"version": 100
"version": 101
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"min_stack_version": "8.3",
@@ -2934,9 +2962,9 @@
}
},
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "c6484020fa29382b8f864d5b5a4bbbbbad1c7ada1c9e3e9334a4e76f607accee",
"sha256": "66873bb69829d5951b8cebb2a33be10cec1e6a31b1090bc9a2d52a8d47c4c2d0",
"type": "eql",
"version": 100
"version": 101
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"min_stack_version": "8.3",
@@ -2986,6 +3014,13 @@
"type": "threshold",
"version": 100
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
"rule_name": "Process Creation via Secondary Logon",
"sha256": "03a4685c7fd2543943d9d3ea3d1a70d7972c016c7068d40da5bdd8235512b7ed",
"type": "eql",
"version": 1
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"min_stack_version": "8.3",
"previous": {
@@ -3030,9 +3065,9 @@
}
},
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "618ba466fd4613c40dac45fb5cae32a15e17dee64a222afcc72e6188f29f04d5",
"sha256": "3f7b7c353a183f954267934638a1e7cc9efd033fad2616b6472aff4e617b294f",
"type": "eql",
"version": 100
"version": 101
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.3",
@@ -3050,6 +3085,13 @@
"type": "machine_learning",
"version": 100
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "3beb0463626eee5c772571787bdf1668ca12c57883640d11f08b0e033c5cfb77",
"type": "eql",
"version": 1
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
"previous": {
@@ -3078,9 +3120,9 @@
}
},
"rule_name": "Windows Event Logs Cleared",
"sha256": "851e423813f44b73b33848927aea154be22e62daf4ecdd3379a6879149a06908",
"sha256": "c5f7cc0dcab227c127f10d25c051d81baf3375a047fa63166bde9e264f5308d8",
"type": "query",
"version": 100
"version": 101
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
@@ -3094,9 +3136,9 @@
}
},
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "cb63bfb0c61803088becb44b9c3f8f1bc73e2260f0eea157a700f69a7437295d",
"sha256": "06a9107f4b386e10196ecbc083b1ebaf6e427ba7e94fc12ee66df5bcd3875db1",
"type": "eql",
"version": 100
"version": 101
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
@@ -3117,9 +3159,9 @@
}
},
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "c69087be2366174103a5ac765084b05b5947745b58ca65590f709b73faabf6f7",
"sha256": "12d812b856650bca6e0369916820dfba4a0d23d6696756a0451d062d4d2386e4",
"type": "eql",
"version": 100
"version": 101
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.3",
@@ -3133,9 +3175,9 @@
}
},
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "f4ab7f933e115ff4e59ee64e8991fa6759313388c71e4933b0ce7a29249a420d",
"sha256": "3b7e28b4b12f84229519564c2686aebd08a9fc1364688b7d4381342f4a212ec9",
"type": "eql",
"version": 100
"version": 101
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"min_stack_version": "8.3",
@@ -3165,9 +3207,9 @@
}
},
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "9f2eeac234c93833d2f21839fbf0d7cc29501c7141357383639dfc7bff2f9e5e",
"sha256": "554a22cb45f8eb9175a243358970d02e9ededc8bca227a4e8b8c33828888e27f",
"type": "eql",
"version": 100
"version": 101
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
@@ -3207,6 +3249,13 @@
"type": "eql",
"version": 100
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "c71b2f2111e1441a755e160389b90ad7c994f2955e54d25bdbc21e397839c34d",
"type": "eql",
"version": 1
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
"previous": {
@@ -3255,6 +3304,13 @@
"type": "threshold",
"version": 100
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "3374eeddf36189dea4b300570a391bea57dca4ee9e2f19f4edeb2317c44d1826",
"type": "query",
"version": 1
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
"previous": {
@@ -3283,9 +3339,9 @@
}
},
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "86416e631a84457792ada6cecb10e4dc761dff8a81cc06e0dbfbe21ff1efd6fc",
"sha256": "3be0908e8ea93d381fdd04df00875de60f82aa51321b0e5fcc6d23e5518477ef",
"type": "eql",
"version": 100
"version": 101
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
@@ -3303,6 +3359,13 @@
"type": "eql",
"version": 100
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "41d4a587e6396df429d6411f91540c4484859715070a8b1b531437706bc9a04e",
"type": "query",
"version": 1
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.3",
"previous": {
@@ -3347,9 +3410,16 @@
}
},
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "8a9495706a1456c58669b4d529cddec0e636b13416a3f2e94e9d71cc65519af4",
"sha256": "b31e30c9dc25e40da985cd39f3861186666b4d5d5adfa319eabebc591cc16760",
"type": "eql",
"version": 100
"version": 101
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "efa27aca86ffb57587ccd8f35ad830634129eef6ff08a650690ae49d1fc33c92",
"type": "eql",
"version": 1
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
@@ -3363,9 +3433,9 @@
}
},
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "6fa750938202f64ef8627ffb8933cba171b5045d30c9da22bdba053d91006275",
"sha256": "24d70031983bf8892fa1f62c964d58c44131b44a22e09c19591212fcfeefd762",
"type": "eql",
"version": 100
"version": 101
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
@@ -3411,9 +3481,9 @@
}
},
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "76b4b534df6142578ba17c139387f4338044983089f60686dda68091177e7b3b",
"sha256": "b66a06cec2fd11bf9ffe3d3fbd14b020a335edc2353f4f53a4d0a0d09742dcf2",
"type": "eql",
"version": 100
"version": 101
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.3",
@@ -3475,9 +3545,9 @@
}
},
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "587a34e68e4cdea134965146959fd12b2739ade64e6df2b2ec43fe25b3cab661",
"sha256": "8bd00106efad5dd7fa685bc33c82a345a079815e8453880e02ab001e8d0d1f39",
"type": "eql",
"version": 100
"version": 101
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.3",
@@ -3523,9 +3593,9 @@
}
},
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "1ccbdedae874405695c758eb5671221d5d68d6e5cf552c9b384f03e35a694a04",
"sha256": "6b6d553224dee6183191b7a780ca1da9a276134b5568711c360831fca73bd6a6",
"type": "eql",
"version": 100
"version": 101
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"min_stack_version": "8.3",
@@ -3615,9 +3685,9 @@
}
},
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "ed2c9370862e7e9588290bd1220308cffac1b348546fd5baffd11deb67d9fa07",
"sha256": "8f4a15c80a5f7d11a176a31ca9ad4563335e833b2087e0a602f73c508ae80151",
"type": "eql",
"version": 100
"version": 101
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.3",
@@ -3686,9 +3756,9 @@
}
},
"rule_name": "PsExec Network Connection",
"sha256": "e679a602ffc602772cfe83319e32bea413a15bac34a553b9a78137cedbe4c233",
"sha256": "e21cf432ec27b99fa0cf830c93ad21d7eb822ee25315db431a4ad52452f1bfe5",
"type": "eql",
"version": 100
"version": 101
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.3",
@@ -3766,9 +3836,9 @@
}
},
"rule_name": "PowerShell PSReflect Script",
"sha256": "e83e1f173bc605e47f440c42e553b45dd28cda90abf6497e245678c6a7708458",
"sha256": "c72390355e0a04ec708a61acc3ddce3ec8d4db4f6c9d44cfcc631181eebacc81",
"type": "query",
"version": 100
"version": 101
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"min_stack_version": "8.3",
@@ -3830,9 +3900,9 @@
}
},
"rule_name": "PowerShell MiniDump Script",
"sha256": "cbdb31457c62480fd5c9dbf50a46f140aafd57d31ee5c2bf92d0baf962a3d480",
"sha256": "7ec5d73fae487dddb7e642cdd58c4652e6e616abbd11af3a8ab7d77e80b78dd0",
"type": "query",
"version": 100
"version": 101
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
@@ -3846,9 +3916,9 @@
}
},
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "c1aec0b0b33c8a3075935263f0f719b0e21c7ba0bdfe187aab046b2de8a73393",
"sha256": "c37b854a6c3c01a4bcf07845daa8a68e58d2736ad09f03dc99144778fd6f0913",
"type": "eql",
"version": 100
"version": 101
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
@@ -3862,9 +3932,9 @@
}
},
"rule_name": "RDP Enabled via Registry",
"sha256": "c78fc2e97a561744176f7e493729c4382c3f7057779a9176829384ebd3c3f2ca",
"sha256": "a6eb4c3ed852cc3c411daa991ef869b3cb925e69ec723e5e661ed3ec5efeb7ad",
"type": "eql",
"version": 100
"version": 101
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
@@ -3894,9 +3964,9 @@
}
},
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "e90a1e07e34ea2f495f80b818ec08292d02a12b56a1ab8113c893adf20722fb0",
"sha256": "7037d376e1a6fb9a7dacd01ce947e02c9456897d0464354b95736d1979e9201c",
"type": "eql",
"version": 100
"version": 101
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
@@ -3910,9 +3980,9 @@
}
},
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "d5594f7b8eedbb5ea3c923cb0cf51ae9618431b335128344238559784e938a87",
"sha256": "d7b00e3725166f61eefc3ecac25da8babe0ad5e46894cc4d0682f1188e6f181b",
"type": "eql",
"version": 100
"version": 101
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"min_stack_version": "8.3",
@@ -4102,9 +4172,9 @@
}
},
"rule_name": "User Added to Privileged Group in Active Directory",
"sha256": "cde8abeb5602cceec08fc0e7415ed285ff46f0c199567dc7b9dc2cc243672fff",
"sha256": "9e42d09c9e604b81ce6d51f0584da1b500697b26f5a6edfc75834f0b911a62d0",
"type": "eql",
"version": 100
"version": 101
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
@@ -4154,6 +4224,13 @@
"type": "eql",
"version": 100
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "fd5d32a38a6fcc1c2f9da9bc81f2b1a80916de40174c78913b05259325c6b639",
"type": "query",
"version": 1
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"min_stack_version": "8.3",
"previous": {
@@ -4204,9 +4281,9 @@
}
},
"rule_name": "Azure Service Principal Addition",
"sha256": "bf214c9f72e9dfa8ccd2be6ff173e12ad5c7f7bb86c95e731af9fa4fe47605a8",
"sha256": "42f4486306a4f314aa7c0579be6188e7e3f261ee72c27caedfd0832958e55896",
"type": "query",
"version": 100
"version": 101
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"min_stack_version": "8.3",
@@ -4236,9 +4313,9 @@
}
},
"rule_name": "Unusual Process Network Connection",
"sha256": "621fd3c91f9762821b765a38822321c8536a7522037ff332ae4f18e0469de7d1",
"sha256": "97cfbd941b88485756921679da5f9f0414a9e43d7b3d92d149bd22a01352d08d",
"type": "eql",
"version": 100
"version": 101
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
@@ -4252,9 +4329,9 @@
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "96c86ebf7124b5cf3b983a969ac7334dd3f702d1e63a3a3a98b183f193d4f675",
"sha256": "b294c5544f88b00704acf417a7a05d62ae93bd1936e3562977f97d767df558e6",
"type": "query",
"version": 100
"version": 101
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -4274,9 +4351,9 @@
}
},
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "384ea747a062c1e6197b9f85283fe5b766e6812db17234c78e527075e8a7a9b2",
"sha256": "960ce8bcbdb17af9ebb21f2e0552ca016366ac012d98141a6cf9f1c01a17cd44",
"type": "eql",
"version": 100
"version": 101
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
@@ -4290,9 +4367,9 @@
}
},
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "ee6e88d5dbeb4c1e83885f6a95bf40c74f4b4f33bada19733a6e4b68694045de",
"sha256": "b780e2897d1af079ca264f8d31131fab358200df3dce5250225cac0db3edd7a7",
"type": "eql",
"version": 100
"version": 101
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.3",
@@ -4306,9 +4383,30 @@
}
},
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "323d4cd6580d5345a3d47924597c0d860fb1dba813e9aef86cf76e4558a03349",
"sha256": "5bc3884f85cb23ef9dcb68da3accd2c174e888f14003dd0120889a9e973072ed",
"type": "query",
"version": 100
"version": 101
},
"63c05204-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "6ff3774856f3a89c719426d0b0ad31e9476927c25e33ae9f1fb2c33a60262fe9",
"type": "query",
"version": 1
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "206708bf073f5373d61076aff081083306733334434485a072a95127453c17f3",
"type": "query",
"version": 1
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "a2254efd45c81509a0821dfe2637b59d41176b00bcf5e992e9667ec09a5053d0",
"type": "query",
"version": 1
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.3",
@@ -4424,9 +4522,9 @@
}
},
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "9074d32b67e1ae4dedee47ef68052d2de75e18e968836494eeee7db8ced3559c",
"sha256": "e44a6471cd9f3cb9f4ff2ff71b707d4b895e7111d26caf035fb73a7a649a74a6",
"type": "eql",
"version": 100
"version": 101
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.3",
@@ -4510,9 +4608,9 @@
}
},
"rule_name": "High Number of Process Terminations",
"sha256": "39e37ed6487827c23b34562be8be17f18cff230845a27b6d15181ae44ddbbd7f",
"sha256": "572bcc01029f280970b61a6a247c698227edb788c0f7a7a879001d76c5769030",
"type": "threshold",
"version": 100
"version": 101
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -4580,9 +4678,9 @@
}
},
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "06f4a7443048cea7bec58e46f208e942694f415dcc65320caf513b9715052ee6",
"sha256": "4e8326e617e597c6b2f4f141f526dcb83e91957ff940eb5fa34947cde13e662c",
"type": "eql",
"version": 100
"version": 101
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.3",
@@ -4603,9 +4701,9 @@
}
},
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "d9f56f436561f5e8d14e9dce38318bf3e08a582338ac24f244aa054fdbbd0cce",
"sha256": "545233dc9b965ee4f62840278af84bef551cdacf71cbce2552b8a9d2704615b5",
"type": "query",
"version": 100
"version": 101
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.3",
@@ -4635,9 +4733,9 @@
}
},
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "eadaa242e8c74faea653a0d6055f1cd65f796118e32fd864934eff13d33551b7",
"sha256": "ca37ae77a2a934249977d73567f63f4aa0372dd28c4332d3e67f3abb9714b631",
"type": "query",
"version": 100
"version": 101
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.3",
@@ -4651,9 +4749,9 @@
}
},
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "431cfd25e36329eafa008281313032e48969664302df3523a6f07754afbc677d",
"sha256": "215cf89741265dca0515216e0cd94bfce77484424243f69154156af5bc099f6b",
"type": "eql",
"version": 100
"version": 101
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.3",
@@ -4667,9 +4765,9 @@
}
},
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "32f883b9ccda701081df7ad7747f8d7ba939a23f7766b682130f07db73998f6b",
"sha256": "c3c9c7bd57d452b175e97c8fd10e3e5521fc159489800d7fcd7ec70b6131f5f9",
"type": "threat_match",
"version": 100
"version": 101
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.3",
@@ -4683,9 +4781,9 @@
}
},
"rule_name": "Modification of Boot Configuration",
"sha256": "ebcb54c25c02c260036c1db2f19a1e5b35ec0cb57e6fb5192d5c4dd3052b1805",
"sha256": "d47046dd3c6d7b2d81857cdb59c12e30632f4cb338bdee6d77017eeb7d905572",
"type": "eql",
"version": 100
"version": 101
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"min_stack_version": "8.3",
@@ -4715,9 +4813,9 @@
}
},
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "24a5e2bdad4552a26634f0a392bd7f64231ed12018f430bf08692fac52c206e1",
"sha256": "2dbac75d8122d27a776b5ebdeeed69b76dd3c337e7e9e53f605d4bd12c0aca31",
"type": "eql",
"version": 100
"version": 101
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
@@ -4731,9 +4829,9 @@
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "88ce3666e6415c05ed475a138a1ad69be67c93f0fdb4dd5a0aba78831e6b4213",
"sha256": "15d304ca4610d3bdcdd5ccbf59f4557b33f5dcb4586d4f7aa0a9e0b02ceabde8",
"type": "eql",
"version": 100
"version": 101
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.3",
@@ -4795,9 +4893,9 @@
}
},
"rule_name": "Unusual Process For a Windows Host",
"sha256": "4e2bbfe5f472c1005d61a787175eeeb5392ecfb867b7039df22de58040ae3153",
"sha256": "c511cda4aa28a9b42656c38d2ca0b72f1a2a1867cebbac11e496ac7ff737ae06",
"type": "machine_learning",
"version": 100
"version": 101
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.3",
@@ -4875,9 +4973,9 @@
}
},
"rule_name": "Security Software Discovery using WMIC",
"sha256": "2e5f5ac59dea19e7af55d8f5a0db3a0bb5778cead96038507a5ffdce5601ea27",
"sha256": "405fe7f8c2a23925e7d2fe92930f1cdc3be8bf444e8eae0b1c1c123b6a8cf69a",
"type": "eql",
"version": 100
"version": 101
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
@@ -4932,9 +5030,9 @@
}
},
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "252bd838adede7937aef757f4542fb56c55424aa08f56d9f96c1c3bc9c37f647",
"sha256": "3ce48bd244eb8526b966ce1ead4d0487ae071f67d638c971ab2f7ae83ae5e274",
"type": "query",
"version": 100
"version": 101
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"min_stack_version": "8.3",
@@ -4948,9 +5046,9 @@
}
},
"rule_name": "AWS Config Resource Deletion",
"sha256": "b75dd0547cf5415b26f194627721331376b66a9380b020303ab189c3da78130a",
"sha256": "d7267c58adaa59759b247610f0d44632689bbeb1da3010560530b7b14761d19c",
"type": "query",
"version": 100
"version": 101
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
@@ -5012,9 +5110,9 @@
}
},
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "bed2940df4181810e7478b8e19507306d6a16bd56bbf4441e2c50b768bff324a",
"sha256": "b00e5a4d5d5c6d8d59504b96c3a00540fb27adbd513b6dcfe224ae36f1b1af54",
"type": "eql",
"version": 100
"version": 101
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
@@ -5082,9 +5180,9 @@
}
},
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "85bb1aec79329f7e94bcce8357743ed8fd42b459d5ba231131f2838ca6ced383",
"sha256": "35c5171eaa6db62c999679b4f31b0ef290254247a4cbba5d704249d73bebe16d",
"type": "eql",
"version": 100
"version": 101
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.3",
@@ -5226,9 +5324,9 @@
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "1abb2447d34ad3e537afe69f7952979911c10b4ac2de409942b8286690971ba8",
"sha256": "00524f4fded82a3b045e070c9a691744774e363de232d396267a2a9cc0b9d652",
"type": "eql",
"version": 100
"version": 101
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
@@ -5242,9 +5340,9 @@
}
},
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "51517f9a409f7b6c6a70ee3417cb14f1ec4aa9323d6890a09c720defffd6fba1",
"sha256": "cf0976bea81b63409156eee359694480a9e7019b64e9934982721d5a033d64ac",
"type": "eql",
"version": 100
"version": 101
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
@@ -5313,9 +5411,9 @@
}
},
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "cf5d17d59a760c2a0accc338a57be2d6bfef72f5b5fb4893bb34fc49db576256",
"sha256": "c7ee92c687fa9c3bce9e82202474629c2b5486a7b2887ab1fe55092c3ba392fd",
"type": "query",
"version": 100
"version": 101
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"min_stack_version": "8.3",
@@ -5329,9 +5427,9 @@
}
},
"rule_name": "Spike in AWS Error Messages",
"sha256": "01aad6090bc10b35e30f2ba738f6102b658567c0f78ad2aea02aa8a87624cc24",
"sha256": "8183eb5101841cac57269a1c57fd4742f08bf5abcef72f96e6941a714aa27fc7",
"type": "machine_learning",
"version": 100
"version": 101
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"min_stack_version": "8.3",
@@ -5405,9 +5503,9 @@
}
},
"rule_name": "Windows Network Enumeration",
"sha256": "7b40b87ee1a93d70b7e567f0a0198401ed29fdc5a08e73e173aadc29c7852f58",
"sha256": "a9e25b25ba0cbbde73e38ee1a6c437b908c2512e5bdee9fa417c536dd41923c6",
"type": "eql",
"version": 100
"version": 101
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.3",
@@ -5441,6 +5539,13 @@
"type": "eql",
"version": 100
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "b2085a3b9a489dab8592255dd99f396e153d9b0230697c8f7bf2d0f370f5b4ae",
"type": "query",
"version": 1
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"min_stack_version": "8.3",
"previous": {
@@ -5475,9 +5580,9 @@
}
},
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "3543c058d99e4ede8932d890d7b74e90ef57744f8b2eaecd967e5f8346cd8d3a",
"sha256": "a390a18e42e852cab8e816adcf5b096f01e7969be1dda067aef68e919d3afb07",
"type": "eql",
"version": 100
"version": 101
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"min_stack_version": "8.3",
@@ -5491,9 +5596,9 @@
}
},
"rule_name": "Unusual City For an AWS Command",
"sha256": "5b046d0bbb1b9a2875e3298548e9a76f720dafff820a848849c754e0a43ed6d2",
"sha256": "e09731c2def2470615462990e4622174d41f4c999332453785b2e9040591e1a5",
"type": "machine_learning",
"version": 100
"version": 101
},
"80c52164-c82a-402c-9964-852533d58be1": {
"min_stack_version": "8.3",
@@ -5523,9 +5628,9 @@
}
},
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "b6672245265d500ac777de607d8edf6b31aa2bceade6a79152a97d283673274d",
"sha256": "601184a8d1153cc7ad2141aecd6d54cb94c1cadd7e38ae38fd1b45ec9859f072",
"type": "eql",
"version": 100
"version": 101
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
@@ -5545,9 +5650,16 @@
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "14de188f0368c8113c85bd365c39d0989d1cf10ed21e6b6ba1efd219c805c7fb",
"sha256": "1d665fbc50175609d066a06a5a9dd7e8826288fd4321053ad1c07dd51ea6f727",
"type": "query",
"version": 100
"version": 101
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "5efa343b8c648239b7dfac4892293cbe1627f57c93e67f295b314cd68102987a",
"type": "eql",
"version": 1
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
@@ -5599,9 +5711,9 @@
}
},
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "92200cf156380f7b3bb3a4686ebe6468ddf7c36e9b1ee3ceded13c3987906e0e",
"sha256": "e5bd4f551066f92ee4691cf324270878cd316318962eacb6caa6703787f73d6c",
"type": "eql",
"version": 100
"version": 101
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
@@ -5615,9 +5727,9 @@
}
},
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "8aa38a9a88715acf22617286f18cf3b682130ccd1d625fe5f0439c81e60be69c",
"sha256": "65a765121cb562a2a0f0a3710e9da97ee5b5ca380d7833a925397e1e6b25f76e",
"type": "eql",
"version": 100
"version": 101
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.3",
@@ -5631,9 +5743,9 @@
}
},
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "d7c091b6f97197896f2feb40ff590004aadc49d47645dce62abd86354d7a278b",
"sha256": "45b564c5a63cf1b5814b9a4e60d3c91b93c97d12d5fbf31cec8539d9ae3edd6b",
"type": "eql",
"version": 100
"version": 101
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.3",
@@ -5695,9 +5807,9 @@
}
},
"rule_name": "Security Software Discovery via Grep",
"sha256": "b55b1241816124ff03a9d5d57583bcdf421dff533215d423116d1863b8103de1",
"sha256": "75714943f8e2740e1926b35f09b67526a88b790d1958d66a60343dea55e4943e",
"type": "eql",
"version": 100
"version": 101
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
@@ -5711,9 +5823,9 @@
}
},
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "06e3c5026a6339436c2ba8655621ebb2da7d12585ebd09d0971dacc7a5d5d350",
"sha256": "b9eac6c72b12f8052297685e41942df07d41aa4754fa29d9d82b413a469aaffd",
"type": "eql",
"version": 100
"version": 101
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.3",
@@ -5803,9 +5915,9 @@
}
},
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "9f205a5f4f70064f2c0001faffa2c6e2bbec9efd880ab8f16cb9586acdeb5341",
"sha256": "0d4ba175dff6933984e07a17b7cc6ff2aff80204a84ae8b0593e183c10a5668e",
"type": "eql",
"version": 100
"version": 101
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
@@ -5899,9 +6011,9 @@
}
},
"rule_name": "Suspicious JAVA Child Process",
"sha256": "219a9bedef498436f26a9467c7d9398c0a8a656e2740e60d9768074407878031",
"sha256": "76091e6b4e844985dac48f608eae91eeee9cd02b29101c525f64dbf31495b434",
"type": "eql",
"version": 100
"version": 101
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.3",
@@ -5931,9 +6043,9 @@
}
},
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "73fa1cce891ee006c32650991843135e8c3b22297fcce1f98242f3b4f1d70504",
"sha256": "45c314dbc1f863265cb06cdd60beb43bcc0ae9285325891e29f2278a01eb1d80",
"type": "eql",
"version": 100
"version": 101
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"min_stack_version": "8.3",
@@ -5986,9 +6098,9 @@
}
},
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "9c404dc9b94bb1c1201ffebf5e20d6cc0efe55784bf9ddd376c74a252a141bfd",
"sha256": "d025edd2a2669cd9ab0f5b0c2f9bbad26d0996dd63ae42861b0db07a3658ae4c",
"type": "eql",
"version": 100
"version": 101
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
@@ -6002,9 +6114,9 @@
}
},
"rule_name": "Potential SharpRDP Behavior",
"sha256": "7e7bbd2c569226b70cda6e733d18bfc562c365b277d44e266722b6098cead46a",
"sha256": "a15d285042c70eeb85ea414db2aa678adb0758ae7bb07a4ec29469bf7a1185f7",
"type": "eql",
"version": 100
"version": 101
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"min_stack_version": "8.3",
@@ -6022,6 +6134,13 @@
"type": "query",
"version": 100
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Password Guessing",
"sha256": "d3e215ab38ab7e3f5ec791b0229c0c0ef5e1695278e85ca26c5d099d031ad72e",
"type": "eql",
"version": 1
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.3",
"previous": {
@@ -6082,9 +6201,9 @@
}
},
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "863c82226f43772f3533a4f83705f1cb95f11bc1167ee249118194ae6d742fcb",
"sha256": "409b24e2e08b01eff4408a43c55f37c5ebcc44a7a784339ba28aeddcab009bde",
"type": "eql",
"version": 100
"version": 101
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"min_stack_version": "8.3",
@@ -6242,6 +6361,13 @@
"type": "machine_learning",
"version": 100
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was created",
"sha256": "596dee8b33992208e34dd60551f9b3334558b5aa1fb5ac9cb115224e7e990ab7",
"type": "eql",
"version": 1
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.3",
"previous": {
@@ -6286,9 +6412,9 @@
}
},
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "6ee1d2e0528d3db2c17ac7633cecd1ae6680dd8e7ebeb17778114fda474dd8d8",
"sha256": "6b32892aa2db1f90353f5be46ecbcfe86c7a3fe108a67c12a422e123d0ad5d08",
"type": "query",
"version": 100
"version": 101
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
@@ -6302,9 +6428,9 @@
}
},
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "c06d1b7e2037801fb0a08f1652feee62f12cfc5352b980ae9f22a33bc2b11b96",
"sha256": "7961c889acee341e70dd9f9c28f9572742af84a397858b392bda127aa49fbd71",
"type": "eql",
"version": 100
"version": 101
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
@@ -6361,6 +6487,13 @@
"type": "query",
"version": 100
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "b354de5608defe82e0d3a7c230774e90003cb87416fc120e1d8e4465d30b3a1c",
"type": "query",
"version": 1
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.3",
"previous": {
@@ -6373,9 +6506,9 @@
}
},
"rule_name": "Remote Scheduled Task Creation",
"sha256": "33f55756c5eb02716d08d9c2ba5fc6078a766a919114bf7029a0feb10b105993",
"sha256": "62a9b9484177cb6bfb51bfea972dae4bd75d8c3dc5f67d99db5b3de16fa3ba65",
"type": "eql",
"version": 100
"version": 101
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.3",
@@ -6389,9 +6522,9 @@
}
},
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "e19c44c1daf8561a8b42d913b3be8fc7f223a78bb20d2e3fe0370028cffd0e16",
"sha256": "7c9b4104991762830205300b3dae2864ba35f69eda6c41709be4d83a0259ed86",
"type": "query",
"version": 100
"version": 101
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
@@ -6517,9 +6650,9 @@
}
},
"rule_name": "Suspicious Zoom Child Process",
"sha256": "a2e6e13672acfb9ae9fb203ba3af7a125acd7cc2b39b831d5dc6ec97ff9157d7",
"sha256": "8203c88e34f43822aaf2d8ad3b6c6fe5c52e76cbe368b4b98701ac7ad5d2144f",
"type": "eql",
"version": 100
"version": 101
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -6552,9 +6685,9 @@
}
},
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "0102d2fbd56aff85e3f756c5d1dda370c666da7bfbd93d7b15df837a6af16425",
"sha256": "04ce9c1ed9afadef4b0595b0431aca7655094d11398dd6e4341b9c30c0a31f7c",
"type": "eql",
"version": 100
"version": 101
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"min_stack_version": "8.3",
@@ -6600,9 +6733,9 @@
}
},
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "ecda50c10faaaf69bff555eee2e1e479aa355b2f6e740ac6960e21f796404cb6",
"sha256": "67ebbcbc9d7430381394cb2bf82988a1db57169ace220d10d9f8ead323c7bb84",
"type": "query",
"version": 100
"version": 101
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
@@ -6684,6 +6817,13 @@
"type": "query",
"version": 100
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.3",
"rule_name": "Shadow File Read via Command Line Utilities",
"sha256": "b2da0bd8ae98077c7c58ab6ed35ab10547da51ec3fb5c452532877988ba83929",
"type": "eql",
"version": 1
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"previous": {
@@ -6696,9 +6836,9 @@
}
},
"rule_name": "Suspicious Explorer Child Process",
"sha256": "3e5a528e103efa698882556f4ed88d9486cdc710c282dcbc111ee1649f800b5c",
"sha256": "4c49fc2ca451b75836c2d3a7a9cec40a2b75129271420e406a57c612d3cd2a0f",
"type": "eql",
"version": 100
"version": 101
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
@@ -6728,9 +6868,9 @@
}
},
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "a6dfa186d02163c2d134c0d208d5b58cf4029da56afcf4d70dd221b86240d4e6",
"sha256": "b22024a681301cb72c382198d4546bfc233d9b5392c38e14397426f16aea7296",
"type": "eql",
"version": 100
"version": 101
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
@@ -6751,9 +6891,16 @@
}
},
"rule_name": "Hosts File Modified",
"sha256": "4273fb3ba5f1cf4615c6884ae41611939288cb47837b3a7bf3a8e783523e6399",
"sha256": "4d4d77432df7611cf1f79fda2d438ec5604ed06612fc271723c6c702e2621c94",
"type": "eql",
"version": 100
"version": 101
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote Logon followed by Scheduled Task Creation",
"sha256": "e5b6a0e4ab64e3c620f5ef261bfad9aa9cb5553918c76a45200900924a626904",
"type": "eql",
"version": 1
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
@@ -6771,6 +6918,13 @@
"type": "eql",
"version": 100
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3605d9c5b34d2095f131e61cdeb7acafed8c40fafcb72268336d7a792608e0da",
"type": "query",
"version": 1
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
@@ -6805,9 +6959,9 @@
}
},
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "d7934b4d043fcf05073bb18ede97a1177401869f290fa7c7e7db5e66b829d26a",
"sha256": "26e33b0b951808fa5005787a9ee751d260a9be450966665c0837f3b3aa633909",
"type": "eql",
"version": 100
"version": 101
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
@@ -6821,9 +6975,9 @@
}
},
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "06d7b068228fbe3b6b0a3b3a08696d011df932e353d6f91ba85d9212ed3b97da",
"sha256": "1e72085f77b8cde2b42fcfaf6209360250d22a2153cc6d71f0645b84087eabe9",
"type": "eql",
"version": 100
"version": 101
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
@@ -6837,9 +6991,9 @@
}
},
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "b9155f6228e4b16765bf38a9cfda819d204181f27c57a23d9596f20e3864fb69",
"sha256": "cd2c120213f2b09304c817743849cc93280f176e34fb8d484cf594cd4b878848",
"type": "eql",
"version": 100
"version": 101
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.3",
@@ -6853,9 +7007,9 @@
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "85caae5e6133b35e3c9c96a9a78614f5e463243a06de92ef85ed835c67741173",
"sha256": "8f9348d8d0b125fe39fce9baf30cc3b171c5557ac0ef57e22dd50195d6745d16",
"type": "eql",
"version": 100
"version": 101
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
@@ -6933,9 +7087,9 @@
}
},
"rule_name": "Potential Credential Access via DCSync",
"sha256": "1de2b45a29f2d8c8e67b319082ac51b835fe7f2122a80d9760652d4c5aa9811c",
"sha256": "98cc2ca9221f99fe9a3dbb8953a161bfae03bdbfbd31c3098fdf4d5120fad61f",
"type": "eql",
"version": 100
"version": 101
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.3",
@@ -6965,9 +7119,16 @@
}
},
"rule_name": "AWS Access Secret in Secrets Manager",
"sha256": "138de80e62be7147988a45f810692ce217f563b1c3af65ba80456ed8a5008d17",
"sha256": "224fd69bd46ea7d3e11857b61bac0008649f29e6953f1000e3c51171f9878a85",
"type": "query",
"version": 100
"version": 101
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was updated",
"sha256": "661af71e6e6189c9d45f1b0d951521586c952bf6bcc8ff4f779f1c65f8f7b3b4",
"type": "eql",
"version": 1
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
@@ -6997,9 +7158,9 @@
}
},
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "266648378533ee95c0729e51434e6bd48677358c8a1847eecaebe1024ae1c6bf",
"sha256": "3207a4319e151615e88e76119b8a5ab20e791feacf991e51958908a091c77775",
"type": "eql",
"version": 100
"version": 101
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
@@ -7061,9 +7222,9 @@
}
},
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "2d2d26e1e48f6957ee35a58ab1f10896e7431ccd2fcb5eae32e4a78cc8872927",
"sha256": "dedb7372116ccf840ea4ca242e1949e286843f01f82669e49c6515dc6ee18cb1",
"type": "eql",
"version": 100
"version": 101
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
@@ -7081,6 +7242,13 @@
"type": "eql",
"version": 100
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "1dbe088396c7e8d884dd1a45df0faef44362f085ba0b108a137ca6b12a015fd2",
"type": "query",
"version": 1
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"previous": {
@@ -7109,9 +7277,9 @@
}
},
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "af1f6b1139386f2e329657d551701f981f64318017ff59baf4c6e63c73e325d9",
"sha256": "3f2a1afd12a88576cb5efea0e12de4f485b8906310b60d1cf44fc74c2e5fceab",
"type": "eql",
"version": 100
"version": 101
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
@@ -7119,6 +7287,13 @@
"type": "eql",
"version": 100
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "1f58b61565390787defac72968e80cabd991d81be0fd860b86b722f709b93b33",
"type": "eql",
"version": 1
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "8.3",
"previous": {
@@ -7131,9 +7306,9 @@
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "b05d32d0c6917831ae121d26c799bac883c5dbaf6f3f4396dbf212d1262fd729",
"sha256": "391b6248787161ac0f1fef423f5d7258e91a763f1f500a49de6798044724354f",
"type": "query",
"version": 100
"version": 101
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"min_stack_version": "8.3",
@@ -7147,9 +7322,9 @@
}
},
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "1a3022edabbf5b967f93873de55b070b0ad03acfe0e64efce9c54ea1600f131a",
"sha256": "60f4bac3fe46489e6ab9ba2fcadf626760d22098c883a396a660eaa01ca3574b",
"type": "query",
"version": 100
"version": 101
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
@@ -7163,9 +7338,9 @@
}
},
"rule_name": "Suspicious MS Office Child Process",
"sha256": "420c494d9ba2785bfc5f3d7c42cc41c6c5407d8fa9a1e43c4e1e8736c6d673a6",
"sha256": "211342c0c1c3b84d608152b9f15ecd6372eb6bfdb9327ffcaeb7b5f1da485379",
"type": "eql",
"version": 100
"version": 101
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
@@ -7194,10 +7369,10 @@
"version": 8
}
},
"rule_name": "Suspicious PrintSpooler SPL File Created",
"sha256": "0c834aa122c687f0bf64b255ca5bb7a8985fdbdacb382132f33c2a85fb9c9623",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "ac3e386ec53fff6d7a73804bac0aa697c3c4661edaf048b84972733211b6ca40",
"type": "eql",
"version": 100
"version": 101
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
@@ -7211,9 +7386,9 @@
}
},
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "e88078808ef1cb74258d5e45d00597dac0c94a3f8c88f56648d25f0deb6ebf97",
"sha256": "49b7b99d15de4db37df8a43545a2476768e7edebb347fbab117689283c0fcd86",
"type": "eql",
"version": 100
"version": 101
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
@@ -7352,9 +7527,9 @@
}
},
"rule_name": "Remotely Started Services via RPC",
"sha256": "44295f80f3b15cb68948b0739863a71d934c0ef69288410d12b69e5fa4c3eb75",
"sha256": "100ddcd44032ba4d6075c4239354f24d10f38ed508e73257caec620d522a4d58",
"type": "eql",
"version": 100
"version": 101
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
@@ -7368,9 +7543,9 @@
}
},
"rule_name": "Remote Execution via File Shares",
"sha256": "acb9b71ba876ce876744b2d81deec5f975cbc9622840ecf0c9a35e6460932b07",
"sha256": "e4eef1d2a84e89af9d2bd0a303700da937d723243f410994f3b0f410318e95ee",
"type": "eql",
"version": 100
"version": 101
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
@@ -7416,9 +7591,9 @@
}
},
"rule_name": "Suspicious WerFault Child Process",
"sha256": "9eb523c7e7f8f2b03de629dcf315e163280f3f23f07a3c8541352802a57c4944",
"sha256": "5f09d7f3510d3f1c8609d214837a3c4d34463951f4cece2e7927a7bc69875d21",
"type": "eql",
"version": 100
"version": 101
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.3",
@@ -7432,9 +7607,9 @@
}
},
"rule_name": "Unusual AWS Command for a User",
"sha256": "1a56f898719d89efc88cd607e678a90c70b685a7a726ff154d69d82aa02a39e3",
"sha256": "1b85d3a4b1a0ed8a45f322de57273dcd5df8f4cd4f3afb6de7c94350a3a23db2",
"type": "machine_learning",
"version": 100
"version": 101
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
@@ -7448,9 +7623,9 @@
}
},
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "fbe7bf8e4c621ac26b7b792325e84d8a4ebaf756e9ac6dd25c21666bde8a4bec",
"sha256": "11690a470d6dd85080c882c084aa20680fd6c458ff2d47c6c3ee8eff18ccf078",
"type": "query",
"version": 100
"version": 101
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.3",
@@ -7502,10 +7677,10 @@
"version": 4
}
},
"rule_name": "Potential SSH Brute Force Detected",
"sha256": "6d0cb93c3879e8f129c1c6b3ba4f47ac8247824375ceadcff0e6a9df2e21ef78",
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "13c27c997dbbab5c52fb4839924f69d9d3fa87da9eb6dbb181ff9e10400cd16a",
"type": "threshold",
"version": 100
"version": 101
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
@@ -7535,9 +7710,9 @@
}
},
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "33398fe6a04ff61536aa6088fb0c111b0633efe03669e855d9ac6df46d5e40c1",
"sha256": "0481358387cd42bd165bf22af89774374541c9839126637ea92ee9a2b9b5e9dc",
"type": "eql",
"version": 100
"version": 101
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
@@ -7580,9 +7755,9 @@
}
},
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "dd87b932c4d7e0c7d1df354bc2dd687d599fda8e96b30a3dfa407ad8b0dc1dfc",
"sha256": "befdefeb885fae0bcc5c56f857572949cbe820be6a9fe14b6ac6d8543a082ecc",
"type": "query",
"version": 100
"version": 101
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
@@ -7612,9 +7787,9 @@
}
},
"rule_name": "Netcat Network Activity",
"sha256": "6d5d12b1e6bb04345611fdbe1efd6fcdb2969c24797068c84c66981792df43ae",
"sha256": "34627e6ab4f68c58c9a4165983ccfd4382b395ee4ab1e87f207b934692de1c8d",
"type": "eql",
"version": 100
"version": 101
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
@@ -7698,9 +7873,9 @@
}
},
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "c67a26e60bcc0d0102f11fb944764f8b6dc3e298161377161f45d7c960e23899",
"sha256": "a281be4634c4e1517cb4e7e54ce8c773ccfa7b841cdb3db16833630712164bc3",
"type": "eql",
"version": 100
"version": 101
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.3",
@@ -7762,9 +7937,9 @@
}
},
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "9bc0223af51d5a440aa3392f44355d22cce419d813ee3df11a0208590ee4bc2f",
"sha256": "4a155a2fa22017fe0404d4c080c39239c8e19f766abc880cabb80b641efe618a",
"type": "eql",
"version": 100
"version": 101
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
@@ -7826,9 +8001,9 @@
}
},
"rule_name": "Clearing Windows Console History",
"sha256": "fee88e407b3008427032dad110fde2345d4a282f54093f7280991a20befeb34c",
"sha256": "f1a5ea62c6721026ca7e18caaf4bf33d454a30da95a5e51de871b44822d66354",
"type": "eql",
"version": 100
"version": 101
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
@@ -7842,9 +8017,9 @@
}
},
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "f9e7c547669253937f5c4f6d8f1a0ef17e3d2a2dfd660f265b8be56298d73b9d",
"sha256": "779f0a086342fa564299a8d21300ae7e4065e39fffbc4d09ee4f60b9bfd402cc",
"type": "eql",
"version": 100
"version": 101
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -7874,9 +8049,9 @@
}
},
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "80c7df7cc840129e3c4fb2dee6e31acb20b0c706d30a52b16562358420b14edd",
"sha256": "4fd150bb0360d26c6447ab45a3237e6572e59b7378963e569c9be82fcc773919",
"type": "eql",
"version": 100
"version": 101
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"min_stack_version": "8.3",
@@ -7970,9 +8145,9 @@
}
},
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "8be0bdf2c5c59327a0d79bead790436d1ee2860046be852b30b54622a7850e7d",
"sha256": "b5fbeed20a27521fcb3cd11676b5e0a18f98bc1b0a733ff8a53c8b363027e903",
"type": "eql",
"version": 100
"version": 101
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
@@ -8002,9 +8177,9 @@
}
},
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "cee1d015a929b92ca29c739cd0dde4b5840b9274d7a7f9a49dfb18eee6ce508b",
"sha256": "fb8217f660f7f363d93046d01024c84e2b2418063e682cfd8e8bd6b1c9355fe2",
"type": "query",
"version": 100
"version": 101
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
@@ -8146,9 +8321,9 @@
}
},
"rule_name": "AWS Root Login Without MFA",
"sha256": "fb313dd5be37e0f39d704b9306bd43a7cc691aefe48175c56edc3b8d3cafe805",
"sha256": "ae97c16aa10ee48a4fe9003d1967c34935754844cce19d913aeb1cc538c0fc20",
"type": "query",
"version": 100
"version": 101
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"min_stack_version": "8.3",
@@ -8226,9 +8401,9 @@
}
},
"rule_name": "PowerShell Keylogging Script",
"sha256": "0005eed7151bc66fb0cd04e87aaa3bf667dcfa1611ada4454766beb6ba00acbe",
"sha256": "dfdedc468067ef0624f4a3f8a138534b98e8b6ba5b07b56c2f2d4837d08175a8",
"type": "query",
"version": 100
"version": 101
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.3",
@@ -8274,9 +8449,9 @@
}
},
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "b903b68f801e8ea76737f8da58506d0a3cf41a8c58e853a307b0b8dc46a8c08d",
"sha256": "63907c72742a3d7977c30a7371746c8db93f522c559150ceb254ca8980d9ea1b",
"type": "eql",
"version": 100
"version": 101
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"min_stack_version": "8.3",
@@ -8306,9 +8481,9 @@
}
},
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "71dd67b27fa1543084d78895e408c1553aae3c0e79e3450ccd0afb37828d1346",
"sha256": "bf9d87e0b134b5f59de31962493afb8906fb964fc1ca6cea6432661018e81096",
"type": "eql",
"version": 100
"version": 101
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
@@ -8338,9 +8513,9 @@
}
},
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "e9831ca3b5becdb0e68783790b36ff8efc3a0e898056a27f995b7d83053ba624",
"sha256": "3439e19ef66dd3c1290ff01f58d55a419d7177604b43e3d745ec491c7f3d699a",
"type": "eql",
"version": 100
"version": 101
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
@@ -8386,9 +8561,9 @@
}
},
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "e9606bdaf8cc52bc03c0de35b84bc98c73553ac3a8915da58ec88020a386f392",
"sha256": "832490bfded743aadabb9dbe32ca35a032e3f19e38fe8845baa443ae13521af9",
"type": "eql",
"version": 100
"version": 101
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "8.3",
@@ -8434,9 +8609,9 @@
}
},
"rule_name": "Mshta Making Network Connections",
"sha256": "5e623f8957f6bb70d2860015d274b6cd9c0fc27d1da66dc8e3b4d26acdad0305",
"sha256": "70e5225629f3e469c4e29bd0fb2d972cea62f38bb90261be4a8badd8416a102b",
"type": "eql",
"version": 100
"version": 101
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"min_stack_version": "8.3",
@@ -8498,9 +8673,9 @@
}
},
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "ecef5c16ea5973e0fe50eaf9dad95b17ee6ddb1129d560ce19056e4143efdef2",
"sha256": "39f726e84952213e8553aaef9a7cddb0d03fd68943b9e3d2a65eb95bd2bfdaff",
"type": "eql",
"version": 100
"version": 101
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.3",
@@ -8578,9 +8753,9 @@
}
},
"rule_name": "Installation of Custom Shim Databases",
"sha256": "0fa93fc1d232fea99607148f3695e1fb73869fa61cb2e6484fb809f3b4ea84cd",
"sha256": "2b5c67331f981d841fcf2576c6414b658a38614a8d4c7835461644379a31c155",
"type": "eql",
"version": 100
"version": 101
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
@@ -8594,9 +8769,9 @@
}
},
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "d350611625e53a26866d718ab7d51f9a10f552f8c1679db2031e4b70d7bde1d8",
"sha256": "e597971b64b1606fbd9c68467b49c62f75f4c1c3e606dc6a9d4fff6ed2b479cd",
"type": "eql",
"version": 100
"version": 101
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "8.3",
@@ -8626,9 +8801,9 @@
}
},
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "78c9c95071c452b4bd48d9a8d46a37b55762ba51da228e5629e93a0ceb754198",
"sha256": "52bc9584ceccacdf761581eae348ae4110cc6fe813d1835d932e35e953882d58",
"type": "eql",
"version": 100
"version": 101
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -8680,9 +8855,9 @@
}
},
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "404c23543760a2e14f04d2b192de7c50520d60a6f08226353de75af3a01c41ab",
"sha256": "cd9078c047f279dbf5462247a9c381a0e2ec9f92d48da651ffa74f8925fd3c0d",
"type": "eql",
"version": 100
"version": 101
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"min_stack_version": "8.3",
@@ -8776,9 +8951,9 @@
}
},
"rule_name": "Direct Outbound SMB Connection",
"sha256": "65f317c19bd06744eafcd8c8246900f89b760520f72bc869d0b83bee86a882c8",
"sha256": "9a176ff1112962f8f4b72d0ae6cdc1753d1764de5baf488a063f3e424191b234",
"type": "eql",
"version": 100
"version": 101
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
@@ -8830,9 +9005,9 @@
}
},
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "ca362fc15b7aa368a146c5f16f7deff23a7f90907b1a6aea57a84a3989bb3d76",
"sha256": "aa11813ffece76619556de611ca09031ce4bb2c374f37f412b0900abbb33171d",
"type": "eql",
"version": 100
"version": 101
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.3",
@@ -8846,9 +9021,9 @@
}
},
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "8af2a2813d0cd1bd5762df61f47e5d27027bbb7fac6855f1c80192bd6fef08a9",
"sha256": "739b25b61ce3a222fbada6ef424ae076ca2f717296479eca4a6e7bdf75600f87",
"type": "eql",
"version": 100
"version": 101
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
@@ -8900,9 +9075,9 @@
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "4c77fcd9cdd04d3546df2ecf4157a33cf6a39a68fda324b1c77cfcaf2e0d0b9a",
"sha256": "6333383e5cf8385b51e754164c06b8ea8626e376636adbcbd98369cf13314896",
"type": "eql",
"version": 100
"version": 101
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.3",
@@ -8923,9 +9098,9 @@
}
},
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "d7cfa0897aa671a31636e023f43835a351b3bc09bc6e1e3a047e122eda03a7a4",
"sha256": "4c6ea3adddccd015216fef41023adb9d7745d2d4155984d929c2556e111b52a0",
"type": "query",
"version": 100
"version": 101
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"min_stack_version": "8.3",
@@ -8965,6 +9140,13 @@
"type": "query",
"version": 100
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "5c88091d0be8219dace6e31de5418a79dffcf18d3bdc73a1c1006b8e882d43b5",
"type": "query",
"version": 1
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"min_stack_version": "8.3",
"previous": {
@@ -9111,9 +9293,9 @@
}
},
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "d6d11a510336026baccb5c48c6f213a08074dfb4e5e820dd69f75346cbaac023",
"sha256": "d90ef3a68ec96f23339d759febd1b6f082cae2d2566417219cb27bbfa1479674",
"type": "eql",
"version": 100
"version": 101
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"min_stack_version": "8.3",
@@ -9166,9 +9348,16 @@
}
},
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "b9c23acbf43665b0b2a7a52dcb4fa5d772b1dbdace50fe13fb5e2fb36640cb45",
"sha256": "e21d8fcca7b44f63c903d7f887b5bac54e0fc9f699a8023540fae7ac4338f38a",
"type": "eql",
"version": 100
"version": 101
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "99531b930f46ccd76628ba39a5931172499108c237385b4deb34a86cd33ea022",
"type": "eql",
"version": 1
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
@@ -9198,9 +9387,9 @@
}
},
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "c83b9154eb59550be3f873a64afb2d96a58e3a1e3d08eb79ccfe48c5e6addf8b",
"sha256": "f8d09d0f4eed118f42e827f0455ccde96d1e13fb736bb8e5b464a3fa1d2b0a8b",
"type": "eql",
"version": 100
"version": 101
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
@@ -9236,9 +9425,9 @@
}
},
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "963327ef29e41ffff32d97cc72c852380b91a1f508c7e73eb8997b8f08b7203e",
"sha256": "3e9df58020cfccaaa28bd6db826ca997df8524f105956af44d17604491ff5597",
"type": "eql",
"version": 100
"version": 101
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
@@ -9252,9 +9441,9 @@
}
},
"rule_name": "Clearing Windows Event Logs",
"sha256": "594f4c6237bcc2ceef8508b147a75303098f1b3e334a56c48423cfa272366237",
"sha256": "91c61dfda2eccdb8c59f38eb1379711e7846e9698a82d38e3cd08441cb450742",
"type": "eql",
"version": 100
"version": 101
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
@@ -9380,9 +9569,9 @@
}
},
"rule_name": "Service Command Lateral Movement",
"sha256": "4f1a9cea4e27cd4aa1579b26c0e1194e00c56dbaa173df926d00b2ac54ffc361",
"sha256": "cefb53a3377c269d90e1ffc9ae6e9c650dfa63fd52a164b01999000280d0bcd7",
"type": "eql",
"version": 100
"version": 101
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"min_stack_version": "8.3",
@@ -9396,9 +9585,9 @@
}
},
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "83c04102eefcd5bad2b3187a8eaa5d04383506462f09127894aabcdeb2c7cc97",
"sha256": "8b6f1ad4f0aeb7cde5409bde164e14b36b7b13265435612370410309afac2c13",
"type": "query",
"version": 100
"version": 101
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"min_stack_version": "8.3",
@@ -9450,9 +9639,9 @@
}
},
"rule_name": "Modification of WDigest Security Provider",
"sha256": "18ae14496eae54ed3c43ec695b95a0db7ea09815f0fb2c0c014bfa319308596a",
"sha256": "d9ecb8a5b46bb59c75d61c08cc9e805df478434893f9d18060606aa2cdd469d3",
"type": "eql",
"version": 100
"version": 101
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
@@ -9466,9 +9655,9 @@
}
},
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "12bb91c5494107580ebf88ac8241b7af9912cc883383de028b8fb9fd9532098c",
"sha256": "d5faba44073d65f08ebc2beb461ed5204fe47b5403698210637f957944333164",
"type": "eql",
"version": 100
"version": 101
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.3",
@@ -9585,9 +9774,9 @@
}
},
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "753005c4405fcb6da3a3a59832d25d2fd9fa5b4b5518af0cf58cdfc67756adbf",
"sha256": "f7167839f8278786db6a2fee0112a03481d54df9f6f705ed9ba17e213a773842",
"type": "query",
"version": 100
"version": 101
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
@@ -9601,9 +9790,9 @@
}
},
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "589e122c626ad5497068f4f69cc7ef691042971e5ac9c4a8d1a1268a5af9888e",
"sha256": "6c07e056b78194d8babb4e07d5f498e1b2405c3a24763655ffa394e5cf4d23d1",
"type": "eql",
"version": 100
"version": 101
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
@@ -9623,9 +9812,9 @@
}
},
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "fc8ed24bb22f92a18306bd5f3b1453f0368cab9e7f0ff5e90f051fd2a5d57c04",
"sha256": "36086e35de121c47de4592fa3c4e7265ca731b3d1c4d5b117eb63c3d8d84afbe",
"type": "query",
"version": 100
"version": 101
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
@@ -9661,9 +9850,9 @@
}
},
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "9adb7cd1d7292a45f031dd2beda9b2cce1607bef38696f31ddd2eea4bf12ac34",
"sha256": "d4eaf0bc1a742c8af3f1dc3c393a9f41d5fd3c892913755592408e9207c115c6",
"type": "eql",
"version": 100
"version": 101
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"min_stack_version": "8.3",
@@ -9677,9 +9866,9 @@
}
},
"rule_name": "Unusual Country For an AWS Command",
"sha256": "80f07708470935bc9868b5c62df80b69626b2cbfb5a79e41546a6326905e1722",
"sha256": "48e2412881f42c63b399c71e7f3ab3b8c832aa2b170e5ced8ed0304247ca28e8",
"type": "machine_learning",
"version": 100
"version": 101
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.3",
@@ -9709,9 +9898,9 @@
}
},
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "f32e6b1973127776314666998a5a0cf538c4c0fd2af4401388c467f0259e2380",
"sha256": "66cc57811e58cc3b6b63b37ef65a7ac823ac2fa1827e6612cd5d33d282bdd3eb",
"type": "eql",
"version": 100
"version": 101
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
@@ -9955,9 +10144,9 @@
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "83939370b4568763eb651229e8801014e6e48c318980ac868ba33aad9dfdf306",
"sha256": "e847c81e73d2e9e5eeb45c14ea50f9fb3326d945aed7ccb47ae090cba86e0635",
"type": "query",
"version": 100
"version": 101
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"min_stack_version": "8.3",
@@ -9971,9 +10160,9 @@
}
},
"rule_name": "AWS Management Console Root Login",
"sha256": "42d6d91e094e7f0bad724c4d71bef83efcabc880327a5d87d5e96979bc91dcc9",
"sha256": "cc28748f395bbdc3f948a148609c3b576a04d876907757313a706f4dff387f92",
"type": "query",
"version": 100
"version": 101
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
@@ -9987,9 +10176,9 @@
}
},
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "cf6a6f0eadf2cdccaca88796048d328c3ddbde3453bc36f69a564675fda98019",
"sha256": "05e6ba7ef86cf6c9c220639969457cc4d246a4dd0489a9759bb39d2283d92dc0",
"type": "eql",
"version": 100
"version": 101
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"min_stack_version": "8.3",
@@ -10019,9 +10208,9 @@
}
},
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "b2464865a55c2b0b4cc06c1d870dfac128c7778611e9412fed01ada2d71fa972",
"sha256": "98ae02a925474a4a9e78d0d0d8dbeabfdaf445f52521a8a9b959966ce82d5033",
"type": "eql",
"version": 100
"version": 101
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"min_stack_version": "8.3",
@@ -10131,9 +10320,9 @@
}
},
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "d7e564ab0ed7612650185717def8f732fc9eaba9ad93059452d09ba72cd7ae6a",
"sha256": "18b0b4765885e3927ff10194d174b56855207f7c39a8464625fd11ef9c666687",
"type": "query",
"version": 100
"version": 101
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.3",
@@ -10256,9 +10445,9 @@
}
},
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "2fdf04b7009cd2472b90eae3023287e0ee8d2592461378505618292c3c102822",
"sha256": "ffdcad77feb9b32b5b76c4dd0e14a29a31972909324ab0ffe901f97b32d355e2",
"type": "eql",
"version": 100
"version": 101
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"min_stack_version": "8.3",
@@ -10352,9 +10541,9 @@
}
},
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "1525ec0087caa20e049ab4ebd2fdf4d75cb1fd1370bff99ce6dc73770aed7a1b",
"sha256": "72f3f24ab46905e067205b77360a5c5c72e64884a0444fecd2db93e731b2c7e2",
"type": "eql",
"version": 100
"version": 101
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"min_stack_version": "8.3",
@@ -10412,9 +10601,9 @@
}
},
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "e782f3b4525be7c780fb64337f04a76fea5509fd810c0f6370639c3008d66591",
"sha256": "03c7727b862b2307279c537a9a666c0dd155084645118943f85af92a1c6d5d22",
"type": "threshold",
"version": 100
"version": 101
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"min_stack_version": "8.3",
@@ -10460,9 +10649,9 @@
}
},
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "f2c04977975186299b4c20414c3fcc749937686fc65d5c023d2bac38d4d7f923",
"sha256": "54b7438d1013123460a2dc32513e815767625fe085c4107d10267f1c2d755f96",
"type": "query",
"version": 100
"version": 101
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
@@ -10508,9 +10697,9 @@
}
},
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "228f6f139ec1c9c8b08ad6ec16b70da46edc27cfe4f6e0cd704fb38e4c37b7b1",
"sha256": "aa24f4bc7aa8b848fd0d816f4e6c1eccf73256d4925c363778bd93f5ff9f2109",
"type": "eql",
"version": 100
"version": 101
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.3",
@@ -10524,9 +10713,9 @@
}
},
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "7379a9e4b38b8ab051194763cfb39573689221db20c6e687894566e30663a7a1",
"sha256": "6aded695b37e4a22fde5daf044109f558869e0ecd37bf8223b824f3cfbcc151a",
"type": "eql",
"version": 100
"version": 101
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
@@ -10540,9 +10729,9 @@
}
},
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "27ef752b89998ad4fbbcf57fcade195acad503f119848acd7db14bd548dedbd0",
"sha256": "51ee0462088e6eb9cbf1226f8e4a3f38ec3ebf7149e59e6111e8bf24d15c62d8",
"type": "eql",
"version": 100
"version": 101
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"min_stack_version": "8.3",
@@ -10604,9 +10793,9 @@
}
},
"rule_name": "AdFind Command Activity",
"sha256": "6066406fc5832c00400b2662b56f9e9cff4875ff349e6932dab06ac0d30c21e5",
"sha256": "2485fbb2689a72ff253a67de943f22d4fb1f1b2f03f8048d7fb617c607811429",
"type": "eql",
"version": 100
"version": 101
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.3",
@@ -10643,9 +10832,9 @@
}
},
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "d8a2c21710519775b99328290a6e140ea3e75c3e833cd07dd9ac0b07dc7d6b31",
"sha256": "353d5f8e6423023ff04c05d5581ee88d8b69ed680e3391194e5cacb86c03b7dc",
"type": "eql",
"version": 100
"version": 101
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
@@ -10713,9 +10902,9 @@
}
},
"rule_name": "Whoami Process Activity",
"sha256": "5d0df796ec4949e95ecae211e8fb18e273a374f3d3734268dd12166a9e7b0928",
"sha256": "fe656a11589118be5a50bf03e4143873c92567396a8cb53a7d86a10f3d1bf880",
"type": "eql",
"version": 100
"version": 101
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
@@ -10729,9 +10918,9 @@
}
},
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "f5958c3554e8448c5a1295ba0b6827ad3a984642e7d39076c7d43e4ade3ff34a",
"sha256": "99b0a99c245ebf62882fd1478ea24886f28fe0654559a57a66e2f38e0ff5f034",
"type": "eql",
"version": 100
"version": 101
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
@@ -10912,9 +11101,9 @@
}
},
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "846cf2dcf2612cb91b36b658b97ebaccfb99e83642a247e3a1fe4cacc06594f3",
"sha256": "90464ba8471280d1771fbcb1d23b07de8c7af969a287c994de02fe05f80a16f0",
"type": "eql",
"version": 100
"version": 101
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
@@ -10960,9 +11149,9 @@
}
},
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "9bf14a6e899e66713cc68e923fec0464974a147ca6e00806fbc7b72a00fc2ea2",
"sha256": "ad13c2d8f098b883bc6bf5c27f0678c10bcafc193fca62b85e1de1c4ef2f91ed",
"type": "query",
"version": 100
"version": 101
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
@@ -10982,9 +11171,9 @@
}
},
"rule_name": "Windows Script Executing PowerShell",
"sha256": "0eea0b65385ccfaffea183f5d8fe0dc99646b80e0ce365c4bb3a9626d4e8d7b4",
"sha256": "fedc5ef0d246547918a65e267279fadbe346167eb50cae863f0f315138254dc1",
"type": "eql",
"version": 100
"version": 101
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
@@ -10998,9 +11187,9 @@
}
},
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "44c57bc161ee1e3d503a79ed1594a516a66e383ee248401a96dba30cb0c84122",
"sha256": "13fcde72d8e87ca78eb4d8a245eada3ac99571d940c829c7aba1d199809e860b",
"type": "eql",
"version": 100
"version": 101
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
@@ -11014,9 +11203,9 @@
}
},
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "84ff62e38a254252fdbee7dd54a05c1d28934e10e02a095f611c07747cda8c2c",
"sha256": "baa9393bddaf7959dc8490b5d81c880e6b15612abe689a688ea96b31921089a7",
"type": "eql",
"version": 100
"version": 101
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
@@ -11062,9 +11251,9 @@
}
},
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "4eaf60e5412ecfdd14fef03492de085caeb67e3759d25d337ed592a4d937f76c",
"sha256": "cae5928d19c3ded04dbcbbd3cc24e608df03c569a3706b025aff68ad72bf9480",
"type": "query",
"version": 100
"version": 101
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
@@ -11078,9 +11267,9 @@
}
},
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "da2561988baf9f0171a26e41a80e7924b7371984fca58c3fd1662dd767f6a3a9",
"sha256": "ef5b71159e79ab55f581e66fe5b663f3dc4a2795f704dcf0e1be011d7c9253d7",
"type": "eql",
"version": 100
"version": 101
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
@@ -11126,9 +11315,9 @@
}
},
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "5ebee476de3aadc8d6bec46ede1398e84614f270dc5c834a19d1adf957b0c0e1",
"sha256": "149280220e16078cf0db0061bad940797ea17586a2d93324b30954457c888f89",
"type": "eql",
"version": 100
"version": 101
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
@@ -11146,6 +11335,13 @@
"type": "machine_learning",
"version": 100
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "b0c7affc65036ac049a7cdcd8b10b4f5bde4f58051ecfa44f313a89ec4d46cda",
"type": "eql",
"version": 1
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.3",
"previous": {
@@ -11174,9 +11370,9 @@
}
},
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "569766bec372711851a155fc64514fe8421e5c3db5f3c6e3b0ce5eb2b290fb6e",
"sha256": "adac2d7503feba6af321173615eca5a9d84345c27cb5ca53efb1395e45391bc2",
"type": "eql",
"version": 100
"version": 101
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
@@ -11228,9 +11424,9 @@
}
},
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "583a2e68141b9adacd617c3da8517b10e3e9ee5f7d897dfdf86b060d095bb4f4",
"sha256": "009ff2eede82a585b649d760e576cc673e0ff8d1038b8139a992cb425123007f",
"type": "eql",
"version": 100
"version": 101
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -11250,9 +11446,9 @@
}
},
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "4b763acfaf2892abb41f28cb3f0381a3742bfc4456a0b2001aafd8c4fe93cd26",
"sha256": "1e024da5a55e3d1a8548dadb4c8b31139245ab531e780b68bb7e8ed8c16bf40a",
"type": "eql",
"version": 100
"version": 101
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
@@ -11296,9 +11492,9 @@
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "1c4aec6373efe193a4250de2efba553b30aafbfb17b9a33cf9a237ef237baa02",
"sha256": "93c84da926504eee9f65932035b6ade982942e28bdc0bc0fd8a38bfd2bada827",
"type": "eql",
"version": 100
"version": 101
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
@@ -11312,9 +11508,9 @@
}
},
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "8ae9156a1e8b4fc571d581dadad39e033e00b984b7ce4af8939bfbe759cc8958",
"sha256": "94f7275eb748e77098ae1c4fd5e6b4a5c44376568274ac16fb9655e0dd7de6a2",
"type": "eql",
"version": 100
"version": 101
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",
@@ -11328,9 +11524,9 @@
}
},
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "2e8be374693ae806c801cd7688bae86a28197f10def63a9645c57e9bbf992ecb",
"sha256": "fd091af378672eb6a4d54cc67946b050400121579f1eae8d4a82063cafb21fd3",
"type": "eql",
"version": 100
"version": 101
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",