security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3291)

Browse Source 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit ba7b2722c2)
This commit is contained in:
github-actions[bot]
2023-11-28 12:30:55 -05:00
parent 7a383770bc
commit 1d05f49436
1 changed files with 214 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+214 -137
View File
@@ -99,9 +99,9 @@
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "7a5170b3aaae9d499bfda31675011334d8bc6f2ce992414981042ce2563e0efe",
"sha256": "6995ce3fd849830e0591d6419fc8b53d604990cd30316594c1a70f032d3115a1",
"type": "query",
"version": 104
"version": 105
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"min_stack_version": "8.3",
@@ -269,23 +269,23 @@
"080bc66a-5d56-4d1f-8071-817671716db9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Browser Child Process",
"sha256": "9170960c7d48e8e84833ee33402dc9fc313e3f5fc219be8eebf6c3fef43b13d6",
"sha256": "c250a73408b1392c937770c4ced1fb28a2703649fe04cdb78b0e5b7b4cf63ec8",
"type": "eql",
"version": 104
"version": 105
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"min_stack_version": "8.3",
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "c0576e652d149dba1c8803419d6a632c9e994ab1037dbd4d33c61e67e376b878",
"sha256": "3e3611a0cd7131c9e8caba18a69dab717a16cf76442be2888fb39623e7a310bf",
"type": "eql",
"version": 104
"version": 105
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "24161e1b97e4d175337171d4edb04ae53af62b618e97bfadae325175a6a804b9",
"sha256": "102bf6dbf633ea578191b0cba7f03a80e733a63b307a563d2287868c832d13c4",
"type": "query",
"version": 104
"version": 105
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.4",
@@ -310,9 +310,9 @@
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "bffb87c25d97a23ef42d1aad12239934aaa88f15fbf46680f22c595a801286da",
"sha256": "a1faf99442ff04d9e895ed0ef988840ddea9fafcb839a00391dd27152099ecf8",
"type": "eql",
"version": 105
"version": 106
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
@@ -517,9 +517,9 @@
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "e840e03f40e5ac088e2f850f08c2b1286f607a659a430a7051e44d31213c7a22",
"sha256": "667a8075ceb2fd14308a5c021811d4dadc06be89300c4eb74d8fc02268962810",
"type": "query",
"version": 104
"version": 105
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
@@ -530,9 +530,9 @@
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"min_stack_version": "8.3",
"rule_name": "WebProxy Settings Modification",
"sha256": "264c4b78490cec9fae3de080bd655b5a1c53ff31c54b5704c76834b583f0516b",
"sha256": "8d0a544fd454889ae996a250c40de6b79ca174a55887fc883a6c0f1d6fb672b4",
"type": "query",
"version": 104
"version": 105
},
"11013227-0301-4a8c-b150-4db924484475": {
"min_stack_version": "8.3",
@@ -783,9 +783,9 @@
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "2fddf303d95fc9181afbdf53833cd1e53d7499cd79cd616b07838eab1dc5f378",
"sha256": "91a1712e57b935ca9c222118c8d99f2ca99aa936eea6677ad83d308946976166",
"type": "eql",
"version": 105
"version": 106
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"min_stack_version": "8.3",
@@ -804,9 +804,9 @@
"16904215-2c95-4ac8-bf5c-12354e047192": {
"min_stack_version": "8.3",
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "0c96bfd65d7b122ff4af72519d72f2fc9837dcb1d9189a96e7c51301cf0ebcc5",
"sha256": "62f4c4c7d614af2f638274d716d37e705bfa849a15b241efb9a779e1eea0b8c0",
"type": "query",
"version": 104
"version": 105
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"min_stack_version": "8.9",
@@ -1060,6 +1060,13 @@
"type": "eql",
"version": 106
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "3ad26713290c41884722d25cf2fee14ada4dfd908e0a162454e983458948145c",
"type": "query",
"version": 1
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Script Interpreter",
@@ -1205,9 +1212,9 @@
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.3",
"rule_name": "Access of Stored Browser Credentials",
"sha256": "3d1c5ae1b6b6134946ceb0fab3b028b7757a3cae9213e83e12d2ef7fb4af7498",
"sha256": "3e3f5aec51ac2d4bed5a22f8ab0e6bc87db4da5c76f3e93dd107ed6f15e2c5a2",
"type": "eql",
"version": 105
"version": 106
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
@@ -1345,6 +1352,13 @@
"type": "new_terms",
"version": 1
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c",
"type": "query",
"version": 1
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
@@ -1516,6 +1530,13 @@
"type": "new_terms",
"version": 209
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1",
"type": "query",
"version": 1
},
"29ef5686-9b93-433e-91b5-683911094698": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
@@ -1655,6 +1676,13 @@
"type": "eql",
"version": 1
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
"type": "threshold",
"version": 1
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
"rule_name": "Halfbaked Command and Control Beacon",
@@ -1665,9 +1693,9 @@
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "7def1140f5946506db0986d62813b2d07f78ddedf08032f5bb4d2e74b12db501",
"sha256": "de2e56710056a8b6da9dc0876399c464d483cd8d86b9960d864a3012ab56e30e",
"type": "eql",
"version": 107
"version": 108
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
@@ -1835,9 +1863,9 @@
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"min_stack_version": "8.3",
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "190febf9658cb01dd1a472ea2d24563052fffcf60417fbc65be5593e38ad92f5",
"sha256": "b91e01cbd654f79bb65cb81f07f055521e97ddb636f27bcb5c55ba7c599d55f0",
"type": "query",
"version": 104
"version": 105
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
@@ -1949,9 +1977,9 @@
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "e43423649f4196e3471200c4baac5b465e0a667b3d1dbe95b7870b76ecd1410b",
"sha256": "b41ece736909738d8ea437111abfff24846ce37e0dbf28c436ad918ae7056fc5",
"type": "eql",
"version": 104
"version": 105
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.10",
@@ -1979,9 +2007,9 @@
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "7838d2f36bacd85c4a8333291f41d0755a4918b3a06ea5b7d88eb8a7e29dd8fc",
"sha256": "8ad731c423f1a7a201eea63221fa6f1c19645b46b39421558ced549ddda00f7d",
"type": "eql",
"version": 105
"version": 106
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
@@ -2136,9 +2164,9 @@
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Emond Child Process",
"sha256": "1a46d0e2338b7c09dad075c99009e807ddc32b686924dbd5102dde8cc4736bde",
"sha256": "712b5f698a3cdac28ddf24ce2c91dff930454f6cb82e79b2c623129ba42ac23b",
"type": "eql",
"version": 104
"version": 105
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
@@ -2266,9 +2294,9 @@
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "8ddd47175f4b4ad6fa50a8ffba06037d5e67ddc829c8b6b6c09ec633b9aa2690",
"sha256": "473f098ef25c7659b7ec2c953c7fe83d29d17210bae3f18a76e7aabe5ef9aa31",
"type": "query",
"version": 104
"version": 105
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "8.8",
@@ -2421,9 +2449,9 @@
"47f76567-d58a-4fed-b32b-21f571e28910": {
"min_stack_version": "8.3",
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "a59f49a0c0dd5d025e9c45e099c22c750b446326578357bac6d938f54780c991",
"sha256": "0707726336298da0eacdb012ecfd3d5a1d4db190cc8b010ea63e32319a591bd7",
"type": "eql",
"version": 104
"version": 105
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
@@ -2456,16 +2484,16 @@
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "50e43811992464777ede6c447f47e0331e4022df0f013c9e69d644081c56d93a",
"sha256": "9a234c8cffcb67324557459f70bc5644b48f12b78ddc226765d69211e2034ced",
"type": "eql",
"version": 105
"version": 106
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "124568f19d6974b48f94c4143a09f425889761f827bdf17b97618850fbf315ae",
"sha256": "3c035219a5681c2514f111063f313c5e3108fc0d98ca2ab089aa72eb6f519951",
"type": "query",
"version": 104
"version": 105
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
@@ -2614,9 +2642,9 @@
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "2150ef27f2f7aa9e92efd14249439bdf38da42604f587b12651f9360dbe5512e",
"sha256": "8d66b86897c0f7e9f90e2ab46d46d6734db7e1fd64cdf5c5c9926e164ccef324",
"type": "query",
"version": 104
"version": 105
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
@@ -2676,6 +2704,13 @@
"type": "eql",
"version": 107
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Users with the Same Device Token Hash",
"sha256": "0cabbcb4f30f4ce25d1efd6d385f10b02ca0ef7cc2d8bac313e45e83abdfa175",
"type": "threshold",
"version": 1
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
"rule_name": "Windows System Information Discovery",
@@ -2784,9 +2819,9 @@
"530178da-92ea-43ce-94c2-8877a826783d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "378735996cb788f18b470bb893059276f28497684fbee14dc8952ad9914f76da",
"sha256": "27807c0b1bbc5c951feb992b0d6326af2b457c21ea661e1cc745995c25745e21",
"type": "eql",
"version": 104
"version": 105
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
@@ -2898,16 +2933,16 @@
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.3",
"rule_name": "Potential Admin Group Account Addition",
"sha256": "5c52523f38fbd7d58ecbaae23c282b59df7964d107d8378355c7232d2c20abbd",
"sha256": "8bc8501a6ddd8f64743ca0b9449b6827723b051c90177dc1d95977ec71d638f3",
"type": "query",
"version": 104
"version": 105
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"min_stack_version": "8.3",
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "56cdf3c97b7ed30414d2fc5ed2cdb95c0779392ef7347954cf3f3e6be61600e7",
"sha256": "b61fe6deed081a783eadb490bf3de817c38a34b3369fb4393f17e1e058370e7d",
"type": "eql",
"version": 105
"version": 106
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"min_stack_version": "8.3",
@@ -3063,9 +3098,9 @@
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "0f1d99638bad179a4fc6aa5eded3dd7c702cca3bb64d3391795079f2ec31258f",
"sha256": "0468696a45e242d7e3e71b093c8c41a2a2e0318d204b64572529c03774829201",
"type": "query",
"version": 104
"version": 105
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.3",
@@ -3184,9 +3219,9 @@
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "5cd203eee04afdcba2fde9accdf21b565daaa0b4045828ae0000738b5bb25a43",
"sha256": "4b664dd5877d1ea41aa62988945b0551c37d895fe86546e544ee732f93985f78",
"type": "eql",
"version": 105
"version": 106
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
@@ -3198,9 +3233,9 @@
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "7c02503c215c5f50cc47a690a3caf0da786994efdfcfd87afa318aacea1154b2",
"sha256": "2f1b66054ac5bbc100d284a9f0ceda0c965b47881c9787c1945b8e466f298324",
"type": "eql",
"version": 104
"version": 105
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -3279,6 +3314,13 @@
"type": "eql",
"version": 109
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e",
"type": "threshold",
"version": 1
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
@@ -3289,9 +3331,9 @@
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.3",
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "4878a18822a0f4ab3c6536a39b0055899b9fa296cc1629aa3d8a99d767235d30",
"sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640",
"type": "query",
"version": 107
"version": 108
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"min_stack_version": "8.3",
@@ -3338,9 +3380,9 @@
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"min_stack_version": "8.3",
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "9f94576d0bdd988636ba37fb9ff9911924d47880457e60f8a281664394a503bd",
"sha256": "df8fdd419ba042425bba4c2b32c414ac9dc05e1980edd08bc04fc4e8d18ead19",
"type": "query",
"version": 104
"version": 105
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
@@ -3374,9 +3416,9 @@
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "4b0aa397b2a5a31b54907a49393ecd97e46a33ceedcd629218f8f7175ccb86b4",
"sha256": "d6221b6ee2915a7b34ad8447f034179710da43b944bec0968235b097e3823ad1",
"type": "eql",
"version": 105
"version": 106
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"min_stack_version": "8.5",
@@ -3416,9 +3458,9 @@
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "f1cea9ea6da3199934e1644e4efa06da30f02a8e11d48724001e6152a64ad6ce",
"sha256": "de9510393c24ff3e139c05854ab2ae53078fd1a040209a8d32e2a781b4429df5",
"type": "eql",
"version": 104
"version": 105
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
@@ -3719,9 +3761,9 @@
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "4bcdfcf964b59e07e704d0ae1768231f6895fdeaf16019ec2530b3fd1e908b6a",
"sha256": "470df0c6e17a6b76b3d5dfe11b58055120699d9a00c0cfbb61259400adbc757a",
"type": "eql",
"version": 105
"version": 106
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
@@ -3756,6 +3798,13 @@
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f",
"type": "new_terms",
"version": 1
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"min_stack_version": "8.4",
"previous": {
@@ -3827,9 +3876,9 @@
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "ae6e77c0abc663eb2873c37d6321d6ae8da6355d89e5ebb728b742b16d2d14fb",
"sha256": "72795d027c2e5d95512a10ba9093cc08010fd8b0ca59bb63a4d890ebb975b67c",
"type": "query",
"version": 104
"version": 105
},
"7164081a-3930-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
@@ -3914,9 +3963,9 @@
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.3",
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "face2669be6ce58d7dc8b07bc4b200577cdf0bd21facb3d5266facb5df28a6dc",
"sha256": "3db7bef640680a74100f7cb2389b8fa17b1bafa853c727820f3049d568ba79bf",
"type": "query",
"version": 104
"version": 105
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "8.3",
@@ -4343,9 +4392,9 @@
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "9674dc1bd6cc5c17c8038a4e71b92f2737ef72aa1601bbf05b06fe0d5fb2136e",
"sha256": "f9e2397c95b2c307f8a7ed2bf1151fe7306a38ee6b45dce9ef9531b8e455486f",
"type": "eql",
"version": 105
"version": 106
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
@@ -4519,9 +4568,9 @@
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"min_stack_version": "8.3",
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "2440310a8c23cbde04e7ac92d579c678d852f3426d6349638199d49af0a46c85",
"sha256": "5c0fc7dd81e04f3fbd1c5c472f0bd727ad065924ec0d714e5bc13c4b6b3e45ff",
"type": "eql",
"version": 105
"version": 106
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.6",
@@ -4569,9 +4618,9 @@
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"min_stack_version": "8.3",
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "456c1af4f588c9d3fc039ba183fe378b0d32a8920c785254b0550fdd4329374b",
"sha256": "abc0977e48e577f93d91ddb156280eb131accdb697133ac9f8e895d66e7ead14",
"type": "query",
"version": 104
"version": 105
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
@@ -4580,6 +4629,13 @@
"type": "eql",
"version": 4
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "3f33c3e7817f1f2970238c916629c2827ae0b7b46a7c0152797aba33b835fa4b",
"type": "eql",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
"rule_name": "Setuid / Setgid Bit Set via chmod",
@@ -4784,9 +4840,9 @@
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "5fd3c8920f816415b48c716e7a2374f0fd76b507f2f5d3669969829ede88cb01",
"sha256": "7ff71544a593f40e8c7261a058bd9edd9c796f925043bb8c917fbdfab7137f94",
"type": "eql",
"version": 105
"version": 106
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
@@ -5037,9 +5093,9 @@
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "fe23aa5928440dd067c2f16b8a796d46a7480c4f130d91319cfcba852fce1f0d",
"sha256": "360631a00947fd49eec1f1e5ec2234141c5e18b5d345f84d59ffdbfcf8022c22",
"type": "eql",
"version": 105
"version": 106
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
@@ -5089,10 +5145,10 @@
"version": 107
}
},
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d",
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "9671afcc66dbc58a275066f23ee0484f9b8819dbeccdde28660354c790ae9387",
"type": "eql",
"version": 207
"version": 208
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
@@ -5181,9 +5237,9 @@
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "40258127ac6373780bfd25be362342b142324a166319243b55a747b477db70b0",
"sha256": "3716f7ea4026fc8bb71aa2f326ddd6b6d1d47e6e120cf8b992ebdc2dd76ebb95",
"type": "eql",
"version": 104
"version": 105
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
@@ -5379,9 +5435,9 @@
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"min_stack_version": "8.3",
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "362420c35e0dec946d828d9efe8a1dd0e2313dec67f9a9b0f2c27f8361fffe58",
"sha256": "a96af71832577dd58427030d8213653dc4e553bed0e3edf06ad87c56ceef6c49",
"type": "eql",
"version": 104
"version": 105
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"min_stack_version": "8.3",
@@ -5631,9 +5687,9 @@
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
"rule_name": "Emond Rules Creation or Modification",
"sha256": "5059d25e53e20ecda5bd0bddff5f19aa0c90190e3c58cf6926c946c26f701839",
"sha256": "9c88642e11a43c139d78492404690649488e23d89b508c7de31e65e235630a25",
"type": "eql",
"version": 105
"version": 106
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
@@ -5751,9 +5807,9 @@
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "9960496bb3be4ae85c905a65d9967cce3c87c957c5b9c0a36e7940676dc24fac",
"sha256": "d0dd83e403bca3f7f3d1950d5015f30d849b5fcd9227445946baf01306304def",
"type": "eql",
"version": 108
"version": 109
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
@@ -5765,16 +5821,16 @@
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Login Hook",
"sha256": "742e178d21a4f38dbde0ceff9f3c75a33a79e70080f971e3fc63e644283c1f24",
"sha256": "5431b29441b0311ce85f05817f1b65afc8e1440be98c43efc808531aceb55b40",
"type": "query",
"version": 105
"version": 106
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "6fc6cae28ebf0c75451af175b21022b2c33ceb781032192f90c20d91bd0ad2a8",
"sha256": "6db650fd26dc358bff1969f2dddd549f4725e7cb9e13c6037613103125d67d05",
"type": "eql",
"version": 109
"version": 110
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.9",
@@ -5832,16 +5888,16 @@
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"min_stack_version": "8.3",
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "6d6c36df74a3227db9ddfe242e6d7e4598aa4536c80338756b9774499deb5d46",
"sha256": "717b98ebd28d44eb41e239b4c1fce9a077b804fb2fa74887e44db8abf8a9d984",
"type": "threshold",
"version": 105
"version": 106
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "f9f3abc0bcdf5a397a26aac862f259f0a5b8a25feded07e85dcb9a308c799f23",
"sha256": "7a665dd484eabb4ea95433a9fc76aa6c2f6a5e88e3bf2aa3586eb8624521f396",
"type": "eql",
"version": 105
"version": 106
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
@@ -5882,9 +5938,9 @@
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "1784ba8b2bf2310de8bfc0fb1eb058a96c9ef25ba4a1e78a8e271a61f856f675",
"sha256": "a1d0802a3a49d1a2c58175fb38e49b393c12892b0263bc10245b307ccec0d964",
"type": "query",
"version": 104
"version": 105
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.3",
@@ -5952,9 +6008,9 @@
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"min_stack_version": "8.3",
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "fe6380b09c3b3d38b09818076fb3ef3d0693c968fe9ce5547c4a82196782f931",
"sha256": "b919ec7747f8bf3d3a989dbb2894552ecf9eee7139899e68b404a3802c120c3d",
"type": "query",
"version": 104
"version": 105
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.3",
@@ -5986,9 +6042,9 @@
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "5140f51472bb51e246f8a5076ee0138186c0db463f337c8cbc044bbede59a6bb",
"sha256": "e726cfbb1046391cb001954a90288d5b3222d8379b5ae13d58b6e6bc20aec033",
"type": "eql",
"version": 108
"version": 109
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.3",
@@ -6028,9 +6084,9 @@
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "46fcd9e76f08b0cd3308e57b64244a9bec5ce01b30e491015a20e1fd53e3de2a",
"sha256": "c663140ba0d75027a34b394dec5c86633102e0f2514050f99e1d706c97cb9b8e",
"type": "query",
"version": 104
"version": 105
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"min_stack_version": "8.9",
@@ -6313,9 +6369,9 @@
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Root Certificate",
"sha256": "2ec38edc30ee4c822372bf3a9e2f00ebdead1b16f135cbf5fbb1c657fbf41c9d",
"sha256": "7f461bbff1e8be89e57d400d6e907b6697dbc783dae396c6d6ee0ce3efd419f1",
"type": "query",
"version": 104
"version": 105
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"min_stack_version": "8.3",
@@ -6448,9 +6504,9 @@
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "0afe2d906b4e49920bacb79b64404fb8d2ad10c938ab6066d1775c4498d2c1a1",
"sha256": "2c9b4244cb4994ff559dfc5ff89df8400a366e4faadd5f8900810fa90b30281e",
"type": "eql",
"version": 105
"version": 106
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
@@ -6529,9 +6585,9 @@
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Folder Action Script",
"sha256": "07321ea58e3520857e64122ab09803a1fc574e94988a20508aea507982b84a06",
"sha256": "bb9fad0b65e7bc241670ef85a6bc8750f4bcc92e98888e091f2ca9b30d833ce8",
"type": "eql",
"version": 104
"version": 105
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.3",
@@ -6723,9 +6779,9 @@
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "aa52a0c9a38018a7a9d08eff12060ae5763f3672ab6f68acbc3a41dc323c4720",
"sha256": "4c1848771275a47db363a85fd08d70afa61b85baaca4651d4c823c0accc02d6d",
"type": "query",
"version": 104
"version": 105
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"min_stack_version": "8.3",
@@ -6851,9 +6907,9 @@
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Calendar File Modification",
"sha256": "0efc16177bd032307d27579913e6c57c8d1d44ed1f5df38407ead5bbbe045dd8",
"sha256": "4020e8d93c52fc49bce77c661a1566c03732a2a74906ceec9c5371f6f0fdecef",
"type": "query",
"version": 104
"version": 105
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
@@ -6864,9 +6920,16 @@
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Enable the Root Account",
"sha256": "08bf09dc443eb0fb41c941a0a47f67b866253111c50d852fec72b81e5cdea100",
"sha256": "859a1abd493744516a89a3da4036d0f389decd9a8f56ee51a41b0f3bd7d335bd",
"type": "query",
"version": 104
"version": 105
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "95e6787fdbd7768c2066b060596b45e20e11a64d5e238abe96679290fbbf2469",
"type": "threshold",
"version": 1
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
@@ -7112,9 +7175,9 @@
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"min_stack_version": "8.3",
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "688898fbfb57e6d44d1f755be87e439516aa1a084dd4adbaa97b65bf8eb86995",
"sha256": "89e780b8ad04e619a91f21797ef0ad455995889221fac37ccd693f8a9be88e1c",
"type": "query",
"version": 104
"version": 105
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
@@ -7147,9 +7210,9 @@
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "6f6e3def0588b1a03d12a0293b5bbd9c1d0090fe90097786f9d7a4b13c95f02e",
"sha256": "692c64fb60537e8d2920f5feaa3ed8a0bbb120fa138fee7526e2698ed2895421",
"type": "eql",
"version": 104
"version": 105
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.10",
@@ -7299,9 +7362,9 @@
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"min_stack_version": "8.3",
"rule_name": "SystemKey Access via Command Line",
"sha256": "9d6616ef8767f89e243b80ec3f320bdd3c8e6a46acc445fd040ae92aaf3e9c12",
"sha256": "f758f68cb5c44f5582fdf29f91b5ede95c7b692861a950921ce02561e9bddb48",
"type": "query",
"version": 104
"version": 105
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
@@ -7787,6 +7850,13 @@
"type": "eql",
"version": 108
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "856cdc898f8b290d5ebe5bfffde4ce85f483f62eb7e0158a0f9e35f6e8dc2afd",
"type": "new_terms",
"version": 1
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
"previous": {
@@ -7849,9 +7919,9 @@
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"min_stack_version": "8.3",
"rule_name": "Authorization Plugin Modification",
"sha256": "588ebf1bdd990fd6153d745e01de7aa329e4b9ad1cf727e6c6ae340a7691e07f",
"sha256": "0e60f668e5a539600f5060b2537b7bda7cd79b13c441946455056b809cb95563",
"type": "query",
"version": 104
"version": 105
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.10",
@@ -7872,9 +7942,9 @@
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"min_stack_version": "8.3",
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "1732013a4ba605cabe48c7b619ab0091ebe06309b90dd143c75a2212213833bf",
"sha256": "7180375170c573c1ff2a7287cba28879a2150c8796bb81c12556a08394e87e8f",
"type": "eql",
"version": 105
"version": 106
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"min_stack_version": "8.3",
@@ -8226,6 +8296,13 @@
"type": "eql",
"version": 3
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.3",
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "8270e1a274c3fc9549fd1c6e7a45f05f1bffa07a9b5f4f416074649a7a48b303",
"type": "query",
"version": 2
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
@@ -8249,9 +8326,9 @@
"eea82229-b002-470e-a9e1-00be38b14d32": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "9893771c796bd09dcc8f046fd8356942e6cdc5159da8de8a23d418df3220c216",
"sha256": "26d4865a30d6490602a379d7abcba4e5aa0095e306e662d489bb63f80cb57bc9",
"type": "eql",
"version": 105
"version": 106
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
@@ -8314,9 +8391,9 @@
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Remove File Quarantine Attribute",
"sha256": "d7bdcd2de9485c0496e83b118d9a4206a6bb8b4d6a4708797dc89b42403f753a",
"sha256": "692fa40e6bf4142e039d77a8009d3ffaf73cb02fb0bad253f89a7791b27bb286",
"type": "eql",
"version": 105
"version": 106
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
@@ -8328,9 +8405,9 @@
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"min_stack_version": "8.3",
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "1757d1031c5a71bf9d138675ce1ff87d27789dbda0f8da8764846ec8e42433f4",
"sha256": "86c5bd201fcce02f843be59ad5577b453feab265fb5ace94414dfd794f1083c5",
"type": "query",
"version": 104
"version": 105
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
@@ -8356,9 +8433,9 @@
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "e9d5cd6f343029ce8db6fae1ac69791d81d0079795f15c27d2b04cae4d5692b5",
"sha256": "6fb54f1660018d11515f2fbdb198da3ff179bd8c841c93cccdb1fc2e681d5f7e",
"type": "eql",
"version": 106
"version": 107
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
@@ -8539,9 +8616,9 @@
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "244211398fba0bab7dda8256bd3c850b4d50809a75b98d4a729d349b94fee478",
"sha256": "fb87b9eb3ce642106368e9900a834940914053f852b8fb77bc5c68cc937f3312",
"type": "query",
"version": 104
"version": 105
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"min_stack_version": "8.3",
@@ -8597,9 +8674,9 @@
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "a2f610710f7b33470a65808c34fbd182dcd0512ec2a9678a18b05f5f24343378",
"sha256": "f27060c1e1635cedb3d4db1d8bb5ddabdf1ffa478643e158e4847d1405cac3ca",
"type": "query",
"version": 104
"version": 105
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",