diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index c787f28f1..52ef7c49b 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -99,9 +99,9 @@ "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "7a5170b3aaae9d499bfda31675011334d8bc6f2ce992414981042ce2563e0efe", + "sha256": "6995ce3fd849830e0591d6419fc8b53d604990cd30316594c1a70f032d3115a1", "type": "query", - "version": 104 + "version": 105 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "min_stack_version": "8.3", @@ -269,23 +269,23 @@ "080bc66a-5d56-4d1f-8071-817671716db9": { "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "9170960c7d48e8e84833ee33402dc9fc313e3f5fc219be8eebf6c3fef43b13d6", + "sha256": "c250a73408b1392c937770c4ced1fb28a2703649fe04cdb78b0e5b7b4cf63ec8", "type": "eql", - "version": 104 + "version": 105 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "c0576e652d149dba1c8803419d6a632c9e994ab1037dbd4d33c61e67e376b878", + "sha256": "3e3611a0cd7131c9e8caba18a69dab717a16cf76442be2888fb39623e7a310bf", "type": "eql", - "version": 104 + "version": 105 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "24161e1b97e4d175337171d4edb04ae53af62b618e97bfadae325175a6a804b9", + "sha256": "102bf6dbf633ea578191b0cba7f03a80e733a63b307a563d2287868c832d13c4", "type": "query", - "version": 104 + "version": 105 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.4", @@ -310,9 +310,9 @@ "092b068f-84ac-485d-8a55-7dd9e006715f": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "bffb87c25d97a23ef42d1aad12239934aaa88f15fbf46680f22c595a801286da", + "sha256": "a1faf99442ff04d9e895ed0ef988840ddea9fafcb839a00391dd27152099ecf8", "type": "eql", - "version": 105 + "version": 106 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", @@ -517,9 +517,9 @@ "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "e840e03f40e5ac088e2f850f08c2b1286f607a659a430a7051e44d31213c7a22", + "sha256": "667a8075ceb2fd14308a5c021811d4dadc06be89300c4eb74d8fc02268962810", "type": "query", - "version": 104 + "version": 105 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", @@ -530,9 +530,9 @@ "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "min_stack_version": "8.3", "rule_name": "WebProxy Settings Modification", - "sha256": "264c4b78490cec9fae3de080bd655b5a1c53ff31c54b5704c76834b583f0516b", + "sha256": "8d0a544fd454889ae996a250c40de6b79ca174a55887fc883a6c0f1d6fb672b4", "type": "query", - "version": 104 + "version": 105 }, "11013227-0301-4a8c-b150-4db924484475": { "min_stack_version": "8.3", @@ -783,9 +783,9 @@ "15dacaa0-5b90-466b-acab-63435a59701a": { "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "2fddf303d95fc9181afbdf53833cd1e53d7499cd79cd616b07838eab1dc5f378", + "sha256": "91a1712e57b935ca9c222118c8d99f2ca99aa936eea6677ad83d308946976166", "type": "eql", - "version": 105 + "version": 106 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "min_stack_version": "8.3", @@ -804,9 +804,9 @@ "16904215-2c95-4ac8-bf5c-12354e047192": { "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "0c96bfd65d7b122ff4af72519d72f2fc9837dcb1d9189a96e7c51301cf0ebcc5", + "sha256": "62f4c4c7d614af2f638274d716d37e705bfa849a15b241efb9a779e1eea0b8c0", "type": "query", - "version": 104 + "version": 105 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "min_stack_version": "8.9", @@ -1060,6 +1060,13 @@ "type": "eql", "version": 106 }, + "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Okta Sign-In Events via Third-Party IdP", + "sha256": "3ad26713290c41884722d25cf2fee14ada4dfd908e0a162454e983458948145c", + "type": "query", + "version": 1 + }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", @@ -1205,9 +1212,9 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", "rule_name": "Access of Stored Browser Credentials", - "sha256": "3d1c5ae1b6b6134946ceb0fab3b028b7757a3cae9213e83e12d2ef7fb4af7498", + "sha256": "3e3f5aec51ac2d4bed5a22f8ab0e6bc87db4da5c76f3e93dd107ed6f15e2c5a2", "type": "eql", - "version": 105 + "version": 106 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.3", @@ -1345,6 +1352,13 @@ "type": "new_terms", "version": 1 }, + "260486ee-7d98-11ee-9599-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "New Okta Authentication Behavior Detected", + "sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c", + "type": "query", + "version": 1 + }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", @@ -1516,6 +1530,13 @@ "type": "new_terms", "version": 209 }, + "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "New Okta Identity Provider (IdP) Added by Admin", + "sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1", + "type": "query", + "version": 1 + }, "29ef5686-9b93-433e-91b5-683911094698": { "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", @@ -1655,6 +1676,13 @@ "type": "eql", "version": 1 }, + "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", + "type": "threshold", + "version": 1 + }, "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", @@ -1665,9 +1693,9 @@ "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", - "sha256": "7def1140f5946506db0986d62813b2d07f78ddedf08032f5bb4d2e74b12db501", + "sha256": "de2e56710056a8b6da9dc0876399c464d483cd8d86b9960d864a3012ab56e30e", "type": "eql", - "version": 107 + "version": 108 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "min_stack_version": "8.3", @@ -1835,9 +1863,9 @@ "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "190febf9658cb01dd1a472ea2d24563052fffcf60417fbc65be5593e38ad92f5", + "sha256": "b91e01cbd654f79bb65cb81f07f055521e97ddb636f27bcb5c55ba7c599d55f0", "type": "query", - "version": 104 + "version": 105 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.3", @@ -1949,9 +1977,9 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "e43423649f4196e3471200c4baac5b465e0a667b3d1dbe95b7870b76ecd1410b", + "sha256": "b41ece736909738d8ea437111abfff24846ce37e0dbf28c436ad918ae7056fc5", "type": "eql", - "version": 104 + "version": 105 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.10", @@ -1979,9 +2007,9 @@ "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "7838d2f36bacd85c4a8333291f41d0755a4918b3a06ea5b7d88eb8a7e29dd8fc", + "sha256": "8ad731c423f1a7a201eea63221fa6f1c19645b46b39421558ced549ddda00f7d", "type": "eql", - "version": 105 + "version": 106 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "min_stack_version": "8.3", @@ -2136,9 +2164,9 @@ "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", - "sha256": "1a46d0e2338b7c09dad075c99009e807ddc32b686924dbd5102dde8cc4736bde", + "sha256": "712b5f698a3cdac28ddf24ce2c91dff930454f6cb82e79b2c623129ba42ac23b", "type": "eql", - "version": 104 + "version": 105 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "min_stack_version": "8.3", @@ -2266,9 +2294,9 @@ "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "8ddd47175f4b4ad6fa50a8ffba06037d5e67ddc829c8b6b6c09ec633b9aa2690", + "sha256": "473f098ef25c7659b7ec2c953c7fe83d29d17210bae3f18a76e7aabe5ef9aa31", "type": "query", - "version": 104 + "version": 105 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { "min_stack_version": "8.8", @@ -2421,9 +2449,9 @@ "47f76567-d58a-4fed-b32b-21f571e28910": { "min_stack_version": "8.3", "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "a59f49a0c0dd5d025e9c45e099c22c750b446326578357bac6d938f54780c991", + "sha256": "0707726336298da0eacdb012ecfd3d5a1d4db190cc8b010ea63e32319a591bd7", "type": "eql", - "version": 104 + "version": 105 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.3", @@ -2456,16 +2484,16 @@ "48d7f54d-c29e-4430-93a9-9db6b5892270": { "min_stack_version": "8.3", "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "50e43811992464777ede6c447f47e0331e4022df0f013c9e69d644081c56d93a", + "sha256": "9a234c8cffcb67324557459f70bc5644b48f12b78ddc226765d69211e2034ced", "type": "eql", - "version": 105 + "version": 106 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "124568f19d6974b48f94c4143a09f425889761f827bdf17b97618850fbf315ae", + "sha256": "3c035219a5681c2514f111063f313c5e3108fc0d98ca2ab089aa72eb6f519951", "type": "query", - "version": 104 + "version": 105 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "min_stack_version": "8.3", @@ -2614,9 +2642,9 @@ "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "2150ef27f2f7aa9e92efd14249439bdf38da42604f587b12651f9360dbe5512e", + "sha256": "8d66b86897c0f7e9f90e2ab46d46d6734db7e1fd64cdf5c5c9926e164ccef324", "type": "query", - "version": 104 + "version": 105 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.3", @@ -2676,6 +2704,13 @@ "type": "eql", "version": 107 }, + "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Multiple Okta Users with the Same Device Token Hash", + "sha256": "0cabbcb4f30f4ce25d1efd6d385f10b02ca0ef7cc2d8bac313e45e83abdfa175", + "type": "threshold", + "version": 1 + }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", @@ -2784,9 +2819,9 @@ "530178da-92ea-43ce-94c2-8877a826783d": { "min_stack_version": "8.3", "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "378735996cb788f18b470bb893059276f28497684fbee14dc8952ad9914f76da", + "sha256": "27807c0b1bbc5c951feb992b0d6326af2b457c21ea661e1cc745995c25745e21", "type": "eql", - "version": 104 + "version": 105 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "min_stack_version": "8.6", @@ -2898,16 +2933,16 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.3", "rule_name": "Potential Admin Group Account Addition", - "sha256": "5c52523f38fbd7d58ecbaae23c282b59df7964d107d8378355c7232d2c20abbd", + "sha256": "8bc8501a6ddd8f64743ca0b9449b6827723b051c90177dc1d95977ec71d638f3", "type": "query", - "version": 104 + "version": 105 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "min_stack_version": "8.3", "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "56cdf3c97b7ed30414d2fc5ed2cdb95c0779392ef7347954cf3f3e6be61600e7", + "sha256": "b61fe6deed081a783eadb490bf3de817c38a34b3369fb4393f17e1e058370e7d", "type": "eql", - "version": 105 + "version": 106 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "min_stack_version": "8.3", @@ -3063,9 +3098,9 @@ "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "min_stack_version": "8.3", "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "0f1d99638bad179a4fc6aa5eded3dd7c702cca3bb64d3391795079f2ec31258f", + "sha256": "0468696a45e242d7e3e71b093c8c41a2a2e0318d204b64572529c03774829201", "type": "query", - "version": 104 + "version": 105 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.3", @@ -3184,9 +3219,9 @@ "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "min_stack_version": "8.3", "rule_name": "Persistence via Login or Logout Hook", - "sha256": "5cd203eee04afdcba2fde9accdf21b565daaa0b4045828ae0000738b5bb25a43", + "sha256": "4b664dd5877d1ea41aa62988945b0551c37d895fe86546e544ee732f93985f78", "type": "eql", - "version": 105 + "version": 106 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.3", @@ -3198,9 +3233,9 @@ "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "min_stack_version": "8.3", "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "7c02503c215c5f50cc47a690a3caf0da786994efdfcfd87afa318aacea1154b2", + "sha256": "2f1b66054ac5bbc100d284a9f0ceda0c965b47881c9787c1945b8e466f298324", "type": "eql", - "version": 104 + "version": 105 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "min_stack_version": "8.4", @@ -3279,6 +3314,13 @@ "type": "eql", "version": 109 }, + "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e", + "type": "threshold", + "version": 1 + }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement via MSHTA", @@ -3289,9 +3331,9 @@ "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.3", "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "4878a18822a0f4ab3c6536a39b0055899b9fa296cc1629aa3d8a99d767235d30", + "sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640", "type": "query", - "version": 107 + "version": 108 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "min_stack_version": "8.3", @@ -3338,9 +3380,9 @@ "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "min_stack_version": "8.3", "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "9f94576d0bdd988636ba37fb9ff9911924d47880457e60f8a281664394a503bd", + "sha256": "df8fdd419ba042425bba4c2b32c414ac9dc05e1980edd08bc04fc4e8d18ead19", "type": "query", - "version": 104 + "version": 105 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "min_stack_version": "8.3", @@ -3374,9 +3416,9 @@ "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "min_stack_version": "8.3", "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "4b0aa397b2a5a31b54907a49393ecd97e46a33ceedcd629218f8f7175ccb86b4", + "sha256": "d6221b6ee2915a7b34ad8447f034179710da43b944bec0968235b097e3823ad1", "type": "eql", - "version": 105 + "version": 106 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "min_stack_version": "8.5", @@ -3416,9 +3458,9 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.3", "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "f1cea9ea6da3199934e1644e4efa06da30f02a8e11d48724001e6152a64ad6ce", + "sha256": "de9510393c24ff3e139c05854ab2ae53078fd1a040209a8d32e2a781b4429df5", "type": "eql", - "version": 104 + "version": 105 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.3", @@ -3719,9 +3761,9 @@ "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "min_stack_version": "8.3", "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "4bcdfcf964b59e07e704d0ae1768231f6895fdeaf16019ec2530b3fd1e908b6a", + "sha256": "470df0c6e17a6b76b3d5dfe11b58055120699d9a00c0cfbb61259400adbc757a", "type": "eql", - "version": 105 + "version": 106 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.3", @@ -3756,6 +3798,13 @@ "type": "query", "version": 100 }, + "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "First Occurrence of Okta User Session Started via Proxy", + "sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f", + "type": "new_terms", + "version": 1 + }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "min_stack_version": "8.4", "previous": { @@ -3827,9 +3876,9 @@ "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "min_stack_version": "8.3", "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "ae6e77c0abc663eb2873c37d6321d6ae8da6355d89e5ebb728b742b16d2d14fb", + "sha256": "72795d027c2e5d95512a10ba9093cc08010fd8b0ca59bb63a4d890ebb975b67c", "type": "query", - "version": 104 + "version": 105 }, "7164081a-3930-11ed-a261-0242ac120002": { "min_stack_version": "8.4", @@ -3914,9 +3963,9 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.3", "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "face2669be6ce58d7dc8b07bc4b200577cdf0bd21facb3d5266facb5df28a6dc", + "sha256": "3db7bef640680a74100f7cb2389b8fa17b1bafa853c727820f3049d568ba79bf", "type": "query", - "version": 104 + "version": 105 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "8.3", @@ -4343,9 +4392,9 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.3", "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "9674dc1bd6cc5c17c8038a4e71b92f2737ef72aa1601bbf05b06fe0d5fb2136e", + "sha256": "f9e2397c95b2c307f8a7ed2bf1151fe7306a38ee6b45dce9ef9531b8e455486f", "type": "eql", - "version": 105 + "version": 106 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "min_stack_version": "8.3", @@ -4519,9 +4568,9 @@ "88817a33-60d3-411f-ba79-7c905d865b2a": { "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "2440310a8c23cbde04e7ac92d579c678d852f3426d6349638199d49af0a46c85", + "sha256": "5c0fc7dd81e04f3fbd1c5c472f0bd727ad065924ec0d714e5bc13c4b6b3e45ff", "type": "eql", - "version": 105 + "version": 106 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "min_stack_version": "8.6", @@ -4569,9 +4618,9 @@ "89fa6cb7-6b53-4de2-b604-648488841ab8": { "min_stack_version": "8.3", "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "456c1af4f588c9d3fc039ba183fe378b0d32a8920c785254b0550fdd4329374b", + "sha256": "abc0977e48e577f93d91ddb156280eb131accdb697133ac9f8e895d66e7ead14", "type": "query", - "version": 104 + "version": 105 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "min_stack_version": "8.3", @@ -4580,6 +4629,13 @@ "type": "eql", "version": 4 }, + "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Potential Okta MFA Bombing via Push Notifications", + "sha256": "3f33c3e7817f1f2970238c916629c2827ae0b7b46a7c0152797aba33b835fa4b", + "type": "eql", + "version": 1 + }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", @@ -4784,9 +4840,9 @@ "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "5fd3c8920f816415b48c716e7a2374f0fd76b507f2f5d3669969829ede88cb01", + "sha256": "7ff71544a593f40e8c7261a058bd9edd9c796f925043bb8c917fbdfab7137f94", "type": "eql", - "version": 105 + "version": 106 }, "90babaa8-5216-4568-992d-d4a01a105d98": { "min_stack_version": "8.3", @@ -5037,9 +5093,9 @@ "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", "rule_name": "Access to Keychain Credentials Directories", - "sha256": "fe23aa5928440dd067c2f16b8a796d46a7480c4f130d91319cfcba852fce1f0d", + "sha256": "360631a00947fd49eec1f1e5ec2234141c5e18b5d345f84d59ffdbfcf8022c22", "type": "eql", - "version": 105 + "version": 106 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.3", @@ -5089,10 +5145,10 @@ "version": 107 } }, - "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d", + "rule_name": "Potentially Successful MFA Bombing via Push Notifications", + "sha256": "9671afcc66dbc58a275066f23ee0484f9b8819dbeccdde28660354c790ae9387", "type": "eql", - "version": 207 + "version": 208 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", @@ -5181,9 +5237,9 @@ "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "min_stack_version": "8.3", "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "40258127ac6373780bfd25be362342b142324a166319243b55a747b477db70b0", + "sha256": "3716f7ea4026fc8bb71aa2f326ddd6b6d1d47e6e120cf8b992ebdc2dd76ebb95", "type": "eql", - "version": 104 + "version": 105 }, "994e40aa-8c85-43de-825e-15f665375ee8": { "min_stack_version": "8.9", @@ -5379,9 +5435,9 @@ "9d19ece6-c20e-481a-90c5-ccca596537de": { "min_stack_version": "8.3", "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "362420c35e0dec946d828d9efe8a1dd0e2313dec67f9a9b0f2c27f8361fffe58", + "sha256": "a96af71832577dd58427030d8213653dc4e553bed0e3edf06ad87c56ceef6c49", "type": "eql", - "version": 104 + "version": 105 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "min_stack_version": "8.3", @@ -5631,9 +5687,9 @@ "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", - "sha256": "5059d25e53e20ecda5bd0bddff5f19aa0c90190e3c58cf6926c946c26f701839", + "sha256": "9c88642e11a43c139d78492404690649488e23d89b508c7de31e65e235630a25", "type": "eql", - "version": 105 + "version": 106 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "min_stack_version": "8.9", @@ -5751,9 +5807,9 @@ "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", - "sha256": "9960496bb3be4ae85c905a65d9967cce3c87c957c5b9c0a36e7940676dc24fac", + "sha256": "d0dd83e403bca3f7f3d1950d5015f30d849b5fcd9227445946baf01306304def", "type": "eql", - "version": 108 + "version": 109 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", @@ -5765,16 +5821,16 @@ "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Login Hook", - "sha256": "742e178d21a4f38dbde0ceff9f3c75a33a79e70080f971e3fc63e644283c1f24", + "sha256": "5431b29441b0311ce85f05817f1b65afc8e1440be98c43efc808531aceb55b40", "type": "query", - "version": 105 + "version": 106 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", - "sha256": "6fc6cae28ebf0c75451af175b21022b2c33ceb781032192f90c20d91bd0ad2a8", + "sha256": "6db650fd26dc358bff1969f2dddd549f4725e7cb9e13c6037613103125d67d05", "type": "eql", - "version": 109 + "version": 110 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.9", @@ -5832,16 +5888,16 @@ "ace1e989-a541-44df-93a8-a8b0591b63c0": { "min_stack_version": "8.3", "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "6d6c36df74a3227db9ddfe242e6d7e4598aa4536c80338756b9774499deb5d46", + "sha256": "717b98ebd28d44eb41e239b4c1fce9a077b804fb2fa74887e44db8abf8a9d984", "type": "threshold", - "version": 105 + "version": 106 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "f9f3abc0bcdf5a397a26aac862f259f0a5b8a25feded07e85dcb9a308c799f23", + "sha256": "7a665dd484eabb4ea95433a9fc76aa6c2f6a5e88e3bf2aa3586eb8624521f396", "type": "eql", - "version": 105 + "version": 106 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.3", @@ -5882,9 +5938,9 @@ "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "1784ba8b2bf2310de8bfc0fb1eb058a96c9ef25ba4a1e78a8e271a61f856f675", + "sha256": "a1d0802a3a49d1a2c58175fb38e49b393c12892b0263bc10245b307ccec0d964", "type": "query", - "version": 104 + "version": 105 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.3", @@ -5952,9 +6008,9 @@ "b00bcd89-000c-4425-b94c-716ef67762f6": { "min_stack_version": "8.3", "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "fe6380b09c3b3d38b09818076fb3ef3d0693c968fe9ce5547c4a82196782f931", + "sha256": "b919ec7747f8bf3d3a989dbb2894552ecf9eee7139899e68b404a3802c120c3d", "type": "query", - "version": 104 + "version": 105 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.3", @@ -5986,9 +6042,9 @@ "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", - "sha256": "5140f51472bb51e246f8a5076ee0138186c0db463f337c8cbc044bbede59a6bb", + "sha256": "e726cfbb1046391cb001954a90288d5b3222d8379b5ae13d58b6e6bc20aec033", "type": "eql", - "version": 108 + "version": 109 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "min_stack_version": "8.3", @@ -6028,9 +6084,9 @@ "b4449455-f986-4b5a-82ed-e36b129331f7": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "46fcd9e76f08b0cd3308e57b64244a9bec5ce01b30e491015a20e1fd53e3de2a", + "sha256": "c663140ba0d75027a34b394dec5c86633102e0f2514050f99e1d706c97cb9b8e", "type": "query", - "version": 104 + "version": 105 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "min_stack_version": "8.9", @@ -6313,9 +6369,9 @@ "bc1eeacf-2972-434f-b782-3a532b100d67": { "min_stack_version": "8.3", "rule_name": "Attempt to Install Root Certificate", - "sha256": "2ec38edc30ee4c822372bf3a9e2f00ebdead1b16f135cbf5fbb1c657fbf41c9d", + "sha256": "7f461bbff1e8be89e57d400d6e907b6697dbc783dae396c6d6ee0ce3efd419f1", "type": "query", - "version": 104 + "version": 105 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "min_stack_version": "8.3", @@ -6448,9 +6504,9 @@ "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "0afe2d906b4e49920bacb79b64404fb8d2ad10c938ab6066d1775c4498d2c1a1", + "sha256": "2c9b4244cb4994ff559dfc5ff89df8400a366e4faadd5f8900810fa90b30281e", "type": "eql", - "version": 105 + "version": 106 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", @@ -6529,9 +6585,9 @@ "c292fa52-4115-408a-b897-e14f684b3cb7": { "min_stack_version": "8.3", "rule_name": "Persistence via Folder Action Script", - "sha256": "07321ea58e3520857e64122ab09803a1fc574e94988a20508aea507982b84a06", + "sha256": "bb9fad0b65e7bc241670ef85a6bc8750f4bcc92e98888e091f2ca9b30d833ce8", "type": "eql", - "version": 104 + "version": 105 }, "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.3", @@ -6723,9 +6779,9 @@ "c81cefcb-82b9-4408-a533-3c3df549e62d": { "min_stack_version": "8.3", "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "aa52a0c9a38018a7a9d08eff12060ae5763f3672ab6f68acbc3a41dc323c4720", + "sha256": "4c1848771275a47db363a85fd08d70afa61b85baaca4651d4c823c0accc02d6d", "type": "query", - "version": 104 + "version": 105 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "min_stack_version": "8.3", @@ -6851,9 +6907,9 @@ "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "min_stack_version": "8.3", "rule_name": "Suspicious Calendar File Modification", - "sha256": "0efc16177bd032307d27579913e6c57c8d1d44ed1f5df38407ead5bbbe045dd8", + "sha256": "4020e8d93c52fc49bce77c661a1566c03732a2a74906ceec9c5371f6f0fdecef", "type": "query", - "version": 104 + "version": 105 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", @@ -6864,9 +6920,16 @@ "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "min_stack_version": "8.3", "rule_name": "Attempt to Enable the Root Account", - "sha256": "08bf09dc443eb0fb41c941a0a47f67b866253111c50d852fec72b81e5cdea100", + "sha256": "859a1abd493744516a89a3da4036d0f389decd9a8f56ee51a41b0f3bd7d335bd", "type": "query", - "version": 104 + "version": 105 + }, + "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Multiple Okta Client Addresses for a Single User Session", + "sha256": "95e6787fdbd7768c2066b060596b45e20e11a64d5e238abe96679290fbbf2469", + "type": "threshold", + "version": 1 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "min_stack_version": "8.9", @@ -7112,9 +7175,9 @@ "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "min_stack_version": "8.3", "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "688898fbfb57e6d44d1f755be87e439516aa1a084dd4adbaa97b65bf8eb86995", + "sha256": "89e780b8ad04e619a91f21797ef0ad455995889221fac37ccd693f8a9be88e1c", "type": "query", - "version": 104 + "version": 105 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.3", @@ -7147,9 +7210,9 @@ "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", - "sha256": "6f6e3def0588b1a03d12a0293b5bbd9c1d0090fe90097786f9d7a4b13c95f02e", + "sha256": "692c64fb60537e8d2920f5feaa3ed8a0bbb120fa138fee7526e2698ed2895421", "type": "eql", - "version": 104 + "version": 105 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.10", @@ -7299,9 +7362,9 @@ "d75991f2-b989-419d-b797-ac1e54ec2d61": { "min_stack_version": "8.3", "rule_name": "SystemKey Access via Command Line", - "sha256": "9d6616ef8767f89e243b80ec3f320bdd3c8e6a46acc445fd040ae92aaf3e9c12", + "sha256": "f758f68cb5c44f5582fdf29f91b5ede95c7b692861a950921ce02561e9bddb48", "type": "query", - "version": 104 + "version": 105 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", @@ -7787,6 +7850,13 @@ "type": "eql", "version": 108 }, + "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { + "min_stack_version": "8.4", + "rule_name": "First Time Seen NewCredentials Logon Process", + "sha256": "856cdc898f8b290d5ebe5bfffde4ce85f483f62eb7e0158a0f9e35f6e8dc2afd", + "type": "new_terms", + "version": 1 + }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", "previous": { @@ -7849,9 +7919,9 @@ "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", - "sha256": "588ebf1bdd990fd6153d745e01de7aa329e4b9ad1cf727e6c6ae340a7691e07f", + "sha256": "0e60f668e5a539600f5060b2537b7bda7cd79b13c441946455056b809cb95563", "type": "query", - "version": 104 + "version": 105 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.10", @@ -7872,9 +7942,9 @@ "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "1732013a4ba605cabe48c7b619ab0091ebe06309b90dd143c75a2212213833bf", + "sha256": "7180375170c573c1ff2a7287cba28879a2150c8796bb81c12556a08394e87e8f", "type": "eql", - "version": 105 + "version": 106 }, "e7075e8d-a966-458e-a183-85cd331af255": { "min_stack_version": "8.3", @@ -8226,6 +8296,13 @@ "type": "eql", "version": 3 }, + "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { + "min_stack_version": "8.3", + "rule_name": "Okta FastPass Phishing Detection", + "sha256": "8270e1a274c3fc9549fd1c6e7a45f05f1bffa07a9b5f4f416074649a7a48b303", + "type": "query", + "version": 2 + }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", @@ -8249,9 +8326,9 @@ "eea82229-b002-470e-a9e1-00be38b14d32": { "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "9893771c796bd09dcc8f046fd8356942e6cdc5159da8de8a23d418df3220c216", + "sha256": "26d4865a30d6490602a379d7abcba4e5aa0095e306e662d489bb63f80cb57bc9", "type": "eql", - "version": 105 + "version": 106 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.3", @@ -8314,9 +8391,9 @@ "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "d7bdcd2de9485c0496e83b118d9a4206a6bb8b4d6a4708797dc89b42403f753a", + "sha256": "692fa40e6bf4142e039d77a8009d3ffaf73cb02fb0bad253f89a7791b27bb286", "type": "eql", - "version": 105 + "version": 106 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "min_stack_version": "8.3", @@ -8328,9 +8405,9 @@ "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "1757d1031c5a71bf9d138675ce1ff87d27789dbda0f8da8764846ec8e42433f4", + "sha256": "86c5bd201fcce02f843be59ad5577b453feab265fb5ace94414dfd794f1083c5", "type": "query", - "version": 104 + "version": 105 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.3", @@ -8356,9 +8433,9 @@ "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "e9d5cd6f343029ce8db6fae1ac69791d81d0079795f15c27d2b04cae4d5692b5", + "sha256": "6fb54f1660018d11515f2fbdb198da3ff179bd8c841c93cccdb1fc2e681d5f7e", "type": "eql", - "version": 106 + "version": 107 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", @@ -8539,9 +8616,9 @@ "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "244211398fba0bab7dda8256bd3c850b4d50809a75b98d4a729d349b94fee478", + "sha256": "fb87b9eb3ce642106368e9900a834940914053f852b8fb77bc5c68cc937f3312", "type": "query", - "version": 104 + "version": 105 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "min_stack_version": "8.3", @@ -8597,9 +8674,9 @@ "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "a2f610710f7b33470a65808c34fbd182dcd0512ec2a9678a18b05f5f24343378", + "sha256": "f27060c1e1635cedb3d4db1d8bb5ddabdf1ffa478643e158e4847d1405cac3ca", "type": "query", - "version": 104 + "version": 105 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.3",