From 1dfb05ec1cd5604db32e7ac602fd28435c19eb65 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 4 Feb 2025 00:05:59 +0530 Subject: [PATCH] Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4442) --- detection_rules/etc/version.lock.json | 6745 +++++++++++++------------ pyproject.toml | 2 +- 2 files changed, 3404 insertions(+), 3343 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 0147e5f38..4fa6fc294 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -5,22 +5,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", + "sha256": "983f1980633f2fdeefc4b7d50b5e5662382880e65a27b51351387386cf225207", "type": "query", - "version": 411 + "version": 412 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", 
@@ -51,59 +51,59 @@ "8.12": { "max_allowable_version": 209, "rule_name": "System Shells via Services", - "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", + "sha256": "234ca1d03d9490f694e58e4e930034af44bc5607d0b3d9b618220e2c43f63709", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 413, "rule_name": "System Shells via Services", - "sha256": "708a60d7b82bcae8d3c5d83d4e192c9b30bb0f4e8d73b7c6c3cb947d05f98199", + "sha256": "053a24a7c772b51aa6c4cacaaf2b60d644b999d648117254f85fb9550c02b7d1", "type": "eql", - "version": 314 + "version": 315 } }, "rule_name": "System Shells via Services", - "sha256": "15ba51d5a9926689787c960642056ab3de981a47b061a42487b3d8425f22e435", + "sha256": "3c7e037d08a986cffce89446616f2c30c98c4f0c30ab9560f83af5f3f4ae76dc", "type": "eql", - "version": 415 + "version": 416 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", - "sha256": "f349feeacc158450a8c5f0668ae859afc19fd12c10c89d18b3f0f2ddd04215dd", + "sha256": "110f1d5ec2ca1f18a3743314973ced9654ea4260ae861e092afd16c9f929ecd4", "type": "eql", - "version": 1 + "version": 2 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", - "sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee", + "sha256": "084af080fe0d6182cf5ea6c48b232167996f3eead720253e885568afa89e5afa", "type": "query", - "version": 3 + "version": 4 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", + "sha256": "3d31dd5d0a8353000b212c5ffe3b14f5abe88a3f98db97488625321608bd20f0", "type": "query", - "version": 206 + "version": 207 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "AWS Redshift Cluster Creation", - "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", + "sha256": 
"1341375c3cccb30e7ed441439c386122fec8eca43759b591f42c42d2bd11083f", "type": "query", - "version": 206 + "version": 207 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "rule_name": "Potential Network Scan Detected", - "sha256": "0b7bd18f56d2a7b5f3bc16613aeb6e2a09c6a9ccc54a0592c9835fff18811b79", + "sha256": "c1b9eadbd36d57badf096a96ee583481a92a6e1de6d1e40b428fb368591eff60", "type": "threshold", - "version": 7 + "version": 8 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Memory Threat - Detected - Elastic Defend", - "sha256": "9bd0f3d01ba4fa20cad1d9fbbc2e6ceb49cc0b07a3e1c1c6250c0f990af738e6", + "sha256": "a6477740d6012e55a9333f32ef516a7b656ca22dba1362371129cc6f75da54ab", "type": "query", - "version": 1 + "version": 2 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "min_stack_version": "8.13", @@ -127,15 +127,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", + "sha256": "810907d90a27aee361c0e4bdf4d0bfe79e58e47c2b9f7a8df4b14ad750f1aa8a", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004", + "sha256": "dbcb6ee16e0332c0f9e3c35385be6f5264364abf46e4cfa8504e52f66afc3999", "type": "eql", - "version": 207 + "version": 208 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "min_stack_version": "8.13", @@ -155,9 +155,9 @@ }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", - "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", + "sha256": "1ac8ed3b1ca5fea1b2f1908042c00a316d4459af2220eb483569bcea820be9c1", "type": "eql", - "version": 6 + "version": 7 }, "02a4576a-7480-4284-9327-548a806b5e48": { "min_stack_version": "8.14", 
@@ -165,15 +165,15 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", + "sha256": "376189f0989a9c834ea9e807f1c31236301e528eec227aa389419a7e53aeabf0", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "378f6d82a234a955375536d3a61db47a5093fe754b62078f81f9746f4e1a3ac7", + "sha256": "3e2498d141db920ce8fc17488acde7032ea81b42d39f7e26c4050febb32a3bec", "type": "eql", - "version": 308 + "version": 309 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", @@ -183,15 +183,15 @@ }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", + "sha256": "a07d5178b0d63fe45832be7feae2eea146956b3b81baf2c247c23c39a4465af4", "type": "query", - "version": 106 + "version": 107 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", + "sha256": "6914713f09336f9c3dd081ef53ac47488673b0d06d86d731eae0c68021783845", "type": "query", - "version": 206 + "version": 207 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.14", 
@@ -221,39 +221,39 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", + "sha256": "63da0c176cc07352e9a1cb9d92ededc8900ca1b1c6f6dfa5b1d8af6e158f55fa", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "5a89e9c9403463bc8cad9d70b104d352791bd9ba509e45e22ce425a5b8bdba4e", + "sha256": "7be24103e80b488ec59b95552a069f1c357d42f5fec529c19402f290b74e282c", "type": "eql", - "version": 102 + "version": 103 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "SSH Process Launched From Inside A Container", - "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", + "sha256": "f20d44b0d750d0c26fca0b620394312ba50e05209f19a2c8efe8a5779d97e899", "type": "eql", - "version": 2 + "version": 3 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", - "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", + "sha256": "ae3ea0137d74ca472a7ba99931f0fb829c7b6419004e69b9a9a0ac88b87e0ebb", "type": "threshold", - "version": 3 + "version": 4 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS Cloudformation Stack Creation by User", - "sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69", + "sha256": "52da905207d1e7c88fc6422717c8a5e4a92dc36ee070a06fc4bcdbc3d90476d3", "type": "new_terms", - "version": 1 + "version": 2 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", - "sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972", + "sha256": "3b26f04620990f0636c48d69c7dddb1091ac744f61ef4244cf1bf27d38677ecc", "type": "query", - "version": 110 + "version": 111 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", 
@@ -267,34 +267,34 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174", + "sha256": "47373227a503f5fe1fde96d536e6a205fcac83b971b0dee087b3614cd96c814f", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 200, "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67", + "sha256": "8d179fe06605d1b9a62c3cda5f232e20d6e98172b8c62bc1ac5e3c362f0caf83", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102", + "sha256": "95d69d7ba9d1821cb7a31fc102eddbf4725f3512d45f8c1129cd08902c00b9da", "type": "eql", - "version": 202 + "version": 203 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", + "sha256": "60c46c899a69ab28b32485227c01fb16cee84b26abd65893b8f900c888034338", "type": "query", - "version": 102 + "version": 103 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", - "sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9", + "sha256": "605d63b5087ecb7c6b317b124502b5109f16a229ccb1a878d7f5c7f08940e119", "type": "eql", - "version": 1 + "version": 2 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.14", 
@@ -302,21 +302,21 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0", + "sha256": "1ca8fdf09317fd36c70df03f3201b8274dda82e84f259811b7e392d1b5d8e6b4", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "ae7b800eac312f398df8ba82f12abc2529bb704c4185f69948be3617af2847fb", + "sha256": "a219cd9773dc1fa8aa69881e4de1fb3c8b9b635a1c380a4782cf15cec90f8904", "type": "eql", - "version": 211 + "version": 212 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", - "sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570", + "sha256": "8d613ba421aebd8dcbce56302f1c2d6a19b749085004adc1050a81aed090dcc5", "type": "eql", - "version": 7 + "version": 8 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.14", @@ -359,15 +359,15 @@ }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", - "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", + "sha256": "6e6fcbbf2ea3332a110e3c68ebc52cde1b789a0370ce24f76e00a25d8c349bf6", "type": "query", - "version": 4 + "version": 5 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", + "sha256": "c70d925a16e8a0ca54c52ed7ba79164ff5091150dc18e8f3096440d73fd87433", "type": "query", - "version": 108 + "version": 109 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.14", 
@@ -403,9 +403,9 @@ }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "rule_name": "Unusual Remote File Size", - "sha256": "86c63dfc5a14108858c1a668088b651845e888e1dfa6764e364d7193cda1e105", + "sha256": "1c0662f5b11e6019bfa3e32d36fedf5821114840e8aa8e424150ea7631c58079", "type": "machine_learning", - "version": 4 + "version": 5 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.14", @@ -436,15 +436,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Dynamic Linker (ld.so) Creation", - "sha256": "d199c5e9dfd9aa2e6e54808f02b7c661ba51e4c78cc780b45d0e910dc09b0230", + "sha256": "798d7634945767913aeab178e7df25c3696ac6e993cbaaaefe8030ea91fe0f4c", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Dynamic Linker (ld.so) Creation", - "sha256": "25c134214022fe4919832996ce775387fbd9ee22fda14c49daaecb865d145206", + "sha256": "cf3d305ea89fd7b2c84f8ed412f55d0c5180e021f2d107a517d501e85c15e038", "type": "eql", - "version": 101 + "version": 102 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.14", 
@@ -452,22 +452,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Potential Evasion via Filter Manager", - "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1", + "sha256": "fe0b271cf1660d839ba9c04e3ae7c6a2ae6bfc5ba80b354d7aa2ebf8ba75db6b", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Potential Evasion via Filter Manager", - "sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c", + "sha256": "cb388e3a30c4e77292f3c6ffde5fabc2aa388f8affa6756cf70e1b8442d61a30", "type": "eql", - "version": 213 + "version": 214 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Memory Threat - Prevented- Elastic Defend", - "sha256": "542beb283553b21b373b87f1963fa845b95929b9664d3af97f7777e621206a0b", + "sha256": "96b6afa2ed123a001168eaaafe269a572393ee32c8248cd27a29182040b5dbcc", "type": "query", - "version": 1 + "version": 2 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.14", @@ -498,15 +498,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", + "sha256": "380c523049b8404ce0d831d93a39d8d6e334c2a51c94e3454920aa9b947d0d60", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "d8a91efd007be1ed16d117fe17458c7361f18450b73e73083ee88ec02bf6d049", + "sha256": "3d9549ea279015b77bc82b2e69b630d2013529cbc37e51d1316381f1c8f34d54", "type": "eql", - "version": 206 + "version": 207 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", 
@@ -520,22 +520,22 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", + "sha256": "09c2f36752a76180ee5f6c3d999fca9b4a594baf1e68da518828098d4a918b29", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 311, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1d581fab9894150d93b9290184613601916238ed613aed8f033ba029c6d7f747", + "sha256": "7a1e221305122e11869857dfef01583fa3242e9353bbc3c58bd029ddc08ce349", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "cba44e5f0b785c8ff69b139d209a7e10ae87452830da92efee001b69f5a95d51", + "sha256": "a02807e2dbf00fd418c04b345cf9bb599e756134d50cfc7ceb239d0db3e3d270", "type": "eql", - "version": 312 + "version": 313 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", 
@@ -545,21 +545,21 @@ }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", - "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "sha256": "a43d168f61e8163581d0687f0304f03e2ddae74d1116c478f933178625133b7d", "type": "eql", - "version": 107 + "version": 108 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", + "sha256": "c267399fea2ab4ee01b5424d01dc5ca68f6fbcb529f4f0c022cde54d6f87b25e", "type": "eql", - "version": 106 + "version": 107 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", + "sha256": "a01dd38408bbec2545a780590fb1551649acb6e25b7f9589b305b518dcfae70a", "type": "query", - "version": 106 + "version": 107 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.14", 
@@ -567,22 +567,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "First Time Seen Removable Device", - "sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef", + "sha256": "f1ac8cf1be60a96de758a01dfbfd0a5b594450e5a38ceae29fc315267402c892", "type": "new_terms", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "First Time Seen Removable Device", - "sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6", + "sha256": "c14fec5bc1b916855cac0929b535c0865ae08136bf417b3ef52374ed88a27cc5", "type": "new_terms", - "version": 109 + "version": 110 } }, "rule_name": "First Time Seen Removable Device", - "sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58", + "sha256": "70f7e9b02ae62752a1aa355c2bf0737861fcbe8f6d564b36f533e1c115925ed6", "type": "new_terms", - "version": 209 + "version": 210 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "rule_name": "Windows Account or Group Discovery", @@ -598,15 +598,15 @@ }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", + "sha256": "df3311bb176bf73432fcbf38549d153c5d42b0a2dc86764c6daa86fc9db5903f", "type": "eql", - "version": 107 + "version": 108 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Process Termination followed by Deletion", - "sha256": "07259ee65eed64efa83cd67f2944378c9f5eac6af8a0d950ddf46fd06505c613", + "sha256": "14b2c50279749311159d46204420c773d52555a562d83ce604a03fd9d9abaafb", "type": "eql", - "version": 110 + "version": 111 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { "min_stack_version": "8.13", 
@@ -632,27 +632,27 @@ }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff", + "sha256": "c8115f0fe38df7a874ae8c9073dfe093a940fc49c4e0f9ae6c7e317213b43120", "type": "eql", - "version": 5 + "version": 6 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", - "type": "query", - "version": 102 - }, - "0a97b20f-4144-49ea-be32-b540ecc445de": { - "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", + "sha256": "f6a45024261cb0b349f1b5e65afcbfd1cffe90e669fa3157bf60ea20538b5f44", "type": "query", "version": 103 }, + "0a97b20f-4144-49ea-be32-b540ecc445de": { + "rule_name": "Malware - Detected - Elastic Endgame", + "sha256": "7a47db16ef187e82ca162b4ddc7be98c559c56f60930c7f857b4998e456db762", + "type": "query", + "version": 104 + }, "0ab319ef-92b8-4c7f-989b-5de93c852e93": { "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", - "sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370", + "sha256": "d0ca847022a16689d65f980293f4e0fd6f57daf55cdf34dcf2d377d146f0757a", "type": "query", - "version": 5 + "version": 6 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.14", @@ -672,9 +672,9 @@ }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", - "sha256": "b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559", + "sha256": "2246ca718f9e4c68f8015278f6c338d481215cf44d109266c689582b268cd4b6", "type": "eql", - "version": 4 + "version": 5 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.14", 
@@ -682,15 +682,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Windows Process Creation", - "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", + "sha256": "e58901307b82a6b703f7a5b2767769ca7cbec1c80db040954fe646835f35d714", "type": "machine_learning", - "version": 108 + "version": 109 } }, "rule_name": "Anomalous Windows Process Creation", - "sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0", + "sha256": "c0f120a64ff245f24b22572875fa394dbdc77cb4f3718153eba555eb889feac8", "type": "machine_learning", - "version": 208 + "version": 209 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.14", @@ -704,21 +704,21 @@ } }, "rule_name": "User account exposed to Kerberoasting", - "sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af", + "sha256": "ebe574808b30bc1075a58cef2f874bdd05f42e8a24777f0a63b52a2120faa70c", "type": "query", - "version": 213 + "version": 214 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", - "sha256": "22a959fc1ae4b5c978a6bb8e8fa8d2acd527c45d6f559981da7a7b185d3ce099", + "sha256": "f38d9a3cb527fed3ad70ba4055716a8490606cb347a6813497bae630dd296758", "type": "eql", - "version": 1 + "version": 2 }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", - "sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6", + "sha256": "4a8f1df0c1c99b704e5485fd658ff9569854ebb1e729a16996a835862cfe8f24", "type": "eql", - "version": 1 + "version": 2 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "min_stack_version": "8.13", 
@@ -726,15 +726,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9", + "sha256": "91457268048c8d92e741bfd1d7bb5d54fe0d743c61407f7a0715f70c10dfa674", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "81734f1eb98d81af0ca26082b03fceb94a4883a4f849ace026fd8c1adbc3bd35", + "sha256": "9e2c7511c3657f8026a9d0e6444662c80eb57012a8d38efa6e23d9c3814ef567", "type": "eql", - "version": 106 + "version": 107 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "min_stack_version": "8.14", @@ -742,15 +742,15 @@ "8.13": { "max_allowable_version": 101, "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088", + "sha256": "7ffa76bdd42de95fc9de0514beb379f3022d2480038fc89512a38dc061cf24e9", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "a41786ebd2dfbb03c42ea6bf3fdc405509199a39d2c76596d2106580b4e85706", + "sha256": "e00123eeed5a9592b8d966a72a4ad924189880c7010e544d25d5026d9accd309", "type": "eql", - "version": 104 + "version": 105 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", 
@@ -764,28 +764,28 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Hex Payload Execution", - "sha256": "b50ace78d817688a156f23beb890b4697291938d084ca42129f8ecf1dcb8b0b0", + "sha256": "74f721a4c27361f235243b389dfdd0770212ed79d7fe1c2959e73c93b9edb754", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Potential Hex Payload Execution", - "sha256": "2d0fa73ed28a53fba32e51085db7721c3da52a4443b249024ba095506e2997d7", + "sha256": "60df1c7136646558bb4c4713cbfb9a5a4b107a9416be8a60fbf7700cbcb94ce3", "type": "eql", - "version": 101 + "version": 102 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d", + "sha256": "9507b5aae7440ff10ceb3f3e75dcc178e809320a084d56e616de90e14713d0d6", "type": "threat_match", - "version": 7 + "version": 8 }, "0c74cd7e-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Ransomware - Detected - Elastic Defend", - "sha256": "d762ceed58b4360fed6a1ddbf89869a6d4548ddaaff3398092e868f20864f049", + "sha256": "bdb55dbd118fb03d8e90db6727cb7c17fdf199dc7aab3fad8d6a9c783bd05f4e", "type": "query", - "version": 1 + "version": 2 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.14", 
@@ -819,21 +819,21 @@ "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", - "sha256": "dbe1ee653e8649143a8b2aa6c43f5f5661b1bbccfd106614feb092ddd050d25b", + "sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5", "type": "esql", - "version": 4 + "version": 5 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", + "sha256": "c5b5703eecd7632b4ddb4091627b0ff3ab51fe21941d1f5b53297f00d72c4f4d", "type": "query", - "version": 206 + "version": 207 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", - "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", + "sha256": "15e804addadde83664812796f8f9823a5c7ebff99e0beb27678162bd9c31e24b", "type": "threshold", - "version": 3 + "version": 4 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.13", @@ -841,15 +841,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Nping Process Activity", - "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", + "sha256": "b83427252d66ff411238da7c5005c49740b023436dbc3bf58ba27c1ee3922248", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Nping Process Activity", - "sha256": "9e6ad0d56964a23df0d9728adfe7374b9829eb6b744d07e2139d35a8836e8ff3", + "sha256": "9e4865a109815afb06442ed8b43a911844889487f3b85f1621ef70b5400b71c7", "type": "eql", - "version": 208 + "version": 209 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", 
@@ -860,9 +860,9 @@ "0e1af929-42ed-4262-a846-55a7c54e7c84": { "min_stack_version": "8.13", "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", - "sha256": "b33e65a3ee076e720b9bdf2aa373dea700cfccd237404dd9f93cc4807700b15e", + "sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7", "type": "esql", - "version": 1 + "version": 2 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "min_stack_version": "8.13", @@ -882,15 +882,15 @@ }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", - "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", + "sha256": "74965d932cbd9a720a97b2ceab342bba465997b95f0c655b95003fbbe6387365", "type": "query", - "version": 206 + "version": 207 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", - "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", + "sha256": "59e29ccc3ac8165891a2e84b728fb276eaf024e4adc86f129eed888139ef37bc", "type": "query", - "version": 104 + "version": 105 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.14", 
@@ -898,34 +898,44 @@ "8.12": { "max_allowable_version": 209, "rule_name": "MsBuild Making Network Connections", - "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960", + "sha256": "7c639b668c0b9207254749cb4e45c08ed861a61d1b5e8b27147b3b664d0ae255", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "MsBuild Making Network Connections", - "sha256": "bf7179d1b47194100baad37ed0a523ce816c9844de775a252e0c6a98cd5d3ebf", + "sha256": "dcb595ba973117d787c324d67e3c1089fbb00fd94c18e02e68348da2cbca9297", "type": "eql", - "version": 210 + "version": 211 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "8.14", "rule_name": "Sensitive Audit Policy Sub-Category Disabled", - "sha256": "1bf144627669639eeaddc1fd3dacb1721c5a22b5bbd5c657d21a9ea80a9e7a98", + "sha256": "2ccd6e44765c01f2922e5dbfec21d3112b12ea481499e274cc65faed4937a76a", "type": "query", - "version": 1 + "version": 2 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", - "sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5", + "sha256": "a58f936fd70ead1323075c2db07bdc08ae6fcf158dc76d3e3f8ee000206c8907", "type": "eql", - "version": 114 + "version": 115 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "Polkit Policy Creation", + "sha256": "44b43d02b93465a284ad02a34ec8aac120647331d3e94740777d0814d5113600", + "type": "eql", + "version": 3 + } + }, "rule_name": "Polkit Policy Creation", - "sha256": "c5b96e974b3fcfcec0a0363729ff3eaaa75d3eef6433dcfa417afba10d813e2a", + "sha256": "0afcc930436684dfdd61e2ef01cbc1adfa72ab7f84b9fd58280c94953ffdaae0", "type": "eql", - "version": 2 + "version": 103 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "min_stack_version": "8.13", 
@@ -933,22 +943,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", + "sha256": "79a36ec04c23d206b4a169e76b5d28d8f804a425556086fca9789d4fc8b188da", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "0925718d6acd18e0a768b91cd047c58843ab49c9db753e14eabcec5fed876a96", + "sha256": "43a81f7c9afb83eccece14a9be3e1ea2f6a731c8417ac2503e6ccae6a6db44af", "type": "eql", - "version": 103 + "version": 104 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Behavior - Detected - Elastic Defend", - "sha256": "744407645eb6ef1ce3977b8496e04d8f01d92fb09e755c6b86c46789bcc96172", + "sha256": "1b61e930271caf4b24683fcdcd5d779d2a0f082e6b215464af1895be281398c9", "type": "query", - "version": 1 + "version": 2 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -962,21 +972,21 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", + "sha256": "47eb039775808da28b11790e0cc065e4a50d78e27c509b0d3658b680d0e8afa5", "type": "threshold", - "version": 210 + "version": 211 } }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698", + "sha256": "bbaf49b522cd5d40af2d47cba7e4b4171ca4727ca8719122a6cdbee63432dc73", "type": "threshold", - "version": 310 + "version": 311 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", + "sha256": "76940df70c1484a0067d03c9147c59cb9cb88ff381bc232e981395b072fbcad0", "type": "query", - "version": 106 + "version": 107 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", @@ -992,16 +1002,16 @@ }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "rule_name": "WebProxy Settings Modification", - "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", + "sha256": "43d8180f7e5ee5ede17e49e4b51dde1ec237e4fd3684df5ed85afbbde690f390", "type": "query", - "version": 206 + "version": 207 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Ransomware - Prevented - Elastic Defend", - "sha256": "66448c143965f6318351f4adfaf855518fd60f58e0fceab482a7e31720a276b9", + "sha256": "f5b721e962c74dd5fefb7ed7ed924c02a88684947c35f6d8dc29286c755143f9", "type": "query", - "version": 1 + "version": 2 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", 
@@ -1015,15 +1025,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602", + "sha256": "46d8b330ba652e23adf896e687f3e5366a624a5331876fc279966cc8b152cf65", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "e8f11b08f41d0af660c26c82752b4d5344f91cdc0fc98514b43577e6477977d6", + "sha256": "a2bdb54600ed5810827ddcde587fdd19f4abe4ac4f268242ea2b360c433b20ae", "type": "eql", - "version": 211 + "version": 212 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.14", 
@@ -1031,28 +1041,28 @@ "8.12": { "max_allowable_version": 211, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd", + "sha256": "a994d1f91f21add41bfa56ede5881e607b7400b4d3892076489853ee155f7fce", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "aa018af3ba1144c484d88c95f262455130c03245c19a0d48b1f9e314be08333b", + "sha256": "153cade6c2583d73aadcdb8e1f138fd04f15225a1d087281dfb8e0a38a94a08d", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "cd4ff3a06fa4ded3c35daf6785753a17cb5582a6ae1ad4a06a341c03c74b12a5", + "sha256": "89ff75015ccc7505d10b8e1dd68a6e00bc013390bb1d3c3261ebea0dee5a9cd8", "type": "eql", - "version": 312 + "version": 313 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", - "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", + "sha256": "22b038a9d7ed9ae2bb66b4cb46bcfc5b0b5fd00d0c6512a3aa092001b5c12e80", "type": "query", - "version": 206 + "version": 207 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -1066,15 +1076,15 @@ "8.12": { "max_allowable_version": 113, "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2", + "sha256": "a7ec142dcda7675c77e9b876a21fdbc81216e3a996b187d8b9ce5fb6ee881abc", "type": "query", - "version": 14 + "version": 15 } }, "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24", + "sha256": "6b484742b765e528a93679109d41f88dab5fc43c020fe7354c920f488c850661", "type": "query", - "version": 114 + "version": 115 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.13", @@ -1094,9 +1104,9 @@ }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", + "sha256": "2e9c3df902a7e2af50b5f91cbc53f971eaac2d7c296180dc7140aa88c286406a", "type": "query", - "version": 206 + "version": 207 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -1110,15 +1120,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b", + "sha256": "36f3d53e0e615d93af889f1a29da008db557f004f34ab0b3a14b5210f0aeee2f", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9", + "sha256": "5e43858136609068909a67bd2ffd833f974eeee7ae19cdb80a02ae08ad096d70", "type": "machine_learning", - "version": 107 + "version": 108 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", 
@@ -1138,27 +1148,27 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Lsass Process Access", - "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", + "sha256": "b5585ef93c094d17af2ec93e821abae35166aff50db392c679bdfd4ad289691e", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Suspicious Lsass Process Access", - "sha256": "c7b2febcd7a93457f53f7d4c52aad131a4116e9f93d76437d261111f09423eca", + "sha256": "19af37acbf8a0f9774fb22c8fe43855471d07d04d9aa68dfaf95e90219bd65a0", "type": "eql", - "version": 208 + "version": 209 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", + "sha256": "75734b3460dff650d8fb6adbbe456341d03756acefec419bdbe2f8dbb064b12b", "type": "query", - "version": 203 + "version": 204 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "6f467e2189a55fb44966834223c32fb6509c57dd21bcdff69b4f6e2ec920aeff", + "sha256": "7c44812095bd92d02344d24e68f59d1becb7a2912cb9f782309717e196302e80", "type": "query", - "version": 204 + "version": 205 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "min_stack_version": "8.14", 
@@ -1166,22 +1176,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", + "sha256": "272a96e698a6afe16c3181d064b9c894e77f51b3eaf866209b5dce7565d67d30", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "4bbc3bd2b9452e05e7e5829db2c77881e9bd34accc89ae0ee089e96ed991a0d0", + "sha256": "dee24546d469b37c7b76c8f8f173a6c83c366cb49c0b9576f370a0bd5511952c", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "20059209c3052442c7ed5c5a377f07f5900366dd533db5b237c40a4f03968c49", + "sha256": "1a23f04cf58db376fd7b4ec19d06758a03d9ff61f0e7e73111cd6bdebc85966f", "type": "eql", - "version": 203 + "version": 204 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.14", 
@@ -1189,22 +1199,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177", + "sha256": "98f99aa122e1e624b3e09c6ba6ef60f17fad0fb85c2a0312908fa83888d30adf", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "fe4ba438fce303e2daf224812c4bd214f595f651161a5e587cc2d2e50dda76ee", + "sha256": "655e84527e938f302b438d0661911d1fc0c26eb040707b8dadc870b71b09621e", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "2948ee0b531e8ccedd058b6ffb287bbd8285049d41818d9af4a814c1705e8765", + "sha256": "e64945c3198ab598f7b7fbb252d2af8e1130443ca01fb4b04ab121f6bdea367e", "type": "eql", - "version": 314 + "version": 315 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.14", @@ -1212,22 +1222,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29", + "sha256": "17d08d5a22a343108d957c179ce6094d0257d0d8b2579a4951119dda819508f6", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 410, "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "88943865100dbcb63138fc9fc3e1c81fcd227f586956038e529e688b71384ceb", + "sha256": "9e89e81b01768e4420d38600625f002d5442c3b66d427dc5892345446d213aa6", "type": "eql", - "version": 311 + "version": 312 } }, "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "9ffa543a06d0f2ad3662845e6fa645986ce32abf6fdd1a341eb3cb92a2c2e4c2", + "sha256": "b0ccfcb313b2d42d0235a2596412d1178773cf4161732fd7ad768553a89a446b", "type": "eql", - "version": 411 + "version": 412 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "min_stack_version": "8.13", 
@@ -1235,15 +1245,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", - "sha256": "b6c89e8c3a97272346f423ebb217dd3b570a754d8cf3cc976707c2b412198fdc", + "sha256": "7a40d647d43e173b746b298d0619a6058cb05a2eb33d6e0a4e546788fa16634a", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", - "sha256": "c0225ffbf6f1c5644805b6540d4044e24bcb9f08e6af9d221853d008f463c7e5", + "sha256": "bdade28ec6aad91e8926504e30173907dc1309924ed35deef6fcedb8d5fd3f91", "type": "eql", - "version": 101 + "version": 102 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", @@ -1282,21 +1292,21 @@ }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", - "sha256": "6f94ca87d3b3519fd810a9fdc1a9a04afdea58ca913b4b4dc9e9be63ed77cec0", + "sha256": "3ec2e506931ecd0b5ba1e027207e34901c5ac024f575d19242d7a03f5ee033f6", "type": "eql", - "version": 8 + "version": 9 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", - "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", + "sha256": "6fbce9547774cb786e35438648ca5a236089ce43936066235b21a006520def25", "type": "query", - "version": 102 + "version": 103 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "6f7487c7e356c40aec2caceb15dce0977070fac0869a8f73757b0d4986b15113", + "sha256": "05723d7fde940cd2cc2663a56ee79b455405ca9d1e1270db75b986c5ef72717c", "type": "query", - "version": 104 + "version": 105 }, "14dab405-5dd9-450c-8106-72951af2391f": { "min_stack_version": "8.13", 
@@ -1304,21 +1314,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Office Test Registry Persistence", - "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", + "sha256": "3e44efbf96a359a35159414069ff36e12436779f48247e1ebb07a941605b448f", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Office Test Registry Persistence", - "sha256": "e0673b4aff07f3de4b7256ce50a44e6147759d3281b639adae677dff72feecbc", + "sha256": "ef730832a93503b501376aacb96760534cb31876eed560a014670d79b2d03b74", "type": "eql", - "version": 103 + "version": 104 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", - "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", + "sha256": "fc2b301f6bbaa53417113b60b7a3c366d6f6c509954e72e27e9386b8b8585c28", "type": "query", - "version": 203 + "version": 204 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.14", @@ -1326,22 +1336,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937", + "sha256": "c1c4d209cde3b94cd2f8c548ecdb34cb3fa679dd0b53e7fdede58f9d1556ead5", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "6349c839b9198d37d576fd976eaa2f85e6034f8ba89204b451ff0d11467cde5b", + "sha256": "c8f114645f7f362fd704081bd1e07a79689640b1eff476ca39c731460729be8c", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "cd5c53102463d73641cecf06ff0109725f62f522ecbaba20de251787a79cb33f", + "sha256": "9b84185dd52ac21aec4f2a8db1583492782012ec7a3cf59ce9987512ffb52e0f", "type": "eql", - "version": 311 + "version": 312 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "min_stack_version": "8.15", 
@@ -1349,34 +1359,34 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", + "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2", "type": "new_terms", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 203, "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", + "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2", "type": "new_terms", - "version": 104 + "version": 105 } }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", + "sha256": "b2723b3de15eaf38f608b269cd27119a720895d4cd72b126071f5f0dd90555ee", "type": "new_terms", - "version": 204 + "version": 205 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", - "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740", + "sha256": "f1e6f5c52e4c18b16f84c216103655718a11c24159fd88c9d53d7810f03b9fca", "type": "query", - "version": 1 + "version": 2 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", - "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", + "sha256": "c942ba35d01b9cb9eebfce159f6c2ef894b5f93d7501c1f04fbfe4f029914e25", "type": "eql", - "version": 3 + "version": 4 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.14", 
@@ -1400,40 +1410,40 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863", + "sha256": "0cc6051b059f0a4c23d62a16a546d261c5bbbf67a3446bf0fb2712619334c81f", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "afb44f5ed406ccfb9c40513c5e774867e961f22a9ac007320d0a4c1c31fb8cc0", + "sha256": "47c62d0707a97119096476193b3bbf9c24f7265594587011d87a5248a4d6a588", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "43674c0e7d244957e0cecaf069f23652cb12fe5bee0b6d2dfb54c4bf6bd9160f", + "sha256": "affead342a3622a946986ec040beb993b0e5c27fe2442af4d4cdd70cce50f419", "type": "eql", - "version": 314 + "version": 315 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", + "sha256": "b852f838beb12b31ac0857a95bfdd281593b4bbcb010dc1e2a32c159d2349b09", "type": "eql", - "version": 107 + "version": 108 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "rule_name": "Potential Container Escape via Modified release_agent File", - "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", + "sha256": "6227f5574f6e391b1d85763a35113b7299b3d0a278820a3c90fe8d5758de412d", "type": "eql", - "version": 1 + "version": 2 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", + "sha256": "ba45931cd861307121631371d3ceada4c31f8c0df2f03e06f91fc43499cafeab", "type": "query", - "version": 102 + "version": 103 }, "166727ab-6768-4e26-b80c-948b228ffc06": { "min_stack_version": "8.14", 
@@ -1441,27 +1451,27 @@ "8.12": { "max_allowable_version": 104, "rule_name": "File Creation Time Changed", - "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", + "sha256": "4b13b87a19503b754f0e1168a58053e72b7ab57ed3f6b4fa1e85ca983050228f", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "File Creation Time Changed", - "sha256": "b50d36dbfeb9c4de02bafa12ca2bfce4a438b1ba628cf3c02d4f726079e3e1b8", + "sha256": "a4b5224b6210e6ae22a3b2aae8187bd48cbb3c7b41926bda9a2a48c0528de974", "type": "eql", - "version": 105 + "version": 106 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", + "sha256": "23b10e667366dd92f41808c9b01db2f62209ebea86cc67add8a43532a3341b74", "type": "query", - "version": 106 + "version": 107 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", - "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", + "sha256": "ee11c9442b8e8b3ba41f33c3a39715ed346f2d770c4dc8cee36662b2214222d0", "type": "query", - "version": 206 + "version": 207 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", 
@@ -1487,16 +1497,16 @@ }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", - "sha256": "20685cfaedd2fe2b3471f27dca9cdbd6794180b2a0fe8045a0e6eef35ebd9c56", + "sha256": "8ac49e7c12e9e26728ce584fffb95e858c0145cd1ff89099123834f39022652e", "type": "eql", - "version": 1 + "version": 2 }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", - "sha256": "03de244ffc1915c80ee82688449c357f1f23252b911b441563cb5f95106f963e", + "sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02", "type": "esql", - "version": 3 + "version": 4 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.14", @@ -1504,15 +1514,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Windows Username", - "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600", + "sha256": "e9ed01e74760cd8f6b5436fa2bf1017b75f7981365876ee0443e0bab995a0f27", "type": "machine_learning", - "version": 107 + "version": 108 } }, "rule_name": "Unusual Windows Username", - "sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a", + "sha256": "1e10d9ab500e362602268cac7c057d8f4200d268485ee4c70b1e1381d74f32a7", "type": "machine_learning", - "version": 207 + "version": 208 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "8.14", 
@@ -1520,15 +1530,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Service", - "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55", + "sha256": "a1c9cbff26b71eb5194648a9907fd39e1504c7662a8f217cd2e9c099f9e24767", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows Service", - "sha256": "aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c", + "sha256": "63fc4e38fc33fd24ef301efc7a52d2781085a9dd8465d14910b075c4ca6b5023", "type": "machine_learning", - "version": 206 + "version": 207 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "8.14", @@ -1536,15 +1546,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Powershell Script", - "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192", + "sha256": "fc63208d7b1218e72d90948342343c545aab84431421c2d3b6d81b1a925181a1", "type": "machine_learning", - "version": 107 + "version": 108 } }, "rule_name": "Suspicious Powershell Script", - "sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601", + "sha256": "3bfa0053ceaa3a5923c2aeac1cbb923a448d65b83dda46cfc701cbcf37772899", "type": "machine_learning", - "version": 207 + "version": 208 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "8.14", 
@@ -1552,15 +1562,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251", + "sha256": "219fa2a191fb555ae903516b407568cc9bbc7be95ca6f3fb302311ce94382f0f", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0", + "sha256": "b13eb00c757b1251104bf4c37b3a291ee5acc963ba34c008a8b6d8731a102b47", "type": "machine_learning", - "version": 206 + "version": 207 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "8.14", 
@@ -1568,28 +1578,28 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Remote User", - "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad", + "sha256": "c2ce8aa3cd6b41359d2374f00b781728b1d6990960574e1d27d013e9a33cda80", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows Remote User", - "sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb", + "sha256": "6e49cc6ec8fa0f149019eeb0d99bc587779e02711c05c54762667fb21676de08", "type": "machine_learning", - "version": 206 + "version": 207 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", - "sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a", + "sha256": "64deb3a7d35566d558e890c281946d23e332598949d863e7f3fbefa14896a901", "type": "eql", - "version": 15 + "version": 16 }, "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": { "min_stack_version": "8.13", "rule_name": "Initramfs Extraction via CPIO", - "sha256": "88f6c3605792e48f97143dae8fefedd34a2b14b68960474ed089ba2db106e09f", + "sha256": "e91def04da5452836c00e38e6652e095e4124c1820f2650c10e07cd01e3fc61b", "type": "eql", - "version": 1 + "version": 2 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.14", 
@@ -1597,21 +1607,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7", + "sha256": "3b12641768e2a47b26428daf4f845ab28c7dd839b86550febd738e1e8586d6ff", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "ace9eeca0b1a6ebcd4b65d9e2ae4bd2f36b8947c516f5d108e7f2e714efc8ddf", + "sha256": "897127ce66b9d6ef35af246c068852d99e7af8df437c3e4d98baa466d779a8cf", "type": "eql", - "version": 210 + "version": 211 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", - "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa", + "sha256": "f20d9f97b235081744c25d793925b812e945e1e5e01719ce39cfcc0defb5b253", "type": "machine_learning", - "version": 104 + "version": 105 }, "181f6b23-3799-445e-9589-0018328a9e46": { "min_stack_version": "8.14", 
@@ -1619,34 +1629,34 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5", + "sha256": "f368ae24273f75a97331eb4294db2df1c387c497dada5ace32520098feaef4f0", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "2c618a1e42c7a15f0b94f84bedbef7c477dfa17b3cac3d42205bf6cde5202f00", + "sha256": "e90219da2c60953e27bc20e62830dafd75772d2db35bbd32f51b8d0a4c6dc954", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "684159701e9e3176c8ca83b06107285ec6e1aab78f1d1794866e3aa38cfaa963", + "sha256": "2e6ff66e9a80e9b1753f07eb7bd19334a9803978510c2c2154280ebcb66cb4c8", "type": "eql", - "version": 201 + "version": 202 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", - "sha256": "575964f96d787c02c6888d33c9161a93837fb176e8e240198586bbbd307789db", + "sha256": "300e205d2f05314cabd3ea5c9dc9fdc35ce1ee5211afd8f65d74a15e3ef0d8e2", "type": "eql", - "version": 1 + "version": 2 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", - "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", + "sha256": "61f062813d6ebdebc0cc6698c7dcc7a975d9f3cacf7713f599fefb3a363a15bf", "type": "query", - "version": 104 + "version": 105 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", 
@@ -1656,39 +1666,39 @@ }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", - "sha256": "c4dbede7ecb8a7d4cb801fda64b573c95bb9410728f7c9f08aa32550ce093b7d", + "sha256": "1f41f4ccb333df0f6e2e8c35cf140f6c0d2a9bcd69f6bcbe995c987bbe00a668", "type": "threshold", - "version": 2 + "version": 3 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de", + "sha256": "3624c2a233bea0d357eca3960733b5cd7bc6de43ac52d3c824553397d583e773", "type": "machine_learning", - "version": 4 + "version": 5 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "f5cbfcaf9e6dd8e01c55fb2ed8afe33ef0b81e5007dc3743f0941ad9b58b7103", + "sha256": "3e0bbc97f6625f0f5294307064489d5cde380528cf838db84c6d84498961b0bd", "type": "eql", - "version": 6 + "version": 7 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", + "sha256": "50d50eff9038dd625531b68413c95b8a5ff3357a9369c17508d6769ab15e953f", "type": "eql", - "version": 4 + "version": 5 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", - "sha256": "2eb986eae007c47e943a3657d2458133f365a7cbb5f997b2bd18de59abedf5c6", + "sha256": "eb75ed2a02885be89ba411760bb066cdb4f58f77f25e138ab75b9eb72226030c", "type": "new_terms", - "version": 1 + "version": 2 }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", - "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7", + "sha256": "33f648f8fa253d9d09a1f3594faf4499982de1fc6d268944164a5d4b08313bbf", "type": "esql", - "version": 2 + "version": 3 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { 
"rule_name": "Rare AWS Error Code", @@ -1698,21 +1708,21 @@ }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "c02ce126b5e2476c4b0957b0c3ef37a9b2dba70091c0f7164a46bc10a7ebdcd4", + "sha256": "2a4b88bcda39f3627856cc76ad43b699768b3d1cabd2d7ed7335c991b0466857", "type": "machine_learning", - "version": 4 + "version": 5 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "rule_name": "Suspicious Network Tool Launched Inside A Container", - "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", + "sha256": "68a2c9ed8a46b384ecb2a355df2a4634cbf081463794ed6e93931901277da031", "type": "eql", - "version": 2 + "version": 3 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Azure Application Credential Modification", - "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", + "sha256": "f7362735f6b890396d8a39feb56c68597b92b95b75576e198efa44353fb980a4", "type": "query", - "version": 102 + "version": 103 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "min_stack_version": "8.14", 
@@ -1720,22 +1730,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Execution of COM object via Xwizard", - "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be", + "sha256": "62babd726ae5a985d3dd9add1aabacf93bb5c8787ad3486f8ca9d1ae675d7ec4", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Execution of COM object via Xwizard", - "sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4", + "sha256": "9826caa22a613e9fdde9bae7324fb6f400cce7a89819041bbb709563fe470c21", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Execution of COM object via Xwizard", - "sha256": "45e3cf83135b3ec25c35cb029422968d7a5094dea02895e0490145fa04586340", + "sha256": "414ae5d1c777554706e77fcf698fa405ce9159905c53e47449683ff8b606b8d6", "type": "eql", - "version": 312 + "version": 313 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", @@ -1768,9 +1778,9 @@ }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", - "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", + "sha256": "34b078db5943919e82a752fb623100ecf49de4400eb5b5af0beb5dde7933f97f", "type": "eql", - "version": 3 + "version": 4 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.13", 
@@ -1778,27 +1788,27 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Connection to Internal Network via Telnet", - "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", + "sha256": "1bc65565de45f1eff32df65b75aff663321aa0ebe9f25ab4bf86a1069147f03e", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Connection to Internal Network via Telnet", - "sha256": "e19d71cafe597bc4b326785b8e8e725a53ba901c3bb0333928c1cb54799beb8c", + "sha256": "be9f9df9dab4218b1aee0e1a6cb799712ac359f1a3282a5bed0d5872ac0928f2", "type": "eql", - "version": 207 + "version": 208 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", + "sha256": "91601e89cb6509b662c58081c0bc8819adcf3c883bdc11c2819cd87ed1ce2996", "type": "query", - "version": 206 + "version": 207 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", + "sha256": "7356e96ea1f088a2fd1b9412babba3ca73d9331aedf84b27f6fc8efe96edfc04", "type": "eql", - "version": 11 + "version": 12 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", 
@@ -1813,16 +1823,16 @@ "version": 213 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { - "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "ae500dfb91fef53e60123090127f7daaf307a63a988ad01fc07d30ed8c8fc368", + "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", + "sha256": "9abe49370597003f6dc75e766e6b82486a26d1616b162ec5d2057028895d5ea9", "type": "eql", - "version": 116 + "version": 117 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", + "sha256": "250fb7d71a7e245ddced159b3f88b246c5ab4e89708f3130c7b27c55c998a33a", "type": "query", - "version": 102 + "version": 103 }, "1ca62f14-4787-4913-b7af-df11745a49da": { "min_stack_version": "8.13", @@ -1830,15 +1840,15 @@ "8.12": { "max_allowable_version": 203, "rule_name": "New GitHub App Installed", - "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "sha256": "5409f401ac786bdadc45606d8d7f4b4c537367d93cf5555278d620c26f984168", "type": "eql", - "version": 104 + "version": 105 } }, "rule_name": "New GitHub App Installed", - "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", + "sha256": "e00feec6890b2361d7a10a06e2e91c713d0f28c866005e9e1f72610f0dbea4eb", "type": "eql", - "version": 204 + "version": 205 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.14", 
@@ -1846,15 +1856,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", + "sha256": "ce97e8b346f6e7bba7e209a95c49253e1561ae4cc80a170c9ae2e23ae6f36dbb", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "413e3eff92ab72f06e4cef563d06cb6fee44cc7c59fd54e342da4d6097e914b6", + "sha256": "26cde5fd51100b2103cc8ebd9ffa4347f2529e861975e6d4b22770ff4e8f244a", "type": "eql", - "version": 208 + "version": 209 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "min_stack_version": "8.15", @@ -1862,22 +1872,22 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", + "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d", "type": "query", - "version": 5 + "version": 6 }, "8.14": { "max_allowable_version": 205, "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", + "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d", "type": "query", - "version": 106 + "version": 107 } }, "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", + "sha256": "7709f499f3a03dd5ce65351e23a1a9959dc5139e8f50d72015df6ce2b0a3233b", "type": "query", - "version": 206 + "version": 207 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.14", 
@@ -1885,21 +1895,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Remote File Download via Script Interpreter", - "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", + "sha256": "832c238b226f2b7fbbc201338e1d0dfe12a9a7ebf4a6263a1f038ab6019e0e6f", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Remote File Download via Script Interpreter", - "sha256": "6f27265db635c4e5a27af29fa64198dfa96b707802e5ccc7cba6609498d3543e", + "sha256": "ada7bae223693811f424b80ca156f7135da309f54f39186bed4f022974dda573", "type": "eql", - "version": 210 + "version": 211 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", - "sha256": "becc05324f5f605086badfd23a1e969801e19931eb7ae06312657e19eac4175d", + "sha256": "16b6264718403929b906f7b79bfd533c83024fbc7acec96ca185dd3cf5d3eaa3", "type": "query", - "version": 2 + "version": 3 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", 
@@ -1929,28 +1939,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f", + "sha256": "94f7d66b79180d0ba45c617e24e4cb3a00c1489fb51b504d7aeffe8001d10959", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "ab6031b77ee7e33386e09b6709ad7d1ab82280dbfda90557b8d4b617f07ee4a2", + "sha256": "c994e0389ac555c93a42a57df8ea2b97d510399c33eb3f11de809c2018c44686", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "efc56fdcfe6bda16119359923755ab32f6703b8de3c44f536d1335dabbd59c93", + "sha256": "675020877e0f237ac091e0142a7db019267d1f73af9366cc520a9f7d27bac85e", "type": "eql", - "version": 311 + "version": 312 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", - "sha256": "181668624cb2b4bcc36606deec8dd31b109407ea7b1591438578d01cdce15dce", + "sha256": "c0dac1892d3e83d5514d879ef3a350f6156b44bf4e67c8e1055de7ef2c6d1a8b", "type": "eql", - "version": 7 + "version": 8 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.14", @@ -1974,15 +1984,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae", + "sha256": "aa02b181f4f9a4df3460586733ba1ae7481ed321e4ef4e2ed3b418030ef65bc9", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "49f49d62f770f10f10fdae98e3f6c03211715e12f5a072a26c1d0b22d1c275cc", + "sha256": "9fb2dbcc6cef8cc07dbeebd0d80481cd0482fb7b26c7ea593610b44081afb982", "type": "eql", - "version": 104 + "version": 105 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.14", 
@@ -2002,9 +2012,9 @@ }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", + "sha256": "cacd567d5376f99af90e85da629e9cff9118851b3e35ce7448c89ba66e5c1407", "type": "query", - "version": 102 + "version": 103 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "min_stack_version": "8.14", @@ -2012,15 +2022,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Creation of a DNS-Named Record", - "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3", + "sha256": "24a5cc160724e80ee85572da35813e258fcb55ef5b077894b4a649d8fbd6f1e9", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Creation of a DNS-Named Record", - "sha256": "5accab0498d68d3aea14b3f15cb0cfde813706bc712ed95d37e68281a4e3750c", + "sha256": "bd366149e20faa5b5e9ad60b298c1ad8f63002ee1451b7ee55e6c101547e6979", "type": "eql", - "version": 103 + "version": 104 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "min_stack_version": "8.14", @@ -2056,9 +2066,9 @@ }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", - "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e", + "sha256": "72276af57d19261776e819edd8d905bd7c5374108d27e9728922200bc839ea34", "type": "machine_learning", - "version": 104 + "version": 105 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "min_stack_version": "8.14", 
@@ -2066,22 +2076,22 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", + "sha256": "021df20053fabc64b24430c7e4bdb3fa187c6f00b27139bffc24759c4e97b817", "type": "query", - "version": 10 + "version": 11 } }, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "d57fd991da3d4f7b2a68dfa3e37deec177fe3b4f4977637a564c09c68949629c", + "sha256": "89dad03842e0833b63ac6d38d5cf8f2712f22e296b4390309b10f471ab78fc07", "type": "query", - "version": 111 + "version": 112 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "AWS Signin Single Factor Console Login with Federated User", - "sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f", + "sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7", "type": "esql", - "version": 2 + "version": 3 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "min_stack_version": "8.14", @@ -2101,9 +2111,9 @@ }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9", + "sha256": "7e9aeb7a0920e68d445b655d2a0b447b01aa117624ddd9e02a8ad4840701900a", "type": "machine_learning", - "version": 104 + "version": 105 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.14", 
@@ -2111,21 +2121,21 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74", + "sha256": "4fefe2cc790c9b5fd8afbd08cfd7bd28ee6f50dffd877ec1400d81c1659bcc36", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "edb91b7c64bd8e744fac58ccc66f711fb22f4daf41dde169c4e8be954d4d2b81", + "sha256": "b8941a4bd23e47360ee8b1a98140c573efad95250ad8e4ff1315da0b83ee3d8f", "type": "eql", - "version": 213 + "version": 214 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", + "sha256": "e43231e171e4e726c838f080bb14bcde8a580af0997b0177b568ebdfd462e290", "type": "query", - "version": 103 + "version": 104 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.14", @@ -2133,22 +2143,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0", + "sha256": "6f9e237253c1d533e1dceaf4f673182fa86dcb4f04539ecb15a9f0dadb01047a", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "c69929f38a28448280307676118534bb0928728d16c0269577d27e957d21011e", + "sha256": "87f7a5cdc22d29da0c8cd7bc438e5e735e064c81584577cd34b46d510dccbe08", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "1a866e733aa7ce66be8425aa24bf02efd91c98b7dce86a22fab32584ef096ac1", + "sha256": "b697c5f18da0dedf8adabf369e59016a5fd9e362cb43d0434c14e7f8b63d93b8", "type": "eql", - "version": 312 + "version": 313 }, "202829f6-0271-4e88-b882-11a655c590d4": { "min_stack_version": "8.13", 
@@ -2156,15 +2166,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46", + "sha256": "c647d352170795fda0533a278e5c93824030a0e2391afb7d858ddf8fcef50ea3", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "dcccdcb3bc1e5b240f35cb216dd6c016c822cf4c7adb33f410aeb8a5f7c01f78", + "sha256": "e6a93a82d6ff821825f36acf2e6b37d99c68712acf3ab5f2a522d288de604dc7", "type": "eql", - "version": 103 + "version": 104 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.14", @@ -2191,15 +2201,15 @@ }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", + "sha256": "25cdfe21fb209fb7941dd020fbcfbadef29f04aadf5eb0e226efda9c35351231", "type": "query", - "version": 206 + "version": 207 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", - "sha256": "f285de9c9bf8851c505323409cd2daf9c3f4f430c5bae5b68541220f7acf0fbd", + "sha256": "f2563e3a26b24e637c8ac73d1f8b2c0a4f7fde0d81cde5ee33392c65892d9ccb", "type": "eql", - "version": 209 + "version": 210 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.14", 
@@ -2207,22 +2217,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", + "sha256": "69246453362e5ca8115d5ebc4d54e31708b17fca42e8f1c3289e2f21e27e0982", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "606f8fb96e10d28c3f078e71f4be2fa3c1806eac4331c217010c3e5404457407", + "sha256": "b3cf96a675e8bce7a335b93a6cceb02c5a7c736ced121dac5662c305c9855738", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "dedd11f2f7e4c43edba25c00b1deddb8fcd93f7c17a384a0ff0e086781d74caa", + "sha256": "99ed70fd9f47a95ed1240f5cc52f747dee59633a0c745c4efa9ab0127865b48c", "type": "eql", - "version": 202 + "version": 203 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.14", @@ -2230,15 +2240,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef", + "sha256": "633c67422491d16a2f3773ed98d16e1beb6d9369dcdf7edf264b8350e008ae33", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "8f0e6c0741fc802300e26ea71da63f8ece28e9b054d35e452de4e7d78bc634a5", + "sha256": "12383abd03ed18e19cc6e38a242cfe6ef50687fab36db30ce2d216216b538b16", "type": "eql", - "version": 211 + "version": 212 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
@@ -2248,9 +2258,9 @@ }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", - "sha256": "c154de44212ce97be6bf2064228454a7baeb68ef036313f325ecbef08dfb1184", + "sha256": "43f37baa64cc4804bd89840d33aefed80888653d43e7e46330bfb4849e0880e3", "type": "eql", - "version": 4 + "version": 5 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "SNS Topic Message Publish by Rare User", @@ -2260,15 +2270,15 @@ }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", - "sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853", + "sha256": "60b1fc8e258630c37d46106e04ddc92ee630843e73a695ff7697480d76438d79", "type": "eql", - "version": 3 + "version": 4 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "5123093932b6f544cf28a9f7f30a22658848fa12289e7f1c21584d21a79e2354", + "sha256": "ae4d37f61191761fb59911def2d9d39ebedf6f1dd02bd3d22bca816328750af3", "type": "new_terms", - "version": 5 + "version": 6 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.14", 
@@ -2276,33 +2286,33 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b", + "sha256": "39e75f704730200ba6057b7687a63159e2080003d55f8b8e6217740e487ab59e", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "30c368664c1bd007c6f25e8f4815c47ba84d8626a03680a17f4d9e672cd6b61d", + "sha256": "7d93d723489d1f6a59e139b58489ea66daaaa5a601a1f03527f4e18f249bd3ac", "type": "eql", - "version": 108 + "version": 109 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Modification", - "sha256": "5950490a263aef327d0d6b9b4f9c83dd9eeb655207043afab349082a0d04e0e9", + "sha256": "3305c5a0f15096a7bb8b0818b40de617448029c1e701c89f35a611f31ddd9f0d", "type": "new_terms", - "version": 206 + "version": 207 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", - "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", + "sha256": "8f0663314dfece6334c90619e9b9e2f5cee01e01b4768df72c1577b166910b24", "type": "eql", - "version": 108 + "version": 109 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", + "sha256": "739bcd7a637855f9186eb263bcd8107c93d83f7790c1ea4fab07b69046503e46", "type": "query", - "version": 207 + "version": 208 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", 
@@ -2312,9 +2322,9 @@ }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", + "sha256": "496ed866c8272f94c11bfa2277bde15dbfa2efe47873a8ddbcbbe832eb805693", "type": "query", - "version": 104 + "version": 105 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.13", @@ -2322,15 +2332,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Kernel Module Load via insmod", - "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d", + "sha256": "6d909c9373be54b6dc83f2c1d0b5416582fe6dbf4206daf4e496410ac5913aec", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Kernel Module Load via insmod", - "sha256": "9abb3eb385fa47087a7d19e819147ba24a8b793841f61aa0b3d6901aa880f106", + "sha256": "34839afc89c7b63c7e306377524879c547688d939a3f78e14a6ab5cf5b7ac210", "type": "eql", - "version": 210 + "version": 211 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", @@ -2340,9 +2350,9 @@ }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", - "sha256": "3f418fe503710182cb6ee9cfde5fad9281638f086f4441f882e8c13dbfdaccaa", + "sha256": "6206107d6e66665a64ef46d0bcd7102570f88e6977651000f2609ad3cc6e8b4d", "type": "new_terms", - "version": 3 + "version": 4 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "min_stack_version": "8.15", 
@@ -2350,22 +2360,22 @@ "8.13": { "max_allowable_version": 102, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 202, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", - "version": 103 + "version": 104 } }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", - "version": 203 + "version": 204 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "min_stack_version": "8.13", @@ -2373,15 +2383,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "New GitHub Owner Added", - "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", + "sha256": "002be9292a0806831cffe8f7c1ae8704f2aba19ded7a11964225cde1c263c851", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "New GitHub Owner Added", - "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", + "sha256": "a2e44a9352982f9a7fab91d7a6c0ed56fa52f09663f20c41c246407f643bb81a", "type": "eql", - "version": 206 + "version": 207 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", 
@@ -2389,22 +2399,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381", + "sha256": "9a03061d1c7d42331e54fa8c990602900d110a67d95d1245e44eae86e42cdc90", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "2fa971d8349cceea534e945ac39e6dc74a0af458533c1ccbca9f544f5f4b2a7c", + "sha256": "9e4c99a01ff339552587a57d476760b6cdeec2634d2f26b6d801a2f3baeb0bd5", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "274df472a867247fc2de690c81bfcb03b32b4ed67e0cc46c3a64d40fd0231c44", + "sha256": "77d41e72a8e9b4a7bbb7fab3c40167833d4e87d06b28d8e465774750ef5104b5", "type": "eql", - "version": 309 + "version": 310 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "min_stack_version": "8.14", @@ -2412,15 +2422,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4", + "sha256": "099be59655d3f1d35382b882049816c2c0570633f5d119e1ae6285bf5d5a901c", "type": "query", - "version": 4 + "version": 5 } }, "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb", + "sha256": "75e4844865ebef904a98f31b4021a2423b98a9e56a10e931089cea0ea3821cc7", "type": "query", - "version": 104 + "version": 105 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "min_stack_version": "8.13", 
@@ -2428,27 +2438,27 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", + "sha256": "0fee3ba7e3d8302fa7bf7fe483672987cabfa3cd38c2e532907b1b788f7c8260", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "219e824eb630f41ee3e7b32a4960f77e8fbe50e1014a05e29acf3a988cf0fbc1", + "sha256": "6ae28a9f2bb3480636a6b4ed317a06aa8278b5aeffa859e7279b2d41a85a12af", "type": "eql", - "version": 104 + "version": 105 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "rule_name": "Network Activity Detected via Kworker", - "sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b", + "sha256": "74fc51f05798d86c079a4db56ebd754908e541d5391fb639a014358bf4da50f8", "type": "new_terms", - "version": 6 + "version": 7 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", - "sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec", + "sha256": "299b97cbda715b5eeabc7800ef5fbdd230b83acfb8b38ff4d6c1f1e231fe8185", "type": "query", - "version": 1 + "version": 2 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -2456,28 +2466,28 @@ "8.12": { "max_allowable_version": 104, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", "type": "query", - "version": 5 + "version": 6 }, "8.14": { "max_allowable_version": 205, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", "type": "query", - "version": 106 + "version": 107 } }, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", + "sha256": "3686340ff7f23094109815bb3ff499c3c9d5feb46b8ca8bf9dcc9059d295a28e", "type": "query", - "version": 206 + "version": 207 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "c48d98b19af215d3015bf2ae376ddaf8e9cf52396b7d8c7ecc202a8dd07e6ca7", + "sha256": "cd4778bc5d33895772be26bc4a6ecf28ef907e39c922c263758d2eed3f7c94a9", "type": "eql", - "version": 6 + "version": 7 }, "263481c8-1e9b-492e-912d-d1760707f810": { "min_stack_version": "8.14", 
@@ -2485,27 +2495,27 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2", + "sha256": "a91ee3996b61c4f76e5010d94738862b0c66cc3ab4c1ab802cc609b442a00947", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "42c3946d99b19b6c84dd284fe024b606c61cd8cbf26ccf17a957a92f9ac8f441", + "sha256": "0ed2079dc7c35c55a5dd08388ae09965a545b30ce73ae9974ab0d607832b6fac", "type": "eql", - "version": 102 + "version": 103 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", + "sha256": "9c1500534b794aa60add9daf3da3805ce5f70b117a900faf565c911764fdc73d", "type": "query", - "version": 102 + "version": 103 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", - "sha256": "984211ed55f8898b7321729d0d86c68d2e9df858d8707db16a873776a96bf7f8", + "sha256": "8b8ce9fd3c322d65ab9459337f4a67256c7d08be0426c6825699f4fcc4ca4659", "type": "query", - "version": 1 + "version": 2 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.14", 
@@ -2513,29 +2523,29 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", + "sha256": "4cb0180da3ef6e0e18bd152032578629a162d39c81b679998254e1e96d7a7a1e", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e", + "sha256": "4daca120672fa56fe87a520d2babba093bc294cc504bef5119b188d48173faa7", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441", + "sha256": "62371061d0455aa0c946f5512e06573f49e1e88b64995595af69a37cfc14651b", "type": "eql", - "version": 312 + "version": 313 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "min_stack_version": "8.13", "rule_name": "Unusual High Denied Topic Blocks Detected", - "sha256": "745f9961079e7134e24a8241e8b0dd9241739cd420c1904e1d1b3d479e86172d", + "sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171", "type": "esql", - "version": 1 + "version": 2 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "min_stack_version": "8.13", 
@@ -2543,21 +2553,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Defense Evasion via Doas", - "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", + "sha256": "5a94f36cb64d23ad01b8c1ffe0cbe7229007da049faf46d3b1076badcc0a3714", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Potential Defense Evasion via Doas", - "sha256": "1c3da01c4b351cf0ade023da9ee0f8c71f5d33cd9ec57d70d403045f8ee952eb", + "sha256": "aeeb4b372fbfd18ee0dfa78606413a606d6bc8e7bee480b01504cbe103fe8006", "type": "eql", - "version": 101 + "version": 102 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", - "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", + "sha256": "bfaf73bd5525893100c9a0593503ec5113aa3f61db2953a685aebf429b142390", "type": "eql", - "version": 7 + "version": 8 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", @@ -2571,15 +2581,15 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4", + "sha256": "d41060acde6ba44c9fd538c2c2169114bcdd473a35332389b5cd82e9ebef2af9", "type": "esql", - "version": 210 + "version": 211 } }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70", + "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59", "type": "esql", - "version": 311 + "version": 312 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.14", 
@@ -2603,21 +2613,21 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f", + "sha256": "63d9ec6b0b8f754c3d04d1b8509f7978545110c21c7cd36b95629e33e8327e06", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "450d468c26a54a6c70c3b7980ebdd8b9885277c51b1b7847b6a9c6cad45d1de1", + "sha256": "ac8b44ec148a457414e9ec3e058a6bc9ca8419eeb1df29a3108f4470cf55f9b7", "type": "eql", - "version": 105 + "version": 106 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", + "sha256": "45a1f7ed44be930e88471db5a5342a95b57a72bc185ba59c55fe89e7400fc69f", "type": "query", - "version": 206 + "version": 207 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.14", 
@@ -2625,27 +2635,27 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", + "sha256": "21c8229d021bc8b4ae787107ff45217ab56d52e249857ff17e0a4f51ef3c7f85", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "30c7423c5023c7e2a06f2b998a346e1a90ca192c24819613312d92d5f7e37117", + "sha256": "5a0f9b9a7ffefc4f2658c7b3637872e4beedb55b3e26d5cc76e3bf45f89cba0c", "type": "eql", - "version": 209 + "version": 210 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", + "sha256": "56e2aa8538cb1bfc6628887e820d427e37754644260ff65a94d8b2cd6ea08aa2", "type": "query", - "version": 104 + "version": 105 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", + "sha256": "72cefcbe9406dd477e621a600dab722c48420a443a88f1fe2afb43a0cf62af8e", "type": "query", - "version": 206 + "version": 207 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.14", 
@@ -2653,22 +2663,22 @@ "8.12": { "max_allowable_version": 215, "rule_name": "Account Password Reset Remotely", - "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799", + "sha256": "4c5bf771c55b8c874282ea178599a0885a460a0a2f93008e1ce3b37eeca9ae40", "type": "eql", - "version": 116 + "version": 117 } }, "rule_name": "Account Password Reset Remotely", - "sha256": "8adb8b82a3d53207484f625914ee09d91378639f23dfaf99e0c5e4e504e7323b", + "sha256": "56605872558fe05e912719802d071ff5ecbb63e38f64a87c8e829ced69d9b961", "type": "eql", - "version": 216 + "version": 217 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "min_stack_version": "8.13", "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", - "sha256": "f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977", + "sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46", "type": "esql", - "version": 2 + "version": 3 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.14", @@ -2688,9 +2698,9 @@ }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", + "sha256": "c5975ef9ab2cb8b6055ad6bcc0d785f845ed553b7efe8c2791515b7f349e860c", "type": "query", - "version": 103 + "version": 104 }, "28738f9f-7427-4d23-bc69-756708b5f624": { "rule_name": "Suspicious File Changes Activity Detected", 
@@ -2706,15 +2716,15 @@ }, "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "rule_name": "AWS STS Role Assumption by User", - "sha256": "2988f8c5e5774464830730c7672f895c27574e37db7a0dd42027d9e4617f69f4", + "sha256": "953a7ce35bfed2b2ce4beb94c883fdfa3e7d04f037d8ffa09fefc2a054676072", "type": "new_terms", - "version": 1 + "version": 2 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2", + "sha256": "8e540cba7b904b32d6b84add9bbcc2611190e0acc86307c9b1808f95efcc53af", "type": "eql", - "version": 2 + "version": 3 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.13", @@ -2722,15 +2732,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Sudo Command Enumeration Detected", - "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326", + "sha256": "60350833224cc7d578b57e68377f5c6eec36459f3b1219b27857d2dfb83c1dcb", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Sudo Command Enumeration Detected", - "sha256": "baf439993dc981bafad369990438f1d3377f8fed5bd3dc2eb66c2df021a7898e", + "sha256": "ca3c91b710e64c16368c525e5853a28d7c78cd266645365f5365dc149a48b72b", "type": "eql", - "version": 106 + "version": 107 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "min_stack_version": "8.16", 
@@ -2738,27 +2748,27 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "3ad739db58620275cb4330a3cc329918aeae3bec457d3dff8ae127ef93ac05f7", + "sha256": "c7cea47065a3505125b65ea6912a9eb94cc3960f40931a96702b6d941aada582", "type": "eql", - "version": 105 + "version": 106 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", - "sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6", + "sha256": "871b644ecad8dbcc497878dc7e8709971fb1b44536be0fa5cd97cfb75cec1082", "type": "eql", - "version": 5 + "version": 6 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", - "sha256": "48882709d629f366aa2742f2930bda9d8520aa354b7a9df6ecb07e58d3ce6a95", + "sha256": "3094fc894dfd934d136e44472bb85b39b667d39ae1af5bbdecb0def1e9ee08b3", "type": "query", - "version": 207 + "version": 208 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.14", 
@@ -2766,22 +2776,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c", + "sha256": "8fbc91f17e1079c6d25358d51370483f648279f3ad8e892d2a679df03c969ec2", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d5889d6fb11d2ccc008cab9342767cacc97ce35cad65e947b0e808f8dd323e78", + "sha256": "d77ce672bc5fc2088fafb1b6633cb2f5955b7939b1d1302b5c2da31c8d336950", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "891e2a84a8bee293f84e2d2d2fb5755a5677ceb079a6adbd7cd800fd88b6a889", + "sha256": "d8fad9d3a7b3d3b175b9bfac15436fde23c180087fd9a61d05bbbdd70434ef3f", "type": "eql", - "version": 315 + "version": 316 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.14", @@ -2812,15 +2822,15 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", + "sha256": "ca1675b3254c032d02eb36a19399f23707b98c5db2ccfb585fd8047fe45e718c", "type": "new_terms", - "version": 212 + "version": 213 } }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d", + "sha256": "5ac18ed0a46ab76604bf76b574a4dd4d177cff97fabf4ba50cf58d2559cf6ba3", "type": "new_terms", - "version": 415 + "version": 416 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -2828,28 +2838,28 @@ "8.12": { "max_allowable_version": 103, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", "type": "query", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", "type": "query", - "version": 105 + "version": 106 } }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", + "sha256": "020aa41dcdc659d6c9cf5c0619429e17fc67a4ed3a229e63c3e2aa82ca64dc59", "type": "query", - "version": 205 + "version": 206 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", - "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", + "sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4", "type": "new_terms", - "version": 1 + "version": 2 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "min_stack_version": "8.13", 
@@ -2857,27 +2867,27 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Linux SSH X11 Forwarding", - "sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91", + "sha256": "607bcf6166da9a0c07fa8208a598d656e9da82b719410a4b3861431a7ad23b41", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Linux SSH X11 Forwarding", - "sha256": "61ef0630017ee5ecedc27ac198533afc92662fccf83af9e680976fb38d7b6245", + "sha256": "00e2bb957fa4242ec45b9b70e37c642d9e2a9fda94bd439e3be93f136118c283", "type": "eql", - "version": 104 + "version": 105 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", - "sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4", + "sha256": "c40db65118e9a93fd6d8e9b520bbce17da234a91ebb79cd1b51352c4215c0127", "type": "eql", - "version": 7 + "version": 8 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "dc8b0a2fc0d7fa52084bd9ff94ef01de5dbafce96fa29a0e89c89ef27ab8e9a7", + "sha256": "9ed50af9932a336e33eacff970ebcb3d99c94830b55744d32565828d68c683cc", "type": "query", - "version": 204 + "version": 205 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.13", @@ -2885,15 +2895,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "ESXI Discovery via Grep", - "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880", + "sha256": "0b220ddab575a1241b10575ba0fa022641bb5dd6d7b668a24f6e4e8e7795381c", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "ESXI Discovery via Grep", - "sha256": "d38a739617452964c32555576678742890611cdb452ed76394bb7a4dbc5b1bc1", + "sha256": "17186c1c0c162dc0877b0ee69ac30a87d0a2ab108b22eaa116c9df0c9a840578", "type": "eql", - "version": 107 + "version": 108 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.14", 
@@ -2901,22 +2911,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Adobe Hijack Persistence", - "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", + "sha256": "c39267858935a1708b5485ab0f15d8fec3c65af74dda3eabe1a645357b6ff54c", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 413, "rule_name": "Adobe Hijack Persistence", - "sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a", + "sha256": "5d4eda2322ee604b41b05b508100d15e3d8230cf544f5e9685b20c82c9957fc4", "type": "eql", - "version": 314 + "version": 315 } }, "rule_name": "Adobe Hijack Persistence", - "sha256": "98e76c4e7dfdfd6f4b1bbc860b8d1ded5399f58cf113baa58e96cbb4c2c34f65", + "sha256": "e7b371bc3cb56880f4b66c8f8fe941a3dc804cf4d7a909203eb1aac36b2eb4e8", "type": "eql", - "version": 414 + "version": 415 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.14", @@ -2947,15 +2957,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22", + "sha256": "19459360acfaabbee9191b0bffc67924d652582ec4b24d908ab43e31ed2baf8f", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "9cb101dff02725a228ac6abd8ec38be725b6f0375a41b27f1ce6e446fa009463", + "sha256": "ed9cc4c9d37caa1424d72d1771b8aaa477eee67588db0cf67131757668706a64", "type": "eql", - "version": 210 + "version": 211 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "min_stack_version": "8.14", 
@@ -2963,22 +2973,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Foxmail Exploitation", - "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91", + "sha256": "9f86eac400e2faa31c8268ac8e848b69881a1f1609f46197976260493af312d7", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Potential Foxmail Exploitation", - "sha256": "677b62dc3502ba3192802220e5c25de4e44c1c068cc4cbb54124820c29ce13f2", + "sha256": "6d21068759a60e2fe7b6b07091cfa26e48f2b6c2a2cf16239f5aff16aa3e6819", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Potential Foxmail Exploitation", - "sha256": "2cbfc9b78f91dc490e73a2fda8ca38737b819a786d7912db3d0dee69983a971d", + "sha256": "deaa9f94ff0d77ec297bbe56228d604d0ec8ff93168338d0fe56ea6586be9b37", "type": "eql", - "version": 202 + "version": 203 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "min_stack_version": "8.14", 
@@ -2986,28 +2996,28 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf", + "sha256": "ca696785db9d072b73354981c190cb3612631aff9bfb21a7e71087839979c28f", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "a80f52e2d0f126a7c18db7078056274ede0a847de4047bf98ab6fdeb58beef17", + "sha256": "db70fff6a4d8ac90ee2307787ac0d09653001e7019f4ef1014397d5d28e28264", "type": "eql", - "version": 101 + "version": 102 } }, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "f343d88c98d36193572a1726eef142417d8f9af99eb57da610bd75e4c1a79d9d", + "rule_name": "Command and Scripting Interpreter via Windows Scripts", + "sha256": "0f14291a9a4bfdb07c95473002beefcd90774b98afcf9d8e07c0e2c3ce47a9b2", "type": "eql", - "version": 201 + "version": 202 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", - "sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c", + "sha256": "52c116a646055bd0157cedd2d9977b1582266b6dd9b8f6d1911d2e72232ae161", "type": "new_terms", - "version": 210 + "version": 211 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.14", 
@@ -3015,15 +3025,15 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", + "sha256": "6f9f6d3a9b1c3c10ee6f372c529e3043cf57abbe70e819991e61b39bd48cfac8", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "ddbbefc59783e983723d68990ec3bed4228de396458b94ed38fdc10ade8d9c9d", + "sha256": "9f2195a1ff14af308fa971db89cf85114f85149da9fab3f43237cc3cbb0a5bd6", "type": "eql", - "version": 311 + "version": 312 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "min_stack_version": "8.13", @@ -3031,21 +3041,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", + "sha256": "fc0687aaffa30b4402ffbb232a6609e8a832a677f70d6f87d826e0967cb6ae18", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "493174dd97f98d9dc2385620938cdd1b1fb3bac13fbaf6cefd5bba1d9d52fbba", + "sha256": "54a054dded59179d223df5711dfe78e54de51c2d8c7f3fd91d4eb0b7cda1aa0c", "type": "eql", - "version": 103 + "version": 104 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", + "sha256": "8df93c4d2e8d8e22dc9b2519c322833798fd0dd6e0179688ad46849263b97038", "type": "threshold", - "version": 207 + "version": 208 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "min_stack_version": "8.14", 
@@ -3053,22 +3063,29 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727", + "sha256": "a1f96c64b24f9a8b3741efd7057dd191f2cfe328e4418e21fa2861f4943345b0", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "903805e8cc42654adfa662e19eab1b40069bf11b67935e85d3d175c3a969514a", + "sha256": "6f66a2c4f0eb285877ec1976337925c992b5644474d9a8292c702802bd961c34", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "1e0176ef079975e1f7800254fbb79354318b4765c236b9cbb67f9ade42b3fa4f", + "sha256": "edaa7c97d52183cb2ff7b10553ab33fbdcfc197d78bc07cda7f29633f878e4e6", "type": "eql", - "version": 210 + "version": 211 + }, + "2e0051cb-51f8-492f-9d90-174e16b5e96b": { + "min_stack_version": "8.14", + "rule_name": "Potential File Transfer via Curl for Windows", + "sha256": "6557b61c306bf5be34401d54dd293dc893f43c1ecd05c5705ad94ca2967878ff", + "type": "eql", + "version": 1 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.14", @@ -3076,15 +3093,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b", + "sha256": "3f92ade9c8cf46297f9846194909bde8477311035bce84de538a59154fab0a08", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "868e3c2f1a196ebbc4dd930f064d4c6b6e935ec882160043674baf64605134b0", + "sha256": "ba2643e57a281cd68d1f699d40aa824bffb36faa4b50d6ee43eafdc67fbf0942", "type": "eql", - "version": 211 + "version": 212 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.14", 
@@ -3124,35 +3141,35 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", + "sha256": "154a54c158e1072b12c8c12e5c0b1a4efd33eeb055cc0a97dfbce0af0e73dc48", "type": "threshold", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 202, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 103 + "version": 104 }, "8.14": { "max_allowable_version": 302, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 203 + "version": 204 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 303 + "version": 304 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", + "sha256": "33aca0b923a70f6be45450125434d1f43b00df2f2b4c53db570c103caff35644", "type": "query", - "version": 104 + "version": 105 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.14", 
@@ -3205,27 +3222,27 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Attempt to Disable Syslog Service", - "sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9", + "sha256": "2ef044a4379ebf8587fd12c998257f558761c47509df7f0295893dd4bb6f34f3", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Attempt to Disable Syslog Service", - "sha256": "22a0fbb06dfda70d1adfd4babcfef821d608b27db689d38ad0a6da435108d146", + "sha256": "06b9e45618193c5102c36edb26ebfcf648ece1120ef3a26f650915c43b5881b2", "type": "eql", - "version": 210 + "version": 211 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", - "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", + "sha256": "5316ada4014d2c9a7930574d4566f9b686174872e4fe5ceb6aadf5aa70ea9f33", "type": "eql", - "version": 2 + "version": 3 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", + "sha256": "12a39f6d9969db63436c1a00acca99e9add307c1cd5027f78b8845251fab148b", "type": "eql", - "version": 109 + "version": 110 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.14", @@ -3251,15 +3268,15 @@ }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", + "sha256": "bdc8c042341275de2dda2fbb2cfe8352f8fef57e17ade3f9a6a0f4a2f34f6f7b", "type": "query", - "version": 104 + "version": 105 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "16e9f3ed67d6796c3a8d6b7fae2c3432ecec1180bccc33240b81d05c0d654d22", + "sha256": "501b384fc62d0114e489f893db676c77a67a7de686ed549cc96d28110a216431", "type": "eql", - "version": 2 + "version": 3 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.13", 
@@ -3267,39 +3284,39 @@ "8.12": { "max_allowable_version": 107, "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", + "sha256": "087ddf9a38cc3a95ddd050c3af74a8205dcf16b78a267a1c40ecab0206895466", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "696509a7cdb782460d36cfa3fa0aacd0526662d34d5b8104d0a5f75c0bdaeb93", + "sha256": "fde62451dcbc2aa7269cb18d276d8552cd6e745cb2f47292fcf56451ef9fdfec", "type": "eql", - "version": 108 + "version": 109 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Network Connection via Sudo Binary", - "sha256": "b469b8c3a65e085d1a09370ef4bf02f1feb2e98f438d6af4c42d1495c1959385", + "sha256": "78f4f52284b8ea5c871846b90d949f540c2cf40216301247c3589ad6e31e8aca", "type": "eql", - "version": 3 + "version": 4 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": "a0060f1d4d4a006b66f4dad527c7bf963002cf71864a361f0c45f7959030f08f", + "sha256": "fde6148916cb146e840e4017c597cb865ed148dd9eb6ad32b27f527b18e30866", "type": "new_terms", - "version": 3 + "version": 4 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129", + "sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3", "type": "query", - "version": 102 + "version": 103 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", + "sha256": "ee23f22e47ceddb6e8677a346d2b5a4af9d9f5da170c238a64f5c8851cb61903", "type": "query", - "version": 104 + "version": 105 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.14", 
@@ -3307,53 +3324,53 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7", + "sha256": "1d5b8b66ae45d9bcba982bcee8dc4994d4cedb7541738eda36dfb8de2accfb0c", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "3a5ba368eb9c20041f39f0ccb099b88622f09abeeca8836f0978e004928922e6", + "sha256": "27eb461382f469f2615f24a2887acc73df8bdfbe582d3d31d321bcefcaa5d201", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "7636e829317fb6054a6324982a7342705e13d8712bd9297b1e16195419b0edbb", + "sha256": "50e3fed73bd4705f76f78df40640d810c310f3acc21468d1246f910127187f4c", "type": "eql", - "version": 315 + "version": 316 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", + "sha256": "5f12891f87725569f26f55d846990b172e4b083945291b524995a0c2b39d1f88", "type": "query", - "version": 104 + "version": 105 }, "3216949c-9300-4c53-b57a-221e364c6457": { "min_stack_version": "8.13", "rule_name": "Unusual High Word Policy Blocks Detected", - "sha256": "e60e73464e34fc8b533162ec135fadf0b5dcfc463f310236241febc2eb032c17", + "sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba", "type": "esql", - "version": 1 + "version": 2 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", - "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", + "sha256": "a75544c3aa79d018caa2133ae6cea5c8ad25a63e3287613ed0a491e21ea8db90", "type": "eql", - "version": 3 + "version": 4 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", - "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", 
+ "sha256": "4361eedfbd069e79f89dc6fc2cb69959fa012d9333bb12fa3a7a48bdc1956047", "type": "query", - "version": 102 + "version": 103 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "bd14c9e18b459c255249f0f5e5e5d3fb94b2c32186ea0e40eb3847cf3da62ac3", + "sha256": "4225710e2f58d4c9a39ab24e6e05d1553387f3bd659ccf97398b490b820df50b", "type": "query", - "version": 104 + "version": 105 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.14", @@ -3361,28 +3378,28 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Program Files Directory Masquerading", - "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef", + "sha256": "17788893fc6510e7f611de6c1046d1c0a8ebb5937ac675d96d8555b98ed4b9c8", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Program Files Directory Masquerading", - "sha256": "b971172eccda841cf458753c2173ec71dad386098f0aecce8d402912cc50f630", + "sha256": "dd7609c7ed75762383c65d441706b5cec4f6760974567894ea5e4b08fb80603f", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Program Files Directory Masquerading", - "sha256": "7118d989ba0d5e6e0b2a80bb486a7a93738b35454c185aa6edf9e558ca1662d3", + "sha256": "5e2521c495505730bc747cae7beaef82e123e96c4fa6dfcc7530e8d63d3640a6", "type": "eql", - "version": 312 + "version": 313 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Login from Rare Location", - "sha256": "3e3186fdaf81508055217cd52ac7b74d8c88bda2fca0eca7f8e1b3b573b7cd02", + "sha256": "c839af879a5c765f5e319641da93e5418ac234abdb825d1d9f1df9d746f9e2e2", "type": "new_terms", - "version": 2 + "version": 3 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.14", 
@@ -3413,15 +3430,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Directory Creation in /bin directory", - "sha256": "f412ce479acffee82949aed77160fece5ab382dbec5d754ae3c3fdf213e61712", + "sha256": "e2fc0d10f43934c5dfad79a4f0f2618e38c52f91e897b1fbbaeb75b7d2ae0749", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Directory Creation in /bin directory", - "sha256": "2c803e78bc8f8a94d576257db77fc5299f73a5e7365d61ee7d2ca6168f5f8a1e", + "sha256": "b5fec392950d06c2eed32e7b773c1586b1664272bd889de75bf44e04bae6395a", "type": "eql", - "version": 101 + "version": 102 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", @@ -3435,27 +3452,27 @@ "8.12": { "max_allowable_version": 106, "rule_name": "ESXI Discovery via Find", - "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df", + "sha256": "e945a579fb2d4bdd868c12f606098cd96cd82197b76142880a5deab1ab401ab5", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "ESXI Discovery via Find", - "sha256": "fc783c447a0efdf2dbb9749e4af9982fcfe4ca9c0a25e771675c110d1e56672b", + "sha256": "3ce260f07de51346b47a66b5297226e6450cd3bb3e57a902ac1a06fb9bffbae9", "type": "eql", - "version": 107 + "version": 108 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", - "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", + "sha256": "2d6cac53a7d7baf61d489765382f2b2d431be53f846101569f7e49a35e59df98", "type": "eql", - "version": 110 + "version": 111 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", - "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", + "sha256": "8c1e8fd8134b90d32749366fb7d20b184a823a0e5e341af7b44f61679905bd6b", "type": "eql", - "version": 1 + "version": 2 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "min_stack_version": "8.13", 
@@ -3463,33 +3480,33 @@ "8.12": { "max_allowable_version": 202, "rule_name": "GitHub Repository Deleted", - "sha256": "660476227e525d314ca01414cb724faceba46253e12dc63cc24f8ed8e5014fd5", + "sha256": "bbc9f533b703f0f2a2aec221e6c184c662bae31b89b8e01b2a7483f00fdbb84b", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "GitHub Repository Deleted", - "sha256": "31dfbf633245e9bf0fa40429d05f942caf186ed52c457ed58d90fd309dba218b", + "sha256": "680ea8566ca2b5e114053f331458450f3a9fdbdcda67246619a56e3304d7d4bb", "type": "eql", - "version": 203 + "version": 204 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", - "sha256": "cf3130f23b44875cbdc95a497a47b56ca8d3eddfd51b8275318b17028b7f5e56", + "sha256": "0d6e63fdb711a79ed9a8236fbfa447b8dd9cd9c750fe206e4f69d544b4cb7127", "type": "new_terms", - "version": 1 + "version": 2 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "d4d536d179c2456b42cc7463e03bb7cc9e7f6b8fc478a861c31138ba803c957a", + "sha256": "a93607d49470b41ab526136a54c50d0d65923b7af46008f570ecf780090ff342", "type": "query", - "version": 106 + "version": 107 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", + "sha256": "93108f6db43019bf85a026b0e1a0283d1387d43696c8cbff0338ade95de87373", "type": "query", - "version": 106 + "version": 107 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.14", 
@@ -3516,16 +3533,16 @@ }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "7f778783d142f64fbf3be96cbd7c5059a658dce8b1986144a77ebac82f8c9a58", + "sha256": "b78351582a7ddf68ad29828252540753accedab11361b21c3cb3cfdcd7ea6da0", "type": "machine_learning", - "version": 4 + "version": 5 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "min_stack_version": "8.13", "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", - "sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88", + "sha256": "3f28423faced2b8aa0493681362683f095c9464aa5ecb67465ac44f2694aefc3", "type": "esql", - "version": 2 + "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.14", 
@@ -3533,28 +3550,28 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0", + "sha256": "fdf30a404fcf1f457a3530ba76e543daad00de78c6c30a18ca40f103beb6caf2", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "ec66f5859b414a64af3fb50ecdd42328868c38c15d769091fbe8b212c4bfeb46", + "sha256": "19bed7ae3eefe2b9f8d9f9cbd99efbff32206937e70a162d1491cd54c108c103", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "d4084427ba4202e29ea9d52ef3f7dbf75c97b4a6f1a10725f786c723d5659016", + "sha256": "8c2faa0a772b773b9aa59da52cd46c6984b6271a148639ba16b293ccddce14a5", "type": "eql", - "version": 314 + "version": 315 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c", + "sha256": "cb3f4e2e92eeffed4bd1250dcc2811b1e4ee69877e3d14a107578a5b0d10fe24", "type": "machine_learning", - "version": 104 + "version": 105 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", @@ -3564,9 +3581,9 @@ }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", - "sha256": "fe046a7846b79f672e4e7b8458d89a2e198eed687295bd94b48f0aa55d4e2d18", + "sha256": "2c9b76f51b6b60aac35cbe7fe3bc6458f23d91c76c8cab96a30d6148b94b3d74", "type": "eql", - "version": 110 + "version": 111 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.14", 
@@ -3574,28 +3591,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb", + "sha256": "e0de6aabadb9b3edc0355ae72df8fa446a91a842ef12b8ef6ec687e906c931f5", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 308, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "d70480df37508e5a424c838ac5ccc1002758e722ac2e3a8fdb58ba327ec88eaf", + "sha256": "cd1475178a3952f625d34aa54ca62f9221babf15037db6ad279da8a14ec58ff7", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "6cb28ae624dbac6a4d47e720907a77cdf089d5b190a6cc3bbbc2cc16990dd488", + "sha256": "3cfd44cb623fa5f87fb2bc4b70fb4825b8c30cc422f5ca4959f8affa6a59c239", "type": "eql", - "version": 309 + "version": 310 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "702a6f3a2433e5ad66e4dd17b555c7bc979578f8248e27744f421e12791d0780", + "sha256": "0375f50891da2c560d538d9af682bf73815c0e8097191a66c4b7ad3d2d9f85a0", "type": "machine_learning", - "version": 4 + "version": 5 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.13", 
@@ -3603,21 +3620,21 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Potential Suspicious File Edit", - "sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd", + "sha256": "85b4308a095fda0a1a41576379cf8ca6d2bcc3ddb4aaec2c851eb2c5f083e6f8", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Suspicious File Edit", - "sha256": "e3c28261518b3d09fe11ffba93334faea5c28a139351f3b8218907e2843ba3ee", + "sha256": "cdff182cf2a97fd9ff3c7d14e95a5a79e3462d548eeef0db8a2367e2af77e5d3", "type": "eql", - "version": 105 + "version": 106 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", - "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", + "sha256": "2d9a2d2805620d5537bdc598986669726205be63bf72fd472e586860559f3c15", "type": "query", - "version": 206 + "version": 207 }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Azure Active Directory High Risk Sign-in", @@ -3633,15 +3650,15 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS SSM `SendCommand` Execution by Rare User", - "sha256": "eaca01a4eabb8830d6e1829229535613f1f61dd22c301080198653b3cbbff971", + "sha256": "713fd8c17945bb80c3b98f60f14f907c30c2a333641b4671b9a0c3ff0c5618f4", "type": "new_terms", - "version": 210 + "version": 211 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916", + "sha256": "5f573869ccc59acdcce25fd3eb2fc8e2c968f0706d244c11c7ca14753b018257", "type": "eql", - "version": 206 + "version": 207 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.15", 
@@ -3649,22 +3666,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", + "sha256": "335b721089e14060d49efd5a24e91c1234579d86f289c8e2d55a68f139685424", "type": "query", - "version": 411 + "version": 412 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", 
@@ -3672,33 +3689,33 @@ "8.12": { "max_allowable_version": 214, "rule_name": "Network Connection via Certutil", - "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be", + "sha256": "3f6234c8ab1d36fc0aee41b20d47c226fdddafbf988fd7a990edd1967bb6c123", "type": "eql", - "version": 115 + "version": 116 } }, "rule_name": "Network Connection via Certutil", - "sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071", + "sha256": "ee7de9f4e8ab3c5761b6312c919095c5cf492a9db5a0723c83799fc34b584f5e", "type": "eql", - "version": 215 + "version": 216 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "4082dec3872831be075b4437114dd49a7322440fc0f7650a4de37632a9a6b063", + "sha256": "97d4337cd351104a3925d2dee5c322200ea4f2f58aa5b199d556deee79d05105", "type": "eql", - "version": 208 + "version": 209 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations", - "sha256": "b27504fdf50603f2d3b2d98b424475dd42fa3e57f3331ab23a5b8290dde2302d", + "sha256": "0300fec34ca31a5cea787eaded914a17bc72892cce35401a358a0cc6aa49fb1e", "type": "threshold", - "version": 2 + "version": 3 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", + "sha256": "c794cb33079d83fd0ff1a98396f73fc84073e6498982afb0f9bc08d82db37dea", "type": "query", - "version": 102 + "version": 103 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { "rule_name": "External User Added to Google Workspace Group", 
@@ -3708,21 +3725,21 @@ }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", + "sha256": "60c301aadbc57095fbb764f310effa2a4d569269d7b1baa6f08adde2b312328c", "type": "query", - "version": 206 + "version": 207 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "rule_name": "Downloaded Shortcut Files", - "sha256": "3734901c2dbce0d6f0b119ddff90fe866f68c2fc432c33ef166921f6ba83c1fd", + "sha256": "6c9bc695426f3a54fae927672294c7f2717d5cad3fcbfb5f08b482c14ca8939b", "type": "eql", - "version": 3 + "version": 4 }, "393ef120-63d1-11ef-8e38-f661ea17fbce": { "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", - "sha256": "c17aaffab1800f50439ea947e5d83bad847542dce0fa3a035bff758b4b41d5a6", + "sha256": "3baef76c046e4ec7eefef4ea4afd2a3ab5e3087df2e8501087fcd54235a0ea2c", "type": "esql", - "version": 3 + "version": 4 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.14", 
@@ -3730,28 +3747,28 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", + "sha256": "b4336a223059e535a011019a1195afac85891381ddf49844a802db5e2b477d60", "type": "eql", - "version": 107 + "version": 108 }, "8.13": { "max_allowable_version": 306, "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "fbccc75ff02a26ccb579fc912dbe3bf5e26a7b1c0e7f2084425a15d680bda382", + "sha256": "6fea9ce2228537a8fdd8bed28be66ad7dda0b6cab23977c97c5c546f0d948fdd", "type": "eql", - "version": 207 + "version": 208 } }, "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "33de23d497e65bf6580cc0881d00591732c13e58e5e35d309d5a9bc28346b5de", + "sha256": "e8b70f2aab1ae0ee6ed818eb7bb5e7feb7fb75ac124680f6f0e9e79ae7395e46", "type": "eql", - "version": 307 + "version": 308 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", - "sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b", + "sha256": "e121d39bd55b1f521c46bde65369f4dc594bf36659e4f5ccc0716bc3a1179e46", "type": "eql", - "version": 3 + "version": 4 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "min_stack_version": "8.14", @@ -3778,9 +3795,9 @@ }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module Loaded by LSASS", - "sha256": "372861b3a0dbd56bd07c70db72fade23ea4a42e3e23bb7f2abdcb213da4ebc17", + "sha256": "e01f62982334437f828c2aa0c07b8867b2b9811b190a82c5b871d1f47226447d", "type": "eql", - "version": 9 + "version": 10 }, "3a657da0-1df2-11ef-a327-f661ea17fbcc": { "min_stack_version": "8.13", 
@@ -3794,9 +3811,9 @@ } }, "rule_name": "Rapid7 Threat Command CVEs Correlation", - "sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99", + "sha256": "eea438035c9adcd9486112d776374a2097e248b2311e73e0feb0d239e6507a7c", "type": "threat_match", - "version": 103 + "version": 104 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -3806,15 +3823,15 @@ }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "7201f6b6243d0d0dc0eac73fe827a1ffb624b049a65a51c6841c687ffe51721f", + "sha256": "32d8adf51c1b7880e73d4cdb4e6b9e4a748807c35a66aea5866abec659490bd6", "type": "query", - "version": 105 + "version": 106 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", + "sha256": "136ba855c996285fe602c5a751d85e4d5597adabab876c0840fb892207d97fb7", "type": "query", - "version": 103 + "version": 104 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { "min_stack_version": "8.13", @@ -3834,9 +3851,9 @@ }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", + "sha256": "f47e578ad81a99ac6ee1bd6045dddbe2ded14cc8f273b02f0f64ab04824557de", "type": "query", - "version": 103 + "version": 104 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.14", 
@@ -3844,22 +3861,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b", + "sha256": "9bd527185ec4c38596e49c3a7ad276daa080ef3cf609a464de4f59e21fc1080d", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 412, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c", + "sha256": "fbe869ca88d432de9d48ffbb12ee20f5a623aed0aab53eba99bd3e08daf687e4", "type": "eql", - "version": 313 + "version": 314 } }, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "6607d2b148d51566de12ce0fadb3f13c90bb62e32b04a73759da7217d76f611a", + "sha256": "ae201f63b498ee9be3fb10b20daa1fefbe924dae1f8f7aecdfa986d172ae93e1", "type": "eql", - "version": 413 + "version": 414 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.14", 
@@ -3867,40 +3884,50 @@ "8.12": { "max_allowable_version": 213, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686", + "sha256": "9156d62db12466eaacc5c148af5205afdccba699bacc8d950d5d34aa5b2df532", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "7dbd101cfc60e0f4febc19c31533e12bb0a1abb9ecb7563306f9f11e42d65fdf", + "sha256": "dd1b2492ffdf8c527d2d87c4912e2cf19379fed1f522ba7e4db9fcee5d00d046", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "efc4be7065fb21dda602cb05f908b052088f468c4d5895557352b0bb7b435b0b", + "sha256": "d19835254ddf472acf6a543dbe42f0a508febba6db3f7f41149edfda7b57673b", "type": "eql", - "version": 315 + "version": 316 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "rule_name": "Unusual Linux Network Port Activity", - "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358", + "sha256": "c64036bdf9d9943178534e62dec4700829eb822cd497d08d1ac1d8f838d9d342", "type": "machine_learning", - "version": 104 + "version": 105 }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", - "sha256": "26c46bd62ff0d516a55fc08e17a9f41f3409d3490f4e6eb2c8204567f91e39f1", + "sha256": "647988b210c60c004ffe25efb4cce91136936f1cd83245f9f2b502058e6a2f02", "type": "eql", - "version": 1 + "version": 2 }, "3ca81a95-d5af-4b77-b0ad-b02bc746f640": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "Unusual Pkexec Execution", + "sha256": "39004fc8c21df3175d05b13e4a85cc34c55f385af7ce819312b04b1a4df1148c", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Unusual Pkexec Execution", - "sha256": "f881f99cc51d27e19d500ed2de935f93246a9867a31fa8c9131db09d72eee2fa", + "sha256": 
"72cce527b0f0efd2f300fcd93f1c0273b4fd5476d6771008722109e0923882a1", "type": "new_terms", - "version": 2 + "version": 103 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "min_stack_version": "8.14", @@ -3908,22 +3935,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86", + "sha256": "2b9c1287e301ff5273bf46bd4bc28af19a2c2e647f220ca8e0852fb643de0ebc", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 201, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "73219570f39fd74e63d334cf190ecad1456cf55d17635400acccced12f4145db", + "sha256": "cb777b967e2bef0af6adc011736d39ada2837c23d819ee51dde816731fa5a898", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "152d719bdeb4edfad363cab37bbcfc8cba76396e6167e9191f3cee7e4ea76042", + "sha256": "f87fa55947db415ecfae1427203360803e4bb8d727b1e46383b1f6478f252bf5", "type": "eql", - "version": 203 + "version": 204 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.14", @@ -3943,9 +3970,9 @@ }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "rule_name": "AWS SNS Email Subscription by Rare User", - "sha256": "3782f3b4a3f1178ef89a11153e95f81c46ce674abc47b6c266753a0216a05c5c", + "sha256": "0845930f3f6cca07e769a39389e06a1fea6d273cfaf4c9470cd1a04c34b9c947", "type": "new_terms", - "version": 1 + "version": 2 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", 
@@ -3955,9 +3982,9 @@ }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "rule_name": "Spike in Number of Connections Made from a Source IP", - "sha256": "12c6038b69842f3fafbe9f2dd9630e0d41734d2b8678ebefe442944fe4a7595f", + "sha256": "0c33ca9283c1c2552060c3b5000ec87d338048cd715f4e7be2d3fdefe8a28fc0", "type": "machine_learning", - "version": 4 + "version": 5 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "min_stack_version": "8.14", 
@@ -3965,40 +3992,40 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de", + "sha256": "c0609df66a0848dc19f078200819edba894a861449ad572c19d8eef041240566", "type": "eql", - "version": 7 + "version": 8 }, "8.13": { "max_allowable_version": 206, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "80ec99e7e9c7ceb86a2819a92409d1afbf4232a8603b961b1c2a06d3d5fec295", + "sha256": "89a4b41e934b13c0e79392e7730805f3e18c7d8cb6c3121b8b54b69a1aef8450", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "ed255a3528818035e55fb704799e92c28c150eb25062d2a1f17bcb57f7606766", + "sha256": "c7ce8b4413d99ed660c419bd822448ecdb2bb29f85095afc3954b5b698f0510e", "type": "eql", - "version": 207 + "version": 208 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "rule_name": "Kernel Driver Load", - "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", + "sha256": "383925a7469fa24f12272515f90f29aa907b908a1f8cec676765b5c5cc5155d3", "type": "eql", - "version": 4 + "version": 5 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", - "sha256": "b6aae2c2f1319d6dfcfceea3d42f2c90a421b25587e321a4bcc543da9488b064", + "sha256": "3cebf88aa246878db291a8148f143b3c0a07f8319cfd99c30942934db57c8a0f", "type": "eql", - "version": 107 + "version": 108 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "rule_name": "Potential Remote File Execution via MSIEXEC", - "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", + "sha256": "66d3c7048c18aeeae2d032d26dcdc294b41eb32679eb445839815f7fcf66e4a8", "type": "eql", - "version": 3 + "version": 4 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.14", 
@@ -4006,22 +4033,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864", + "sha256": "5e547726d704a4301dc4615b98d9b7ad1f182d5cc3aedce53b9b6b8185aa41eb", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "495df18eb2e7fce9cab92e0daa1a6fc851b024af00ffe18364998f6349b22c9c", + "sha256": "5185ebda64142769dbcbdea022b195c73dfdfaa284fe60c4447cf57b4ce31119", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "b3772a465fb94393a11a17110e5399564938138ce5e9a99952cecc8c7740c048", + "sha256": "767b7b4563a4fb94ee651353066ae8d1b66db8074cbafea2af6ee54fa111fb1f", "type": "eql", - "version": 312 + "version": 313 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.14", 
@@ -4047,21 +4074,21 @@ }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", + "sha256": "1a8ce0d911498f3340f7c6af2471615c1614881de45680175490600cd63fdad1", "type": "query", - "version": 102 + "version": 103 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", - "sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420", + "sha256": "e3e1a89317aac3d3163e762c015186ff6195e391a1d3c206d9ed54926a2cc6d0", "type": "eql", - "version": 6 + "version": 7 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", + "sha256": "ec3773996957cf55b8cd5ac6098d1fcd503543308d70f1848e13577fa9dafef3", "type": "eql", - "version": 110 + "version": 111 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", 
@@ -4071,16 +4098,23 @@ }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "rule_name": "Unusual Time or Day for an RDP Session", - "sha256": "da80ff0e6020c1f4b703d597ce09ad294629d13d57cddce31f7eac0eb7d51f16", + "sha256": "19b368441d2d3df9e36cec3f78601af029ba7a4ad96080e8a8a260e0062e4014", "type": "machine_learning", - "version": 4 + "version": 5 + }, + "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { + "min_stack_version": "8.14", + "rule_name": "Command Execution via ForFiles", + "sha256": "a07d79ae3c7704e2254a7b3acfbb61cb39794537180723d6f351c719ecbba5e4", + "type": "eql", + "version": 1 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "Azure Entra MFA TOTP Brute Force Attempts", - "sha256": "1a4b33f58f3f5e8119f8fdac2f49f61b75eb76cc5b91e8be6045078961c6f24c", + "sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c", "type": "esql", - "version": 1 + "version": 2 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "min_stack_version": "8.13", @@ -4088,15 +4122,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "DNF Package Manager Plugin File Creation", - "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc", + "sha256": "fac0417f4ce9d3dd3a95c48c5bc2916286db6bc572c8a5e31160761ffae8cf56", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "DNF Package Manager Plugin File Creation", - "sha256": "1aa2a1b1eca396c2a3f70bbc52d318ee9f31bda76398c543d78e25726cb02d3e", + "sha256": "9720e2ceb0deb64ad3773f7fb220ced4722d2586e68fffe60616480b49faf4c5", "type": "eql", - "version": 103 + "version": 104 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "8.14", 
@@ -4104,15 +4138,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a User", - "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134", + "sha256": "224877a0c6c75c03df527910da6a040b10e978b5277a900b3a5ebd606e5dcebc", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Unusual Process Spawned by a User", - "sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e", + "sha256": "c26260d1977bf5bdca1f886c44ec9eb78f3a2a3f006f7c578474c60debadf653", "type": "machine_learning", - "version": 107 + "version": 108 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "min_stack_version": "8.13", @@ -4136,22 +4170,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Persistence via Services Registry", - "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a", + "sha256": "f1c3d405ae61b94497a8a3b5ee7ad7b72dcadfec716c42f2975f6e18b624ec88", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Unusual Persistence via Services Registry", - "sha256": "189be13789b4fe9c8186eb9792601f98902e9e4f771519b7b2fa1a3730ac9783", + "sha256": "a73f4f5a3392e6fdcae94374c133aa55cd47a2a5f09dbd25ddec84a3f5d3f29f", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Unusual Persistence via Services Registry", - "sha256": "d4f0b0b8e409cfc73e748281d83319870c4576cc95f3859d8935524d3bc92af0", + "sha256": "5e43f778807201218a8a3cd2b8d33600b9cad394bf1d10a1a6a2bb8219170ffe", "type": "eql", - "version": 310 + "version": 311 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", 
@@ -4165,15 +4199,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Unix Socket Connection", - "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0", + "sha256": "66104dc588552246b0806f00f248c812a63ff54ca038949740267b9b913b3ec0", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Unix Socket Connection", - "sha256": "48a869a44950954d5f8f9e7e503bc71a3aef2f85baf249208f3562f525347ce9", + "sha256": "4e6ed5c689e74843dfe8eb79179c061375fa76071e31e878a498eb81896a3be0", "type": "eql", - "version": 103 + "version": 104 }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.14", @@ -4181,22 +4215,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72", + "sha256": "eb0e17bd095fd38ddf2c2ed71f1364ac981fb062c0fae437dd381d62debc8747", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "ef575bc7d7acfcd5bbcb58ad8207b7e652bf99f488da62ebd21d3f1f263c804c", + "sha256": "158669641e518716cc54cccf172ae7f2a1640c5c56d8a13c1bfb3ec8b1099c39", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "00d4df4d402cbc68f54277c6595937da99601194d0c3c14f55b63bc2480f3d53", + "sha256": "291b11e58bc1c7474e180f4367210eb8d6c53f5f2d722ba277a503097991353d", "type": "eql", - "version": 313 + "version": 314 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "min_stack_version": "8.13", 
@@ -4216,40 +4250,40 @@ }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", - "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", + "sha256": "f97c48740ffa8df05329c651c9620651fc36b543d6cdf582bec60f4945539c70", "type": "query", - "version": 103 + "version": 104 }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", - "sha256": "fe2c4a17447305354c8b9fb488d5c6fb13c563a31ab9baa5f8e4c630c4ab21dd", + "sha256": "f5901faceadcddad30aa0d48e7489446e561374f349a4bacaf544f9c5c418f6c", "type": "esql", - "version": 3 + "version": 4 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", + "sha256": "777ea9757b7d3052124e6cc8d8748e0f0b03cc82e8c82535853132c99389a688", "type": "query", - "version": 106 + "version": 107 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { "rule_name": "Mount Launched Inside a Privileged Container", - "sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d", - "type": "eql", - "version": 1 - }, - "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { - "rule_name": "Interactive Exec Command Launched Against A Running Container", - "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", + "sha256": "b1264c8dba37013a036a37be5f2224231f056b698da7eacb55869127c98aa729", "type": "eql", "version": 2 }, + "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { + "rule_name": "Interactive Exec Command Launched Against A Running Container", + "sha256": "ccaeaaf1218304a670c49ca863e898fd726c57156474f56613921232d21d71a2", + "type": "eql", + "version": 3 + }, "428e9109-dc13-4ae9-84cb-100464d4c6fa": { "rule_name": "Login via Unusual System User", - "sha256": "66fd861d1fa983a1abce1672b26a0ec424f5021eadbd38113c20cf070607a573", + "sha256": 
"98d6ad1428c6a1aa6239bfa75936d88f18749d6fb33d148792889108ee6f792a", "type": "eql", - "version": 1 + "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.15", @@ -4257,22 +4291,22 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", + "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a", "type": "threshold", - "version": 211 + "version": 212 }, "8.14": { "max_allowable_version": 411, "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", + "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a", "type": "threshold", - "version": 312 + "version": 313 } }, "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", + "sha256": "7de53603ee4b0fe24f98d5eac198e89c58e92243d6a6e67795968369a9fff2a3", "type": "threshold", - "version": 412 + "version": 413 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.14", 
@@ -4280,21 +4314,21 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Process Creation via Secondary Logon", - "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257", + "sha256": "91d70e5b1107013dad8be7bae393bcca1047e1bba36313312bcf1ab8865abe14", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Process Creation via Secondary Logon", - "sha256": "6674dfbc494de648492942264a74378878bd65349a373567ab79725690c27aba", + "sha256": "0a1002224da121ca30f21a8dd641d8128a10f7113c132713aafe7cb287e82fec", "type": "eql", - "version": 110 + "version": 111 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", - "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553", + "sha256": "eb323bc47a138a26bc5bcd92f8c25da588ca83b5b8dd6a8e7203111d13961caa", "type": "machine_learning", - "version": 104 + "version": 105 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", @@ -4308,15 +4342,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Linux User Added to Privileged Group", - "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e", + "sha256": "9ea5cc7a7d60adf681ee39ab6a1c142f5864ce9d989756808a78d1d00b5e0a1f", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Linux User Added to Privileged Group", - "sha256": "f1c6054713eb3ad3792dee7d6aea237da18cf74fab7306e92ee2065db3607361", + "sha256": "aed1e55bff87f141c5ea1dd5d2bd5453a61f1e0d72d2c26f2e961a0107d1be5e", "type": "eql", - "version": 108 + "version": 109 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "min_stack_version": "8.14", 
@@ -4324,22 +4358,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77", + "sha256": "3093b3093e9dfac5593dd9dead91b15345100e95d1bca816d602302c4ad03332", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "55097fe7650ccd542aec1b7f2aa6cbd2363a7907f40ad5d19c69854a09f8a21e", + "sha256": "83e9d41fa1688f6e43f49b8f90e227adc1faa9a2cac3db9e262c7d452e68bc6e", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "d22e1212d466beeea462d473302315e0145664ef7364a5d7055e1e499b1d1543", + "sha256": "c0608c95611f1a89e093cb3a0b2080c46a012ec91358883418506af1cd874eb3", "type": "eql", - "version": 311 + "version": 312 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.14", @@ -4347,15 +4381,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Windows Path Activity", - "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94", + "sha256": "67bd807b50763f06dc6861bd1b4a7ad996afbb5766a7dc22bec1762999b6b281", "type": "machine_learning", - "version": 107 + "version": 108 } }, "rule_name": "Unusual Windows Path Activity", - "sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4", + "sha256": "0c67162e07a41a693f97af4942752d9557c76b058a4fa0df6be8777647152a80", "type": "machine_learning", - "version": 207 + "version": 208 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", 
@@ -4369,33 +4403,33 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a", + "sha256": "e05edd0663a23b3dc3d0dd5f2131a31dd196f6d5357755443093cbb8bf3ea29c", "type": "eql", - "version": 11 + "version": 12 } }, "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "05a22c3ee9741e987667e6487211254de88c897b90832c45430c18a6b4582a38", + "sha256": "5fe1ae3d15fd72cc199a3ad6e01a42350d17065a06bc1bb2e3dc03455fe8b873", "type": "eql", - "version": 111 + "version": 112 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "Route53 Resolver Query Log Configuration Deleted", - "sha256": "fe85472e289bd363341d59f4b9a362e21110fd6fb58902f400f3575b09f612a0", + "sha256": "bca21aeb358e7719e930c2792a3c5b1b899b86341952c8e0acf0f7a4fa84d36b", "type": "query", - "version": 2 + "version": 3 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", + "sha256": "bc6f767d4be0de3156f54c606bcf218fc712696406e84ecd976a907d90c156bb", "type": "query", - "version": 103 + "version": 104 }, "4577ef08-61d1-4458-909f-25a4b10c87fe": { "rule_name": "AWS RDS DB Snapshot Shared with Another Account", - "sha256": "bc96c80774873e20fc93cc0aeb3cc34e08ce5f4b3109b4218de43a44228be7ed", + "sha256": "ed499f9d7399c1be4f54417888b74be031a5b50a48b1d7c68b8caf33c4e24d44", "type": "eql", - "version": 2 + "version": 3 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "min_stack_version": "8.14", 
@@ -4435,22 +4469,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f", + "sha256": "40e7e669f1d9642518565d307ffc5b75f32bc59dbc783bf57db3e2375b38c647", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "7ad3e21c453191513dfe0e226519ce81d8d70e633876b9c5c611b097850e5c22", + "sha256": "e08df69ea36b56a927183010b7fbfe8e60d6c949a5489a3cfc82b7e9f45a3af0", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "911870b02ee518a2da8c3f8f090cd4b295555c15a1be6cd1ebc0aa8b569b12e6", + "sha256": "7546574a8ca4d5b8c758c17fb1658b2b1abbed196bd8d2090721d8efac0ec65d", "type": "eql", - "version": 314 + "version": 315 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.14", 
@@ -4458,28 +4492,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e", + "sha256": "9220e8499f32c72c36f2717e2499061f06a342f3e277f61283527351218c1329", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "70ebcc9b4db135969838d698ab1670f702ef00ddc29111226b7fa8d6b0a95f7e", + "sha256": "a2c4ebd5c69128fb78c6779664f8db208871ddc836b4b5854a0cd479429cd1af", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "ef467b076c584bc58e0fb6a3391048706f314e25ebb970eb1c7861eaaac4eacc", + "sha256": "3b0c27765337c2d89b8c6b82102d1f32fda82841806112bc4ac4d54c7d5ec5be", "type": "eql", - "version": 311 + "version": 312 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", - "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1", + "sha256": "6cefd4c22a36577834d4d834fc5c1929fed830cef4703c1df262425f4f6b2cbb", "type": "machine_learning", - "version": 105 + "version": 106 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "min_stack_version": "8.13", 
@@ -4487,21 +4521,21 @@ "8.12": { "max_allowable_version": 112, "rule_name": "System V Init Script Created", - "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034", + "sha256": "c38ce796006c8f39b82f0922d30cc71ddfbe8de3d7e7fa13c58947169f07dab2", "type": "eql", - "version": 13 + "version": 14 } }, "rule_name": "System V Init Script Created", - "sha256": "75707b6e1215c02b5b333be4caefad14917a87d8d0d5b38a18c346eb857ba622", + "sha256": "30cfadc148e90c2cfc4382b7c085885ddc67f47211258ad9e8c35e63fb80d117", "type": "eql", - "version": 113 + "version": 114 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "rule_name": "Sensitive Files Compression Inside A Container", - "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", + "sha256": "dc24c07ba236a3bb8628763095daaad91b96ba4e6d7905cb1ef854665513ea6c", "type": "eql", - "version": 2 + "version": 3 }, "476267ff-e44f-476e-99c1-04c78cb3769d": { "min_stack_version": "8.13", @@ -4509,15 +4543,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Cupsd or Foomatic-rip Shell Execution", - "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01", + "sha256": "725b79909f3f199afec5b728eac38e0b2be9545c1c9fb3963576649af48a2e7a", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Cupsd or Foomatic-rip Shell Execution", - "sha256": "ee6cc99ccb00b4e64d3f60240e0c12a4355d9c77cb1bbdc35e834683ff68f85a", + "sha256": "f31488d82e4159063e7e92fa484c6c5f2b0d7c8287a8fb02adb790ef55d6242e", "type": "eql", - "version": 102 + "version": 103 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "min_stack_version": "8.14", 
@@ -4531,9 +4565,9 @@ } }, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "24516e60132d4debae6058458462d958f659d37c82f6f68ae24cb1af134fa428", + "sha256": "de0bde89f44173a386cd38d4dd5c6e02a3fba6f877fd803f6e7e9108d609dc51", "type": "eql", - "version": 211 + "version": 212 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", @@ -4543,9 +4577,9 @@ }, "47f76567-d58a-4fed-b32b-21f571e28910": { "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", + "sha256": "27d113fc9dd74c3da88815021fbd3a91cad66fb4959ca57d5033e135ddf75d69", "type": "eql", - "version": 106 + "version": 107 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.14", 
@@ -4553,34 +4587,34 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f", + "sha256": "cd78c0361c8ca0f7334582409bb0bd2d14c582ec978c231bc26932cbd1a614e2", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "03e1e388a616fd76a913bb276b36b25a9a92ad0d3421a55ca134c175af61f971", + "sha256": "a1ebcfed8cf45331acadbd7adebe5f1eb37206754cdedcbe980c8b27bf0fd178", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "927864e2de84459226772454150dfa72d9134da990b83c7f61d2f4621e2bd541", + "sha256": "ed365c174fdf3dc7616909685c4dc4cafc7d521448ef6e96bb2b224ee25fdf54", "type": "eql", - "version": 311 + "version": 312 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "33e3379959ca6f93326f5069bb4e5104c77c30f399d41fdb0108d3f4de3d7444", + "sha256": "a396e648dc8058d8a7af3f97d34c5784cc2e81b5a1e4616f31edc818a101ddc9", "type": "new_terms", - "version": 107 + "version": 108 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", - "sha256": "5cb666b8db28f6ef91c652488905003a54f688578c1a34017e77b80bc87c153a", + "sha256": "fdc6ca399ab1cfd315850c7822e7120a2710979cfbe329ca647b659fcf62ddb4", "type": "eql", - "version": 9 + "version": 10 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.14", 
@@ -4588,39 +4622,39 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f", + "sha256": "787f60363fc9c42dd87f5774f5a6f219c201d492323d12dcfc3ec5d06acd4d02", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "50742a90a9cfc7318d787fe297c644ba6ff7658ae59bda3650452a451ed3969c", + "sha256": "db4dd0177df2c0fbba77ba531c3f6f51c0724b44ea31fd2e84ca4cf2536f6b5f", "type": "eql", - "version": 110 + "version": 111 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", + "sha256": "4be8032dbbeecc1497aff05372e2139e72011b598bc146763878eaee2be2a499", "type": "eql", - "version": 107 + "version": 108 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", + "sha256": "070bc3d77b85c97628a5f7626bba0e95d76cf34954f5db82e4abbdd323126b88", "type": "query", - "version": 106 + "version": 107 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "rule_name": "Remote XSL Script Execution via COM", - "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", + "sha256": "986c22f239fcc3d437e58dcb98df458a9d9435c5f561c9da3628425f6dcd591f", "type": "eql", - "version": 3 + "version": 4 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251", + "sha256": "6144987feeea5f57fa67484e121452ca28b0a522c8ee105f48e14de7fd4ef115", "type": "threshold", - "version": 102 + "version": 103 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "min_stack_version": "8.13", 
@@ -4628,15 +4662,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62", + "sha256": "e9fba7cb50d7c0edfe213e52665e64b9fbaf596bbc274d66c2677a16b6524e00", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "41858fb1b885aef0b0a2aee2353ba70f43841b18b6fab7efaa3f142a61b7db9f", + "sha256": "bffeae97a26ace150963159905c7c1cb2d3dd3aa299db431b4b0844567c257b9", "type": "eql", - "version": 108 + "version": 109 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", @@ -4668,9 +4702,9 @@ }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "340f1c9b6d0d92fa721456ed567e265ee5b0b193bb96bea2145541912b19c536", + "sha256": "df02c5a18062b26bd791e0bc8b97a58b4d463df63e0d16dd6352edde4318c54c", "type": "query", - "version": 106 + "version": 107 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "min_stack_version": "8.13", @@ -4678,15 +4712,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", + "sha256": "2bfb9d1c293185db7cebfaf6649ecce4d26ca6bd6e8f6fb252e811960272d4e7", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "1a3a1dd2c62931e4f4219efcb21815a2873f452e37b5a43a99bc6c1097e5456c", + "sha256": "fbc9b003a74a72df517c09f83f2629428a29346428ee3311faa27da6614488d3", "type": "eql", - "version": 105 + "version": 106 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", 
@@ -4725,9 +4759,9 @@ }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "rule_name": "Container Workload Protection", - "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", + "sha256": "b58a5fb3b121b08852cc186827479ae739d8b155cf8c9d12dbd17fa70d9fd74c", "type": "query", - "version": 4 + "version": 5 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "min_stack_version": "8.13", @@ -4735,21 +4769,21 @@ "8.12": { "max_allowable_version": 103, "rule_name": "ProxyChains Activity", - "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", + "sha256": "6d2bb84fbddf0c3a063f3b83fe3182017edbe19020c1e1dafc558ec07a767a0b", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "ProxyChains Activity", - "sha256": "50873c947464e5b7e0f7bf3dc3cf714ad8cb4afc0b467858fac06331df2723f1", + "sha256": "7b6c538ea2e93784ce64d2a04dbb00ddbc28aac92ab6008312821b65a46d8717", "type": "eql", - "version": 104 + "version": 105 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "rule_name": "Unusual Process Writing Data to an External Device", - "sha256": "d5d28b9af1ed399604eb5bc1744453ce1f5dbc4839e7650ccf12c30616fe3d07", + "sha256": "ed51342a669aca3acd05b70564dd2b6c9e0ff02f83266d5665ef6dca3851a6c7", "type": "machine_learning", - "version": 4 + "version": 5 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.14", 
@@ -4757,28 +4791,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", + "sha256": "c6c357f72dda9ad192ec0f1297502bd068bf0cbdcc97ab58e49d86e7cfdde988", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "dd78ff329788e32ccfcd11f3331174f609f2a0b868ccfbf47b8d997dbfd30096", + "sha256": "57c2b49691db8ebbed599f9985cf9d43545ea46a7e458dd4a28bd20f0f0476ca", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "fdac8198180b87285d0dce793712e89ac9bdb36ea90ce122de8f4b1095c4dd6f", + "sha256": "724c9eb77e876a0609dca7f377c3b888ee71c8ace7316e67235b6399e7dde6d3", "type": "eql", - "version": 310 + "version": 311 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", - "sha256": "482163bba1d5afced4faf24a38e7ed0317164468a4faf3bcb8ecb58d21024320", + "sha256": "1563951eaa26040f25dcd3eae36d9f46c9bdcf45a6f24398ce7a7fc4382da092", "type": "new_terms", - "version": 1 + "version": 2 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.14", 
@@ -4802,27 +4836,27 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77", + "sha256": "d477a1c1cf4b80c1c4b058813b66f4952e183bd224d21bd44d145c7845ff027f", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "9fac7bb1e34b314d0950b254edfbcb8b0035486525df4e2fc5b9e9cbb65785b1", + "sha256": "276e07ad6386011b5ba83107e7f863831a18b2c1b755a679005768a02b1d9f6d", "type": "eql", - "version": 107 + "version": 108 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", + "sha256": "189ef68f8b1654ea9486b7831d9a69f4b42554453426d0d7531fe7052cd96756", "type": "threshold", - "version": 207 + "version": 208 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", + "sha256": "37d2ef8b050dfdece62cbbe06bc676f8199d5b4f1fddca44de9748f463a2ad80", "type": "query", - "version": 106 + "version": 107 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.14", @@ -4853,15 +4887,15 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8", + "sha256": "f68db77a65c50c4489742ca308f8beef345bcd834e6782fd47c79d47c4cb7af9", "type": "eql", - "version": 11 + "version": 12 } }, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "7b0176c520ea313b2012e6843edc760f64652558471e6f971e2b6d86d90116df", + "sha256": "b8743c73288c176d82f7c326f655ad546ca945eaabe141bf1da60e5f045481a0", "type": "eql", - "version": 111 + "version": 112 }, "4ec47004-b34a-42e6-8003-376a123ea447": { "min_stack_version": "8.13", 
@@ -4869,15 +4903,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38", + "sha256": "26c209b252768d129ab5bccfb4006456a5cd64d7ed097dd81d513beb333d8d7e", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "37e55cdb7d8b2334bc54fc6a9a492d1dffe8309b0ee44811480a42ee01190bde", + "sha256": "f680d6c8ee7249b89249a6710ce30801b2c982cef68f015538d7cfac8430cc94", "type": "eql", - "version": 110 + "version": 111 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.14", @@ -4908,15 +4942,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Script Object Execution", - "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f", + "sha256": "d03461949ea02ae5d1a9afa32408fcc350c90751725cecedddb19bc153f58ba7", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious Script Object Execution", - "sha256": "87be064ac19c5ea66f69f2e2387eea0c3cd7bf236626285df2b76b760f408845", + "sha256": "21d6ca38910e536e9886d360bd1cfe63932e9d4036a7d6a26af4708806dfecdb", "type": "eql", - "version": 209 + "version": 210 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.15", 
@@ -4924,35 +4958,35 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", + "sha256": "d92cb4bcc5aadaea4dc0e6b7b35a1bf6e2ae910fa754432faf4dfb96696001be", "type": "query", - "version": 410 + "version": 411 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", - "sha256": "20d605e52736db120b290b4b7629c450f6b3d0a127d68f5aea96d3002df522eb", + "sha256": "d10bf82f2f2925d3893f3170c4824f6e0cd1c812c901dc8fc256f113e735498e", "type": "eql", - "version": 1 + "version": 2 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", "rule_name": "Unusual High Confidence Content Filter Blocks Detected", - "sha256": "b7158a40dd8e99134d485c6d09a2aebc63453ffe622fb446d43f1f4d20247a0e", + "sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd", "type": "esql", - "version": 5 + "version": 6 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", 
@@ -4960,22 +4994,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", + "sha256": "02b2a3c16d505ff7b41a860c6ba3587cf4376a57a4dfb1d8af17d0620d4dea7f", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d", + "sha256": "186e25b241af067c22b65d97a6746b5a72b63e2aad403893a00ef3b7d39b1982", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "72eaaba3e4541c4b67787d99cacc0cc2a13b0947f01563d4fb97ee7c1b5230df", + "sha256": "133dd8bfb660f0ac4114ee86831af289b29876b1e47d9868ae4380002e493545", "type": "eql", - "version": 313 + "version": 314 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -4983,28 +5017,28 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", "type": "threshold", - "version": 5 + "version": 6 }, "8.14": { "max_allowable_version": 205, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", "type": "threshold", - "version": 106 + "version": 107 } }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", + "sha256": "6a554290e7a84ccbd18f8a19971e557ac7a9838d92308436ae1252d215f09d94", "type": "threshold", - "version": 206 + "version": 207 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", - "sha256": "92832a1d67cc61df5e937f62a495aead9cfcc980486b8d2b754f3416427265aa", + "sha256": "16bcc4e20cbecdeda51970a7c080df121c8c49778592fd2b3384519d93b21280", "type": "new_terms", - "version": 1 + "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.14", 
@@ -5028,15 +5062,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9", + "sha256": "48ab779e161fbd3bfc978ec8def0e6511023cebad2f6c5874cc71cd14d2da1d4", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "daf596f6901bee71cb114cdd3ba6d93425bf62553a144a91ea77214278402800", + "sha256": "b73939a26aed301cde9d16fd437a77e325a4393d91a96a981d2fb92dedb61b74", "type": "eql", - "version": 103 + "version": 104 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.14", 
@@ -5044,34 +5078,34 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", + "sha256": "13b9667f77ece11fa75c760717a7f1a7474e6cf3583c6d428b0b835bbb79c161", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 411, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "12362423f221d5f78a62ede69455b6acc8926caeb7057ac6af76e9e8663839a1", + "sha256": "4605f205b084980b9052a6f82ff9ace18abaddddba5a0901b25ee42d0a048865", "type": "eql", - "version": 312 + "version": 313 } }, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "6888e4d8dc2ffc69e0f3b29e7601596b7ed396f3071eb3bf4b22614aec126f6d", + "sha256": "a122de466303b9918efe6f15d1a658addad361829c6bf7d515d823a75eb19a2f", "type": "eql", - "version": 412 + "version": 413 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", + "sha256": "f5a4de0b0ac06eb1a69c2cb23b7f9d7b884a576168db1d956ef9ff6144c5756d", "type": "query", - "version": 206 + "version": 207 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", - "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", + "sha256": "5d8877660ac02415a7e931d15a718cadb7de72da25f5bcdc79d9fd493d4c71f5", "type": "query", - "version": 104 + "version": 105 }, "5188c68e-d3de-4e96-994d-9e242269446f": { "min_stack_version": "8.14", 
@@ -5079,28 +5113,28 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", + "sha256": "0103f881f5ee4e7c9d82ed15157325d5b5a58d4e397d6367d4da02bbf8ce0034", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4", + "sha256": "f3deede5cd5976b88fba9f4fe5814c558ca142f46001382dd888e8f1294a9892", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "4966b4c68a294538d5fe7fdd895bf295a7b8220649477a2de843e07ffbbd038b", + "sha256": "2196b597b084d5ecbb13b0b17492f36f5b84dcca3a09a280a2e2d59035ac22bb", "type": "eql", - "version": 204 + "version": 205 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", - "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", + "sha256": "097a5bc6720f07acfae2d20f11d9a717f1fe350cf94d7145adaa481146c184df", "type": "query", - "version": 2 + "version": 3 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.14", 
@@ -5108,33 +5142,33 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", + "sha256": "341be9c43bad17537b54fdc7f40f8c156c772443e30caf8193c825ef8ae6e632", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "84c893dffd43871523001e934f53b55aa3560ab0e48927a519cc9890b21e6206", + "sha256": "98bc7f7c240e76cd9d3ecb1a5633fb0d68e571ceffa5569f91e5702c53b02d8f", "type": "eql", - "version": 208 + "version": 209 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", + "sha256": "1e7bfe4a829855d26e56d29a29a24edf68130b67fb19c38c807680c99f335d69", "type": "eql", - "version": 7 + "version": 8 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", + "sha256": "0d18d9439a5628f8f0339e9c968f779926c27addbf3835666f0b4312115511b5", "type": "query", - "version": 206 + "version": 207 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "fd77da125fda39b0791110d21e18fe7c21233971339f47f4d46a1f228f048839", + "sha256": "94dbbc192b8f9c9fb802a3785bc420e0f318b461c50fb90a879eca803aa6d523", "type": "eql", - "version": 113 + "version": 114 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", 
@@ -5160,9 +5194,9 @@ }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", - "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1", + "sha256": "7705ae36b0bdaf932acba46ebafffb17e3e085213212f44314d4bcc79090bb04", "type": "machine_learning", - "version": 104 + "version": 105 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -5178,33 +5212,33 @@ }, "530178da-92ea-43ce-94c2-8877a826783d": { "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", + "sha256": "c30eb96fc6194d443c353229802bba9be8aaebc4e8abc78d2734cc5612fd49f1", "type": "eql", - "version": 106 + "version": 107 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", - "sha256": "31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870", + "sha256": "dda8b86ee8d2dcee8026d296c9e5f313eaa3dc3d50eedfd6ae6e19c938486a92", "type": "new_terms", - "version": 11 + "version": 12 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", + "sha256": "e6c6dd49909f5672bab0d1d27d7ea1b5661d81198a9568926b30ca91064fbe16", "type": "query", - "version": 206 + "version": 207 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", + "sha256": "8227f6204aca346ad00f70681a540b2e14358f63b3415da0a722d3fe8c4bf796", "type": "query", - "version": 102 + "version": 103 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", - "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", + "sha256": "9eafe3af498b5f504346bcbb44ddacf2157ebf9f7dc56a66e0f6512ccbcaa61e", "type": "query", - "version": 6 + "version": 7 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.14", 
@@ -5247,9 +5281,9 @@ }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", - "sha256": "4506697959db38106a2f20808c7650d71b4bb69ca921ecb433f9f7d437e1b418", + "sha256": "af9d57399895c1474ce02d98053dee54db65bf201345fb22036a0935476ec4bc", "type": "eql", - "version": 1 + "version": 2 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.14", @@ -5257,15 +5291,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", + "sha256": "44240eefb782b212aa0e92aa499c5c53a15dd47c2d5ccd8d5bbd7e730a2ced0d", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "05f4e7d83a92a1aaed215be67f65efbc6491fca10438887f10a7d47cfb88c838", + "sha256": "b7dac84100da5dd86f5b3db2e97a9c0d5bbc086be021a8d71d6801723d7317ee", "type": "eql", - "version": 212 + "version": 213 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.14", @@ -5289,15 +5323,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", + "sha256": "c1d15e3f87d0c06656e38903de062e3f17bdbd3884c26fd330cb747036019545", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e", + "sha256": "dccddc93820e882a05daa4e44e2f269398b302098bbe00d5c1571ffd86581be4", "type": "eql", - "version": 213 + "version": 214 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.14", 
@@ -5305,15 +5339,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", + "sha256": "339bd5dfcc9715aebb297d9e0f1c984616bf99c0dd887935f7b94a77c4b1889d", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "b6183b74d47d3cfe8b22dcff57a47da7713bc366002dbf9f7979a42bf76f6cc6", + "sha256": "d727778c418f5ff259d819e6c8c56cd07c2f086ea12d877c3379792b549ba948", "type": "eql", - "version": 211 + "version": 212 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.14", @@ -5343,15 +5377,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", + "sha256": "20041d45b1675b29ac029036acb9a791d296507da6fc2d342c22e8ae9d37add9", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b", + "sha256": "3910654eec2497e6c45f9eba623296d166de75f2bf26bf5f27f652de0fe602b3", "type": "machine_learning", - "version": 107 + "version": 108 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -5359,22 +5393,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", "type": "eql", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", "type": "eql", - "version": 105 + "version": 106 } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", + "sha256": "a19bb50cba9f9f404a82703239d5f7c37e59ce956e04da03adddfd9a4dfab224", "type": "eql", - "version": 205 + "version": 206 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", 
@@ -5382,33 +5416,33 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", + "sha256": "4a4e70e7f50105c48f29f32d7d234cfa9538813b06309ce72c3dcd4a7a21a3e2", "type": "query", - "version": 107 + "version": 108 } }, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7", + "sha256": "2b4e8ce5e2579fc3644b048d0eefd8b6c9e8ae17c0eb9201191933d58be50dfa", "type": "query", - "version": 207 + "version": 208 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", - "sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9", + "sha256": "6f18cbdc2814670890459e8a1b80c7b8bfac998d71d67c250ffa5a3017a0a95e", "type": "query", - "version": 206 + "version": 207 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", + "sha256": "a12b24ae6304c80c777dd5b7e120916781b2e76b2f09848e292a453d76cd5056", "type": "eql", - "version": 107 + "version": 108 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", - "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", + "sha256": "50c3afa5e3c557336820b41946ef7d0889d9f7002f614b9bc7a0f6216fdb24de", "type": "query", - "version": 104 + "version": 105 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.14", 
@@ -5416,15 +5450,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", - "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", + "sha256": "9075bac2c658f9cd09ae5480d64a0005ed4877f273b113b12c5c9d38098e5c35", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "PowerShell PSReflect Script", - "sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1", + "sha256": "60ce649f4376763aa71d2a2bbe3126251aafabb204c1bd51614fab34b09fccd7", "type": "query", - "version": 313 + "version": 314 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", @@ -5434,21 +5468,21 @@ }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "65439f5e4fa7b0f4bbb310547d8239ea649d5818b5ac6338a7b358f2eb0c03ee", + "sha256": "5ee4cc1bef3bc0cbb466f51fc238d7ea3789de02607f24d664300a4cd08147f0", "type": "query", - "version": 105 + "version": 106 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", + "sha256": "cef2f25973f7650fc0b3c4e6d49eb118a5216965cb85cee1568ac3a5e26bb119", "type": "query", - "version": 103 + "version": 104 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", + "sha256": "398d5eb8f8ee0c1a9ca69806e64a8879579ab03f3e2f5a29a66c0da240018ab2", "type": "query", - "version": 102 + "version": 103 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "min_stack_version": "8.14", 
@@ -5488,22 +5522,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", + "sha256": "7d36f22f3ea3b4008813322aadd11c5d337d890ad99892df41b2e3154c755ed8", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "6b33c63d553cab599384d2a06a3cbe2ce79ac5637431a647f3c0b0bd8930e497", + "sha256": "fdd70a684195301172c2093025954070437de67b7110b4c2fd82167df76f3b5d", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "566037aa998817fc0a251e782f43cec8f2037e67f0fdfe4fc54256563b8a8994", + "sha256": "c1df3f0030e17676949facaed1368a9f13c67cca442f5b94af0920ed85092de8", "type": "eql", - "version": 203 + "version": 204 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.14", @@ -5553,9 +5587,9 @@ }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", - "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", + "sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36", "type": "query", - "version": 103 + "version": 104 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Potential Lateral Tool Transfer via SMB Share", @@ -5565,9 +5599,9 @@ }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", + "sha256": "c2dfdcdc1b0d76b1a905b8e67a67d188594bb8b4665a8c1750ce8e92714325af", "type": "eql", - "version": 111 + "version": 112 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "rule_name": "File or Directory Deletion Command", 
@@ -5577,27 +5611,27 @@ }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", - "type": "query", - "version": 206 - }, - "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { - "rule_name": "AWS CloudTrail Log Created", - "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", + "sha256": "81b57999573c8fb4a7a366594f25ae06a0af08d40dce604d87d7a8f30dd943fa", "type": "query", "version": 207 }, + "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { + "rule_name": "AWS CloudTrail Log Created", + "sha256": "57e2816be37db7fe8b97b74d890f5f1c173f9f98635f900fc0a239d93de116f9", + "type": "query", + "version": 208 + }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux User Discovery Activity", - "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909", + "sha256": "62cd203498ed5ec9c26690e7c2c202cf2cdb234c9be6a775889f5d2458744366", "type": "machine_learning", - "version": 105 + "version": 106 }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", - "sha256": "5faad18f6e8089e38382a04e3ef367fc94f03c5bb03e1aacbdfdae133891e860", + "sha256": "c65dca5d2ab212399ddf5f197ae8f6b71543e67dc4c506edba0250e81a48ba75", "type": "new_terms", - "version": 1 + "version": 2 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "min_stack_version": "8.13", 
@@ -5605,15 +5639,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "0ac95528a079d01b7adeaa69e09a6ce000a6e52cd17f4fc7984edb24bf715c66", + "sha256": "8662d51b058ba0aaa8beb626fa104c2c7f6ee6f1970db79c6ab2615a567e699f", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "98b7c643f9f9b010293863a5a9e79452dd6bd16f72b18e1c8c847b1baf6edfd8", + "sha256": "1cf2ab43dc77c7b8e03becd52f2882b3dc1844085e26351dda5f6b31bb609722", "type": "eql", - "version": 101 + "version": 102 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.14", 
@@ -5621,34 +5655,34 @@ "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", + "sha256": "195101291410db100f83b2bbb0bb45a23a5d3c84f0b3cc59e3e80543531dd5e1", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "a58979585d4e2dba00ae2bf4cc63ae6bed5e961b9f7644c0dc3fa1cdc1f2a938", + "sha256": "2213291fff0bb1ba56efbcc8b9b3bbeca328b89b52cf3e419b4fb6e70936dad0", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "922c50914d6b49f38e49963069b5aded60978873160d1be2e5ac966b0f38d3fe", + "sha256": "0803f03287c0303a478d35d524621cf58ec5e09afe472fe968a33d05b1f8e025", "type": "eql", - "version": 309 + "version": 310 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", - "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", + "sha256": "9f4687f96c022e624c6f5414ecb77f6d8b9148dceb9137d3bf0bb37c294bd2e9", "type": "eql", - "version": 8 + "version": 9 }, "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", - "sha256": "c0274af6f64a052fd104039c8754ea7aa05eaadab769efc8a98bc62711b2b491", + "sha256": "797af136476a4575466ea7dad526fda9d5328930d8f9985a260e5e1177223225", "type": "eql", - "version": 1 + "version": 2 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { "min_stack_version": "8.13", 
@@ -5656,21 +5690,21 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", + "sha256": "bf4217022061a7456c301cffe1ab6dd6d9298a3c45e206c125c42667862de6e1", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "22f95e8aa96442f2aaab2baa40a03a32f9a71ab839f014a32f9f57c2bf68d6f2", + "sha256": "efa24aa4e360509d77a32ce3f80aa988c50b5849bf0f3c2e8600efd49b6a384d", "type": "eql", - "version": 102 + "version": 103 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", + "sha256": "8a9322fcb0f59a2f5ade44ab323e0b057c6019500063a9e67db93eb954461718", "type": "query", - "version": 106 + "version": 107 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.14", @@ -5697,15 +5731,15 @@ }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", - "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", + "sha256": "6a40d4a3eb8956f0fa86900cd0f068813b708cf72355b20a006a4ae024884b63", "type": "query", - "version": 108 + "version": 109 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", - "sha256": "ecb48f9b2113ef16a9cf28b12062a7336b1fc1183e11978fa97c5d28f733e894", + "sha256": "579398f581b46a408dd3248aa0e706c28ce608e3fcecb9296abc9d328e024c92", "type": "eql", - "version": 6 + "version": 7 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { "min_stack_version": "8.13", 
@@ -5713,15 +5747,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious which Enumeration", - "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570", + "sha256": "81bdb21ca450212add8a85c321bb3987998e8f5dada389fbc8a46fa1d740581c", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious which Enumeration", - "sha256": "73c8ca3902ddad43fb2ceb90daa245dc057f3c920067897050295d67a1394cbd", + "sha256": "31644856f49ffea6104635840c58566a40fbe5a81da84366f5eb33be25efe892", "type": "eql", - "version": 107 + "version": 108 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", 
@@ -5735,41 +5769,41 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2", + "sha256": "35874a6b3415659603a51352ab4aafe03d8e2d816f25c4f343115687e555aa00", "type": "new_terms", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3", + "sha256": "5ca5d9dba9c3eda093b2a3b2260982c127108c3167436867c912cf29f5129f87", "type": "new_terms", - "version": 214 + "version": 215 } }, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0", + "sha256": "4dcc839828bb5d7e479b5816322bbc8808ee054bc913c811cd9690d54c57ca6b", "type": "new_terms", - "version": 314 + "version": 315 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "min_stack_version": "8.13", "rule_name": "Boot File Copy", - "sha256": "30d90beef7fd3002ffb27eab0ea0dd20d3a7775ee4e6eb142d5351f9145fac50", + "sha256": "24d0894ed6959d5f54396c957e8dcd3de231026e473c753ef10c5c033f991857", "type": "eql", - "version": 1 + "version": 2 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", + "sha256": "89f33201ad4d76858ce52afe371130935c8d2f202139ea266bd17c9ac2488519", "type": "query", - "version": 206 + "version": 207 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", - "sha256": "22e7a4474249251e7e0ff02b91956eefe3253c4dbffe219e41537c4fca33d8df", + "sha256": "b59cc8bfab61d96bcdff86bcf5c7a1b13b64354d821ae475efcf40a35b332a19", "type": "eql", - "version": 3 + "version": 4 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", 
@@ -5777,15 +5811,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", + "sha256": "5ae470e75de9bdbb84070a55c7cfbd9143654a72f9e9193782aea6145b12fd1e", "type": "query", - "version": 3 + "version": 4 } }, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6", + "sha256": "d4ae42e3bddc23b1b5b75d60e725076a3baf37caeae03e0794a91fa47346aa02", "type": "query", - "version": 103 + "version": 104 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.14", @@ -5799,9 +5833,9 @@ } }, "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8", + "sha256": "d4accae05fecc5956c2caf27bab5e9eb13b871713c8855c25c6a47bd44a0d2be", "type": "new_terms", - "version": 113 + "version": 114 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", 
@@ -5815,27 +5849,27 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", - "sha256": "c07bd3dc94f7395887a9d16a2c6986600519ec86ba8f4082f4c1c546be147907", + "sha256": "5236ec39f5b96c9f3b575a920dbd695b7473c5bafe7625e03799f60d559b28e9", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", - "sha256": "58a78bbe94aa8e3ce22da6a4bbc47087b53a4e124ed72c30bb71e4c4ebfa89ed", + "sha256": "23f889cc4747d5ad5d505549b4301b18abb715f10d21b48a1c87dbd95cef2f29", "type": "eql", - "version": 101 + "version": 102 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba", + "sha256": "dac377b1d7e688c590f3961e984193d99e548ddf1fa5d9298d724d251cfb7b4b", "type": "eql", - "version": 7 + "version": 8 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1", + "sha256": "6699f13d1830f5c9e67d20ffe8e3c35f4cabefe9e630339c8541bdbdff752085", "type": "machine_learning", - "version": 104 + "version": 105 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "min_stack_version": "8.13", 
@@ -5843,15 +5877,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", + "sha256": "5be300eea96d7d3fff01d8e2f1ce70318e82a027159669467454f10cf243e208", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "d3dc37d8bb5d0c604f5f739245d5529eada7a5b0873cbfd84c84f37337c57743", + "sha256": "20eb77ba6a8a8323188fa6281186aa530803e86930af2a51cb2fb2140ad57fcf", "type": "eql", - "version": 107 + "version": 108 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.14", @@ -5859,15 +5893,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80", + "sha256": "881e17596c2ce4e314625942adb04235a12e70f19501ddbf53391bfe02dd03f9", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "7d3bf84b8bde799ef371d4a6327bf8f541afea0300cdbf24763d28eb8f8342b5", + "sha256": "9861068f16d7c13e90230fde674392101cfe9ae5e74dbda9522097093911536f", "type": "eql", - "version": 209 + "version": 210 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.14", 
@@ -5891,28 +5925,28 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Persistence via PowerShell profile", - "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", + "sha256": "e2a9084a8e3062415cf21a33d22098b3e31cd354006e57075af67e820641af92", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Persistence via PowerShell profile", - "sha256": "bcfac59564d41ebcb539180ca3a3bf7ce87cc15eef7fe386b497fab430a67572", + "sha256": "0383a8c5a6705916613f80d301ca0dea35cf7ff7cb13b719320e19c6dfeaffb4", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Persistence via PowerShell profile", - "sha256": "f3fa333c7f1b7b2d1da2b134f2a3f535c02a04bbe1e29aea9a07f65dc3112f42", + "sha256": "0f950647d4f0916286902132be8dcaec3f65ee3132b998b43e7eeb93677cafe5", "type": "eql", - "version": 209 + "version": 210 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", - "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", + "sha256": "b8a59cdd32843855c38fac2f200184b85c2d6530489e471b8a4130406e8ec85b", "type": "eql", - "version": 107 + "version": 108 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.14", @@ -5920,15 +5954,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75", + "sha256": "975967ec3e4989e05b906196e1492ea1f24ac1162211d54845e8c1f682036f71", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "98c90d11775a22fd8b8841c192bba0357583dfff531656d7728cefb2a3cf68fb", + "sha256": "3b3ccd623ad35abe21a31e6f429265fff80ee4bb1cb27b4ca7360e556282bea8", "type": "eql", - "version": 209 + "version": 210 }, "5d676480-9655-4507-adc6-4eec311efff8": { "min_stack_version": "8.14", 
@@ -5936,21 +5970,21 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7", + "sha256": "8f2d6fb941f3e9f2fe599164f806804b1b09b4c08131d79eb3e7ecaab5034c05", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c", + "sha256": "0e908a21b5f00f708db56a1f494aafbe52a203ae6f332d5e4e763103aa53e03d", "type": "eql", - "version": 103 + "version": 104 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", + "sha256": "a1c17423de6e19c6f7cf178290eafc3cd6146dbbb850b2c6ac92c5826af80f6b", "type": "eql", - "version": 106 + "version": 107 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", @@ -5964,21 +5998,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Memory Swap Modification", - "sha256": "87f23ecd1afbe1e17093f0f1d038a49132d433f0e99f842a2c1ea2070422022a", + "sha256": "d3233c88cf4a2b91daeca4e6247bb3758023b234d009f522b19223f87aeae20f", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Memory Swap Modification", - "sha256": "923afd5486608e70492a648b58298dd6b5e3a6e9dfea406822d0139d7e84a6f5", + "sha256": "5583dee02ed10b698537738686fdd5974f461d686e6b36f456a6eaf52a661fc2", "type": "eql", - "version": 101 + "version": 102 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", + "sha256": "3ebdea07f4ef0b08b17227bc1a2482fdf6678f10abcacd02c0a85dfb400a1501", "type": "query", - "version": 206 + "version": 207 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -6018,15 +6052,15 @@ }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Docker Escape via Nsenter", - "sha256": "11c34c854e425416671771fda4ebe364a729e7203d287c32837120c5426ec678", + "sha256": "453ade8392dd064ac66baaea865224304bffe2e8afac34c7811e8776d5989843", "type": "eql", - "version": 1 + "version": 2 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", + "sha256": "75603330eba99f8199e1a118a71eca46d7c50d35b4cd605c1dfc199a15028b4b", "type": "query", - "version": 102 + "version": 103 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Azure Service Principal Addition", @@ -6036,9 +6070,9 @@ }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", + "sha256": "083349bd92f7b6c0a756f5a62567cd8c5a5bc5daadf1eece6de8e8e79978a41e", "type": "query", - "version": 206 + "version": 207 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.14", @@ -6078,15 +6112,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764", + "sha256": "aa2c30439a09a0821ce30bb48e9a7ded35e0cd590c0acbca87390d10683bc5cc", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "1baf1fef6bba99c5ccdc2528a1cf37b50b5fa046a869241e7957bc24910a38d2", + "sha256": "1813675633a8a8db3f036f1276035eb83d74c80d29e7e67aa2bf1099ab057778", "type": "eql", - "version": 104 + "version": 105 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.14", 
@@ -6122,9 +6156,9 @@ } }, "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "0025f93aa161653a794f9a26065ea5e0cc28cde56f00267df2baedba016c4e6e", + "sha256": "3b4775c89f9910cc69fdfc6e3ba815ed3da59f85eae5f23cfba94d923518152d", "type": "eql", - "version": 212 + "version": 213 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "min_stack_version": "8.15", @@ -6132,22 +6166,22 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", + "sha256": "f472608d534083bdf5f50a92951a81599a2b3dce40e413de960019aa9f7435f5", "type": "threshold", - "version": 5 + "version": 6 }, "8.14": { "max_allowable_version": 205, "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", + "sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df", "type": "threshold", - "version": 106 + "version": 107 } }, "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "4d6ac1ca8a19590fa0ac7866fe9b56931d6d7515611ebf4cd25c8ee1ecedfa95", + "sha256": "12e0d0b72f404e2086dcd9c36311a6eeb68c65979ce775064dd5c6ea06953106", "type": "threshold", - "version": 207 + "version": 208 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", 
@@ -6155,15 +6189,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", + "sha256": "facf2b369187ce8da1649950be8b3e38f3c4c1ec81f490fa646827baf5d2427a", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "469e57d1084b2101124729bd1a24f0d0de9a3ba693867395cb5e2b2747429009", + "sha256": "2b2a1dca315b2ba3e10a64bdd41f6a67b6cb64924ac2ef44668a7ec80657d775", "type": "eql", - "version": 207 + "version": 208 }, "627374ab-7080-4e4d-8316-bef1122444af": { "min_stack_version": "8.13", @@ -6171,15 +6205,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Private Key Searching Activity", - "sha256": "cfb8fb1ac5550969ade51696c2cce707ef17cb2ba835b59dde324128fe49a3da", + "sha256": "d14cd033b213dd2aa22e191e4316a3e9399efede1e2a54e6b84c28fc98e43248", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Private Key Searching Activity", - "sha256": "6a4cafcee7a10b376ff76157de5011d5f20df6e1ffda15016ffb5030b599d4d2", + "sha256": "5519c882a79e550a82c6cdf78d433feb500b6bd32ef8f72913f9df44a00f8a9f", "type": "eql", - "version": 101 + "version": 102 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.14", 
@@ -6193,39 +6227,46 @@ } }, "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6", - "type": "query", - "version": 211 + "sha256": "fbd13d6ec521fef8ffeaf94e8c126b6c3d610a7440b32fdbec53435987e3e9ea", + "type": "eql", + "version": 212 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", - "sha256": "5a3fd12529c9c80182c6867d42fd64119b65ce06f0106fb6c46537b9f536d9ed", + "sha256": "3a95ccdc273d7d2af093ab0c0445370fc790147be6d43d2a2edb2b9b3cdc82e0", "type": "eql", - "version": 5 + "version": 6 + }, + "63153282-12da-415f-bad8-c60c9b36cbe3": { + "min_stack_version": "8.13", + "rule_name": "Process Backgrounded by Unusual Parent", + "sha256": "208219618907f9af2a97a782d360496106265946d0d6b37aa5eb4369f2bd210a", + "type": "new_terms", + "version": 1 }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": "Network Connection Initiated by SSHD Child Process", - "sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c", + "sha256": "9bc024ebd7d20dd7d23abc9dbe71bf043edaab5d7afc79551d0da709c4fe821e", "type": "eql", - "version": 3 + "version": 4 }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", - "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", + "sha256": "53a873d39857e58ee6e4fc5b7399e895bb152e41c1ab935663837628267e4ec7", "type": "query", - "version": 6 + "version": 7 }, "63c056a0-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Denied Service Account Request", - "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", + "sha256": "c8d9810184ef49e7246335b18a3ee60393d89ef7ce8f918026a59c34bcc38064", "type": "query", - "version": 5 + "version": 6 }, "63c057cc-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Anonymous Request Authorized", - "sha256": 
"124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", + "sha256": "17099608b9a995ff056b49ffa5be61ac5b2aa1b25812fa9ca68294450e48a050", "type": "query", - "version": 6 + "version": 7 }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", @@ -6239,21 +6280,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Signed Binary", - "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", + "sha256": "66192fcde84de1d9b0e809854015279f1016447b2e2de3d0f3f81aad88df91bf", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Network Connection via Signed Binary", - "sha256": "13ab27af642b6257541d2f7dd40e674512caf3615983668154c3cb69ce92212b", + "sha256": "dbff3c36a4ce01428dd306c519a48b7816f503173ba63ff090c31c9719748cc6", "type": "eql", - "version": 208 + "version": 209 }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation or Modification", - "sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d", + "sha256": "9d1158eb547e4cbef8792d8e21f04e26ed8f8e6a4205bc87f557901520583a3d", "type": "eql", - "version": 2 + "version": 3 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", 
@@ -6263,15 +6304,15 @@ }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", + "sha256": "83a660084e9cace9aebc80260a7b32dde9583c295a54c288ca8cd2bde4522611", "type": "query", - "version": 106 + "version": 107 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "rule_name": "Network Connection via Recently Compiled Executable", - "sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac", + "sha256": "2077b595953101f3fa176295f9adac0453ae759f4adfda777ee54f9285fb893b", "type": "eql", - "version": 6 + "version": 7 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", 
@@ -6285,40 +6326,40 @@ "8.12": { "max_allowable_version": 100, "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287", + "sha256": "0dec5c209de4432366d522c8479caa203fc027282bbca7df21df60a9a9ff41e1", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "41602b6a702f894fa85aeda894b432bf97541e7a789da640b09d1a6ccb020920", + "sha256": "fae229cedfaca7b7e8f9a7e40a573cc0933889bf6fd0a9add01469c2f12bd0bd", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "f777f01e40e9050b0c782526949a439d855433b0f63892411d709ce8cda391d4", + "sha256": "159c5871496b2240dc1edfc09db683fb7932c924589e736eb32c5a80fd21b0a7", "type": "eql", - "version": 201 + "version": 202 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", + "sha256": "5ba81546094d936ec84995fbcb3e17bf792328c2426d692c1d219cb256fba423", "type": "query", - "version": 203 + "version": 204 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", + "sha256": "6883edba26e4283cdfdd6ae341ed445cd67e51d20dc15f1fe106514a29c07af3", "type": "eql", - "version": 107 + "version": 108 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", + "sha256": "12e2cdafd4870927e64b1a906bbd4a927ea681570396c184a54f119486371411", "type": "eql", - "version": 6 + "version": 7 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "min_stack_version": "8.15", 
@@ -6326,22 +6367,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", + "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4", "type": "new_terms", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", + "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4", "type": "new_terms", - "version": 105 + "version": 106 } }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", + "sha256": "b8bb1b1e0023c2ce2967ad5ecc17c016a9de356e9f27d2e9f33c5ba979e7801b", "type": "new_terms", - "version": 205 + "version": 206 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", 
@@ -6349,27 +6390,27 @@ "8.12": { "max_allowable_version": 206, "rule_name": "WebServer Access Logs Deleted", - "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", + "sha256": "3d41e0a751de0eefc517ae323b3602930bdfa24fbf61b7c15235e4be117511ac", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "WebServer Access Logs Deleted", - "sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938", + "sha256": "c437c24eaca8d8d4b1fbd92c21ca0f8dd61115f3a64e0c02f1e23aa0e428060f", "type": "eql", - "version": 207 + "version": 208 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", + "sha256": "f8282a2d5173fd7e6fde9595c6efa24f5ebe48767db9981ec5a6cadffcfcf341", "type": "eql", - "version": 7 + "version": 8 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "6ee19e30f1b9b03cb860b685a9b64b35926db4749f7f4bec889b9061a34dd99f", + "sha256": "676676fdba05827386bf901a05e1f8335bbe5042bc52bc54c688eb0aac55b715", "type": "eql", - "version": 116 + "version": 117 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.13", 
@@ -6377,21 +6418,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Linux Process Hooking via GDB", - "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", + "sha256": "d6069d2128de9e65240d1c2a03f27f397f632fbdb78102892e58b51e395c942a", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Linux Process Hooking via GDB", - "sha256": "233c3166926ca81a15eeadc2bbe25b0f37ced7d272398ae6ba062b5f21883786", + "sha256": "102f289cddaa0bfdaa48642008df6ac4c7ffe2be9cc0d5ab335ec0647d841c6d", "type": "eql", - "version": 103 + "version": 104 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115", + "sha256": "e35261396a28f58844455d18ffd0bcc2c385ca3960845c6db9f87949bc561fb3", "type": "eql", - "version": 207 + "version": 208 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.14", @@ -6399,15 +6440,15 @@ "8.12": { "max_allowable_version": 112, "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804", + "sha256": "71980b7e4a7ca43713bfa72cd0160821533b13c24e3fa1d0e645a42eec4f8512", "type": "query", - "version": 13 + "version": 14 } }, "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b", + "sha256": "1b9b6777a50eef6af6496d2bc9338d04c6b74efbbc726b1cae58177d40ed8b92", "type": "query", - "version": 113 + "version": 114 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.15", 
@@ -6415,28 +6456,28 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", + "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", + "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", + "sha256": "79a56d12f5cfae0778882f6215f3767e744601b2d0f0183fa71a191bc5d9a8c4", "type": "query", - "version": 410 + "version": 411 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", + "sha256": "f899b24ce14bb0d0e1c223537cd020b2b65c7b71ad97b87fd5359b89e6bd2e2b", "type": "query", - "version": 206 + "version": 207 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.15", 
@@ -6444,22 +6485,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", + "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", + "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", + "sha256": "33e8c27c30a851ee7f9d49ed14bb20f1cfb5d370320db326fbfffb9c7b855b63", "type": "query", - "version": 410 + "version": 411 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -6485,28 +6526,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Image File Execution Options Injection", - "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", + "sha256": "8107c66fd0a677b8966bf0f40409dfdac75050d7a2372a8e4ba10ce0350e6dfd", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 308, "rule_name": "Image File Execution Options Injection", - "sha256": "9cd61cbd2e186a7e79c84c63453170d959f8a17ba7f17226d7b751d3eb3401a0", + "sha256": "2eb29b66dbef8063acbd04479aaeb1f14fc4d5f7235afe9076fdfc86d199e837", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Image File Execution Options Injection", - "sha256": "a0e0e9db739a9599f432f5b67c38f79f2d78548a4048ada364cc2a77c63ad808", + "sha256": "bebbfc9c058cfc51931d5709b857995da179d43ad8e786073c42d4d74c29ef69", "type": "eql", - "version": 309 + "version": 310 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", - "sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344", + "sha256": "0c327149e5c49e9161bd8a1ef2fb8bbe117febb4c86c9efcaab8a6dc5890205a", "type": "query", - "version": 207 + "version": 208 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.15", 
@@ -6514,22 +6555,22 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", + "sha256": "e40176c9634f6d0f324b5be9bf2cfae0370f3d8fc01188d10e54e5684d5fbbaf", "type": "query", - "version": 409 + "version": 410 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", 
@@ -6537,22 +6578,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", + "sha256": "d89ab2b28fdd4a4d0ad8ce943d5b320e1978c3ccde5d83d44424b7aa9e1bea55", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "5ea5116cd208e91c51260783d73f21acff4cc3285956fefc376e9fae3941f1b9", + "sha256": "6c476da86e9b4676c87675514ef346fe09280a8911de64c826ab5696fc9a515c", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "ae80e6eef7f02f152d24f72778eb22b6f998fffe08710ced5a60d17513f2ba50", + "sha256": "eb1bb445ec3e2abbd15d674c1b44e5304446e52f281eb18ca65cb039745c82de", "type": "eql", - "version": 312 + "version": 313 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", @@ -6566,15 +6607,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", + "sha256": "a55f600e7c4e20a4be4404040ef2bc40bd6288c5aa54fc3a6d52c192f117858e", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "bb5ce1fe0201d211c3e0ee4e797372019294920771fb9be33e2e03799c925f41", + "sha256": "c0988d5971ae4b85ecac42dfbe57eb1514ddc1c13df5f2bba07ca1f2097e2414", "type": "eql", - "version": 208 + "version": 209 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", 
@@ -6588,15 +6629,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", + "sha256": "5af182ae30ce25b660aec32433ead1ec5bb2caa3ebb06fc72801ac367d19014a", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "ea3607c104e47097033fed5ea9538819d7ee0e258c4956660fe6bdb792e9e9c4", + "sha256": "e7daf2e718a482222bdf0efce8b58bd0b54b5ad6697d3b9c492962fd802e79a8", "type": "eql", - "version": 102 + "version": 103 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", 
@@ -6610,28 +6651,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", + "sha256": "88f491fbc91172a9ce530e464d3e41d098720ae427782544b68895129cdc1564", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "d9f1796c6d6ad026fc2376b376520d5553dcbd8c64035bb1e86132a90634d94c", + "sha256": "dd1cccfa31ef19b5a08923452387349ef94bd64771d07f0bea725ec4a9d462f8", "type": "eql", - "version": 210 + "version": 211 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", + "sha256": "9111baa04124fb4545052164f1f94445a22b38269c10ddf9433bccd3112f7b0b", "type": "query", - "version": 106 + "version": 107 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "min_stack_version": "8.13", "rule_name": "AWS IAM User Created Access Keys For Another User", - "sha256": "c0b79735104a736c418ffcbe21e0292334ad5d5ed9c425c75d5d0aaad52463f0", + "sha256": "6f69dc6e309b86b281bd3f02594a03d86ba15d5835011a2b37a7ce21f3da291d", "type": "esql", - "version": 5 + "version": 6 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", @@ -6641,9 +6682,9 @@ }, "69c116bb-d86f-48b0-857d-3648511a6cac": { "rule_name": "Suspicious rc.local Error Message", - "sha256": "5ca0e055dc47c8c359d83d3c42388f2d1da1c8bb7fd5b309f29e81d5e4d767d5", + "sha256": "bd61c67f25dedf7bbc88efd6e7088a4f24faa27595c5ec46bfcbdfef30126b78", "type": "query", - "version": 2 + "version": 3 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.14", 
@@ -6670,9 +6711,9 @@ }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", + "sha256": "e2ba77f3b79dada7823d3ab325dc40c902b56e2272d29bc671c218bf23de24ff", "type": "query", - "version": 206 + "version": 207 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "min_stack_version": "8.13", @@ -6680,21 +6721,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Attempt to Disable Auditd Service", - "sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f", + "sha256": "f5fa9bfd7d9d2f03fb2e6f1b264a7b0f0f433bfb3953f27bed2afda53a7af098", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Attempt to Disable Auditd Service", - "sha256": "825e810e08bb39ba58fd1dc50b36b28f4128e5448e6061670a62b7274acc3d4a", + "sha256": "a21ae8ad2d9a9aa7f634479e7b2fdea05a56714d0e14c6541044895377b4f628", "type": "eql", - "version": 101 + "version": 102 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "EC2 AMI Shared with Another Account", - "sha256": "0c4ef4f51a8579747372ea43f8369add1855a2c4ca49c0059a91aca3c86b15e1", + "sha256": "7f27abffb5aef9aadc163768a1f49184de75aebae83c4a7addfa275d9395699a", "type": "query", - "version": 2 + "version": 3 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.14", 
@@ -6702,22 +6743,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", + "sha256": "5f2f1310bff01d3a4c1ca2605ab01c632f85b21d4078a06cb88c4ffeabc174ff", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "a5aca0cae7c3d4e2af72e551b196aa734185edb840e64a44250875f56954f40e", + "sha256": "0b7fffd5409c0d916c6b441f0f6eb2c95550d8c5c9d74192d312b7ec442372ac", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "43459eeea6bab6c7fd87826c312985fcadb070763b879b2c8918b3cec2435895", + "sha256": "f463a7fe6e3b83f613bbd5fe19c3341fc1281b264a8b32289a081c9e9f5748cf", "type": "eql", - "version": 310 + "version": 311 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.14", 
@@ -6748,21 +6789,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", + "sha256": "1c1d57466f2540ce62774922d5711359a9650bd523baf98fa3d13d5c17151881", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "8bc0cdc7893a5a1bbedcaaed4829fcf58e1a1c074dba0e0572f917408f4012f5", + "sha256": "4b44cff5ea71dfe44a694925ca874673be82adc62e7000b867108002baa8c6ba", "type": "eql", - "version": 107 + "version": 108 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", - "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", + "sha256": "09e49424ce202fe6c5b9e7f31510da79059a0617231c4c0022d2c1825ff55f8c", "type": "new_terms", - "version": 208 + "version": 209 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.14", @@ -6770,21 +6811,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", + "sha256": "35a97fde08022de5eb9913eb1b86dc35df3e225ffdf4871c7880402ab13a1c20", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "81dd8799d02ef1ea7d54b9def9a1ab5cddb29910c2a88f978b310fc8b0b4b232", + "sha256": "60d1fc76b949a4e86b9d41bd1ed2f51acc26f54957efb24581f61db6c674ab23", "type": "eql", - "version": 208 + "version": 209 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "rule_name": "Container Management Utility Run Inside A Container", - "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", + "sha256": "d66c939dc799f05fd9549a603ff1d567af4287f8a2e3c0cde5dac918e7575c8e", "type": "eql", - "version": 2 + "version": 3 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.14", 
@@ -6792,22 +6833,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", + "sha256": "545b3d224a0f1f8ebeb0d9f6ca6077c60c57b650d6a3daa51b4a8b30de55da39", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "5c11225cdbbc4109678a5ed167332604297fd7074668973d0b0112b3b4052f3a", + "sha256": "1b469660f4b28888121b5610c6034c3b0a309f63debe06bd347750f423362cf6", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "2fb47f8769b5103eed7d0e994a27d88daa89b306a570f96a16b4a7143462ea24", + "sha256": "7d551332f1288a1e8d53bccfab142a72143c5e61a950b05be6f4f8711ba883c5", "type": "eql", - "version": 308 + "version": 309 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "min_stack_version": "8.13", 
@@ -6837,21 +6878,21 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Process For a Windows Host", - "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", + "sha256": "a84737464ef6658f7587d12e88f77356e079d797986616813ffb6be47e2abaa0", "type": "machine_learning", - "version": 111 + "version": 112 } }, "rule_name": "Unusual Process For a Windows Host", - "sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da", + "sha256": "557a4432fcdb67fea0e8dd2558d19664cf507405b6db1317a0c399e9808e851d", "type": "machine_learning", - "version": 211 + "version": 212 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", + "sha256": "f9612a6680c21d0e7472c260b412d0ce245e770722ae4ce351d2724843c22512", "type": "eql", - "version": 4 + "version": 5 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "min_stack_version": "8.13", @@ -6859,15 +6900,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Root Certificate Installation", - "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2", + "sha256": "f8f51e4211d34c59185c437d929b82051162d84c2c026d0a311fd0d6f40f2099", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Root Certificate Installation", - "sha256": "7b3d5c33a80f686358b9a2c1e87a460372c73e2745f919fb3ea2bd8bf4a3ddb5", + "sha256": "f253848012c90e8fdcf02df03d40dbb169248ea5c7555e85d439610392aa81ee", "type": "eql", - "version": 102 + "version": 103 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.14", 
@@ -6887,9 +6928,9 @@ }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", - "sha256": "c252a18bf2a68359e1d94df169c9571410f418945f1b4a916cbba7bbc94330c3", + "sha256": "55651a72478c93e332ffd43ceed7bb57e098fd6549e20ff56ce66ede80a49a75", "type": "eql", - "version": 1 + "version": 2 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.14", @@ -6897,15 +6938,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", + "sha256": "aa536cbc660cc56dffc7bd3cbb4098aacc6c96df9edb4d4dbe8f33414448b4d3", "type": "machine_learning", - "version": 108 + "version": 109 } }, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9", + "sha256": "f51d97afdd1733e5fc284af1e741adc641483e82eab7f5fefd10f0447b2654d8", "type": "machine_learning", - "version": 208 + "version": 209 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.14", 
@@ -6913,21 +6954,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", - "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", + "sha256": "f665de1ecacdaa7b1c6b0556304063dac3048aada63e8f6ef7a725068e85f087", "type": "query", - "version": 110 + "version": 111 } }, "rule_name": "AdminSDHolder Backdoor", - "sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360", + "sha256": "eae617d40bb78ff247049dfa080cc2aa3aa6f67036c79af83b3d0c573bb1375e", "type": "query", - "version": 210 + "version": 211 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", + "sha256": "3603dc2b2c4d67886879719f5bf7a3028418d0fd6b68942c48a0266e237f5200", "type": "eql", - "version": 207 + "version": 208 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.14", @@ -6935,15 +6976,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", + "sha256": "736e277394bca054547364d6d99541019679fc36129d52d20115c635cea06701", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "e7158ede633bc5e943fe69d3f0dd3ca7dbbb2dcd7c6be7221419dbeb34619d36", + "sha256": "8c0b8e6ae4907a14420c8dc8d06917470f29f360f9604118f6220115e981bef3", "type": "eql", - "version": 209 + "version": 210 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.14", 
@@ -6973,15 +7014,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", + "sha256": "eb944b67560451bef538d988be2f0fcfd42f4a6dce1a2f67fc23ef34d93692e8", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "a44f454d7d3b4ac3bda2f2ddfe43c1eb63f445a52c8cc6c7bb56d32440122ae2", + "sha256": "a2bb01debfece4938dd4811b68b388aad80362fd4005573222fab19ba5b3f6da", "type": "eql", - "version": 107 + "version": 108 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "min_stack_version": "8.14", @@ -6989,15 +7030,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", + "sha256": "03eb5f7517e61382f1036b5beee21a7d1de836f457cada365be4b8aa39f93045", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "3a007cf6213892afdb51e38c653b7fbb54d64d355bfe16ae31a77fa323fd5fbd", + "sha256": "5cf116ca583a54c21dd2db7e27f62fa234832620236dd9cf062d0599afa18a12", "type": "eql", - "version": 102 + "version": 103 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -7011,22 +7052,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", "type": "new_terms", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", "type": "new_terms", - "version": 105 + "version": 106 } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", + "sha256": "4b4aaaf8565e177b55da43b3b76e40c256d8df646f804b5548be8f9f4eb95a02", "type": "new_terms", - "version": 205 + "version": 206 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", 
@@ -7070,27 +7111,27 @@ }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "48ce070e2534c85222ae42380aff08e9cf1051209120195a41abb438dd4f8f6e", + "sha256": "fe89abe29a8070ab4e00e31a6d1cafde62515321d21198ba780381a9cc87d9b5", "type": "eql", - "version": 109 + "version": 110 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", + "sha256": "6d5f8124605ee8d89f23173accb268a0822ca4c9d19c6ee69a82b72a054b8c85", "type": "query", - "version": 106 + "version": 107 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "32963011dca38553023a0d151758f181bed528bee5ecb5b09ac7e98db6994910", + "sha256": "cc0ed08e75b10ef23c81e0eaaeaa4a105adead987b36e625e56b5d3fd95293af", "type": "query", - "version": 5 + "version": 6 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", + "sha256": "11a00101c170955ef44f1ca300cced85620dfde179c9eed8484b753c960993b4", "type": "new_terms", - "version": 209 + "version": 210 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.14", 
@@ -7098,22 +7139,22 @@ "8.12": { "max_allowable_version": 214, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", + "sha256": "021ab9fdaf96cad949b46c2810f09637e27d34d4870bb4544afe5e33d4fcc8fa", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 314, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "3602a1e97b87858224410b312b908c03fd8de29c7043c6e494f1f906e12bcc30", + "sha256": "b28951fe4ef7053b478f08929474a4220e85d70c52a9d83f2779447c8b6a5cfd", "type": "eql", - "version": 215 + "version": 216 } }, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "265742cf965a3ba843e506c2a3b295f9cbd5d86e7cd45f85a3135b441230d12e", + "sha256": "25b753cd927ee68be264ce3804a09298ae399947fa04077161f80d8f6db87aec", "type": "eql", - "version": 315 + "version": 316 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.14", 
@@ -7121,40 +7162,40 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", + "sha256": "4465fa5b7551e881e3e5b66b1cfae96e4f8459191b87e2266b1fc1998c26d690", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "8225645357459c0d58f7893ad549d29d2962f1d7223312aab7feb5c8b918fc68", + "sha256": "d39c0a65fabb51bbd9bbf21cda120d03b4b1891934c8d8298addd7d3585b1ccb", "type": "eql", - "version": 210 + "version": 211 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", - "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", + "sha256": "9c5e49e4ec3d86b7a5b7018df29cbbaafcaa6bc37f325409687ef18528d09109", "type": "eql", - "version": 3 + "version": 4 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "sha256": "221735c970fc3e380f11afa20a31274e578aab37486d9b912fe880f215412ddb", + "sha256": "53f2d959afe1859d602b087186c2f25fd816ce59109d230336260a9d4c9c2985", "type": "query", - "version": 2 + "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", + "sha256": "eeedb6e75b8369f569e27869c6d1cfcc66b89f71b4869f6357e49a43538c980e", "type": "query", - "version": 206 + "version": 207 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "34978ee634354ab60ca9b666477fc311458de3badb024f148a5005ee0469187b", + "sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59", "type": "esql", - "version": 3 + "version": 4 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.15", 
@@ -7162,22 +7203,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", + "sha256": "9a377a031cd4fb9cb9842837169396944442098d99de7fb295b107e286c332f6", "type": "query", - "version": 410 + "version": 411 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -7187,9 +7228,9 @@ }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", - "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", + "sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf", "type": "new_terms", - "version": 2 + "version": 3 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "min_stack_version": "8.14", 
@@ -7197,34 +7238,34 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", + "sha256": "14c220c965f94f3d24b674b86ed86d9a0e093a00d8bb6fc8eb670488981b443a", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "e855ed53b4cfc63e2e39c9229565a1c01d7d48221d8070d431e8dc9e876c8f50", + "sha256": "f6fa075f0e990cc2ced9697647d10fa16903bdde80c50a403c2f4bc7b78d7a0b", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "ae1341f2955bd09f391d9e1c7a700bda4d7f98485c0639ce3a9296fd402d7f36", + "sha256": "e129818b4075375d23aede5312cbcac6b1a4b64ce749202fd8a924cdb2ed5a06", "type": "eql", - "version": 203 + "version": 204 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", - "sha256": "a1de5406513b29e7517ce6db0a932eed198d6f6646dde0fa92bfd7cc13817aa2", + "sha256": "b962ad63b2d98409b515c4dd3a06e95db517c9a7d1b13f171924c19dbaab563e", "type": "eql", - "version": 2 + "version": 3 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", - "sha256": "335243f27a9e9ed1e3642e492e90d9884c17019a2822331a668c6e48b82c46c4", + "sha256": "c1f5f6023527e8ad1b084703495bc9a930c88144a67ab419027b598476b0565c", "type": "eql", - "version": 1 + "version": 2 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.14", 
@@ -7232,21 +7273,21 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", + "sha256": "491014d84ab03e206e7acd9755d0269b2830a9b3f9c44913c29682c433c740a6", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "c31f8fce3143f7e8eb7fcff3e3855ec68728dbb708d60e35ebc951c8dea7b0a5", + "sha256": "46384078f361759cefe252f2ab0c88a0782b3c678d19dbdf8f572efaf67b2044", "type": "eql", - "version": 212 + "version": 213 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", - "sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e", + "sha256": "44bbbdabf96190f26bace4b98f5c51ae42d1a21d7d1da27237875fa98e94a949", "type": "query", - "version": 206 + "version": 207 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "rule_name": "Unusual Hour for a User to Logon", @@ -7256,16 +7297,16 @@ }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7", + "sha256": "181dc50d849f55bfcf9764f49f182fed0798673d7fa5fbf72be7656432884240", "type": "machine_learning", - "version": 104 + "version": 105 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { "min_stack_version": "8.13", "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "e302282bacf904630c492f9029228d942da4a53e8c775f0a4d050c1adc149db8", + "sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642", "type": "esql", - "version": 1 + "version": 2 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", 
@@ -7281,21 +7322,21 @@ }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", + "sha256": "35c6e99bb87ba74e8ad015a7294177cb02da7be90c3c3eaeafcfc7be552d06f8", "type": "query", - "version": 102 + "version": 103 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "22a8ad00011d5f164b7afb9036e0c5c08d16762e2128190811ec8aafe4886bd4", + "sha256": "6af358d3be4d9bb00ef30bfd0dbcf86a28d3137bb9860f1f4798f16b397ca98e", "type": "query", - "version": 104 + "version": 105 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "5ddd8e0de022dc243009f61fe4aed4fd7812fd7d7ce4ff362bb536a2e0dcc1e9", + "sha256": "e909dade063ff13866c5e0f93e3c21f803087e12ab2fec4064af1a3dfa872729", "type": "query", - "version": 204 + "version": 205 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.14", @@ -7303,15 +7344,15 @@ "8.12": { "max_allowable_version": 111, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", + "sha256": "e27879646a752098196f7a4c79196676252e70f55aa7d52e91c8571fcf426996", "type": "eql", - "version": 12 + "version": 13 } }, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "548fe255b858588807657801d2412f86bb23f3f7be4ad873dc10a2106a76466c", + "sha256": "53ab74d6acf45ef59942b5dd19e0d71f5ca14ae4de1da8c6090b4507887d6e22", "type": "eql", - "version": 112 + "version": 113 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.13", 
@@ -7319,15 +7360,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Creation of Hidden Shared Object File", - "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", + "sha256": "d821f3e5a0bf1e2dedce1bdaf15fe58785f4e47e81a99103fd0c35cb62e5fbf2", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Creation of Hidden Shared Object File", - "sha256": "7d8aba7675bdfd4210d9d2d6fb545a6626a13ccccaee4a669650fb3a6381aaac", + "sha256": "4ca005023766d02d784784bb7849d0cc16327545a1864fcca200f297ab249851", "type": "eql", - "version": 210 + "version": 211 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.14", @@ -7335,21 +7376,21 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", + "sha256": "d7ae7c609b2c09df86e03eb23c9f3d9c19a114f3e9e69d99121828e0555ea7ff", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "49a20927f23290c2e144d1b65851802c17c754cff9a811996be6493bd052aa8e", + "sha256": "79ae7e59e1d03bbcfec778070f91b178ec05f43c08636a10bbffb05ee2bca01a", "type": "eql", - "version": 206 + "version": 207 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", + "sha256": "84f537c4a2c1c856bfe6d666e3571345b696959542bcca59883abd23143ece1e", "type": "eql", - "version": 9 + "version": 10 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.14", 
@@ -7380,46 +7421,46 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", + "sha256": "d62e2b76d88602e0cdbf18894a79c5eb6e97d94b79daf465cf55f42a2afa7bb4", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "2b7e8fa40dba01ec3ca76881d26777d3de3ace0c62af4427698b3bd594bd7195", + "sha256": "31b16b50f6ddada62eb767b0e6eb1ff02c6a155e2618729dbc807defff6abe0a", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "d72d3f14698c4424226b130a2b715c698d3064d3c24a739a0927e48acb0f6aa8", + "sha256": "82829ceebd92fbe5abb27cc5e4f5139731a0b337c7f1a8e09ed51ba9d883cc63", "type": "eql", - "version": 314 + "version": 315 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", - "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", + "sha256": "ade0c6d9a4d9740cdb0024f7c02cc8b73775f63d9be285e4692d87bf29938f72", "type": "query", - "version": 102 + "version": 103 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", - "sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30", + "sha256": "4c034f3a9c42c12be6b1a00041754822d517d75f23ddab914c20222cab8ebc8b", "type": "new_terms", - "version": 4 + "version": 5 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", + "sha256": "11fdb1469f92140db4557f4b11369477cd9bf511578238a7b6db0f4a8535243f", "type": "query", - "version": 104 + "version": 105 }, "781f8746-2180-4691-890c-4c96d11ca91d": { "rule_name": "Potential Network Sweep Detected", - "sha256": 
"9121a1422f15efedecd947633f481a8974363778374dfdb1bdcce1b188167fbe", + "sha256": "2cd6f77377a3d577ab8065dba895a7e2180b5a2c9e63cf70c3c343a2e869befb", "type": "threshold", - "version": 8 + "version": 9 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "min_stack_version": "8.13", @@ -7427,15 +7468,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a", + "sha256": "edc1dcf2de6b0222d78f62e7eac490f5069a3917f49022d78a3b84b59739ac14", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "af6cc4cbc5fc5b1750d6673473cc5143ed51bc71ded94a44bef658cd72bc3c90", + "sha256": "18285a5b5c95fc7dda5307e71045134c595f4fc27ce61967134e85c88eb12f35", "type": "eql", - "version": 102 + "version": 103 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", @@ -7461,22 +7502,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446", + "sha256": "0005a9a8a6ef5e1175a1455632c00ea760e3a9af4094ad1ac870f68df926d254", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 304, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996", + "sha256": "3ce0e176a839d12ad331e3842627d3025bbd3ab4ab14d6bd3cc4b7647b783d93", "type": "eql", - "version": 206 + "version": 207 } }, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "b4eea876e31435d0c73ac8768c4954d50f6d10e4862c73652ad1fa9d0faa4464", + "sha256": "d898e75beef6831e445cc1fc945041edc9b598e291f5ad76dc7bbe7b040eb79c", "type": "eql", - "version": 307 + "version": 308 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", 
@@ -7486,9 +7527,9 @@ }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "bb615c82f76f783f0f58151931932eec4f8b1bab35a8600d646c237df38dcb1f", + "sha256": "74064ff365e610605f23b1e89523fbb13694d5231cd3738b21ab8cf30c6d0e2c", "type": "eql", - "version": 7 + "version": 8 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", @@ -7498,9 +7539,16 @@ }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", + "sha256": "26a1c9c9ec61e57e11380743c01f25a54a74cb7f580dde50a1a6d9d43e4f537e", "type": "query", - "version": 103 + "version": 104 + }, + "79543b00-28a5-4461-81ac-644c4dc4012f": { + "min_stack_version": "8.15", + "rule_name": "Execution of a Downloaded Windows Script", + "sha256": "bd592841bf0b6ad530aa3d406b9a9eab1967356532a3378b75aa5fbb032ce9ea", + "type": "eql", + "version": 1 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "min_stack_version": "8.13", @@ -7508,15 +7556,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "SSL Certificate Deletion", - "sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac", + "sha256": "7c7dddf409d27c4336808578a23adad99b63a0ffdc3ca7a3651f429905241271", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "SSL Certificate Deletion", - "sha256": "c081611ae197d81de6a8f032e4e35d9559ed5aa2edde95336b05822f6143e42f", + "sha256": "7e7cc3077f9f831c4c0bf8d8d0cbdb3ab9244f904d9ecc9698a4a1790edb925d", "type": "eql", - "version": 101 + "version": 102 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", 
@@ -7530,22 +7578,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Potential File Transfer via Certreq", - "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", + "sha256": "0ab2916bfd0a5de67b88a693cf85292e73b61538b72dbdc008f37e561b662f86", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Potential File Transfer via Certreq", - "sha256": "c7346c7c1df15029b05df11871734739ec4818f53fd9684c2a583eb85d432fff", + "sha256": "f6cb3500aef0219e60d7a68529a59b0a83d53dc2a4be380f92e62fd0223d44b4", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential File Transfer via Certreq", - "sha256": "317afcd5484f4d5ed77732c52136d63141c3af83abc8cc130d698fd7da4ef84c", + "sha256": "e1897e626658e3fe3b447488817112191c5a960deaee23c8b957ef58ee977d91", "type": "eql", - "version": 210 + "version": 211 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.14", @@ -7559,9 +7607,9 @@ } }, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1", + "sha256": "391c7298682fb3726536a7f552ccf9f49fd3d8d83acaf1ca3ba74e49aa91590a", "type": "query", - "version": 212 + "version": 213 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -7571,21 +7619,21 @@ }, "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { "rule_name": "First Occurrence of STS GetFederationToken Request by User", - "sha256": "97ed856d2841e0782bc46e870d33be5ca0ae8b6df0b3ff8f168f828213f57081", + "sha256": "3e8f2ecf0b50b7db1d4294ac9f9a788f8bf8790151183901e7829cca9aea5f20", "type": "new_terms", - "version": 1 + "version": 2 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", + "sha256": "f59cd7ace12ad2dc5977115a2a36eafbd45b5f549085525dd8a9e4a84885f089", "type": "eql", - "version": 5 + "version": 6 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via XZBackdoor", - "sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564", + "sha256": "5757f1a3f917b887d146a792807c7a05c1495134c028e8a489a70611899aa636", "type": "eql", - "version": 4 + "version": 5 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", @@ -7595,9 +7643,9 @@ }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", + "sha256": "1ba40cb9f4c5c384f4d6b52a76eab02c45e14d33eb930cccf3fb1c329c7455f2", "type": "query", - "version": 206 + "version": 207 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.14", 
@@ -7621,15 +7669,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40", + "sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "fb599d47e089dce25c3906b8a4fb854daf47b44c10decf2c631dea195e9ff4dc", + "sha256": "5760c0ff5525a18ed54b21f9e5b8b7b19658ed8831398454d1df210be1bbe591", "type": "eql", - "version": 101 + "version": 102 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.14", 
@@ -7637,27 +7685,27 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", + "sha256": "9abb27e289a572393ecc8c26044e5a71196cc1d77d152f84fbee7138251de7de", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "0bcdd2692369252815bb0b5c45cdfcebaea56683de999dfad868be1f725d9ddd", + "sha256": "bb2e07eec501f5e296c694526b219607dca9e18bad1a4d862fd1cab9bac5fe08", "type": "eql", - "version": 308 + "version": 309 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", - "sha256": "b29563e9adeb94b3d771f3e0f0316518415fb4312e33347e187c39ba28647529", + "sha256": "886f6f210debfa8b2263107d6bb45787db17443c3f09f62bb792e44159dfdcd0", "type": "eql", - "version": 107 + "version": 108 }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", - "sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a", + "sha256": "5640fd704ed05c227cd8de85371a84f00b0f3086b3a976bd99359b15b0b4d4ea", "type": "eql", - "version": 4 + "version": 5 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", 
@@ -7671,27 +7719,27 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Git Hook Child Process", - "sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052", + "sha256": "cbfd0389fa0ca95a4de245b02e374ee3f3a3981798ed207f5f5ceff7808d654b", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Git Hook Child Process", - "sha256": "bdd3376f6872ff5b5e3f17abeea43a6619585b2c7100c4a5626889edbabbc1a5", + "sha256": "3aeeab0a9f9e1baa8c36a0d3aca397ac0be75278ca1a51b60022819bf9ea8cde", "type": "eql", - "version": 102 + "version": 103 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", + "sha256": "30dc79af79c7ffd88c47ce8902032f7d4088dcc82f73f4da0070e14257270520", "type": "query", - "version": 104 + "version": 105 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", - "sha256": "2b5beb7d7435862fd58aef36fbe1c663e0c9dd064e09b122cce712360569c1da", + "sha256": "1382999f7d36996f9608126c6608707d9d695dcd3298755443448a1d81c27ead", "type": "query", - "version": 2 + "version": 3 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -7705,21 +7753,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc", + "sha256": "7841db675589b43a0132206eb7b239ca46f3ac97ad9193dcf04937159707d691", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "34dce1cb53174696ef9ea5a28676eccf92ecb0de0dc7a010aeaecf9c02a2b2c2", + "sha256": "5a08a86502f4db05eca4b25e854f8f9be1f852325a962075dea70815aacf6764", "type": "eql", - "version": 103 + "version": 104 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", - "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", + "sha256": "f0d040485bd01c51e2c8f158dd600fb222395c139e0268bbbcfde6b0c4be3bc0", "type": "eql", - "version": 2 + "version": 3 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.14", 
@@ -7727,22 +7775,29 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", + "sha256": "f4f3005ebf031857782967a3872088cf11afc078151a683045d3bf756aa415c0", "type": "eql", - "version": 4 + "version": 5 }, "8.13": { "max_allowable_version": 304, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043", + "sha256": "da4714c9dcfb5d07b5b39b1939ecbfc5b46b7da8d7d77a91c9093ee2ee6e18e1", "type": "eql", - "version": 206 + "version": 207 } }, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "332111db4905fbf977cb9ea156d2aa394347669370073cd3430efc581d4c41eb", + "sha256": "647288a0f887d8f1f0552ecfef80652333f04873e5f925195d218507a369b28e", "type": "eql", - "version": 307 + "version": 308 + }, + "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { + "min_stack_version": "8.14", + "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", + "sha256": "e03b56ad3cc6e1d81845996b6bf137225573011b20ba352bde3cfbb18e4479f6", + "type": "eql", + "version": 1 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "min_stack_version": "8.13", @@ -7750,15 +7805,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Security File Access via Common Utilities", - "sha256": "35fc8b548fcc1523cdea4fa29865704d65b15be3c7601e2a1f778dae2d006575", + "sha256": "46ed777838914f516739b0d329e16d62457fc60aedd877440c7cc4022d7ed059", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Security File Access via Common Utilities", - "sha256": "977a2e7491fde0d4fa3a5f2c80a9e93d7c2e5e0aed313fa99a0ec8328bb8b405", + "sha256": "3b40fd7e087f2c301a1f5742e48c632df6fe05921c88d4cdcaf67053bcc5975e", "type": "eql", - "version": 101 + "version": 102 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.14", 
@@ -7766,15 +7821,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", + "sha256": "1fcee1562ccb772f6a7729303e250ead257201a219aa8ffee182b66f784076d3", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "95ee9038faef018973ee81cb960175831ba7c20826685ba790ba0f6926232d5d", + "sha256": "a12e4767a30ca28c3ddc986cf3c77848cd65ddfce15fd96b7577dab2afff5122", "type": "eql", - "version": 209 + "version": 210 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via Built-in Tools", @@ -7784,16 +7839,16 @@ }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", - "sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5", + "sha256": "d28a5fbf12cd038860603dad3a3f927b893dc2a624963063025cbec73932a4e9", "type": "eql", - "version": 15 + "version": 16 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff", + "sha256": "c074c4066439731cdb1ca074f41712d8139ba7383e854e9990c3f5fef99a6a9e", "type": "esql", - "version": 3 + "version": 4 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", 
@@ -7813,21 +7868,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", + "sha256": "1106414c1ef42b911e2c96ae0a545a86614b9a568aa9742419c22b0a71a0e879", "type": "query", - "version": 3 + "version": 4 } }, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "b0bfa7d73d6ccd6142283e63031f550eb9abbf5a4becfb93c6e5c1340752f2e1", + "sha256": "f81754824afd09978cc7c486a795db468b2056bf7fad5883848582f85a47c031", "type": "query", - "version": 104 + "version": 105 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "SSM Session Started to EC2 Instance", - "sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc", + "sha256": "d0cfe0f7d2abfcd56dc76d693aba0e8ff89281385360ae75a90446721d5e85c3", "type": "new_terms", - "version": 1 + "version": 2 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.14", @@ -7853,15 +7908,15 @@ }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", + "sha256": "e29105d1b78b1286a5636c653ea518672e193131ac622f0f3ee2de7f1d5e5528", "type": "query", - "version": 103 + "version": 104 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { "rule_name": "Unusual Remote File Extension", - "sha256": "d33a4fa7f5db48036701cd4df4e4586b2218d47f930a796097379a4757023e30", + "sha256": "f79f2ede08c18655e62fd70d2fdd42a914f43a74abd5019f7356324fbcd96f92", "type": "machine_learning", - "version": 4 + "version": 5 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.14", 
@@ -7898,15 +7953,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", + "sha256": "efc3d78e44e73f61be6817f00d4df5af584ce5e02e96ca5fb45a45d84d771116", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561", + "sha256": "446a5437935aff86d9b2c78df79189e0201a991a36436313898a59f7706245e6", "type": "query", - "version": 314 + "version": 315 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.14", 
@@ -7914,46 +7969,46 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78", + "sha256": "6bf952805cab991d5963490e557576ee982dbb3d351e9a2b4b2a18092b5980c4", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "b1820c87c951dea5911f8205052ea225bd0591292ca0283895f1242d165ff6c6", + "sha256": "e4459ed8785c0a590bfca408bc7e0bf79a7101cffb3c56690bac0f7cebb948fd", "type": "eql", - "version": 108 + "version": 109 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a", + "sha256": "663d1f8ba0fee571a5dcfb323c0f2b66e1b356104fda2cb7d213cd33a51c6f65", "type": "eql", - "version": 207 + "version": 208 }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", - "sha256": "ea85fe009c0baa447a0bfb2014f8b45d2f3ad35fb65a92097ef9e74c24bc5c78", + "sha256": "c728415c613b2f36c5c323bb7c97a17891786e1986c6e4c9ea1b69e3d1500099", "type": "new_terms", - "version": 1 + "version": 2 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { "min_stack_version": "8.13", "rule_name": "Manual Dracut Execution", - "sha256": "293ca3a55dbbb8dfb51898fd8a165e50c1da1faf40482950e3af6498314478f7", + "sha256": "7aacc11b5e41f9a6ee5bb11cc2825d1361cd44bcf69a8fb3d6599be1e9e65c8f", "type": "eql", - "version": 1 + "version": 2 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b", + "sha256": "ed8904ed52554b72e3d4db4b4954ce47beef9e99a0ce76a3106d1cf6c0e89123", "type": "eql", - "version": 7 + "version": 8 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": 
"8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", + "sha256": "b04ed2cc0d2afeab9a1e5ce21f7ffe90acbd75940c93166660e2d41abaa39070", "type": "query", - "version": 102 + "version": 103 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", @@ -7967,22 +8022,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff", + "sha256": "81ca7480b1ca8ad4fd6c7cdddfb2622e9b14641cb9b0b612e22d6bca9e329179", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "13d53b19535acefeb9018df99a3327de628c8cefdf886e9453b33d0f128fb058", + "sha256": "13fd6f48996c900fb7a162c04e7b0e7ea52bd9bb0cf837a4edfb19ebb6c3e8c4", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "13d45d27cdabc4d4143ebc5cccab8fff6f0a87c28bdb2f258d0dab66423371d2", + "sha256": "8f162f40f9630207e21d4ce6a4025ddefcdfc01ac59158bc49c0ef854c20450c", "type": "eql", - "version": 202 + "version": 203 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.13", 
@@ -7990,21 +8045,21 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691", + "sha256": "6662212297b3975808144113e634d7165b30280989ae8729d7cd570603f52193", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "883808e835acb845d8ff5cbd80647149a7076f8dea14f01e0b45b5927f744cc2", + "sha256": "6ffa831c31c4b214a52ff08f056a860da877e2c2a926988622839bc3111d7185", "type": "eql", - "version": 109 + "version": 110 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", - "sha256": "7527cb6d613f3cbebb763fc8b4da705569785eb0d5f20552483a9ac4e03c34e9", + "sha256": "01513b5293f4ae3276aacd57b67b38b4957f57cb9447cfc9e4f4e580411b6677", "type": "new_terms", - "version": 3 + "version": 4 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.14", @@ -8024,9 +8079,9 @@ }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", - "sha256": "a987f893268d128252316712332f0deeb89dbfad27ee9595059745bcfc9cfb1e", + "sha256": "b00d2ec654af8f1f110f648f4094160b9ef9e812d8eb7980b94e0879c40ad211", "type": "eql", - "version": 2 + "version": 3 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "min_stack_version": "8.13", 
@@ -8034,15 +8089,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", + "sha256": "5add5265cea65ff564e6f374b8d963ea6af326fbed8d8d0b3ad11829c55033e6", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "5164b099f1ea1a21b7b6e07b5f4d72e0e2d15a8ec2d03744d57b3590e96b6d0c", + "sha256": "151e0853d12af096c8290858df71ee81fd2ed9a318fca88206295da8a3cb6646", "type": "eql", - "version": 103 + "version": 104 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.14", 
@@ -8074,28 +8129,28 @@ }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", + "sha256": "8c5a7758239101b15cc23eb4fb35a783f8e692ad99783c3801a074cdcd98e637", "type": "query", - "version": 206 + "version": 207 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "AWS RDS Security Group Deletion", - "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", + "sha256": "03916533d138f82d6ba43073f971d26e8c8fc154a5722bfb56b1bec42cb8f26f", "type": "query", - "version": 206 + "version": 207 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", + "sha256": "aee9d293bce7b42db112f783b52ca95f4c163851cb39f56542873a0caeb9f9af", "type": "query", - "version": 206 + "version": 207 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "min_stack_version": "8.13", "rule_name": "NetworkManager Dispatcher Script Creation", - "sha256": "cb638e8f75b4b1f3fec56d06aa0146d0f3870081db365cff4e0d2244b03f423a", + "sha256": "183f75eab447dce4523d4f25e514acf26cfbdf05b137fd5a3fd9eb1b968d86ee", "type": "eql", - "version": 1 + "version": 2 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", 
@@ -8127,15 +8182,15 @@ }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "3d33ca4d8cc8f50f00c2a6b7388013c9b1484a65207ad7bdc9dd221460387ad9", + "sha256": "d1b4160bab5ee676bf3eab50efcb4bff6b9ca03017813d404ac83b5d429c6e77", "type": "query", - "version": 2 + "version": 3 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", + "sha256": "5cb776ec175c443858372adf34644ecc3edc4f4123ab3f91796ab08fa8d0d162", "type": "query", - "version": 206 + "version": 207 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -8145,27 +8200,27 @@ }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { "rule_name": "Linux Clipboard Activity Detected", - "sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3", + "sha256": "ca936e7322accdce60e6973d70b3e164506cb6fb04d87bbe28ee8f64c9eecff5", "type": "new_terms", - "version": 5 + "version": 6 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", + "sha256": "23ada8e36279e7e1d4e063b07f108194166709b11de778959bc24e7eff2a55c4", "type": "query", - "version": 206 + "version": 207 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e", + "sha256": "99a91041952f318c45cf4a8f2aa5ea27a2b4d57079dd6844d7ccdb85e88c708f", "type": "eql", - "version": 108 + "version": 109 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", - "sha256": "48ef2dcad2d1f95fb5e7cd7f890d36ba444b2c045b00f18db67a56565a8fb776", + "sha256": "67beebb88fd866d0c58a2785de107b2bf8f925d18bbbdd790906734f21a39f7b", "type": "eql", - "version": 107 + "version": 108 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.14", 
@@ -8173,15 +8228,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", + "sha256": "8809aba8865764ab7fa1c657c37778c6657378dc4f2cfb4c6127be5e794149ed", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "23ea84a839f5ac5677f5dcd1bd511e1a590fb3a73e3bf7922f0ac80814489841", + "sha256": "53a213d8996a7876b24f56a45cbd4b7f95f660de24ee6058b95deef9899d84c9", "type": "eql", - "version": 208 + "version": 209 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { "min_stack_version": "8.14", @@ -8189,15 +8244,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed", + "sha256": "9bd93a579ae1a7bbd18dedf1ae6dad6e63793a9512980fd85c8ae941687b452d", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "f41675c0e6c71d8ffce61638873343c099dd76784a16afca7fc2bf6896b4ea63", + "sha256": "81c8f8ed0970f15203496f9c2987f89c5c57a24edfbffac2587aeb52629ec0ce", "type": "eql", - "version": 103 + "version": 104 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -8211,15 +8266,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", + "sha256": "7120f5e967222b6743edb0bc495b3453b4d26dc1f63088bff68607f6220e8b59", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "ca38aa28a331bbae9391539b45d46648d9465bbf8261f1320789c780faf60c37", + "sha256": "14dc4752088817761b090bd9e818c960db21258c4ce1aff3ce6e86dbe199d127", "type": "eql", - "version": 210 + "version": 211 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.14", @@ -8227,27 +8282,27 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Command Prompt Network Connection", - "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", + "sha256": "95c1cb5499a597411e4e3b7103680f9d8fb49cf5fc8cb6f354b9483142545adc", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Command Prompt Network Connection", - "sha256": "20e49f8b0cc9cd52d6a4e8878d070cae67b09b9f66c1d604d4d844a1a31a48c1", + "sha256": "f36e46aabd03a9e82d6e55f6c98dcd0a0f0ae620cd00b0ba0f21e7518a759e2d", "type": "eql", - "version": 208 + "version": 209 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", + "sha256": "4eeb21145663f19873a7b259f2aedd9a858885571f911ca166304d52bf4a49d0", "type": "query", - "version": 106 + "version": 107 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", - "sha256": "e6768a2a66d26ab7605de86680ec11417c10c845603ad67d0b5768837751b40f", + "sha256": "222d4530ad568937c4a1e40fefcfd3cc4761ff0cbf227edae0193e631274505e", "type": "eql", - "version": 6 + "version": 7 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -8255,22 +8310,22 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", "type": "eql", - "version": 6 + "version": 7 }, "8.14": { "max_allowable_version": 206, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", + "sha256": "d84240158ef05b04877fc81e2d2f50edb882cd77a53b137f7598c54e84ca5879", "type": "eql", - "version": 207 + "version": 208 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "min_stack_version": "8.13", @@ -8290,9 +8345,9 @@ }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", - "sha256": "3709b15d60903268e4e30eba20dc1d89c099e0aa71b45dcff996484296a8c994", + "sha256": "79396b5a9e555f97305570bb4e88f328ca55471768c325f8cbfdec62e20c30e5", "type": "eql", - "version": 105 + "version": 106 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.14", 
@@ -8300,15 +8355,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", + "sha256": "cd861b1c03ef17e10978c9c1e342be58e0362cd9eef31c85cb7b40568cf5fa52", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "2b1670c842dd4482f2d66f4b20ad288dba295639673efae366e467a0b4347eac", + "sha256": "ddcebc2310acf9c6471b9345d63edcd418123b3e163cca09175bc75defd47755", "type": "eql", - "version": 208 + "version": 209 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.15", @@ -8316,22 +8371,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", + "sha256": "47bcd8271a1bc8780152afe19fa834ab97946e9cba47bcb65d819e92b6625fba", "type": "query", - "version": 410 + "version": 411 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -8345,15 +8400,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", + "sha256": "2753a4670d4217cc050e838bf5a7f4843db23df0caa83fc1017d346297e4922f", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "9a0a3365ed112536df8300b00672c2dd8ef6fac49e7deadb783f732a60a102ee", + "sha256": "61b0dd506782ed3d2c0be8ec13e04db7aa0b88f80d4e4900bec06089bba27de4", "type": "eql", - "version": 104 + "version": 105 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.14", @@ -8361,22 +8416,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", + "sha256": "79486f56c33d6afd1cec4fbf8dc404d0f0e9fc38b19572051d537f800d601ed5", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "a5ba27def82c8a23b306fc36f9fc4d034de167102926baab02506d958ae44b71", + "sha256": "8706ffd6a46a7cdbd2b6400c609ec39bf1f1bf833ecccf2d71a38a9316b96ccd", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bb22de8a34a7d93efe239f27bf92b15ba453c32860882728ed8eba1e57eba71d", + "sha256": "c15790a8f71b15dd684b959f65fa22034a2fafcf821c26c0a2771f727b0c088d", "type": "eql", - "version": 309 + "version": 310 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.14", 
@@ -8403,15 +8458,15 @@ }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", + "sha256": "38bdbda8e1ba1c0aff2f02b3f46c2fc694a92e6a4dfc7244cc948c3e38dfc8ef", "type": "query", - "version": 102 + "version": 103 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "6659d5d4a4edaff5a8ca68cbfaf2a04c0158a37d500c6e10acc18c930935370f", + "sha256": "084b9ec33eedc1699c7dd2f8b5c81771300c6f944ca3fe5c5cfb7039b474cf43", "type": "query", - "version": 104 + "version": 105 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.14", 
@@ -8438,27 +8493,27 @@ }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", - "sha256": "187f18c4d04b8449ae3e946d3e2dfe18c3a5cd4a22ac2f5a20319294fef4e588", + "sha256": "dd976a4b62d0afc39c2d7af53056e456bfe88f3261cde76fa6df84e4948cafd0", "type": "eql", - "version": 108 + "version": 109 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", + "sha256": "cf387e78a1d52b36974bd4933ef7d56730af702385f9a128c2d39cdbfe1334e7", "type": "query", - "version": 103 + "version": 104 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", + "sha256": "fb77d08bdc9f8ec6a12b4b74458cdc27ffcecee0c8497e4268cd82cc72685eef", "type": "eql", - "version": 11 + "version": 12 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", - "sha256": "9868139ca7255c94edd8b10c7750af9f9be3e501bb386dce4f46e240eca21bc2", + "sha256": "528868f65a9cb81c8c4c131dd0d3f9550a95750bf358c31cf275b4585365bead", "type": "new_terms", - "version": 2 + "version": 3 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", @@ -8468,9 +8523,9 @@ }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", - "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", + "sha256": "bee7fd95d7e5e74fcf59ac4cc197777031c190f90b069ddcbe97bbb18762e92c", "type": "eql", - "version": 2 + "version": 3 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.13", 
@@ -8478,21 +8533,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", + "sha256": "b3457a5fe20b9065c1d9ebd5a8629e04c5ec7633c1976306c1002925a7819bac", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "925c7e7ba202c46a58ef9ddf0845eb693f850d8f085c9c701af731a73d7dca0b", + "sha256": "bffefdf6a83bf3a802805b5c6129038b3804ed28da89fb014230a8483be07d8a", "type": "eql", - "version": 208 + "version": 209 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", + "sha256": "b8c3f70d8170292a5f9e3cacb2cee9106f06c4c8f11a83ade3fec287cbf5aa0d", "type": "query", - "version": 102 + "version": 103 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "min_stack_version": "8.14", 
@@ -8500,22 +8555,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", + "sha256": "0271ec3b7dbac27363d1768f6fb6633b1ab0c6eaf0382a21336ca11b2cc1f0b1", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 203, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "3e2c0816b6054ee90afac447a89f0dbd2c8657badf12aedab3b4c1f371c1d799", + "sha256": "1cef3e85f9ce38dcb49c69b0cde38dc80d5d7fe5c048432052116587f371866d", "type": "eql", - "version": 104 + "version": 105 } }, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "6f20b8e3e7b5786f7b0cc4ec248f9c11431df6e0ee30decc8a98078423a583cf", + "sha256": "3827103da350a27cb215e645399cf8761a45bbe50c525c2876fa8bcad9570533", "type": "eql", - "version": 205 + "version": 206 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", 
@@ -8545,21 +8600,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7", + "sha256": "d9d7ef5d8a35b0d509f6c52f7e95a8741f5ffc80c671295bcb5b24651ae9e8b4", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "53543595176dfe8267e4ad2d5a70fdf91eaa2919aa81daf806a9d56daf0fd67a", + "sha256": "4a2ba32e4ade2dda214d50545bdffa1d1d97099b107e173b18969c0cc6b4fc31", "type": "eql", - "version": 103 + "version": 104 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "2593df86374cf3250f718b43d01f4e492da7574bdf8bc54867aad7fc465a8f60", + "sha256": "d66c39f3899393daf54a7c7c7bda79a52b0733a1e71b07e84a34707b1f8806bb", "type": "eql", - "version": 108 + "version": 109 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.14", 
@@ -8567,21 +8622,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", + "sha256": "fcce93128b54c854991bf62a7016a112b1eae5e6fa8d95fc7f0ce183c1695e49", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "8e6310e520c4ac17999de81799f5ab21b14bad01162d9cc5aa9bd5a8acd914c8", + "sha256": "c4aa90522a7d5aa3b88d0036b85d17990ea683e84e7567bc8c9393ae0bc21e42", "type": "eql", - "version": 207 + "version": 208 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", - "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", + "sha256": "2f1fff6789d5ceaa58f36f5b239347b6b2b5b222f513b7cc186e20a943add449", "type": "query", - "version": 104 + "version": 105 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -8595,21 +8650,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Hping Process Activity", - "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", + "sha256": "58160571062e081d702d11bf00b07b9ca2dc75b7463e22d6eb58eb8c00ac7ae2", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Hping Process Activity", - "sha256": "ecea8fb1997a8b5e997b809e522afb4a39b60365f534b0cc14be6897d0df2907", + "sha256": "a60128d77de2c0eca6003d227982fc4c5c80c8c95e0da69ba91713797060a25d", "type": "eql", - "version": 208 + "version": 209 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", + "sha256": "ca9ec7ec6260dfb4afd6121acdc3f0f01cf82233de4bd473e0a4832ea5cca846", "type": "query", - "version": 206 + "version": 207 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "min_stack_version": "8.13", @@ -8617,21 +8672,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Simple HTTP Web Server Creation", - "sha256": "616c2c8d1ae0e869534ba6f3f7f497bdd72792f46de42e6c51d6bebcf3eebd99", + "sha256": "4717868c8d8d29e5d6f9a575a34fa4d179d67b8a82e17f838845ba5c125ee114", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Simple HTTP Web Server Creation", - "sha256": "a8ecdc54a3793f8b6800533929726fab9b3f467cd74293c788c45f4706fcf60a", + "sha256": "df11460970a3eeb111f933ea0c48401c916e8f2f9ba35b1c8595a215b624242d", "type": "eql", - "version": 101 + "version": 102 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", + "sha256": "e2adf962cb1b1cfaa01850f2abc72f2b56fb3c131551c98f605640ab10025952", "type": "eql", - "version": 108 + "version": 109 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", 
@@ -8669,33 +8724,33 @@ }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", + "sha256": "139452a8b12f147a4c17f5b13922c44d88f841f111f7b4b06d4aebfd151c7061", "type": "query", - "version": 104 + "version": 105 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", + "sha256": "eadf846c26261704cc3fd68f5b83bf44f04f3b41d1c3b6392df97969cd66a749", "type": "query", - "version": 206 + "version": 207 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", - "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c", + "sha256": "c52af5241e23b6ee752b9dc026a28a1aec7357c7f102ee305ad6447d3ea619b4", "type": "machine_learning", - "version": 104 + "version": 105 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71", + "sha256": "594a91f74bae3a825e91e973e29f5c443e2bdedb09b4e759c751c5a25aa63b43", "type": "machine_learning", - "version": 104 + "version": 105 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb", + "sha256": "1460c1764afdd458a0891c83634804634714ece5f9e22aac3ad9c6bb91cd4351", "type": "machine_learning", - "version": 104 + "version": 105 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "min_stack_version": "8.13", 
@@ -8703,15 +8758,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", - "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", "type": "threshold", - "version": 1 + "version": 2 } }, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", - "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", "type": "threshold", - "version": 101 + "version": 102 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.14", @@ -8735,15 +8790,15 @@ "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was created", - "sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052", + "sha256": "d6747d1290f1796ed4e4f87144b3b8399615d65f1fc3916ffb33b2060b900a5b", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "A scheduled task was created", - "sha256": "e5b5be0c7d172af228b2b4d7673159c5732796739b2ca948c4486b38d6b867ac", + "sha256": "38d6ea55b4bc9a334bcda8a6cf1640203f0bb3b12a67a82301f1af5765c75412", "type": "eql", - "version": 109 + "version": 110 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "min_stack_version": "8.14", 
@@ -8751,27 +8806,27 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e", + "sha256": "fa28cefe9751d4a0325f5ebbe3ea32294ce408c668b871efac8d0eb508456468", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "7ac59a9ca2f1b45c91bacb9ec313fd3e400a28a06751a9175f3262892e0f96fa", + "sha256": "1e99903005310727ca5c0bc4cc21adb68f7c312b54bc690ac668324fec1d34fd", "type": "eql", - "version": 104 + "version": 105 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", - "sha256": "098648b0ec9a99626b4b9cacd20f79f9028f13d93cda5ddb8c02d9394c758353", + "sha256": "dcc381b0ea011aaffc99fa2552210fb9bd8cfae3fcd9a246033831836d4f5f3b", "type": "new_terms", - "version": 209 + "version": 210 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", - "sha256": "750c2d617d020e994dadb92ce3e0b585d16bbdc097fb24a656bb3e2f95ccae14", + "sha256": "c31135dc17960a856d35663ed054d09eab76047d10a86f30f4cf5b8ec1a7abe0", "type": "new_terms", - "version": 205 + "version": 206 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", @@ -8785,15 +8840,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", + "sha256": "2ff5b58315d4aee44cd2bcec8d5026cc4e7770e3bb4d906ca2489e2385babf3f", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "7363bf0ec1ba1d14c0e88b63d2dd0597d01dc13ab80fcd01d0ca58e10e232b4e", + "sha256": "55c655f3c81ec5fc6d674e2429a40bd0ea00235f4ce1935765a26941a143cde9", "type": "eql", - "version": 210 + "version": 211 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.14", 
@@ -8801,22 +8856,22 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", + "sha256": "de92e4d989f9d5610e757c673fbdc4c456231b4ef81e7f4504698b6c264f9962", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 410, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "b5558abe7fd77b3214d07c369401260d1c211b91845eb37e5f92266ebf92ef54", + "sha256": "d85365573dabbdc204f56fef122dd591e689ffd34004f20d74d2c47e2aa4ec5b", "type": "eql", - "version": 311 + "version": 312 } }, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "af45080cf231cdc384e6d85e2ccc178fd5b9cc69c739e04396373babe9b31ae5", + "sha256": "35de6ffd8fbe84e6ab25ad60ed8b87c3a2cc1e96bff7daa9699c9e6123acbcc9", "type": "eql", - "version": 411 + "version": 412 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", @@ -8826,9 +8881,9 @@ }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", + "sha256": "2915057dbeddaff7f8345d24e40dd53ec41319b7192a27d93e593ef5eee6a45c", "type": "new_terms", - "version": 204 + "version": 205 }, "94418745-529f-4259-8d25-a713a6feb6ae": { "min_stack_version": "8.13", 
@@ -8836,15 +8891,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0", + "sha256": "16145a1b22661ff2e88c9e1ba07836862628630beefcda649d52f876480530d4", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "bc41244d94cc85db15513c451863fe2ca0b0a9340c5b8686813eee0609b3917e", + "sha256": "b5f2d2b732ed56124dc1f618c8aaa4a1b035b3af81246aca47b16d675c5888f0", "type": "eql", - "version": 104 + "version": 105 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", @@ -8858,22 +8913,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1", + "sha256": "4fa63aacb71764801fa191bd2326696f937bd85aa84baa0883b51ec2b967b3b8", "type": "eql", - "version": 10 + "version": 11 }, "8.13": { "max_allowable_version": 208, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "5d504991acb458ceeb163edfc30f03c2b639725ce90470439bd1854d0c508ea5", + "sha256": "1d785de785b00340684b4e0f441211c357cf2ee299f22b28f3bb5e2a3bdf1784", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "5ac9902c4013c4a43232005924bbd2e3ea5837f3b1fb46536414e31a990e9dfb", + "sha256": "10a993dd4620cab6a35f2dfbdfb89ca009ba18a7c60e6e10c93bc8954cacb6bd", "type": "eql", - "version": 210 + "version": 211 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", 
@@ -8881,22 +8936,22 @@ "8.13": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 202, "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", - "version": 103 + "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", - "version": 203 + "version": 204 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", 
@@ -8910,22 +8965,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897", + "sha256": "30e9709aa596d9469d905ec6593683478b4eeb9a2d40edb724b0c2e5f1ba6bd2", "type": "query", - "version": 4 + "version": 5 } }, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746", + "sha256": "d44b1b9ef878285d8dd07da49ecf77844b4892d271d1ebd4ac6631939dd3857e", "type": "query", - "version": 104 + "version": 105 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "min_stack_version": "8.13", "rule_name": "D-Bus Service Created", - "sha256": "f153afa77c393c47714f3400013c4ee67412920ecc93b851d389d74b5f049040", + "sha256": "f49342d2753a20175c2dbbc0a575357ee2a7bbc665af3267b73778f6270b6bcc", "type": "eql", - "version": 1 + "version": 2 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.14", 
@@ -8965,34 +9020,34 @@ "8.13": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 202, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", - "version": 103 + "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", - "version": 203 + "version": 204 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", - "sha256": "85feced66a2d2b2c88a257f2aa26916b9bff95d08871035e142b35191149d8cd", + "sha256": "433032becb5c8020450493b9158692e4e8e93ce81f820b25705231f2942dd2bc", "type": "new_terms", - "version": 1 + "version": 2 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", - "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", + "sha256": "79d1b7004319abbd6311a32bb7e63bdb9edf25beaba2503a2bb7fe596b63048a", "type": "eql", - "version": 2 + "version": 3 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.13", 
@@ -9000,15 +9055,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "File made Immutable by Chattr", - "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c", + "sha256": "61a885e5fd8caa58db1e46f7ac46a9212cb60f45987a57654e44fccf0044273d", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "File made Immutable by Chattr", - "sha256": "86e3735f45437f53bd1261a8da6628e3dfcb6825b335f3447c39923c2c38690a", + "sha256": "2cccc89db8fd4c8b5997d76d60b9d16e04ad9016804c886fefb7be5155c551e4", "type": "eql", - "version": 212 + "version": 213 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.15", 
@@ -9016,34 +9071,34 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Create Okta API Token", - "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Attempt to Create Okta API Token", - "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Attempt to Create Okta API Token", - "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", + "sha256": "72dc3ad1b6b20812a65c1e7f6cc607abd7f61572f341de9e3914d9355437b4e5", "type": "query", - "version": 409 + "version": 410 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", - "sha256": "dee0fa159010c2aba6be29979a0ca7a24423ce4b2897d3bde2f635ddff3fe6c8", + "sha256": "d242e9b768158e113d5b497903704bcf3417ee47dc9240caed8322566a25a388", "type": "eql", - "version": 12 + "version": 13 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Access to Keychain Credentials Directories", - "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", + "sha256": "a58b0877159c33e555ae1f66edde525a759a987fcc04a91aabbd2a35aa5cd863", "type": "eql", - "version": 207 + "version": 208 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.14", 
@@ -9051,46 +9106,46 @@ "8.12": { "max_allowable_version": 107, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c", + "sha256": "61c1a4427e02b605bc3f9c668f45b6c876d901b271b04e6d5ab681b96370ef3c", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "d04ceea45c0ac0f1155e702d8add70dc3c753a765f23720895f180232c65a4a4", + "sha256": "a3103e7a211a1b85248f488f250216ebfa31f23d029f49d87340c7c74ebbf34a", "type": "eql", - "version": 108 + "version": 109 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "min_stack_version": "8.13", "rule_name": "Unusual D-Bus Daemon Child Process", - "sha256": "fbbfbd97ebae57de46748c99eeddc873d89daf60f1b8c8f95b9c1a99420d1285", + "sha256": "047f6e5a12bc33a0db9822bfcc4d9532eb5bb20f261dc8d5d0a6b9d335db1175", "type": "eql", - "version": 1 + "version": 2 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", + "sha256": "996edcf7b84f597c5b917b95706acfa718b8b78ac0fbaaa24a1c9a164374d32b", "type": "query", - "version": 206 + "version": 207 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", + "sha256": "a68596e0c8c08057fe0d449a485c3024b5c19a131d0f8e73a91070d52b2aa5e3", "type": "query", - "version": 104 + "version": 105 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "rule_name": "File System Debugger Launched Inside a Privileged Container", - "sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9", + "sha256": "38153858d0ad809d23edde22212b8e76f0e17a2813aeb4b4b8144dd46c1dc699", "type": "eql", - "version": 1 + "version": 2 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider 
Updated", - "sha256": "4ef7bf5e39de2d55f436f611e2de8f1d905d1ea116d8ff8000753ceb8d2663fc", + "sha256": "15acaee88ae03f37d33254f0274ae68eeef32455fc96461fe20aefd88e49b24d", "type": "query", - "version": 207 + "version": 208 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.15", @@ -9098,22 +9153,22 @@ "8.12": { "max_allowable_version": 311, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", "type": "eql", - "version": 212 + "version": 213 }, "8.14": { "max_allowable_version": 412, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", "type": "eql", - "version": 313 + "version": 314 } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", + "sha256": "31c83a49dd77cb7c92b81b820392ab0edaff0810927f55cfe52754a54a43a48a", "type": "eql", - "version": 413 + "version": 414 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", 
@@ -9121,22 +9176,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Zoom Child Process", - "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea", + "sha256": "9de7f3413eaf33a9a4c7ff77a174eab1cc42d1f3c3f4327567efe65ce7c7db7d", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 413, "rule_name": "Suspicious Zoom Child Process", - "sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee", + "sha256": "d2b8083ef96d8b40fa12bfc2f2ef8433f49b06144264a9bb5cf5d805f26f34e3", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Suspicious Zoom Child Process", - "sha256": "3db79975854f188574aa5d5aec5b4fe1e5375be640e0ac15fa02437975ef0d7e", + "sha256": "75a2acd6fec4e5e9aa275a9b8af68eb1de804913337ede2bfbcd0420422bc0ff", "type": "eql", - "version": 416 + "version": 417 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -9146,9 +9201,9 @@ }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", + "sha256": "4ca383b998699336db64bc99ee8c2a7b52c0fe6e2e57a2a424262b1656f15539", "type": "eql", - "version": 6 + "version": 7 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -9158,21 +9213,21 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "d8b7b25e2fefe1dc94dd57ee87b2dd576cc089e5d7a78dcb91f493b33e925285", + "sha256": "814a1903fe60035acd9815188db701fecb3cd77f622205487cbb5dcdd5895034", "type": "eql", - "version": 113 + "version": 114 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "13bb60d5c1f5306bc12b67f81f15a38dc8238c2cd154896536269d9668d075cc", + "sha256": "9af59876aae930d88fa37449a4e391434ac253a1a3a68a7f19aa8142681af396", "type": "eql", - "version": 4 + "version": 5 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", - "sha256": "8e57b1dbf16d5746922b8edafe41713555a95bb09c7bc1b9f9f63a00bd5c3724", + "sha256": "c07414c56696bd71465558933f65566b033635cd7cf42419eb70a7695eddf4ac", "type": "eql", - "version": 2 + "version": 3 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { "min_stack_version": "8.13", @@ -9180,15 +9235,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7", + "sha256": "71605f19bbfc7c7d7b38c3c938e25db98327f11a8597bfc3707c0b7936fc407f", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "bf30f1636a07e74463574f49efab7d6e8b0cb58dfdcbc00486a72ea8388c3439", + "sha256": "0c916283ee1f0d1637c62ca43d6d9d0ecedc506d586db6f76fbb4760f241bca3", "type": "eql", - "version": 102 + "version": 103 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.14", 
@@ -9208,15 +9263,15 @@
 },
 "9890ee61-d061-403d-9bf6-64934c51f638": {
 "rule_name": "GCP IAM Service Account Key Deletion",
- "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff",
+ "sha256": "2df4707335bb89c170cda8fb27a189ca2e1da3b0a558637041354bc560f3c934",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "98995807-5b09-4e37-8a54-5cae5dc932d7": {
 "rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
- "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c",
+ "sha256": "193707cacca422693c80b0f220dc512aceef3c53ab09b92a266c678eb5066f0a",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
 "rule_name": "AWS EC2 Snapshot Activity",
@@ -9226,15 +9281,15 @@
 },
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
 "rule_name": "Process Injection - Prevented - Elastic Endgame",
- "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa",
+ "sha256": "635f24d3547bdf9acf3c89fcf9ca0a208ab9c5728c280fb1ef000066cf7d0b15",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
 "rule_name": "MacOS Installer Package Spawns Network Event",
- "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584",
+ "sha256": "d58c1f45d74532cc49086f3fc2b1694098a7286463f0cea3fe7512d6b681a085",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "994e40aa-8c85-43de-825e-15f665375ee8": {
 "min_stack_version": "8.14",
@@ -9242,15 +9297,15 @@
 "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
- "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3",
+ "sha256": "f9bab10027d4eaff5c7cadc5613cfdfe2caf71917f01c2298779b3693e458905",
 "type": "eql",
- "version": 10
+ "version": 11
 }
 },
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
- "sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5",
+ "sha256": "aff8ce3c97b8657b94418ecea700cdbd08933e40dae51fc4cac6978e212ebbae",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "9960432d-9b26-409f-972b-839a959e79e2": {
 "min_stack_version": "8.14",
@@ -9258,15 +9313,15 @@
 "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Potential Credential Access via LSASS Memory Dump",
- "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3",
+ "sha256": "d1a480f7832f8712d06096eb7dd3d5ff5ebd8c57a23ccb530abd85f8523c12ad",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Potential Credential Access via LSASS Memory Dump",
- "sha256": "4bf6f2a660c85fd28a35ddf6782205584eb0a142d6df00a0777a759911565330",
+ "sha256": "c655401d4db3c1c8925fad88f4c58efa5897f96092a4eb5e5f39f19ee391aa73",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "999565a2-fc52-4d72-91e4-ba6712c0377e": {
 "min_stack_version": "8.13",
@@ -9274,15 +9329,15 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Access Control List Modification via setfacl",
- "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f",
+ "sha256": "59b417d5b2a03bba13ec5f3948f8dea5787846aa669acafde0f1edf8f4c9179b",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Access Control List Modification via setfacl",
- "sha256": "5fabd6c9b8a348ecdbb6ccf61bd29115e1088e89d594036cb436531de8418315",
+ "sha256": "fd3dc1350984a9b8467d555f148ef21d43fb04f913791ca642896a5a39069f55",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "99c2b626-de44-4322-b1f9-157ca408c17e": {
 "min_stack_version": "8.13",
@@ -9290,15 +9345,15 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Web Server Spawned via Python",
- "sha256": "34fe21a4d673170b9d5de7326cc8f18a359a13a6b97d49085d89e96cf0f9952a",
+ "sha256": "590abb2de8685e9ba6ac1bb26b5ba6e6799b404bca1b24fed7d7e3c37f8f4452",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Web Server Spawned via Python",
- "sha256": "20fb46e1ca6890605aa87f9c08a2190c217b23b3759cc7eca032edf59af64ec3",
+ "sha256": "177d077650fa0b0c0a8d232ffd7f502d9de98c9d95e244261e6accf6e9f047bd",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
 "rule_name": "Spike in Failed Logon Events",
@@ -9309,9 +9364,9 @@
 "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
 "min_stack_version": "8.12",
 "rule_name": "Endpoint Security (Elastic Defend)",
- "sha256": "a4dde703652ee6884fe682bb32efc9fe966aaa7df53bca5436de63d993527889",
+ "sha256": "fe3e81fc1a5dd73c6932676c7b09d087a3b3848733fa74eb5a2b18f068972549",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "9a3884d0-282d-45ea-86ce-b9c81100f026": {
 "rule_name": "Unsigned BITS Service Client Process",
@@ -9321,9 +9376,9 @@
 },
 "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
 "rule_name": "Potential Shadow File Read via Command Line Utilities",
- "sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5",
+ "sha256": "957303ee184b536fc22f9671dbb2ed19527c497f148615b01ab438db8d2d1748",
 "type": "new_terms",
- "version": 209
+ "version": 210
 },
 "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
 "min_stack_version": "8.14",
@@ -9331,22 +9386,22 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious Explorer Child Process",
- "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
+ "sha256": "dd9f2215be389c33f7a237f9116f9ebfcdc92de051c6babfea314a2664c84bd0",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
 "rule_name": "Suspicious Explorer Child Process",
- "sha256": "8911b89e1d09588deb7e5a942983225efff7df52cca7afc92f98f0875de1c7e2",
+ "sha256": "a2a0a26741e33b91efa6e94308f5e4734607222ce87fffcf03ad1682e63fe624",
 "type": "eql",
- "version": 209
+ "version": 210
 }
 },
 "rule_name": "Suspicious Explorer Child Process",
- "sha256": "155a1370c4fc3154277e3947dd506fb75a99bd378727d59485c4e1947de04ecc",
+ "sha256": "e26c452a699c5910201336b89c6df67ad2e167129b2cad1f19a687282dc07362",
 "type": "eql",
- "version": 309
+ "version": 310
 },
 "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
 "min_stack_version": "8.14",
@@ -9354,29 +9409,29 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Scheduled Tasks AT Command Enabled",
- "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88",
+ "sha256": "a89728e7de28de1f41f89eae6884b7434dbd8f948cd682f6a0621a4cd7027067",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Scheduled Tasks AT Command Enabled",
- "sha256": "f3167a9539280f0deb3103a26e2dad2bc7f971e05e60885f5a533db2ba730fa2",
+ "sha256": "bb878ddab8423add89b2fa6d67e8fb17d61aea08318d7adcc5f16859511228ec",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Scheduled Tasks AT Command Enabled",
- "sha256": "6c0f3e8a857f02183dd2476acbc51cd2417ad39b9a38013caea85872f6c0495f",
+ "sha256": "bb1dc73390bf4205bc5518949d88f85a8ab64938716323d47e6c8a36817c07a2",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "9aa4be8d-5828-417d-9f54-7cd304571b24": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
- "sha256": "19bb01d2bfc28053a0a6ef4bba3cc428e187d1c71998e94cabcc80b2b15ef822",
+ "sha256": "5261d7a8d3df0f503139f70be2c16478f9da435dcb45315321b70c9f0136c973",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
 "min_stack_version": "8.13",
@@ -9384,15 +9439,15 @@
 "8.12": {
 "max_allowable_version": 205,
 "rule_name": "GitHub Owner Role Granted To User",
- "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
+ "sha256": "161fe9bc03f0a9bd845c1f1a27a75b057d54285240798bac0af9d268896a8ec6",
 "type": "eql",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "GitHub Owner Role Granted To User",
- "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68",
+ "sha256": "17b30931a90a1e2a268c89b8ca1c50d33a9ad847cf40b03526748115fa47df6f",
 "type": "eql",
- "version": 206
+ "version": 207
 },
 "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
 "min_stack_version": "8.14",
@@ -9400,28 +9455,28 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Persistence via WMI Event Subscription",
- "sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662",
+ "sha256": "034dbbe0e465dbc6001136495954743ac55334e869c7c26cc9a626641ff6aa1b",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Persistence via WMI Event Subscription",
- "sha256": "890f3569bcc29ef77a9be476b20376ebe51917937cb2bde1ca196f0698b6c9ff",
+ "sha256": "0912aa1b6bc991c999aa95627f0b21c7a306638eb24927bdceb97a8ff3299250",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Persistence via WMI Event Subscription",
- "sha256": "894cde78d489d010f90f6c225dc210803634f3e1d380a685cea35bd4605694ef",
+ "sha256": "a374edbd21cdd1d173a65c55d3d972a408a56b5c6350100b0dac8c36141ab105",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "9b80cb26-9966-44b5-abbf-764fbdbc3586": {
 "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
- "sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59",
+ "sha256": "cb064b54fbccc8e07affaf57e4d14856f67f6918ff0c44205cd1c23aa4dcf427",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "min_stack_version": "8.14",
@@ -9441,9 +9496,9 @@
 },
 "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
 "rule_name": "Unusual Interactive Shell Launched from System User",
- "sha256": "b203af3a5e4914073b4c50ace39c1cd98fff18e024f1810b36679a1ae394cf3a",
+ "sha256": "b351f332d2ee0c37576188cba134e30d7fc288887cfb5247b494162043ce2343",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
 "min_stack_version": "8.14",
@@ -9451,21 +9506,21 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Remote Scheduled Task Creation via RPC",
- "sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb",
+ "sha256": "3e15a597d73ad4a145c44b02a7b7c7cd1825b1cd4c5a3278a1c07008434f6a08",
 "type": "eql",
- "version": 9
+ "version": 10
 }
 },
 "rule_name": "Remote Scheduled Task Creation via RPC",
- "sha256": "9860fa33ea3768742f597c39c25196697991a88b7dc7cf668e73827b1da60387",
+ "sha256": "dc1a5b32175347af1afd41737265cbb2862a8c64a10583b52fa85a49f73f1afa",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "9c951837-7d13-4b0c-be7a-f346623c8795": {
 "rule_name": "Potential Enumeration via Active Directory Web Service",
- "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1",
+ "sha256": "a5aa8f87141efb58c5a9fc040430072979a81838fc6185b652fc5d08cae05ac5",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
 "min_stack_version": "8.14",
@@ -9473,22 +9528,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Command Shell Activity Started via RunDLL32",
- "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
+ "sha256": "97790052feabd6d8d92049481818933f920d5128b459958b23b4f454788e1926",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Command Shell Activity Started via RunDLL32",
- "sha256": "382fed94a5329814298bb2fe0283ed3c63d2c0ff9293e69efad3950dfe08121e",
+ "sha256": "b70867b53f9047d648a74ee785fbfb344461397ac17e24dfb7d85c50b80bd906",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Command Shell Activity Started via RunDLL32",
- "sha256": "71bbd98aa70c506906a99a90cb6f320ba14cfe6276decafe44eb330c1a9e7428",
+ "sha256": "d16970d52f5665857e15296e8ce24758baf698ceafc64a1ac5355b5c221c2692",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
 "rule_name": "Google Workspace User Group Access Modified to Allow External Access",
@@ -9508,15 +9563,15 @@
 "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
+ "sha256": "c6feee8b5f84305767251a5980243998d9d4ba2743ad9874895791e3fa10e948",
 "type": "new_terms",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360",
+ "sha256": "8781554bff624a0faedf21aec63a088525699563be1aa50547303cc3af235151",
 "type": "new_terms",
- "version": 311
+ "version": 312
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "min_stack_version": "8.14",
@@ -9524,22 +9579,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641",
+ "sha256": "bfab358531d2fb7cfa9b7a47b1508d37b00322f539ac43fa61530596a4eb2466",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "1a76f0bbf93f2e947cf44f3a49de094b9821895129e1861a2e6f30b6af1e9ea1",
+ "sha256": "29e49c1b420b1f8b800a4ac388b31b3bdbd3de5b3d1bd4a25b3655c2879ec8ed",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "b231de2975d9c748c61f7f29bd2b82eff7dc7eeb84a3b7e15858428d7acce811",
+ "sha256": "3462d5554238a5314c72b9c3f0c56611fd6c922c4c7ee065d1ffc95969e14966",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
 "min_stack_version": "8.14",
@@ -9547,15 +9602,15 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Microsoft Build Engine Using an Alternate Name",
- "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4",
+ "sha256": "1658b389087bc7cd6ee91ffc89a1714168b562dd44451d4c4d6f72702036b9a4",
 "type": "eql",
- "version": 113
+ "version": 114
 }
 },
 "rule_name": "Microsoft Build Engine Using an Alternate Name",
- "sha256": "e5c954ed07e9fd47ada5f8b7e54e8b4a9dbd25bee53943caa9897ffba3703f10",
+ "sha256": "ba5fd2330dd1b6032d2553050acd7351a5e7cd9c1f74152c0fc5a78d0732b6ae",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
 "min_stack_version": "8.14",
@@ -9563,15 +9618,15 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Potential Credential Access via Trusted Developer Utility",
- "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
+ "sha256": "0bb18ca3b493310ba23b616de3d39cfba94773b53140eafec03abd781a5897c2",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "Potential Credential Access via Trusted Developer Utility",
- "sha256": "402957a0efead0143ad51d2e826e9107da5aef344e559d2c85478257a3aa15b0",
+ "sha256": "aef7f15ace1ec416d8e85249577e2301f49840b905843d141189269d3f904f75",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
 "min_stack_version": "8.14",
@@ -9579,15 +9634,15 @@
 "8.12": {
 "max_allowable_version": 313,
 "rule_name": "Microsoft Build Engine Started an Unusual Process",
- "sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e",
+ "sha256": "e084fdc2aeb3587b28f10bf09ec2903a8523537a67b3b1538f46727a736d16f8",
 "type": "new_terms",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "Microsoft Build Engine Started an Unusual Process",
- "sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772",
+ "sha256": "35156b3e9740e59353d84856c46b8780be71d93b456573600a2f5093cea01698",
 "type": "new_terms",
- "version": 314
+ "version": 315
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
 "min_stack_version": "8.14",
@@ -9595,33 +9650,33 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Process Injection by the Microsoft Build Engine",
- "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc",
+ "sha256": "6e08e0961e8712e3fa798614ceba20842f1fd9e78569f3efb5b0236bd2ffaadf",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Process Injection by the Microsoft Build Engine",
- "sha256": "cb223017b8d3219787c5490b16190472e106e9b56b2efb8d0d5e50af116f48d0",
+ "sha256": "926469208de2cc16311faa56f835813cb0da62cf3ee0ff79366e3c2572a11edf",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "9d19ece6-c20e-481a-90c5-ccca596537de": {
 "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
- "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8",
+ "sha256": "ee6fd1c193ca3176b28e1944ae22027cdbe34e8151a5571d2c9571ae0970960a",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "9d302377-d226-4e12-b54c-1906b5aec4f6": {
 "rule_name": "Unusual Linux Process Calling the Metadata Service",
- "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c",
+ "sha256": "4ce9e353cd70a52c2d7d94beb8a05952a35ff6c117689d5ce2d9a7da5af011aa",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
 "rule_name": "AWS RDS DB Instance Made Public",
- "sha256": "d5b10fa1230219482d9260c9b3abc29a378aad24325e84d344be2fa223a72b04",
+ "sha256": "aad06c86f00fc49143d2b0b6c0f3b27380ed7eff0b3cf20193f5338fc2ea0a9f",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
 "min_stack_version": "8.13",
@@ -9629,15 +9684,15 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
- "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079",
+ "sha256": "3e4eea02a43d60f58a4be4bea2a88713ba7724676b52851025572c1bbe451d5d",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
- "sha256": "ba184af85327ab0b30d44303e6f197aa3633bf956b71268bfb4c1cdb7ff0e0a0",
+ "sha256": "e49d72b63706bac64f750445fb8273899588eb0881286ee1c15f8cbf3d4b495f",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "min_stack_version": "8.14",
@@ -9651,21 +9706,21 @@
 }
 },
 "rule_name": "Potential Credential Access via DCSync",
- "sha256": "42787461cd6ccfd67f8830817f8a5a08ce5c23299a470a46c9b4f09e6db3d307",
+ "sha256": "c827437febd6573bc72e13eee68be8b34803f97343b531bf5a4ac64899989cc7",
 "type": "eql",
- "version": 215
+ "version": 216
 },
 "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
 "rule_name": "File Permission Modification in Writable Directory",
- "sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b",
+ "sha256": "5d7f431713626a4dcd90230cc90a452231a2f4f09ce222c8f023205f6921b8b3",
 "type": "new_terms",
- "version": 211
+ "version": 212
 },
 "a00681e3-9ed6-447c-ab2c-be648821c622": {
 "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
- "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9",
+ "sha256": "7b2b92f74b503fc18cf5ef70b93536fbb877f88952c072c944b062b3f8f647f7",
 "type": "new_terms",
- "version": 312
+ "version": 313
 },
 "a02cb68e-7c93-48d1-93b2-2c39023308eb": {
 "min_stack_version": "8.14",
@@ -9673,27 +9728,27 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "A scheduled task was updated",
- "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f",
+ "sha256": "73081f6875d6de77e1cfc1de7cd27bbd885b7f016546a3e004f06be2c614c254",
 "type": "eql",
- "version": 9
+ "version": 10
 }
 },
 "rule_name": "A scheduled task was updated",
- "sha256": "749ba895080051e4aa8e4a2df55b64ca9fb5e99c35767bb1f288e9c07842211f",
+ "sha256": "b4abe619c6873dbbf537a259fb41b785fd39c973534f78af8f41347c1f9a6834",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
 "rule_name": "Potential Privilege Escalation via Python cap_setuid",
- "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3",
+ "sha256": "4fb0c2f13b78a878839b6ca5deae3f3256aad7e97fd364c5e60139f495f526ad",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
 "rule_name": "GCP Pub/Sub Topic Creation",
- "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93",
+ "sha256": "2192b6dc1346c8016c7f7e18d0e4def61f38a7359cb4c665235f7c7a35d81646",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "a13167f1-eec2-4015-9631-1fee60406dcf": {
 "min_stack_version": "8.14",
@@ -9701,15 +9756,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "InstallUtil Process Making Network Connections",
- "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
+ "sha256": "009c0f45c6d544d656f91b1a17dc4ca36d2fa5cda90732b95d8cc0840b82684f",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "InstallUtil Process Making Network Connections",
- "sha256": "539e9bec28c5ba2b0d44bd1a2c646f203f6b4a07abe0fff58707c93fe20a2684",
+ "sha256": "3826d8c2ea0005de5c96f492c5dd896a58db738ff754a638c848dacf6514d220",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "a1329140-8de3-4445-9f87-908fb6d824f4": {
 "min_stack_version": "8.13",
@@ -9717,15 +9772,15 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "File Deletion via Shred",
- "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48",
+ "sha256": "cb4768e9cc77383814b6bf126bda3c193dae302c4d755159f2ce1e4079e49733",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "File Deletion via Shred",
- "sha256": "3d589003c93cc87bb316a3627d284b1a283da55956d2cc4761debccb078a0b8c",
+ "sha256": "88cad104e97ca755480aafaa4a712b418afbe8b9eab3dc5b3a7f41b78982ad6a",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "a16612dd-b30e-4d41-86a0-ebe70974ec00": {
 "min_stack_version": "8.14",
@@ -9733,15 +9788,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
- "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2",
+ "sha256": "ff0cfb580ab3d4b49d481e29249862e6b6880e365188f6042d40d1b3773f1b70",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
- "sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc",
+ "sha256": "12d937324cbeaaa49e957871d3d23a99d065e3a5070e763111e10bcb6a0e9a92",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "a1699af0-8e1e-4ed0-8ec1-89783538a061": {
 "min_stack_version": "8.14",
@@ -9749,34 +9804,34 @@
 "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Windows Subsystem for Linux Distribution Installed",
- "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9",
+ "sha256": "60b4da3686af1892886ef1568adc3da363b41fa02069a8ad5f02c1f13fc5e375",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "8.13": {
 "max_allowable_version": 207,
 "rule_name": "Windows Subsystem for Linux Distribution Installed",
- "sha256": "a67ae649a271e68ef17b80ec7a1d6cea6f39d80a5dec0803424fba96df9a9024",
+ "sha256": "a95daf1b60dd955c84fe99495d627e26da5f8c3071938bff985159d488d74b35",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Windows Subsystem for Linux Distribution Installed",
- "sha256": "0e7f58671c9058c1194ab7cd3b496010e9aa320e5ca20b4bcc8b196c7fafdb4d",
+ "sha256": "ab452a27753833a9982fac9a2797499691153c3fcc51357315acc246796bce7f",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
 "rule_name": "GCP Virtual Private Cloud Route Deletion",
- "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99",
+ "sha256": "1c1a346a5c44ffafc16e7a28a4703248527b03dd10eea79fe823ceb5a035ce73",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
 "rule_name": "My First Rule",
- "sha256": "6e0a27cbad2201b443c14712e096547ab0f70144d8a1777fbc9a7118b6f31701",
+ "sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
 "type": "threshold",
- "version": 4
+ "version": 5
 },
 "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
 "rule_name": "Potential Reverse Shell Activity via Terminal",
@@ -9786,9 +9841,9 @@
 },
 "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
 "rule_name": "Linux Group Creation",
- "sha256": "93d8a95d1c43dedafd6cece3fab8d0b375e5a15801c84585d037fd2c7f361076",
+ "sha256": "6318c4dff530e8b0d50c646549d60a859ca4d6d4881dbcc94e3b5c26620390ce",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "a22a09c2-2162-4df0-a356-9aacbeb56a04": {
 "min_stack_version": "8.14",
@@ -9796,34 +9851,34 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "DNS-over-HTTPS Enabled via Registry",
- "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36",
+ "sha256": "06f788f98600e28f36873cfa890ce266317a1b101169c481fb3099d9c0e35eae",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "DNS-over-HTTPS Enabled via Registry",
- "sha256": "64d63c9fc9cd61923e9f98811c5823a1bb8a27a525a4b54b969fdd7051bb4649",
+ "sha256": "db4b51eff904ef0ef94f2e68fa3ac4e7e64a9bc8c6e03af8a426537789e233c8",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "DNS-over-HTTPS Enabled via Registry",
- "sha256": "ce9a658724c78ad0fb002e88c88c00891614f43d625181cf23e6541447ff4daf",
+ "sha256": "ad7b4900548730f045e3b58898846a5953e28138ddc81ea4b2cb5e8f7bc4f30c",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
 "rule_name": "Unusual Preload Environment Variable Process Execution",
- "sha256": "30e15837fc2299fc5bd51618f8f9d726a4f81121c3e9213c9f0f37b7f1922784",
+ "sha256": "9e16a6d58c5f5a677f1cebc91183afdae5a7ecdfcce34207fcc6f62f65367152",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "a22f566b-5b23-4412-880d-c6c957acd321": {
 "rule_name": "AWS STS AssumeRole with New MFA Device",
- "sha256": "cfb03e9127dfd2a1580d29f64f412173261e28a1c22ca8b51e484f75b870ff8c",
+ "sha256": "bfb7eddaa9656dc8832f4d1a089450b5b180a6620a1dd22d601c7bed17c286de",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "a2795334-2499-11ed-9e1a-f661ea17fbce": {
 "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
@@ -9853,22 +9908,22 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Execution via local SxS Shared Module",
- "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
+ "sha256": "c70b5b61b3ea697efa1bbf34aede51b77d26f0af37f29414c403967c589fa37a",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "8.13": {
 "max_allowable_version": 307,
 "rule_name": "Execution via local SxS Shared Module",
- "sha256": "2084297807278d91612b5ba01c82c2f10551b23506d0009a391feb6f63287dbf",
+ "sha256": "7f90a2bcf9eeaff4a2dc027ec117964bf311dedcbc86cba03a8615c9780c68bc",
 "type": "eql",
- "version": 208
+ "version": 209
 }
 },
 "rule_name": "Execution via local SxS Shared Module",
- "sha256": "1bb9e2021e6b0db51906eb89a0556e7513a62b080972cf61ad4b7dd2a7f01e2a",
+ "sha256": "0411088910bff1036ccad0a0a7e3e47b669f970b76031d73843f1a6ee00aa168",
 "type": "eql",
- "version": 308
+ "version": 309
 },
 "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
 "rule_name": "AWS EC2 Instance Interaction with IAM Service",
@@ -9890,9 +9945,9 @@
 },
 "a52a9439-d52c-401c-be37-2785235c6547": {
 "rule_name": "Netcat Listener Established Inside A Container",
- "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146",
+ "sha256": "04ff1b708f21926ca8673e536f01751da5464d3c618e199dad5190935569c59e",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "a577e524-c2ee-47bd-9c5b-e917d01d3276": {
 "rule_name": "CAP_SYS_ADMIN Assigned to Binary",
@@ -9902,9 +9957,9 @@
 },
 "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
 "rule_name": "Potential Reverse Shell via UDP",
- "sha256": "107d9dba2ad9b03f457311eef2f1d29f5c30f692db76b52c0ecb7ad90cb1bba0",
+ "sha256": "dd7935aa4635611792001b36012fecabe2d6bbb0b7a8cc2f80a706b7bfcf659b",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "a5f0d057-d540-44f5-924d-c6a2ae92f045": {
 "rule_name": "Potential SSH Brute Force Detected on Privileged Account",
@@ -9914,9 +9969,9 @@
 },
 "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
 "rule_name": "AWS IAM Assume Role Policy Update",
- "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df",
- "type": "query",
- "version": 209
+ "sha256": "9b292d485484c3753314bef6df52ec945933baa8293f6967b3f4a326ef8daa1d",
+ "type": "new_terms",
+ "version": 210
 },
 "a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
 "rule_name": "Azure Active Directory PowerShell Sign-in",
@@ -9926,9 +9981,9 @@
 },
 "a61809f3-fb5b-465c-8bff-23a8a068ac60": {
 "rule_name": "Threat Intel Windows Registry Indicator Match",
- "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3",
+ "sha256": "c061bcef15efcf1c65649493512805d27d383b262ef29f1ee14d2c941e88724e",
 "type": "threat_match",
- "version": 7
+ "version": 8
 },
 "a624863f-a70d-417f-a7d2-7a404638d47f": {
 "min_stack_version": "8.14",
@@ -9955,27 +10010,27 @@
 },
 "a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
 "rule_name": "AWS S3 Bucket Server Access Logging Disabled",
- "sha256": "468acf9925b683cd43a8c9d55cff0117071c66f66e7c1a1dfe43b164b6cb22a2",
+ "sha256": "b597402a792a29e82c02d56787dfb0088afb24fe4681fccf800ec8ff10a08a10",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
 "rule_name": "Emond Rules Creation or Modification",
- "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287",
+ "sha256": "cbdf047624c4be0c4e5064b465f23c279737467edb36c6a8f0f51d8081900042",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "a74c60cb-70ee-4629-a127-608ead14ebf1": {
 "rule_name": "High Mean of RDP Session Duration",
- "sha256": "55ef145cde18d6c08b01ce4ece7f4903351d9bdd131a8453002647a668aaa5c4",
+ "sha256": "16d442bb0e68cceb100b590cd99c27126094ef873e1557bc0494c33f672351ba",
 "type": "machine_learning",
- "version": 4
+ "version": 5
 },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "rule_name": "Suspicious Print Spooler SPL File Created",
- "sha256": "96b2fcbc3924d11fc9c3eed38fc768bf6f97bfe8fe667f084d210769af057164",
+ "sha256": "1a8db1f12af5f8f6acda01d02bf1f7858b64b591e8cc97e80b1f821fd01b136b",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
 "min_stack_version": "8.14",
@@ -10002,39 +10057,39 @@ }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", - "sha256": "5550f7f742c87f9bd39c1e4db8db24caee9b67540120dacf5f7b201023626f25", + "sha256": "04dfaf2e0ab843431c44a2508695e0793ee75aea13aa78ee94a7c26e31c27c5b", "type": "new_terms", - "version": 2 + "version": 3 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID Device Code Auth with Broker Client", - "sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323", + "sha256": "3b36ca3385b038425d51a7e5ed4106e263b270fcfb2b2b3f080d747370eb1bc4", "type": "query", - "version": 1 + "version": 2 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", + "sha256": "7af20755d35869e009f843fef6fb3ad74173f1f9d745b649a798002ecd3fb640", "type": "query", - "version": 102 + "version": 103 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", - "sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", + "sha256": "7dc8a4e76f836a2dabc1f97682ff2a8788770c2df8b3c977a9a21e48600874bc", "type": "new_terms", - "version": 1 + "version": 2 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", - "sha256": "41c537740053f42fad23d5168744e96453f28557cccc97585c0f976a10ef5178", + "sha256": "9067b8538121e710f6bc88912dc5b959b87527aba3c8d4799197e2b1155bfafa", "type": "eql", - "version": 4 + "version": 5 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "rule_name": "High Variance in RDP Session Duration", - "sha256": "f40d918cd70e374c3ea932e1a3b6c14fe1d4bea3bc082607586e660708225c9f", + "sha256": "b10636c16f0df07435893373776847351520e760d2923c0ac25814bba42a51c1", "type": "machine_learning", - "version": 4 + "version": 5 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding 
Activity", @@ -10044,9 +10099,9 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", + "sha256": "6388eaea93dbea69b2def246d3830353851466710a017a1b197cf97d811e445d", "type": "query", - "version": 206 + "version": 207 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", @@ -10060,27 +10115,27 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", + "sha256": "521b0deac4fa27230216cb8daf48bee86c9bbef64c5b0dc90d5dbd5acbb31f0e", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "4687afae3e7472fed3b420f99cd3124158312bfbab94cd1f7303fda1d1a139bd", + "sha256": "3408526e0c0dac93e7765ada0f10c56843aec79f4e3c80ff93f5afb3ec32e96a", "type": "eql", - "version": 209 + "version": 210 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "f6ceb7d4ece3477e49b056e9dd3e833f999b2eee034004d015ed34cab40f8df5", + "sha256": "c5e9563513ceff85a4cd305b620e50b46d0abdcd6b749995b72d1dfe43f137f2", "type": "query", - "version": 105 + "version": 106 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", + "sha256": "05234b27bd38c05a4148c880399948bb9f659dc2409c560ff2c17735d399fdaf", "type": "query", - "version": 104 + "version": 105 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.13", 
@@ -10088,15 +10143,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "System Log File Deletion", - "sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350", + "sha256": "9e7b2926bab16d0e65d0b84a1ec35d2ebfe3b10e1f219c4a9f7a8d87a9e5a132", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "System Log File Deletion", - "sha256": "ada984096f2d14c711d004bdf03cf6f511a543fe021a46c40c89c501a6a2b6ed", + "sha256": "90cddbc10f4f4760da203311ee1ccaaffddec3e97369b36fa049935b55906f94", "type": "eql", - "version": 212 + "version": 213 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.14", 
@@ -10104,47 +10159,47 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Remotely Started Services via RPC", - "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0", + "sha256": "c5ae21879f28fadb1daca353f3c354f8f96a89ebe15eb191af73bbe85a2e1b0f", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Remotely Started Services via RPC", - "sha256": "3bca920a328d271bc638274d9265324896cb1635894bb09d8c7628ee499617d2", + "sha256": "470c7c8413962fc0f844e61a7bf6314d1a2eb8517d76b793b627d1ab6c0ee1cc", "type": "eql", - "version": 213 + "version": 214 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", - "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", + "sha256": "b09c6bdf53c574bd6a13c29289040f6d39647434595c2ef5e908596c2f87e744", "type": "eql", - "version": 2 + "version": 3 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a", + "sha256": "dc906d8e338b0fba7e19f677e0f95691c4e1c94fab8b366f0f0fa007db2226e3", "type": "threat_match", - "version": 8 + "version": 9 }, "aabdad51-51fb-4a66-9d82-3873e42accb8": { "min_stack_version": "8.13", "rule_name": "GRUB Configuration Generation through Built-in Utilities", - "sha256": "78ab7ba6d046b4901b164ee6e3fd63c4c9c277b9bd16337514274902f4322388", + "sha256": "6c9d7d72e70ba8fa7028586f7dd96f22a714aea37e9b6a748c48f4c2b84cf5bd", "type": "eql", - "version": 1 + "version": 2 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "d83d4d35e0bb8980567f6aed233e06d8bcb4824a6e438a8f8606f7318ce7f204", + "sha256": "8969379383985fd2ccf5010b8b1c8c4e72e6c2508b920cfb65101ab13bfaa620", "type": "eql", - "version": 115 + "version": 116 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "min_stack_version": "8.13", "rule_name": "AWS S3 Object Encryption Using External KMS 
Key", - "sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0", + "sha256": "c58bc9bcee72af710a07f880ed3df3eceef229e97454f6ad449273d078b06c4b", "type": "esql", - "version": 2 + "version": 3 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.14", @@ -10152,21 +10207,21 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", + "sha256": "83e5654634806cf836873526072beb4a411dbe215b4be002f799dc0eb0866d82", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c", + "sha256": "62b3cce8bb0d092c2759ebc4697ef92d744a740ec8e418ac7370a52052d0d04a", "type": "machine_learning", - "version": 206 + "version": 207 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", - "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", + "sha256": "5b1015d4458273b2f101dd22674b7cc73970fd91015c91ed9c22fc5049ca1729", "type": "query", - "version": 108 + "version": 109 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.14", 
@@ -10174,22 +10229,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious WerFault Child Process", - "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", + "sha256": "5a3182ca2012152d9bd5c912111d82b1f3214a893d6da8417d00cde83cc42f7b", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 414, "rule_name": "Suspicious WerFault Child Process", - "sha256": "c1b3b8d2072d918930efe998f724cf12942ee022c135971e24778f2c1821eb4f", + "sha256": "9e5fa90d4dcc2b7ba457b5d5c1701304fd158e99a68fb7fddee7dee79f9b55f3", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Suspicious WerFault Child Process", - "sha256": "cf59420deb50d843084ffc3320ad39588acb649e55c3c0eb12c54b1d52a3b4aa", + "sha256": "2093382d45530ceba2ddf764b031af27fef9087e0b6f90f1e6cb535a04e5798b", "type": "eql", - "version": 415 + "version": 416 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "min_stack_version": "8.13", @@ -10197,15 +10252,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Git Hook Created or Modified", - "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64", + "sha256": "ec16be4f5fe86ad7212a2520875b8f40ee71728666d7085220d272f1e3929d89", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Git Hook Created or Modified", - "sha256": "f2f13e4195a1e04b1288a31c748ca8bad1eb7112fc9e77a2a5547b948f54a5d4", + "sha256": "0c1a8c2bb10aaf8e8c9dc4c3c70b9fcafe1230ffe0687aa31e5909bf176ee7e9", "type": "eql", - "version": 103 + "version": 104 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "min_stack_version": "8.14", 
@@ -10213,22 +10268,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", + "sha256": "9e311415c8086b3934da0eeaa5ccac777e192f9c2c9953b705e3368c14fad664", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "1adad2fbaac61dd3b02e58f8271efb1177aadfc906d7c20a2a30ce2f984ae27d", + "sha256": "981f0b0dbe49943a8536ee475f57749dedc4e10f1c32351e9ee5c122813eed48", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "02cd6bf4e2e371ef2e60d5a1df762ee51868c135ad78304ce723d27a91a4c7f2", + "sha256": "cf576e47d585c50b59b5886c7f0802f74deb1e56177dc7478d66d1e3a7379fa6", "type": "eql", - "version": 201 + "version": 202 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "min_stack_version": "8.14", @@ -10236,15 +10291,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5", + "sha256": "f0b9a400aad8092fd6bd78cf6124173e5d87d3a8d40fb37af54e7611a60734de", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "ffe2ee7667dba6c6d5b6c0f2e759bd20739ce00b74f2ff55cfa78eaac5c6167a", + "sha256": "6d20396d3b2ba5db4a1fd80aca9c645d4b789dcb0d39161b5dfe9b1d4f1f216b", "type": "eql", - "version": 101 + "version": 102 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", 
@@ -10254,9 +10309,9 @@ }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", + "sha256": "244086ab4aa98317bccdb56cbe25ee1911c6c8b1b5d6b56e5da66e969e9a1aa2", "type": "eql", - "version": 6 + "version": 7 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.14", @@ -10264,15 +10319,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", + "sha256": "73aa4e201e1220c47c689009c0c24f4ef6a0dcdab57655d7f25c5525472d28b4", "type": "query", - "version": 110 + "version": 111 } }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0", + "sha256": "e75ecddee03f0ecd4c9052ef2974471d669da03a7d25fd6c4c46ad39537304b6", "type": "query", - "version": 210 + "version": 211 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", @@ -10282,15 +10337,15 @@ }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", + "sha256": "c893c9924f303a60bf8cafdffaf2cd627c6fdaae221bd7469fe25ef355839d32", "type": "eql", - "version": 106 + "version": 107 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", + "sha256": "0634c4cc8994181d8d803e1f8a015b27a0287326c7bbe72e41f6caabaec65771", "type": "threshold", - "version": 108 + "version": 109 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.14", 
@@ -10298,22 +10353,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", + "sha256": "71cf5c81124dd45113bcb530642c295387bd2b68ee1236cb2a3e8e2f0f0aca2a", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "6bedea5ed62553b3faee7de59fc7d5379a82ec9a852980276971dc29d0c0b345", + "sha256": "86ac334bd5ab8b6d729a0fd45b6134932f7b204b865b83dd786664d0984c3da3", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "de021f1c7c7f774f5ae581c5a8dcf13e91eaa358742311cabddc983f8bd428e0", + "sha256": "88a18ab3c5f799879b46bf994ced31f7d53b1188b29318f70d67e7f1fe7bc832", "type": "eql", - "version": 309 + "version": 310 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.14", @@ -10356,15 +10411,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Openssl Client or Server Activity", - "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce", + "sha256": "8eb908bf23fa02ea31de0dcd624ff3541d1bc60c2389d04820670c32bd4b7244", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Openssl Client or Server Activity", - "sha256": "7f976d99bb3f172f171e5652c8cad18cbd56030f72633c4a5455b0c8f420a2f0", + "sha256": "1b7199791c6d84167d236ea1e7b0d434bbd215be6509536b9d943c0be646d2a6", "type": "eql", - "version": 102 + "version": 103 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.14", 
@@ -10372,21 +10427,21 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", + "sha256": "e36bc47e8ad58d550eb0511c38b7e7ebe9f68e088ec6215f78f7a2780d0f4e24", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b", + "sha256": "014ab6a9d47a402634c60580acfcdbc73e02eda99e30868cdb84bd27f75bfe59", "type": "query", - "version": 212 + "version": 213 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", + "sha256": "fdb9bfb1476b606fed9fb9f5d813bd2649bbfeb1e82522dbab72f7f63e379c10", "type": "query", - "version": 106 + "version": 107 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "min_stack_version": "8.13", @@ -10394,15 +10449,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a", + "sha256": "a1f733e8c14c8a8ddb91a5c919f8598d6578b992ab231ea6130ddff737d80b25", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "a44fc3ff83a0e6aaabac522e599b8f92b95cce50059049fab47a1a16e41c5995", + "sha256": "746d0a429f9ff030e458664ae3eaa0292ccbc3c15e7f707921cde5fa37659e91", "type": "eql", - "version": 104 + "version": 105 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.13", 
@@ -10410,21 +10465,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", + "sha256": "883178d57a5f0e0cf1ea5d9e4c778051a895d0e41a27aea175cfeec0058c9573", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "fb1931f01dca4a44f26a9e4a4226b6ed2eb886d1ca2435600262bbdac2d279b0", + "sha256": "1da815d35ec17c8073f83a5113a2ecc2ed46bc4ea6694beafe243f8bba9f4f43", "type": "eql", - "version": 210 + "version": 211 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "1e6f2fd1e6f9b02629b2f190c0872668bcaaa1d2b3b8011b1798f1e6ebda905d", + "sha256": "36e34a2abf002a55bb25f1d7c6333a2b2ab927c5e1e735f1ee9b1ab5e41b29aa", "type": "eql", - "version": 6 + "version": 7 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "min_stack_version": "8.13", @@ -10432,15 +10487,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious File Creation via Kworker", - "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6", + "sha256": "cc84e69331853cce8fdc6642b517c1976575b91f66f2e049315267bc2bc1c035", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Suspicious File Creation via Kworker", - "sha256": "02ab7ea5b4914325e4e7cf18374acd1f9a35821031152a35fa098ed270466f3e", + "sha256": "638df02131a857a0c394365561637358f6a3ffb4aaa634e28f95a56dc649878a", "type": "eql", - "version": 105 + "version": 106 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.14", 
@@ -10448,40 +10503,40 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", + "sha256": "e98a3d6c4df8d691ad52d2e09453788cdd9059b5d1d1417f8c27adb82ad82604", "type": "eql", - "version": 5 + "version": 6 }, "8.13": { "max_allowable_version": 204, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "bc36274c731c5231be458f7c7b13cbefb5bbe0dba08f745f6d3a65c6f02bbbf6", + "sha256": "6f87d083a88525ef7eb03a6d4dde91d57fecb67021008268bbe38eddcb8de46b", "type": "eql", - "version": 105 + "version": 106 } }, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "8b17583a4547a22fa32e210797078688b3ea53cdd67f93494107cbc65d3e69ab", + "sha256": "6457c55cd14c40cf20aaa69545261b5acc6f52e94266a412cc7eae717c18f7d6", "type": "eql", - "version": 205 + "version": 206 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a", + "sha256": "baa6bc2ea280de9151fdfe8e52180a5e692bd39318a6d37a5177670803b9600f", "type": "new_terms", - "version": 9 + "version": 10 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol", - "sha256": "cb2725c021473f600c5a345ec6f8d3ff117b7ed72f2b96bd4e98d625edcfc640", + "sha256": "c873fc0c596cd973f1b742aac95e71e5cdd88437995ca1108204c81efb510ef3", "type": "new_terms", - "version": 1 + "version": 2 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", + "sha256": "3b1d96fdac5914fb91eecbc97fa8f38bc40a93377e7b9b291e2521e0d62884e8", "type": "eql", - "version": 4 + "version": 5 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.14", 
@@ -10489,39 +10544,39 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Local Scheduled Task Creation", - "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0", + "sha256": "153a680562c2db766ddc13960ff0b1b1d40590dbbf944177fdb07680c4695cbe", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Local Scheduled Task Creation", - "sha256": "866c1232689b9c39d30a1a03948c4544423e632af7fc8b8b42c69e4a88ca637c", + "sha256": "a9a640dba899a3c92c6a25fdfce9b2ce29774069d5e4b49e89209b64d0bd8431", "type": "eql", - "version": 208 + "version": 209 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": "Network Activity Detected via cat", - "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", + "sha256": "7be4987e791da9dfabee670a6146bc8feecdc79d6116df0d953a8ba12d281ac5", "type": "eql", - "version": 6 + "version": 7 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", + "sha256": "9f17380d50e88b7451dd13c376b322d5597ee174ee532322e00728ddd30236e4", "type": "eql", - "version": 5 + "version": 6 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", - "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", + "sha256": "f446d6a851c5fb5c1d8c57353f72923d40776727f9f1464155a7eb802e6a9d92", "type": "eql", - "version": 106 + "version": 107 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", + "sha256": "c76e638ceb65578acea1d18f1415cffa579dd2b5922507665d774472de710a4f", "type": "query", - "version": 106 + "version": 107 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.14", 
@@ -10529,22 +10584,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Netsh Helper DLL", - "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", + "sha256": "ae6521e56ff6823f52f0061b21556a43efe712f7fd43485bcc1e437849bb0c4d", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Netsh Helper DLL", - "sha256": "12a75647b89fa1a4bbc61d7654d7f62e6c69fd20f55ad24ff83e672bbb8ca97d", + "sha256": "f6a3950e6a53ae6b222eafb2db8745cb0c160be006a075c08b5fd6a0a7f9a7aa", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Netsh Helper DLL", - "sha256": "54f00272d79b87fe262ae02033486e748e84d4ab22a02b091b094c3cb456d4d5", + "sha256": "8b1858525694ec6e7adb1eb4300cdd4ad1e6e4721418a4c30ff5567d37ed66f4", "type": "eql", - "version": 202 + "version": 203 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { "min_stack_version": "8.13", @@ -10552,22 +10607,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "9775897dddd3d5ea2fa72deb33baef8f2737925ad1d5be0ea764df8986e49111", + "sha256": "6108a4f29f29a7a3de508648ab5fc9681b4307662435aa380267f50682002e00", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "801f1305ee382a5aa0d97a9fe784df8f025d7b4a31f0a0560ab3165dc7731fc9", + "sha256": "354b847a7f132052a3849af3c53e5def5104dd2dd73db94eca1fed67cfd83e8e", "type": "eql", - "version": 101 + "version": 102 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "min_stack_version": "8.13", "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "b4bb7df60780eda7a7112af699e8f9eeb886859104a14dc0c0e590d88fbdfc26", + "sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e", "type": "esql", - "version": 3 + "version": 4 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", 
@@ -10593,9 +10648,9 @@ }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", - "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5", + "sha256": "b3411c6b99d0c79d2fe1c0df6b34fe5c2a9866107f061e8bc8b9c5ae08a66c80", "type": "machine_learning", - "version": 104 + "version": 105 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.13", @@ -10603,21 +10658,21 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab", + "sha256": "0d0bd0de1c42b394ca6d718a32761db9128689309c818676ea02bd44009e6f48", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "0c04cfa96ede82a6bbb59d8e384474d50b45f25914ae1e80b8f511c08aeb6711", + "sha256": "c8f3a33a1eda62ed530a6fc161bba9b0b5971ab42727c08f73a793be0b2199f8", "type": "eql", - "version": 212 + "version": 213 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", + "sha256": "723230c66b898eb377542e469559e3654604ede32b8721af457c83afa144c4da", "type": "query", - "version": 206 + "version": 207 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.14", 
@@ -10625,27 +10680,27 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Compiled HTML File", - "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", + "sha256": "8eed8d54357b27cc75f72fb6d8bfbf8329b2bd2a0c09b43187d7132a3a6e195c", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Network Connection via Compiled HTML File", - "sha256": "116a6ad1cd9cb04c665956e8d54a4b226e296be8ffbf0a20f7073e7b6329ed3a", + "sha256": "7399a81fb47d057bd4c83b8a488b4fe9e614fe9fbca03daa78018eac37dcc058", "type": "eql", - "version": 208 + "version": 209 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d", + "sha256": "2eb4c2399504f67ff666102ceed72f7d457d96362545c820950c951e0fa3c5db", "type": "machine_learning", - "version": 104 + "version": 105 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "5ef62fe38d22a4511a897c8008ac45dc5666daf58d4330f04538f49decbbeea1", + "sha256": "b66f1e7d1ec9f7028453eabcbf79b0a385bcd2f7f051b6c42fc560f604bf3ebb", "type": "eql", - "version": 2 + "version": 3 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.14", 
@@ -10653,22 +10708,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817", + "sha256": "788aa64f654d1ac9b8ffd4d72359798797fc89867374541a87bbe9a894fcf4e5", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "67351b07df4aa1f47a5962233ac558f0f841b0b99dc69791d778f50a1490b724", + "sha256": "319f2d05d6abb9b5ba124cc01beac7e744ae47dc12b992b2bed1a9e23f17d27d", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "0cf7c5888e6bd4702f883dc4ba471a0d9c383c885d4588e6fe1a7ff741df7a15", + "sha256": "36ec98bc6180df8ef468f9c0214119135f7e9048ef4758dc1373818fc33d81e2", "type": "eql", - "version": 313 + "version": 314 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.14", 
@@ -10676,34 +10731,34 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b", + "sha256": "e8d26c789dc518e64dbc8a2ebc802ec86ad2ece06bdd9b24713721e87e4c3f2e", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "8abbd6548883de2d4be1a5b3301cd6db8b4794b27c6795d260aa7bc4563dbf15", + "sha256": "8e1370bc732b7ca13a8a4398d2978e5fbce22c79d8ed69889d4271f8500f9347", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "40c7f66bf4e89df1d59470f6039032a32e6991959d8e11a12649604b2ba79da1", + "sha256": "ada7de75fee9e8d288c51a4bea4856ecbad5060b978f2319b741a67989164c15", "type": "eql", - "version": 210 + "version": 211 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", + "sha256": "bdd06953c595a6c37482e67037eb72fb0d5301b42a5f4343e549c01b8c7cbb52", "type": "query", - "version": 106 + "version": 107 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", + "sha256": "2f8c1a57650a8885345541c39bf72fc1fb21b8a10ac375920f107bc8110e7c76", "type": "query", - "version": 206 + "version": 207 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.14", 
@@ -10727,28 +10782,28 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", + "sha256": "7e95af47b812b851ff7c0d56818e3f8c2aa918a77fc10b771a33f6b34d47291d", "type": "query", - "version": 410 + "version": 411 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", + "sha256": "e577352f4e85cfd958d5873c0804e639b7b3bf1f869e7ccc0f203e6d2492672d", "type": "eql", - "version": 5 + "version": 6 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.14", 
@@ -10798,15 +10853,15 @@ }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", - "sha256": "f7dabab39fc646885b39c4c9afb130a28ee22c77ab5d59c1661931a5024b5ea4", + "sha256": "632c8e11b721e5ec61820d811a8007bab97cc61f20dcaac08301345e24d0651e", "type": "new_terms", - "version": 3 + "version": 4 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", - "sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d", + "sha256": "fff06615434083388a264c460161ae05556bb720792b5e921a635a843dfd4739", "type": "eql", - "version": 107 + "version": 108 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.14", @@ -10814,15 +10869,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc", + "sha256": "60fa1c1f92316dff5dbafafb8828c4493eb084e0a892fef14665afb65d337269", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "4f452d9f56b62a85917e5573aa9d6ccec3f73e1f315ed4713033aa6c121baad6", + "sha256": "972276704cff979323a1023ba183a94c4a7811ffb359898829ab87df4c85a032", "type": "eql", - "version": 210 + "version": 211 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "min_stack_version": "8.14", 
@@ -10830,22 +10885,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d", + "sha256": "1f948ef193a4bd5afe3496e85933faafaa574a3999c3f5ebdb743dc559799312", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "a781b7d7d5cb0610d58d9d15d1958e44ecdca51bccac374b26439493b44aa19e", + "sha256": "668a4b5083f2e5cddf17ac87a8d72dea5459ecb274000056b4b1190cf8cc9bb5", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "72b427f54c6695f023af0e9104a96d6c24a4b1b4656b3ad7c04ec87636e4af2c", + "sha256": "bb6f902b009039096c1412de2474ec0ac73ebe4aa60b042d2c63f0b0a7d3d2bf", "type": "eql", - "version": 203 + "version": 204 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "min_stack_version": "8.14", 
@@ -10853,21 +10908,21 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62", + "sha256": "84cb2fa184205ec6c7b5ebef44c3cf43d7a24ecba9aec4c0f148e7a5973fe61e", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "af45308979a39d4eaba7f820d1065c522553f97422f59b37e1ceaa30e384f5b6", + "sha256": "ea54cd3fdb16046632a7a7a59ce1c225ff10aa9102c2044d0a293ea1b71c04d0", "type": "eql", - "version": 102 + "version": 103 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", + "sha256": "cd16ad7a073247fc161d8c2ca330792ee681647ebcd1f37bb77fdc876df61cda", "type": "query", - "version": 103 + "version": 104 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.15", 
@@ -10875,28 +10930,28 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", + "sha256": "08c9c6276d365fc690a88084ebcbae48a7842785385a954b0ed862a4b2a174dc", "type": "query", - "version": 410 + "version": 411 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", - "sha256": "5380c3038a2af299ccd3b033b1406b58964ffa17c1f58df16c2ef6e5cf6cb8f3", + "sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3", "type": "threshold", - "version": 3 + "version": 4 }, "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.15", 
@@ -10904,22 +10959,22 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", + "sha256": "e169dafee56e838f29e144fabeded937b7f9b89958e3b1bd0ecaf6001a8cab9f", "type": "query", - "version": 409 + "version": 410 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", 
@@ -10949,22 +11004,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", + "sha256": "07495ad3087d7d941d4ac6b44ccb6b4afffd0b7a10b6cd91e41dc91e2c8bf5df", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 410, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190", + "sha256": "dbe3ce72ae96d9a388571dbaee69e57b2e0783bfb28d89c12682e731babdc79f", "type": "eql", - "version": 311 + "version": 312 } }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "1a2bd980116032f3b23c60f6ff7d330af67914677769ffb5257e3c4586c81cf7", + "sha256": "f6b6199880ad069f381932ed419cc9eb6a89a0bdd3a8643c23bdf0f8ec1375b6", "type": "eql", - "version": 412 + "version": 413 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.14", @@ -10972,15 +11027,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Network Connection via MsXsl", - "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", + "sha256": "6fa622d8cf25c559993ee681c4c59fe4875676f7a1e75fae7f9837ae73c39837", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "Network Connection via MsXsl", - "sha256": "2a8d4623d634d9ba410321005df48a3d01e6223aae8df69789c9d8d06ba0b095", + "sha256": "1d3c54055176ee07cd35f819d276249cbef1c3a9d0f0f4e1baa830336b20aaf7", "type": "eql", - "version": 206 + "version": 207 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.14", 
@@ -10988,22 +11043,22 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Kirbi File Creation", - "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", + "sha256": "c10cf18764bba367c5dc4f521024dc94ef68710285c6f90a067c4237780913a5", "type": "eql", - "version": 7 + "version": 8 }, "8.13": { "max_allowable_version": 309, "rule_name": "Kirbi File Creation", - "sha256": "d4bb7b621d40378ce8bd39a87d46ccfedd440b733962e100fa3813f738a80a22", + "sha256": "e4040481f58c3fe815861e36ac5ce0ae5800f0c677fbfe8fb4f3b92a3ed843e3", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Kirbi File Creation", - "sha256": "9c52cab4c0ede53965241d9332ed5d03335a7efa2d96067f2cd95ea3844f3e1b", + "sha256": "4657563a7e924aa8d3e22e93a3d7b63359d96a5f3fca0bcc8b2acf48620e8517", "type": "eql", - "version": 311 + "version": 312 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.14", @@ -11011,22 +11066,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", + "sha256": "58aa89bc163a9683f9b49afe3a23214fc5db86e93510a6cec8b716e16e93cbe1", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "0cf05a58ea4296f5dd53393e3fa87a56decafbc24ed8a95c02173a6278d99696", + "sha256": "cbcbee9fed32c048febce9bb94050b601d2a11f48b70199fced4a32261b24be1", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "214ce6ab3146a3459a0af3b78a456204ac356e19d633e99e5b038f6e42f1306b", + "sha256": "5279287a7c569096f588da6a81739ad2b52940bb1fde4b4cdfc5e18d4c91a8f7", "type": "eql", - "version": 309 + "version": 310 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.13", 
@@ -11034,15 +11089,15 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Chkconfig Service Add", - "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985", + "sha256": "86f0056ad335bea28f944aa15d086beedcd4cf45c699a155c5d200a3c5f35630", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Chkconfig Service Add", - "sha256": "79b56443468b45ce575c9a254a235d16a81c2aa037b5f0b8468ab2ba1ee11c68", + "sha256": "21e5aa78000484a6ec71a88a5576fdb6b587b05dcf7dfce464c4f80c2acb36cc", "type": "eql", - "version": 213 + "version": 214 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", @@ -11052,9 +11107,9 @@ }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", - "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", + "sha256": "19d1c906ae5392003ceb75e3b5029ddbf145381cfd2a57fe149af0c098078bcf", "type": "threshold", - "version": 4 + "version": 5 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.14", @@ -11074,9 +11129,9 @@ }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf", + "sha256": "6eb78e4e68db04a09adf0fdb65a67e357d7241e22256f53fa3efe38323d47515", "type": "eql", - "version": 111 + "version": 112 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.14", 
@@ -11084,22 +11139,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", + "sha256": "30d3fcfb86a4c9e23c5563059dc2df4b75f106ceedf2a7f57f7731cb984430bc", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "bda5b68f6a9ce0faa83bde7e30a5eec3d8841869e427b86112cf0f0a52a6353d", + "sha256": "021d6661e231a18c2c0c62fe88c1b3a16cf3dfa20e449e7d6c704c50f70616ce", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "9623c43706d421a241ab6b399c014dbf39d8e09e1801bf1e8527980848090a52", + "sha256": "8448fdad37a26284d2c146a1c6f84be4345849b97567a3c0faf586e92b59aada", "type": "eql", - "version": 311 + "version": 312 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "min_stack_version": "8.13", @@ -11107,15 +11162,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4", + "sha256": "19b3cd102fa17756195c9b9ed7ab06bb5a730f2d79302f0afa39106c89e7525e", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "7290db76baf9144af96253a9ce550a595a2a9f73702c03d611771e991ad38f20", + "sha256": "bf75ba62f1105bfb5b0c1a6818eb8027febd42efb55d134e7d5d25f967e06369", "type": "eql", - "version": 101 + "version": 102 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.14", 
@@ -11123,27 +11178,27 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Network Activity", - "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", + "sha256": "cd715d2616e427081beaa901230dba625ab6c14e52d0571ae643a92f04c77435", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows Network Activity", - "sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4", + "sha256": "006889f0bed32a73ed4d97e42325e7b69cd13e35ed45d30f6b58a091b6f54973", "type": "machine_learning", - "version": 206 + "version": 207 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", - "sha256": "58bc4d819e8f3c20c185397da3f15f20e53974723a07372c04ba0d8368367511", + "sha256": "78203718bf9153ae050ec6e0c41b037e34f6916e09b6cfb0d771158a41500c71", "type": "esql", - "version": 1 + "version": 2 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", - "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", + "sha256": "33f5ec32f53d28ddc67a858bea818290a2defa25dbb7487eca3dc127a6b2c2e9", "type": "eql", - "version": 3 + "version": 4 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.14", 
@@ -11151,51 +11206,51 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", + "sha256": "998cfcfee5231e24bd5fb08c5921e0c9915f8d4b9db65d1b7daaa574cbf601af", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "94ce634225344b3f6df8c3497393fba829c409f0d01520f34d4611a74ed8bea3", + "sha256": "bf12d588236251e2feda39ddb4621aab72de0d06c0cc78366cfb8cde48293fc9", "type": "eql", - "version": 209 + "version": 210 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", - "sha256": "8173c3edd7611e8e6ac7f67f431510c5f5f03b166aebaf51c63f23002e51efab", + "sha256": "5142cc67f154e6eca142e3365f66a98511c0ea7276fa784ece159df9c9204371", "type": "query", - "version": 1 + "version": 2 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", - "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", + "sha256": "ee0a9985f47c61b4899e6db0ffb46a7ecbf7889137cbc89ba4af8a83b184591e", "type": "query", - "version": 102 + "version": 103 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", + "sha256": "38ebab645d36ccdb700fab60ae741b7fc1fdcd857893d3f9a8bd8d8104af6e69", "type": "query", - "version": 206 + "version": 207 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "OneDrive Malware File Upload", - "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", + "sha256": "b6bae391783faf8fddf063267243569a829caea469887045e326ef63f991dada", "type": "query", - "version": 206 + "version": 207 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", - "sha256": "0586e7ec163e6ee3f44ce1f67ad461e83904af39fd44217e236e606f06b3631b", + 
"sha256": "05243ad8bcf1c489dda20542d41494fe6641f590a7c9163823244bca9ef5e080", "type": "threshold", - "version": 8 + "version": 9 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", + "sha256": "d2591be6119e7fd59bceea00f9241d1477bfca0672c2bddffa9aa118eba5e5a5", "type": "query", - "version": 207 + "version": 208 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "AWS Root Login Without MFA", 
@@ -11205,33 +11260,33 @@ }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", - "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", + "sha256": "0e92d2b35ccf8e91dbd05bb2cf976add13ed7c2ebe9e7b8f3a14e6ba4423ddfd", "type": "query", - "version": 104 + "version": 105 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", - "sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642", + "sha256": "c495eca6bcb598a318fb77f1671382014e7772f5465284d0f6c25913744e6e5d", "type": "eql", - "version": 2 + "version": 3 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", - "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", + "sha256": "ca00d2bc624c0e0eb4f4138104ba3f44baf33fe7d37ef8b693d45c8809e8f686", "type": "query", - "version": 106 + "version": 107 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", + "sha256": "585daba14bfe511045ed1f9225e2c8ef3004686898d5598678574811ce335190", "type": "query", - "version": 102 + "version": 103 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Potential Non-Standard Port SSH connection", - "sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42", + "sha256": "af251fd5a27dc1da60e95a6f5bd4dcf2a8651ea1becf053232e00e667f4eaac8", "type": "eql", - "version": 6 + "version": 7 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "rule_name": "File and Directory Permissions Modification", 
@@ -11241,15 +11296,15 @@ }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", - "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", + "sha256": "e63ea7699aec49aa63199a96c6f12b53d541b10b9035007f16c27383a357cd39", "type": "query", - "version": 104 + "version": 105 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", - "sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33", + "sha256": "4c0f453a7ee9fec7e8d4245344823941109f187ed0b227e6556e050122701cdf", "type": "query", - "version": 5 + "version": 6 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.14", @@ -11289,21 +11344,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c", + "sha256": "e65486c1eace3f2cba2f77b32a8523d31ee20a81635805ba14e9344aff57dabc", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f", + "sha256": "f993d429934670b2858130841325ed6efbed63e48d06218e4b98f59688c119b2", "type": "eql", - "version": 208 + "version": 209 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5", + "sha256": "3631d09f36db2837c95c7275f4a50e82f4de95b0d0073c8f8e590b4962170e27", "type": "eql", - "version": 8 + "version": 9 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.14", 
@@ -11311,15 +11366,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8", + "sha256": "c8d4db837c40680f29b2140e0f41995c0ce4aed2dbca551b70894be0abd9fd37", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "648bf202efc778e1ea44b6f4bc7c7ed4bc604a577fcc05f919cf3c4039e47be7", + "sha256": "2100b7b6c9f3ce481f1dcf4333c039e84300cc7aa056627d9862759994df042c", "type": "eql", - "version": 209 + "version": 210 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "min_stack_version": "8.14", @@ -11327,15 +11382,15 @@ "8.13": { "max_allowable_version": 100, "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "fa9ae9a7e20aab6c162d2e5a0efe0f3abacb8e51ecc0dfde0e1e9ada66b911e5", + "sha256": "128e25dc4dd9800c4db478e306a37b6768835a4ef62f53f680e0cdd502d7d9bc", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "de2a9f336f392f64c5a8f2b0a31498085b0ef328787d7393babf01a457d396ae", + "sha256": "a97e98b65f9fd4cfb965319493b00bacc31ef7a46fb0a50e22baa11a6fba7ac7", "type": "eql", - "version": 102 + "version": 103 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "8.14", 
@@ -11343,21 +11398,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206", + "sha256": "a2ccf5e3e960c49d64850d992659f30b31d2b4619143f6ace9586298ada41e55", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470", + "sha256": "9b8577a62bbfbbcec6a5aba3c11a4d4901222b6a7403c548c74dda4a01e5f84a", "type": "machine_learning", - "version": 107 + "version": 108 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "rule_name": "Unusual Remote File Directory", - "sha256": "7b9570bb0ddabacbeccf2b03bf6ea05d0ed3a286165e5b807313c17531ac9116", + "sha256": "02fd93eaee629a0cd91484e1809579b28f142b07255c4e850b358d3255e40870", "type": "machine_learning", - "version": 4 + "version": 5 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.14", 
@@ -11365,28 +11420,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7", + "sha256": "1bf926c25f9a52807b31c6c522765f3687f5c07aded267e5efb051935cd32426", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267", + "sha256": "50a2fccdd9f12b719de8bf5aa6575e9411a70beb5f69f0d624a2d57b94565894", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "f4689b888fd798880d919b9f8ffbd6b0e6a45d941a01ac44077e773d933a4b5b", + "sha256": "760c0bdbfa8e2d2cbd1b79da8d81f2bef5f54a26c29695209f466ed712a2ba4a", "type": "eql", - "version": 312 + "version": 313 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", - "sha256": "0703a09b818a7309df61f2173cfadcdd04899c0f597c70caebec0a6a7a077968", + "sha256": "5ed9f6f791ac753a0f0fa1e54b8d921e255e589b1e837cdbd454b8d4cd6703a5", "type": "eql", - "version": 207 + "version": 208 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", @@ -11396,9 +11451,9 @@ }, "bfba5158-1fd6-4937-a205-77d96213b341": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", - "sha256": "c3cf350e861be02338f712fd3772691bcefeb7f7d07e9718eec2fbc3476c707e", + "sha256": "ea23ea39e92ba2c5aa62c8b58b895f5fc1b9ed7e1645e2d1ebdf6f94725f24de", "type": "machine_learning", - "version": 4 + "version": 5 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.14", 
@@ -11418,9 +11473,9 @@ }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", + "sha256": "d1081bdf15942c3ead0b673aca3c61da00f6a80d02751edf2450107ee01283ad", "type": "eql", - "version": 107 + "version": 108 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.14", @@ -11428,29 +11483,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", + "sha256": "7e6ca9dcd52afbbcb0b9a55e6aa6e2769fa1ec0eea2be911c612512a3d980c07", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "46f5dedea1c425098d98714b5c270d6a19a1448ac58d30298bfc61ed75871e39", + "sha256": "2c89d3ecf4ae5e9471d08131a67258ada5c25e166066700187f8fb376b224e4b", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "22c604dcead155c536a23f4687ff4c4ff12c55e14328e455fe26c9d245f4db2f", + "sha256": "b27fd36d7d58fc1103502201694ebb4f9711505eb7be212b1970a49aa4018803", "type": "eql", - "version": 310 + "version": 311 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "AWS IAM Login Profile Added for Root", - "sha256": "e97ee0da03a10eab7cd326f1e77d4b2c462848200bc15e183a7be0b2074dcca1", + "sha256": "260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa", "type": "esql", - "version": 1 + "version": 2 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", 
@@ -11460,9 +11515,9 @@ }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", + "sha256": "a4ff1c4f9d920c7e68294561498fe4fed983eb988fb9f5f2b48394a7deebc588", "type": "query", - "version": 103 + "version": 104 }, "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { "min_stack_version": "8.14", @@ -11482,15 +11537,15 @@ }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", + "sha256": "7bfc1be6cb1b3f2bc6acd909ac81053d7da40a859ce32f301f7448b76a17d4fe", "type": "eql", - "version": 6 + "version": 7 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", + "sha256": "ae318338980158a5279e376699053252b367bd3ad4618eeec9bd5f9d18ca9749", "type": "query", - "version": 206 + "version": 207 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", @@ -11499,10 +11554,10 @@ "version": 1 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { - "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", - "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", - "type": "query", - "version": 2 + "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", + "sha256": "d6549a9282b2ef25313f167c7193896b02cb13efe287b26ba00e59de84647195", + "type": "new_terms", + "version": 3 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", 
@@ -11512,9 +11567,9 @@ }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", - "sha256": "7eaafe9a1859aea975f3a42c61875d9938e374647239d4b28ad396c47e79b439", + "sha256": "639384f73345b48b0a96eb16e0b3f8160d8573e672cdc7743e710a69b00c200a", "type": "eql", - "version": 3 + "version": 4 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.14", 
@@ -11522,40 +11577,40 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f", + "sha256": "29903b3865bb0e5568138436f842ca97f4731359045b7bff776424130946cc06", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "75e92ba876a46ba416822bbfaaed256d7fa604ac8d9cdcaebf4485f15cd91632", + "sha256": "69a7694bbee8a347e6b1f706a60da157e9a3f4ebef346e841475709ae3d55f67", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "6d389db925ca6ff91bfe40b09dda0749379ddfca071421d7cd921cb6eda3b48c", + "sha256": "dab86b9d33245df07123dcaad409fafb00109831e1aaa7d92ab104baa5ac8f46", "type": "eql", - "version": 312 + "version": 313 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681", + "sha256": "8d8ee64704769447bf2d40b32ebb9e6d6425a52106d8fb1761fdbfe190f269a5", "type": "machine_learning", - "version": 104 + "version": 105 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", - "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", + "sha256": "aebb2d6e14deb297e5776a1b9acbd4365a9ca16d04e7f180425a7d9f597c79e4", "type": "eql", - "version": 107 + "version": 108 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", - "sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d", + "sha256": "c56c5fbae20de71b0b2282d5c481c2ae900325075c2feb25b32907fb7565593e", "type": "eql", - "version": 2 + "version": 3 }, "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.14", 
@@ -11563,27 +11618,33 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Mshta Making Network Connections", - "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624", + "sha256": "1df29ad5d0ca0a28702b68944cb3950151ce264faeed1d0cac6cdc59be122b4b", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Mshta Making Network Connections", - "sha256": "9f77b2b2eebd6e08c007e73536752a8651c85bccde0c72303282ccb671a8ed42", + "sha256": "35ebb1787e73b188c74759108e7580f588b69fec28e602e40297dbe2e08a1709", "type": "eql", - "version": 208 + "version": 209 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", + "sha256": "cadcbc3ef71a2fdf85c7b7666569914967f3b8045422bfb42a860c4aa73358ec", "type": "query", - "version": 103 + "version": 104 }, "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", - "sha256": "0708e23a034fee01df470474eaa8c8f2f7a058631b83a0987e39af15bc538007", + "sha256": "18af645751efdccc31b367d06c1f9221851668fc7dabdcc02e9be3bc6d1268f5", "type": "new_terms", - "version": 3 + "version": 4 + }, + "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { + "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", + "sha256": "783dba9bf2adf9672499975f28ca2c251157407146f529383f27229b8b03b597", + "type": "query", + "version": 1 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.14", 
@@ -11591,28 +11652,28 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", + "sha256": "2f351a320cf7736fa0382f0a514fc587d7a9a6e9df3e0fa798996b1378845e86", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 409, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "3ee641a856aab0e4e1f23e3bb55717a5567eef2d8e52cd2264595fff36224273", + "sha256": "858019a92e6dbfe1af3a06f1d96710314aa12802e6db988f1f4a9c5bd6fbfe5a", "type": "eql", - "version": 310 + "version": 311 } }, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "84190df73efbeee30c435b862e6339cd80ea290b44deb8a5717118537039b954", + "sha256": "aadadca71e75e01e994ff9148f368bfd7b277c1ddfdae04d6f9ea3aecf1e2ce2", "type": "eql", - "version": 410 + "version": 411 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", + "sha256": "280e239c6b53224a5351f5f23e4f4660518500fe9da555ca1218ac45abb6caf5", "type": "eql", - "version": 104 + "version": 105 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.14", 
@@ -11620,22 +11681,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e", + "sha256": "bc1b90a1a5d02845a8233abdaaff8ca068f4d6ccb29b7d6e8df55c25ccc8190d", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "050a77ee2d2b2c854c6320a07694f747e48b09086e2645e5e46e63cda03729f0", + "sha256": "66d36844c67b648b4c4559b7763008bb43f79e6e5a69933731f037b434d1b553", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "d8d527c314b2a860bfd447d4f890c361324c76dafb9094cb24b83ce8992a998c", + "sha256": "72af0267f6d68ef9e8303b0f95ca9b116c0ab53dec1fbb65653f47f1db386071", "type": "eql", - "version": 311 + "version": 312 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.14", @@ -11643,22 +11704,22 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", + "sha256": "04b3ecf212987b57bdaedbb14a301b6f913473e5abb301dc94b6371c56d73567", "type": "eql", - "version": 107 + "version": 108 }, "8.13": { "max_allowable_version": 306, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "8895e76598306332603174aa736fad580b191085cfa16e063a5e68dd62cfd102", + "sha256": "3cde3fd44462edc279d64b412008d521638ddabb0029d151dc594348b04ed627", "type": "eql", - "version": 207 + "version": 208 } }, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "471171679c1f48fa93954b8787198a0094598e326a0f6c24ae1b22c07b40251d", + "sha256": "1ad69e32d7a2cf3559f0ee82cc8620601c5d764ba5c054292e16e4f9e5953fbf", "type": "eql", - "version": 307 + "version": 308 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", 
@@ -11704,28 +11765,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", + "sha256": "f23375e5d2e676c1e1abe448a171c858dc5ad2300e66ef5c599e7e8325cb3390", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "d7461fda5a82259331589a9df2a3a7f39630bc5f8e08c25f2190e7f8bfb1ae29", + "sha256": "fc5dcf6dd48339a257eefaebdb911d38f7a3a6bfd632423bee74a204c7834344", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "9f78c640ad25e83eafe47ad5226ce12c169358048d03ffb119f9b94df969c3e5", + "sha256": "71cec7c47c2c7d46230f68fe874142b0c1e36dec0aa4bec9023d29d4c4f23a15", "type": "eql", - "version": 309 + "version": 310 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", + "sha256": "ae48749a0c3d555094e1e400445796ffab2c7a22025f4ec856e582107747e9ce", "type": "query", - "version": 104 + "version": 105 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.14", 
@@ -11733,15 +11794,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", + "sha256": "7e9ee856f86f121f008eb8a3304b4955828d5b4d5333a47de3f36d478e0562e7", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "7c57916d4cbeb0fde51ef91819b1a5011019694b631ce8c734dd6aae5bede3c6", + "sha256": "0fc2faa2b6a15a4dcf2d5aa403a414c13d8d9f33fc943f74616e6d4f067d98a8", "type": "eql", - "version": 208 + "version": 209 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.14", @@ -11749,22 +11810,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Installation of Custom Shim Databases", - "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", + "sha256": "e23bdb57b42ec1bbefbace5a408e8ede22db9bd8be59fae66e1ed6803db76173", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Installation of Custom Shim Databases", - "sha256": "71bfefdca279f32dd86cd0b316f2315947b2489ae20e1246bbe17df82f6004e9", + "sha256": "5a38f511fb995bba2a90739bb1fb7a241b0db108f50e9c84fb52f75652a1ab64", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Installation of Custom Shim Databases", - "sha256": "ae8bc9d069de44bffb8c71f3b18a9843bb54f74eec29f1e1cdd40651771676a0", + "sha256": "322920ea0c3accf1a5852f8ffd6d3e8861e45f262314f49ba54569768ea085f9", "type": "eql", - "version": 309 + "version": 310 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.14", 
@@ -11791,16 +11852,16 @@ }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", + "sha256": "693843ef15d63ac5a1119459660ea9638b60f814907ca37f1dad377b7ee0e382", "type": "query", - "version": 102 + "version": 103 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "min_stack_version": "8.13", "rule_name": "Initramfs Unpacking via unmkinitramfs", - "sha256": "4c57f2ddcfdb1ebc7a9fa5222aca8bbf15a1b5cd862dc64ee9bf4719eee56581", + "sha256": "e0db18142f2246b20e8ced81755abfe720896bdb3f739e08b18c4aab3a6a9f43", "type": "eql", - "version": 1 + "version": 2 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.14", @@ -11808,22 +11869,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c", + "sha256": "264309c3db8c109a609e4940bae53e25b00cd85ca02cfd4adbf27f2113815950", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "5ee5259c1f1e782f05ada777a136193574b44d4a693c38ad33781b6996a42ee3", + "sha256": "3e854ebb07cef539caae7a12bdabdbe67a2d9931c64e2558b2fce09bcb270e12", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "a8f43c737d22256ef316daf60178182defb4bff24396c497fb6d3b777514ab10", + "sha256": "c4bcf943fd4ffed84dca06e325620fcd175c62a4953b6070d11085699584bb0f", "type": "eql", - "version": 314 + "version": 315 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", 
@@ -11834,9 +11895,9 @@ "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { "min_stack_version": "8.13", "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", - "sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb", + "sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3", "type": "esql", - "version": 2 + "version": 3 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.15", @@ -11844,22 +11905,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", + "sha256": "16dde6466f20cbc871b8fc349b4b46bb900cb9e48a0fd8eff6d2b4d73115074c", "type": "query", - "version": 410 + "version": 411 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.15", 
@@ -11867,28 +11928,28 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", + "sha256": "7079d9fbf68d6f1ce6eb93ce13bf93d12eb165900aa50027e2212ef5af7dd8f5", "type": "query", - "version": 409 + "version": 410 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", - "sha256": "316a1006bad5109ad8ef036d4b8ba5142bcc0cd4822c7c4c0e3f4852e1860f20", + "sha256": "bd9585b91a7e002b9713af6ecd82da4971298f71e200464b58abff6e760480cc", "type": "eql", - "version": 1 + "version": 2 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.14", 
@@ -11896,21 +11957,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Network Connection via DllHost", - "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", + "sha256": "1cd890b963ab7a701f5a6c45943d20f22cb173ff36b6ca80955b13239be44860", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Unusual Network Connection via DllHost", - "sha256": "2ec487d2c8aa01cad9488f877c4a770ba69fb9065a728c79edf06e8c31aaf20f", + "sha256": "dad569a0e953afbb3adc4424aa091610da67d623add251f2f923f920cdba014c", "type": "eql", - "version": 207 + "version": 208 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "3220434ae7ebd56669033cb648bf9d422b8aec1fb59053d8472bcb7a69abf1a1", + "sha256": "c02bd45f7127af6e3e516d36e39ddbf02d871d2d11196309d70a1b09b8e4d618", "type": "query", - "version": 204 + "version": 205 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.14", 
@@ -11918,45 +11979,45 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182", + "sha256": "a3a91a39decef3a359f4dc95bc8be0401664ca49546b526ad694a3154ce425b6", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "84418134bc5c4c6ecc1151adcb9fbc62839c51dd865a24dc270d5f1d3dc50363", + "sha256": "5055c42206d7d3df32f4241bed3b12ec940e263d0cf696d8de05ee4a4b71193a", "type": "eql", - "version": 211 + "version": 212 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c", + "sha256": "7e12650d2a7699b7d95e3bd4ed1a6ecf73e9dd59f940d81fea5fface3186e1a7", "type": "machine_learning", - "version": 105 + "version": 106 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", + "sha256": "7b938e8a5930231c6667e1dfb87fafbc50238e0b6a32759a79dfff9a24132c45", "type": "query", - "version": 107 + "version": 108 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "801e97235c25019c80a78237b5ef98ff66883e7e236ae9ff293f74ec6ae09aad", + "sha256": "9ee8e6d69ebda1834191eedfbf0049afb38007ac2ba4e7e9899fac953921aca5", "type": "query", - "version": 104 + "version": 105 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", - "sha256": "5d272b19dcb9cdb2beaf0e6124ebad3b1ecfd48dab9d60987f7ef8bc5bab5318", + "sha256": "43cde79e14c795e66c93f424bb5109e68b3c837ecaa1139fd6031167225af203", "type": "eql", - "version": 112 + "version": 113 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": 
"a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", + "sha256": "ea18c1e7446051bed3554cc614f300bd88307747e1963a329a0971f9ec41562b", "type": "eql", - "version": 105 + "version": 106 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", @@ -11966,15 +12027,15 @@ }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "rule_name": "Parent Process PID Spoofing", - "sha256": "b829c4a07bfb5c509b1c4bd6241656300dcb169905e9882e8e5c905f621f03d4", + "sha256": "0dc688321ac70be1762f4deffdd16b19f17b750ce8b9dd956b7aa04592517439", "type": "eql", - "version": 107 + "version": 108 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9", + "sha256": "1c866f4e679c1ff78ef5ea91bd349d56335ecec0516fd39e16fa829dc5b0caa4", "type": "eql", - "version": 10 + "version": 11 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.14", @@ -11982,22 +12043,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78", + "sha256": "b02f2bf5fccfed2accfb810dd6c38be499cc9fd52c4d23309848eb8170f374a8", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d67260cfe20ef2ee8eb9e8acf13d36352e2608a38716e5270b57bd531fec9191", + "sha256": "c33b3be4b6a67c4dae7fba0831280618a7986cfaaebd4795ec7543db5a63792b", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d560617a0b7c26d4a8f02dc76d6e3f106206eddf439a88ea24de0dc33126e896", + "sha256": "ef305abdbae7d8f1ecfb6ca40a4142dd81af12b9b5cdd154e063c7a98a5d8589", "type": "eql", - "version": 313 + "version": 314 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.14", 
@@ -12024,34 +12085,34 @@ }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391", + "sha256": "5532545b1d0648dc1414555d4be90a43ffb80fef68bc1f2e63af6b28990b4556", "type": "eql", - "version": 6 + "version": 7 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", + "sha256": "99ae1a62762bf7d0262c79b33658fa930f597568a1ae9fc8331c333dfc91bbe8", "type": "query", - "version": 103 + "version": 104 }, "ca3bcacc-9285-4452-a742-5dae77538f61": { "min_stack_version": "8.13", "rule_name": "Polkit Version Discovery", - "sha256": "f71269394fd431ce68136702833ee5771eb6e4bb037e00776ecc9c7e4e4e6a28", + "sha256": "9b78faf57a8b5d10a2f71d6ab2ab00366515792348714943ad1aa1ee2d303d00", "type": "eql", - "version": 1 + "version": 2 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", + "sha256": "f9d687c9e6c694138baa5bac44dcc183c2cb70c69a7580e14fd4188c01bedbba", "type": "query", - "version": 206 + "version": 207 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "0f0023fc74fadd22887ee74c13f93f0c5174f8b66d140965587e4972eb2d3647", + "sha256": "ea099bf7bf302aa4eb27d5adcc8c2e0187e538d3b042ad83abdfaf4e869b5e3f", "type": "eql", - "version": 9 + "version": 10 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", 
@@ -12061,9 +12122,9 @@ }, "cac91072-d165-11ec-a764-f661ea17fbce": { "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9", + "sha256": "17830a8c24378fb8ea0b2c0fd6b002089e0761f86d47ae0af127d74ec05489a7", "type": "new_terms", - "version": 214 + "version": 215 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", @@ -12073,9 +12134,9 @@ }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", - "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", + "sha256": "dbf5167ff460dda688296a49e1d5d48d5f1d0f19ca621f413100a1cbb02eedb5", "type": "query", - "version": 106 + "version": 107 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", @@ -12085,9 +12146,9 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", - "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", + "sha256": "b89a2b2d3038c777d4599aaebf7e06253ae8c022cdeee090402de4e373b22654", "type": "query", - "version": 106 + "version": 107 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -12102,28 +12163,28 @@ "8.13": { "max_allowable_version": 203, "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 104 + "version": 105 }, "8.14": { "max_allowable_version": 303, "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 204 + "version": 205 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 304 + "version": 305 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", - "sha256": "332626f80c0a809547d1b86248b4ac5acc33ad7dd090fb4c94596b699126f751", + "sha256": "c81d5f537f0a2c406763b42d4ef5ef5a4bad745e4d41176ac84c5d34598e6c1e", "type": "machine_learning", - "version": 4 + "version": 5 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", @@ -12133,9 +12194,9 @@ }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", + "sha256": "0f342ddaebb8be170f8947b26bbf9976454a9609a3fab69ef43946340d965b1f", "type": "query", - "version": 104 + "version": 105 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.15", 
@@ -12143,22 +12204,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", + "sha256": "e077043096bb995208ae7655f2088f680ac0954e54eef38a732a21fbf54027d9", "type": "query", - "version": 411 + "version": 412 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", 
@@ -12172,22 +12233,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", + "sha256": "690e620924cf220b5b56c70024faf4279be53fcb1832f317bd52fd6b70db9705", "type": "query", - "version": 410 + "version": 411 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -12197,9 +12258,9 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79", + "sha256": "70003b5b25514505d843dd9aee62ca085795777f69e03784b7df399a89f5832f", "type": "machine_learning", - "version": 104 + "version": 105 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.13", 
@@ -12207,21 +12268,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Kernel Module Removal", - "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7", + "sha256": "d72671bd3bab4e18d0837fc746481567bb678e23b73c20159cfbcaa361b9912c", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Kernel Module Removal", - "sha256": "184bbc37170d0bde143713a342eae3b1a1a6b6b01d294dbb267b6043fed984d7", + "sha256": "0d900e5572e3000cc32b07c35ac1201dca0eaa32fb23af0b0a837bd4a66af0ba", "type": "eql", - "version": 210 + "version": 211 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", - "sha256": "96627951c8f79991a7e7ad2d73372aa5abe51ca5b57851c08dd650ab77f12760", + "sha256": "4ea12333f42f437aa58e54d2644f3646936a8a5f93c6814a0ed2c67dff925da5", "type": "eql", - "version": 3 + "version": 4 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.15", @@ -12229,22 +12290,22 @@ "8.12": { "max_allowable_version": 310, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", "type": "eql", - "version": 211 + "version": 212 }, "8.14": { "max_allowable_version": 411, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", "type": "eql", - "version": 312 + "version": 313 } }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", + "sha256": "f642652974fc308178cf8b88483c24d61cae898a7b3b2f9e3254e4dcd182cb40", "type": "eql", - "version": 412 + "version": 413 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.15", 
@@ -12252,22 +12313,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Okta User Session Impersonation", - "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Okta User Session Impersonation", - "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Okta User Session Impersonation", - "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", + "sha256": "3aa673f1c0c34cebfc6e3e55a3be648b570843086b6289d22c44ef3c70ff4f0d", "type": "query", - "version": 411 + "version": 412 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", 
@@ -12275,21 +12336,21 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", + "sha256": "a02aef3d53b50e1841dd01ee25f506dc63a897f003265f8678ef3f82fa618670", "type": "query", - "version": 12 + "version": 13 } }, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c", + "sha256": "ab4ec07b2bdd59f75529ab2b6f8e58098bad8f3f8a08c9e0b2261cf7500d3015", "type": "query", - "version": 213 + "version": 214 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { - "rule_name": "Shadow File Modification", - "sha256": "ab59547a675e69ef560b0060dc95a158b1e98d40da959d1e6102a4474c39afbe", + "rule_name": "Shadow File Modification by Unusual Process", + "sha256": "31811725296500b46a530f4167b50a90a1939a9a30ae575a5f1605db107c530c", "type": "eql", - "version": 2 + "version": 3 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "min_stack_version": "8.13", @@ -12310,9 +12371,9 @@ "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "min_stack_version": "8.13", "rule_name": "GRUB Configuration File Creation", - "sha256": "64ec1097b715394beab2e75a36a9208a2ea026844e9af45605c73a09a0de896f", + "sha256": "cf29eec9c7946126d6e84a24c8c726e02c45cc182ef0dbc48dcb9b388761509a", "type": "eql", - "version": 1 + "version": 2 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", 
@@ -12320,28 +12381,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65", + "sha256": "d6cd204299d4a7613c0652ab78b54b1b97f5c11b4f208fb0b5fb05d0f142656f", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "3124a4ec07d5162829476ceebb62530a7ed736152f13b37c55791b32ecf351b4", + "sha256": "abd7f59b6a23d28908dddaf17edaa914939c9587f387ef557ca5faaff341abd2", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "306a951d4400b5b1612097ba11a9eeaaa71e1d40a54b3f80d5a82ad3660c4b84", + "sha256": "90451475ce48d53de51f8ef8c31ab01801580c163221def965e9ed6c9b7d3b3b", "type": "eql", - "version": 311 + "version": 312 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", + "sha256": "7917f89564301d83f5dcb2013db39240afa955863bc98f21a1016208a37ea998", "type": "query", - "version": 105 + "version": 106 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", 
@@ -12367,22 +12428,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe", + "sha256": "8db9e44ecf31d95be5241f20bf1dda7fee037f97daf672d1c60aa48ed16fa84a", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "bb4695e9b2608cae2d13b3bd01ab45072258c75394dfc44f816bf2516ec760d7", + "sha256": "a54a9feef37567feb968c9bb2bbd6e0343c7c1a2371538b9d448e491e4870ce4", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "c89e2ffe082dc78f5ead10fa743f39ea35e1333b8a50a74298ef5d9b66ff1397", + "sha256": "627a9ee7b45a19df7b70233781fb7c76b129346cdb7286aeed83bdc9c87a7da6", "type": "eql", - "version": 314 + "version": 315 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", 
@@ -12396,21 +12457,21 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", + "sha256": "0f000268fdc695dfbee160cd34e2e1321d37c12eac2a69d832aef01d5306655d", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "239b829877d333ed75985a7eab0c2a2871778d3d0e8c4fea043f8a5f4157955e", + "sha256": "a34a38a2bd69b76b11a281c127669096bb54a71939d3a68397b3b21f872b0401", "type": "eql", - "version": 109 + "version": 110 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "rule_name": "AWS Credentials Searched For Inside A Container", - "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", + "sha256": "b3f0dfc6f24cc6c2787d62f56817932713a1a3feddb8a231273e9a0e3c66a88f", "type": "eql", - "version": 1 + "version": 2 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.14", @@ -12418,22 +12479,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", + "sha256": "4bb55e1f7ac32a17597deba9c24186c785abfcd6953b10305a596ff29a27dd63", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "a6887e5edda607f541eedcf84f05242bf6d66840c91d08ea1cf84fc80283fa70", + "sha256": "c97fbd41a9b9ac3b79c7459e0bf3c636d1652d33043f7e530ccd2e038f258b18", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "fe172ebb9b9cc09ac3418473f8bbbe1fd438fc8c7f5e2711984cb8c781070f18", + "sha256": "0d395b1f9a4f028fc752ec37396aaea0a8b3896f2ac3318fe2edbd6daae092f7", "type": "eql", - "version": 311 + "version": 312 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.14", 
@@ -12460,9 +12521,9 @@ }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", + "sha256": "232255e1a27a32df53f7b03d4a328673ddafc73b3d701b901c20ab79e1b5e28a", "type": "eql", - "version": 5 + "version": 6 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", @@ -12472,9 +12533,9 @@ }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", - "sha256": "16a5255bebd2dbea413bcd674ddbbe9fc7c0e8a6c372b513b9a452bba2274d8a", + "sha256": "c4baae65ca422ef39a7b46b0def65701fd04eaaf1b938ab2d950984acde5db2a", "type": "eql", - "version": 1 + "version": 2 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -12484,9 +12545,9 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", + "sha256": "95008cbe23f1fc8380e8181c4dac5e28c0ed9c9315589761e18569e50c4cde9d", "type": "query", - "version": 106 + "version": 107 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.14", @@ -12540,15 +12601,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Remote Windows Service Installed", - "sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386", + "sha256": "aa6cdcf93a49ab5e86235d0f4bef6b42dd410c7af99275ef526c0d215b127609", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Remote Windows Service Installed", - "sha256": "7483da5c5a66152f79d48484ff586847c93f9cd9f44c51048e4dcdfbbf18bc12", + "sha256": "ca8463464ebf568c419e1064f2ee75dca25cfbe1117c40f7af9a92a48acc6ac3", "type": "eql", - "version": 107 + "version": 108 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "min_stack_version": "8.14", 
@@ -12568,15 +12629,15 @@ }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", - "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", + "sha256": "200625c2fbf06bb29f0c8238d440907deefa32e29cfc3982a544f408d9b7fdd3", "type": "eql", - "version": 107 + "version": 108 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "fc10d87ef74b91aafdf6f789f6c0f7602e2a1f222d20a3433c18424042268f55", + "sha256": "01c816014f421370ac32bb6369f8a83bc036b4cc7a1f817e5f34eed99deaaa01", "type": "eql", - "version": 1 + "version": 2 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.15", 
@@ -12584,40 +12645,40 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", + "sha256": "90f5212b5d6f828360ef355e1f922212881b33016383d2d9c78719cd37ed1639", "type": "query", - "version": 409 + "version": 410 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", + "sha256": "6ad7ede3c52ca6d191275bc53d5af195bd6c4bac16d37b2a0d2c8431ae4a33dd", "type": "query", - "version": 102 + "version": 103 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec", + "sha256": "589f094b4f15686c52f3a6b3e8d0b26b2f6bc93446f91d37f0deed5dacbc30ca", "type": "machine_learning", - "version": 104 + "version": 105 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d", + "sha256": "526a1d698d53c469d024aa72d1d2b07ea56ac34aa51fb0104c5f69fdce70948c", "type": "machine_learning", - "version": 104 + "version": 105 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.13", 
@@ -12625,27 +12686,27 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", + "sha256": "3ac7fcb80411d506306b5e742ea93bc2592f558ea93ac74f82e98b6453cf1094", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "a75a1c1f4f8d7379bddad6e879bb080e101d602e3a08c9e102a3af15d389b70e", + "sha256": "ae69c61f5dab3f5ba9b70f690911dca4cb31c94c9b851172f3093c18ea67a459", "type": "eql", - "version": 106 + "version": 107 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "aa8a522f28deb9884ad3020ca10c320a35f2efecbaa26d0aae94519585b590cf", + "sha256": "6362b1916a2b6791294870b918126ed2b46b5a96f795bd03409f2948502d95a3", "type": "eql", - "version": 6 + "version": 7 }, "d55abdfb-5384-402b-add4-6c401501b0c3": { "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", - "sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff", + "sha256": "c49807873cce90e54f6113c815e7c5772bf5e8273efeb370a5cb2812efcf171a", "type": "eql", - "version": 3 + "version": 4 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.14", 
@@ -12653,22 +12714,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625", + "sha256": "517d28ddbcd9550ac85394cdac2cee0844bc448d4be9b4e4aa81be52e1275002", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 307, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "ccd6f0e1dc7444cd01f7f1273379600f001c8ba2608cd8c1e4744f5de3f677a1", + "sha256": "76d7e76f6c26a0e245b833dbed9be07a49f80004d68992ad351a789ab93f06d6", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "b882bc3921a13712f0db559c292b13772f12aaeb5673711e227685ccad9e7c56", + "sha256": "60b8eec12452b573096d484a711a30dba4b444661e967528e029b47d6ee84f62", "type": "eql", - "version": 308 + "version": 309 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.15", 
@@ -12676,22 +12737,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", + "sha256": "457f9745d44991b7dbff97c8032d25b5f3d5c631adb8dc0e909ea948b837ae41", "type": "query", - "version": 410 + "version": 411 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.14", @@ -12699,21 +12760,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Service Command Lateral Movement", - "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", + "sha256": "0d07056086afc2ae7fc3933f654811d9b31cbcf86939f52cea27261c807c0b8c", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Service Command Lateral Movement", - "sha256": "17f85cbe91c6b5fdcfe53a17b2b99e0ecb72d024dd472cbc509963acec2b5ace", + "sha256": "e767e2798904e06d27a494fdecd4eec49bb912ec8b0c6940d3992927ef6354e1", "type": "eql", - "version": 207 + "version": 208 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", - "sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891", + "sha256": "895b0b421e83d0c19bb678d6d2924fd5fabe2fe53d4b1c5bf1ba548d6ffa65ac", "type": "eql", - "version": 2 + "version": 3 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", 
@@ -12723,9 +12784,9 @@ }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", + "sha256": "bdfafb9c68e9892fa7b9ca7598f201f97e7939ca8ca8c33ffc98baa5c1c46cdf", "type": "query", - "version": 105 + "version": 106 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", @@ -12751,9 +12812,9 @@ }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", + "sha256": "64a63407de9de164073767409d81c4ad49dc544271236c164345d1a626d94c3a", "type": "query", - "version": 206 + "version": 207 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.14", 
@@ -12777,28 +12838,28 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9", + "sha256": "eee49e97f8be4dd945fdd081627a3fa84151189394053407c767cc654b03f61a", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "7c19ee463ecfc62c87fee685189cb441ee9abfb2ea897009a6c11ee131b6ede9", + "sha256": "636a5aa15d3dee30f441ac50911f29d0c8a99035e4b8d1e57294c5957baf6b73", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "17eea5871c73f5fb356a051968d7cb36bd835774aeff070acb752283235c8009", + "sha256": "77f519e1c25064d73042352df755adbf55aaa3901bd4c338ef309863f9b8dbd2", "type": "eql", - "version": 313 + "version": 314 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", + "sha256": "641ef2451b1987a3e9cb28358fcfd308d956ef099cab89e13168b853db4d48c1", "type": "query", - "version": 206 + "version": 207 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "min_stack_version": "8.13", 
@@ -12806,21 +12867,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Memory grep Activity", - "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a", + "sha256": "be15becb96ba5f7d3bbfbb8d336acdd122a95f155d4235a4e3941eefa4d8fa70", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Suspicious Memory grep Activity", - "sha256": "f153c6dee45aea70187e026f52bda5867a4d86ac55deeab921bd0b98f1386ea1", + "sha256": "ec4ccab9d3dd84614e45cc02c3ca638790f46ac21b6b52ea32b08885e416649f", "type": "eql", - "version": 103 + "version": 104 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", - "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", + "sha256": "4c5994d232095f98e72abc6b0a4ff08477e6c845b50df9de6e6ae92745f25835", "type": "query", - "version": 206 + "version": 207 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.13", 
@@ -12828,39 +12889,39 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", + "sha256": "aa0975e7620cba81ba4d6b2b9aa05da8913d3f309cb4803fbff2ac88f7d9a4e0", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "e74a4d15744de9d351b31df43db4c14a3c027cb74eba3f0342dabc2b9d4ae03a", + "sha256": "f2c6a851be425812db9800238f821905d9956db9ec85937da8ce5b2d78f563b4", "type": "eql", - "version": 210 + "version": 211 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Permissions Modification", - "sha256": "346cc434526ad0dc7188a5077b3493b8499b644cfa218fe758d584d9f9e9074a", - "type": "query", - "version": 104 - }, - "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { - "rule_name": "Spike in Logon Events", - "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc", - "type": "machine_learning", - "version": 104 - }, - "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { - "rule_name": "SMTP on Port 26/TCP", - "sha256": "fafc9b93a08a48425d81e9b8d77c65427d4a0059c9002836e7cd43db72fb0365", + "sha256": "b6f7d9e1c6d3053f849ee87cdd0567aa3e046fbf9c1400a060021426261838d2", "type": "query", "version": 105 }, + "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { + "rule_name": "Spike in Logon Events", + "sha256": "e6d5824de70c85d84e7bf5a4158c0893db7265f5bf6a4310aadd7a4cc1806bde", + "type": "machine_learning", + "version": 105 + }, + "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { + "rule_name": "SMTP on Port 26/TCP", + "sha256": "dc4aaaebbe30ceb017d1b3100fec840afc7c916a2519037418a91ea060b581ea", + "type": "query", + "version": 106 + }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", - "sha256": "c22a4b5aaf9a5211781fbafa109ec85e7094f3b473efa585e2dafa6bd86b481d", + "sha256": "9d627c046b1d969fa3cee29c64c2ede631bd7c2f11e2d5b0195467910718d443", "type": "eql", - 
"version": 9 + "version": 10 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", @@ -12874,22 +12935,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3", + "sha256": "a3662b99a5aeaba17b20017e4f74a5a700018221aa4f539eae6586749aef123b", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "9a7aecff18c2b2c03fb09f108eb19cf4062741ef26df0abd91a13a980b793f8d", + "sha256": "6d5f2be14d23c96aec4e7d179a2f0102cb02ce3f198dc30016b6ea842a71fdb1", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "0c9ca98240f1da76e24997c3f0e416ba94169679df7c594faaded88c0928357d", + "sha256": "432106a3b18e6a6c3983f2db37cc0d7c3d3a12ef2622c48805e23e67fc76576d", "type": "eql", - "version": 203 + "version": 204 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.14", 
@@ -12920,22 +12981,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb", + "sha256": "f33fa3c2f6e59b87d777b60c36ca2f7b49b83e7d55fd70bda7b51c5164f2e484", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "4100ea91fd5746ceabc0b3056bf622961cb4e56a6733775ccb8b74fc1394d4ff", + "sha256": "6992b10f898c3dd9c58648107a909375f088a7cbe752dfa3e89ad95f36d12be6", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "f14448c067e0a0e0be1f51976cbc11fff0b37b0f5da3205c8afde1ae167e0eec", + "sha256": "091d2119d9f9bd8b91745b62a2dcab088dd2631acb0cbf1eb5b855fa829ef778", "type": "eql", - "version": 201 + "version": 202 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.14", 
@@ -12943,28 +13004,28 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e", + "sha256": "fc23e41a7d22a46223a5b1ed558336101405e6adad108127504e440c44d82a19", "type": "eql", - "version": 11 + "version": 12 }, "8.13": { "max_allowable_version": 210, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "d9efb6f5bfab991a95e185da00b9c3797f891983b8b396c9d7dbf292e759abe7", + "sha256": "9d490d625ede5483e6874408d935d1e8ae2e654bf38990bd8ec90cac8d61e7e4", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "cf52711a1189dd89d5cc0b35fc53b8cf7cf58f927144ecd794a969dd6245ad54", + "sha256": "0ac7d1624e694cec67982400a822b5692087df342748f9d9b10eebc1de8ffe03", "type": "eql", - "version": 211 + "version": 212 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797", + "sha256": "6f132baef5851efd00f760a31aa6cfdd4a68c0bd286f6abbf8cd245ebc635745", "type": "query", - "version": 5 + "version": 6 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.14", 
@@ -12972,15 +13033,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Suspicious Service was Installed in the System", - "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb", + "sha256": "0d596807e4224d804bdfe2e04ba7a55241ebcd35ec0c8329585b908e6a811d4c", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Suspicious Service was Installed in the System", - "sha256": "4a237b6a951c3e4530bac7e5c14e1b5270fc7263a9cc7b53c6355f05422701df", + "sha256": "8c5a1b27f6a02621b57dc23c369f980d79cbceb34f18024d02dcf75ca46ae963", "type": "eql", - "version": 110 + "version": 111 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -12994,15 +13055,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d", + "sha256": "6e675455e0691aa059267316b5c588a3be00378d5ffc8f0d62d327ea9cf9bf9b", "type": "new_terms", - "version": 6 + "version": 7 } }, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e", + "sha256": "e40d42488b5d12045dd32b4d104b2128f4032fc3e2a66c9578576d8f75e093b3", "type": "new_terms", - "version": 106 + "version": 107 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Multi-Factor Authentication Disabled for an Azure User", 
@@ -13016,22 +13077,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", + "sha256": "f070b0885fd560dca726ee750baad0826feb31d8d40ccb087eb224a1ea7abfbc", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "ea295acc9a2c0d920da2e8cd84ded801c713a06ad473c948126091def230b5ad", + "sha256": "042a48825a4fad14bc7163dd1ec03c4495809a3b597ef85c391fa358b2abf475", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "452e5fbee79ceeb158518545ac367412757396a660f25ecf4e8940a04976f311", + "sha256": "6512a9d12fa4ef27519126e321762a291e72b255d30192405b4cb411001266c6", "type": "eql", - "version": 203 + "version": 204 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "min_stack_version": "8.14", 
@@ -13039,28 +13100,28 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54", + "sha256": "1ec2b5f008f9e9bead822c864926d9183431f584d472eb22e8ff3ce2939b9c8c", "type": "eql", - "version": 7 + "version": 8 }, "8.13": { "max_allowable_version": 206, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "7d866450dcc8e535903a7e7d28333859b7c1e5b20cf243b9885c0ba2fd3e3bfa", + "sha256": "daf311a52ba5b293679091a760f4b56a52f62f96e0ab510ea01cd988baa19167", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "d238242db88c4dffe3b45b6338748daa6638b409ae25dcebf555dc5fbd22ef37", + "sha256": "20558f6e7908c8dea171a7635ec499e0ebeccbe62d14d7f06850636afc8283f6", "type": "eql", - "version": 208 + "version": 209 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", + "sha256": "d51a9914cc58576ea6fcc57df0fb35de299f08b8acf0ff37597124b12b9862db", "type": "query", - "version": 103 + "version": 104 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "min_stack_version": "8.13", 
@@ -13068,15 +13129,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", + "sha256": "d4648bbfa3d971cafd0c2664cbb8da0fc57af62582278b2246e279b1c7dcaa2e", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "bad0d95c6a8551468b0c035ca98e1d1f47ec295b1d544833a75c04ae31f18d44", + "sha256": "cfb81693b34a2db216c043943162205581d94349579a2b66a2675e3afedec5fa", "type": "eql", - "version": 105 + "version": 106 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "min_stack_version": "8.13", @@ -13084,15 +13145,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Git Hook Command Execution", - "sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6", + "sha256": "dd6719030d3fe2a0ee69963aabd0b10598548861f0ca6a7ce968eb283b8a96f0", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Git Hook Command Execution", - "sha256": "3bac5605f2f7f71fbee8e939fdc4662424cab31681bb8fc5e2dd50983610fdf6", + "sha256": "3ad68272adbc2c5c4f5b945a065b67154c91b826cef8f120af822a44d62724e1", "type": "eql", - "version": 102 + "version": 103 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -13106,22 +13167,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c", + "sha256": "e16de17547f45513cc6097ae2c1fafc3fb841a3d7cd4876355dfdce3bd42d171", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "4ec4efd8bc14d050cda2446ffa046c47cab81bedbea602f51c64f53582b57fa0", + "sha256": "0578fdb139348058c8c4a2e14b5a6ac8ae540f83b3f732433b174db4e0725628", "type": "eql", - "version": 109 + "version": 110 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { "min_stack_version": "8.13", "rule_name": "Dracut Module Creation", - "sha256": "51f31e2decacb917b2045e791f5b03e17de861b13042f271441c3df1a71461dc", + "sha256": "af7a3f72ed7f24e50bc14f940937bc9cf2bc1f6872e1d672d463b5165d85d1dc", "type": "eql", - "version": 1 + "version": 2 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.14", @@ -13158,22 +13219,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da", + "sha256": "6aecf0b6e2c4fdfeae54ec1cfaa51070bd371c150206b98a27cf2be01bbad3a0", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "ff4e6f8fc8ffdad46c9ca8403e225098989a5548343270fe5420b6a1021d3fbf", + "sha256": "e97febd5beb392ed445ad0e67d7a284e6d6588dd93baad573301b7714cff4c46", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "6a04f4ffaa5c40018c58ab7ef7d0b4986d678da98c9dd78706e4c645c8bc71a5", + "sha256": "ab1e64f0d5a84e58ddf9a0fdbe54ccd23b6eeda4909f99483374237a1c2c74c1", "type": "eql", - "version": 204 + "version": 205 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.14", 
@@ -13181,28 +13242,28 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd", + "sha256": "8475f6c6b1206c9fd3c5085bb9b4677b0b6e931699d1763068961d84d8aa46a6", "type": "eql", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 207, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "db373be5d72255dcfc03d21367e6a23f15576fe50874ec53d75ff7edf26e222d", + "sha256": "c4104efeb172e0634cf59ac025d803d9d3171803756060c76e6bf8cfd3d88a90", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "eb5782b9024f97b13ced9ed9a27e3af47b54101824f8592c383c4fa46f18bcb1", + "sha256": "795b6a57e976d8a06dd804326ac7ea4f673753436de7405e506a7a6ea8d8974a", "type": "eql", - "version": 209 + "version": 210 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", - "sha256": "9d09534c9e25cb62cc2ac0983ac2a41afb47c19dfec4625145ed0922d5c490d6", + "sha256": "877ce9bd8dbd29cea230dc9f74e14b082161a6dbe3fa64633fae76d569dc6b3d", "type": "eql", - "version": 3 + "version": 4 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", 
@@ -13216,29 +13277,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2", + "sha256": "84f5b0cc9b45784f5f3268b1f1cd252e3e460a30225570b04bd90ed819e7cd75", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "6581546aba5c9cbdb29e1998c5b3ce1a10bba7abbbdf5036de332cc395e4d74b", + "sha256": "c53af1114c332c599481a0ff4eede6a5a9b7a2b80284a201c3c7c5c3ba9dae11", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "50633d69f921b67ff24e8f6a63aef23b74ed335c0104445871dbc3945e3af63c", + "sha256": "e723d0b3254745f488ccac62bb67e6d2f069196659d17cf778fb42a524933135", "type": "eql", - "version": 310 + "version": 311 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", - "sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e", + "sha256": "c129a707d58db25a4c45591577570e807c1cda2be7e4167c44a922ada89b2939", "type": "esql", - "version": 3 + "version": 4 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.14", 
@@ -13246,22 +13307,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8", + "sha256": "dc59f461ee6eaded59582a8d9d1665d294369cbd7cefb74b93fc69c65b3626e3", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608", + "sha256": "d48e91e2df3b46dddd47dc1f8381eccd2d4ea3654875665feb8871b7f7df2498", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a", + "sha256": "0e4c1d925e33511a5ca1c1b97c6b325baac1871f6c4426d17058007044aadf6f", "type": "eql", - "version": 312 + "version": 313 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.13", @@ -13269,15 +13330,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", + "sha256": "2110c27e62d99781d5a1189a8ed1fe2d6a400568585a8e6573fb473f783f9761", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "46f4ce8dd188feabf7a2bb0fb7aca87218ea33ea2fbd8f82ed35ca46faf70489", + "sha256": "a1fcc107efdf93073c6b20ae1f2c19b8fd281cc4cb1e5877c5c362869279c555", "type": "eql", - "version": 210 + "version": 211 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", 
@@ -13287,9 +13348,9 @@ }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", - "sha256": "1faad3f27c89ce87b1a4f9ba8d28fcd968f1da207d94216c3e71a09884db6eb8", + "sha256": "6323546ce88a2062ab9b777768a0a4282ac1a74384c1f21449a3262202208011", "type": "new_terms", - "version": 8 + "version": 9 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.14", @@ -13297,21 +13358,21 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", + "sha256": "92bb89bd0e84c9232dcf024b09b211d04bf914a34e8ebcfcc2700c0f9f4154f6", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3", + "sha256": "e7e813348ed80c496689f948ecd7de5edfefb9f63b906114a57bb6798b9253ae", "type": "machine_learning", - "version": 206 + "version": 207 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", - "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", + "sha256": "8fc27e74bfd62fc69cfb08bc0944fb02643fbb3fd3e9b84ef1e6b06e36ccba3b", "type": "query", - "version": 102 + "version": 103 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.13", 
@@ -13319,28 +13380,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Dynamic Linker Copy", - "sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f", + "sha256": "c129b0c687239213e54f4f95219e0ba6f09ce259ad97d16efe4789c56b4c1205", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Dynamic Linker Copy", - "sha256": "15a7a2d4be9e298988ff4d281539bbae818f22ccc5f95a1423e09fdb21f76bd2", + "sha256": "158bf61594522a3d1f0fdde66ec6ddedf8126dd16a556cd2b9a67ea025ae233a", "type": "eql", - "version": 209 + "version": 210 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "0aa047864e74cf8a18fe9dd039cc10fc1cfadcd1b2b98de5cfedf9afe1c98251", + "sha256": "ac73d656120d73f8776a9afbdc0c8a63ba9863321b9153d9529c67e61651a5a9", "type": "query", - "version": 204 + "version": 205 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", - "sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1", + "sha256": "f33b42f628062aaf94789a5880e98522fa684c465bdf6da024d16c74a4f02efc", "type": "esql", - "version": 3 + "version": 4 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", 
@@ -13354,34 +13415,34 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa", + "sha256": "f14455fd6ea9bdc73123f4c69cb12843cfcbe7747b51b622198eb087bb953f08", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "7b6acf6b548474373227dfe0d95525762951ea112531f064e226bb790080e8b1", + "sha256": "f7fcd4ec131f7e648b7fe8bb86887bfb768bd7bf3a006340a5e9fca5467205bd", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "d0fe93377143f6c21a5d7bacce642eca85c15341cbdd34b6b4254173a819008c", + "sha256": "2b622d8bb5228a5ab103d2c5197eab64a8c1a0977cbc0594097fe979c66d2034", "type": "eql", - "version": 203 + "version": 204 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", - "sha256": "da0cf4affe1558ec93cbb7b96eac795d58a8770bcb564ff0b2021a7f7622eceb", + "sha256": "8b63af67b0b77e5d770c49f6e9a9216ab92f9f7aba27fe58b2f87b38dfd3b24e", "type": "eql", - "version": 3 + "version": 4 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", - "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", + "sha256": "3145c97b2a0f8a3dbe953d706b20b0db89737e622460e8eb92f562e46316b78d", "type": "query", - "version": 102 + "version": 103 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "min_stack_version": "8.14", 
@@ -13389,15 +13450,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc", + "sha256": "d66a68b32ae569978a6ef6580b94f0b86b0f34b30ebec5e7173db7138003bce5", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "d73db62405efc39a8ad58641974ba0785e0ae2f01440c19c88e84e81a194593a", + "sha256": "93383cc44307548a071047b61fc0df04c3b9f6b286e64e7f6d26fcc4f6e1b84c", "type": "eql", - "version": 208 + "version": 209 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.14", @@ -13421,22 +13482,22 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", "type": "threshold", - "version": 211 + "version": 212 }, "8.14": { "max_allowable_version": 411, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", "type": "threshold", - "version": 312 + "version": 313 } }, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", + "sha256": "0f1797f4458f41926c4fb9920e9bad30476efd48173d83db37c845ac553c2e1a", "type": "threshold", - "version": 412 + "version": 413 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.13", 
@@ -13444,15 +13505,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119", + "sha256": "6147022642131c87ac6702fa482fbae2afa75394591d2a12545a08d85336f5f2", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "a94c98d17b9a4ba79fbd2db8a440aabe9f52a55a651464571a9bf18937b49a4e", + "sha256": "10bdf2a8cb060ef98b459f111677380e45c54d687124dbe465153fc00b2a538b", "type": "eql", - "version": 105 + "version": 106 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", @@ -13462,21 +13523,21 @@ }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", - "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", + "sha256": "55c15bc0ab3e65a9e0dcb4e9babf915de29b34b26b842fe6ad70c153dbc50212", "type": "query", - "version": 102 + "version": 103 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS Route Table Created", - "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", + "sha256": "c76bc6e2331f0b9bbf3d8f05a6f363c267e1509a793f6949082fc196e12f1fc6", "type": "query", - "version": 207 + "version": 208 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", - "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", + "sha256": "7b5a2e8745804344d0c558af38ae871fb0c48a51a92c943f98830876bce353b4", "type": "query", - "version": 206 + "version": 207 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.13", 
@@ -13484,21 +13545,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Connection to External Network via Telnet", - "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", + "sha256": "28c7ce83de51514d2b297b6590e71038a20120a59fd3f1b8f1693e98dc5c1d7d", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Connection to External Network via Telnet", - "sha256": "eb720eb1df39451162379dd73ebb8021f2d6d061f11536dd6890358652908bc0", + "sha256": "d720edce6b79fc47c791e12e5f56665107bda8a672446989a274d7b62d630320", "type": "eql", - "version": 207 + "version": 208 }, "e1db8899-97c1-4851-8993-3a3265353601": { "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", - "sha256": "18d369e85745dfad874fe33bb6e7faff482e843a231c6c456cd2668d675040bb", + "sha256": "79e7d8b6c91ff85bfe18be26bfd2bbe3de8d62a447c19e86c2250d6f10e25dd6", "type": "machine_learning", - "version": 4 + "version": 5 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "min_stack_version": "8.13", @@ -13506,15 +13567,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", + "sha256": "2e1ea018087510cd48cb9978f295dfc7ae3df5e33ae6087605fe0c171ee6f7af", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "a9d9a985224bb2c25aae53626c351423299271473fb94800bbec865b77549cad", + "sha256": "573c1614e9fd8cb5c852934bb98d126cd819067b93989525581aa5526b540646", "type": "eql", - "version": 106 + "version": 107 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", 
@@ -13528,15 +13589,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2", + "sha256": "aceeffb1d2d30da61a5c975b4c978c1a8dd0687ddac7214c80ae21c9067eadfc", "type": "query", - "version": 113 + "version": 114 } }, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8", + "sha256": "ed908ff078c5a2e7569fc9967c30cc040397ed9122a09287031c0a4e5d04e377", "type": "query", - "version": 316 + "version": 317 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", @@ -13546,9 +13607,9 @@ }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { "rule_name": "Suspicious pbpaste High Volume Activity", - "sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02", + "sha256": "2190e84f9e7192e1648c8b1673576f046c4e03d475bb75045c7b9e2e12bae237", "type": "eql", - "version": 1 + "version": 2 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", 
@@ -13568,22 +13629,22 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576", + "sha256": "8d70b76836720ce1d1bfc90c83ef511c63192ceba13afe89de6d4bd71db8d10c", "type": "eql", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 207, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "e20728e2d7fdb11e0c89fe8b59339217c06311f3e887ecc68c878ac02e342c43", + "sha256": "8c937a63efdd09c306a4b062fb0111216523fadb6b29f8ddd000fc831dffb3a3", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "e700c3aa1868cdab411187bb9463c15130cb104b333c4aeca0f322d52bfbe885", + "sha256": "16d97ecf035e7b51f4cd64bf55a659d5b15dd93323fc78280d023922c5e1d00a", "type": "eql", - "version": 209 + "version": 210 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.14", @@ -13603,9 +13664,9 @@ }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", - "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", + "sha256": "44411255b771a99faffe0685c0f5e63977818e21d073d24091ff91bd9aa33b51", "type": "query", - "version": 104 + "version": 105 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { "min_stack_version": "8.13", 
@@ -13613,15 +13674,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Data Splitting Detected", - "sha256": "e9c73adb2c1f6cce1863d61a9079baab27593eb754bed9dfb7462a2a0e757dfa", + "sha256": "7b1c198e74d0e4f3d7b01f471cbcaf92ef595343883d73f4bcca641970102396", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Potential Data Splitting Detected", - "sha256": "c08a0ecf0d3956e8250d8f80883239a461489dd8a2b1a3f25bf3ddee0e528d5f", + "sha256": "e5a627c8877854a1743a8653bf701e6a542b29ef63ac512764742090ab97f019", "type": "eql", - "version": 101 + "version": 102 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.14", 
@@ -13629,34 +13690,34 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Process Activity via Compiled HTML File", - "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb", + "sha256": "c66a168ed3b1aa0efc9fd8a2c7f723b9b814fd5d0c3d2b6f04b437cf128a89ff", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Process Activity via Compiled HTML File", - "sha256": "b2ec162d5e1153e3aec75388d239610723efecf8e84f07bed191977174467f88", + "sha256": "076f262b0c9c62805bd7d969fc2bc5a6e3ae9dcbfa5c30cc922041a3087b7a7f", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Process Activity via Compiled HTML File", - "sha256": "af6bff4d9b0f88e5cadd6ce1f24e77dac8a706d375a23109a8c681c97c6b4706", + "sha256": "77d77852881da5c7de3250605cbf8440cfb6dae48e1b9b767e4aad194d02688d", "type": "eql", - "version": 312 + "version": 313 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", + "sha256": "f2d736a544e71eb0be5118b7e11cc5ca78ef900a8f8d7225e8c0b03ad08c6587", "type": "query", - "version": 206 + "version": 207 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", + "sha256": "6b3dadd40aa120848fae2bf405a3e564a4f8f1f135f3e43273c9a5990cce5592", "type": "query", - "version": 103 + "version": 104 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "min_stack_version": "8.14", 
@@ -13664,15 +13725,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", + "sha256": "15425280f466c2729b02c0af122c6c595b30165cd51c4f683fee546070d396a0", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "b96e61601debc0c2b8731cd56031412334418497e035336cb8c471af5f70b60f", + "sha256": "151650631c31a43c201b4eaea3749b4f13790dd576c4420057b75b9cd51c740b", "type": "eql", - "version": 207 + "version": 208 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.13", @@ -13680,15 +13741,15 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa", + "sha256": "3d6b19ea3b397ac9a3e1d4779f0bfbbbe891a2b9352cc8331b3d1b21b3492f86", "type": "eql", - "version": 114 + "version": 115 } }, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "8af95982bc5bf6ac79c1640581bac78450e3467512b7640c60b0ecf139a19a45", + "sha256": "55762f454327d9065371b5165062d4e75939cd27c5a7b9d08a60987b18431cbc", "type": "eql", - "version": 214 + "version": 215 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "min_stack_version": "8.14", 
@@ -13696,15 +13757,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f", + "sha256": "15409282fc22300e62bdd9cfa9c3699264d000fb84da5ff6405ad81aaa842305", "type": "new_terms", - "version": 5 + "version": 6 } }, "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639", + "sha256": "e2d4147e9b55b1a927716d2a92ff1672ed2857f83721c419e597fac90cda2559", "type": "new_terms", - "version": 105 + "version": 106 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.15", @@ -13712,22 +13773,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", + "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", + "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5", + "sha256": "e7a1afdd3aed5b8990f25c5c3ebc89a3d4e1911e68296667f6b6e4cc13e21407", "type": "query", - "version": 410 + "version": 411 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.14", 
@@ -13735,15 +13796,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d", + "sha256": "efce8f9ccb0652297ffed54f6d3ccb3c621da9704c8b1a147357fe1b2dec9780", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "9eb77e0dda391b5aa9d210c7d318596248ca59b969e138c7cfa6d9a2fcfd72ad", + "sha256": "beac001dcd5095010c452fd5a86f0733003a76aa6c8e8f3de2c8d7abef8fa9e1", "type": "eql", - "version": 206 + "version": 207 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.14", @@ -13757,9 +13818,9 @@ } }, "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb", - "type": "query", - "version": 213 + "sha256": "4f3219372b857ac80a9bfa981a981b8fca89e436d209e90b51d436bb7e8becbe", + "type": "eql", + "version": 214 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", @@ -13775,15 +13836,15 @@ }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", - "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", + "sha256": "8893356dd5ca661718d8f5c32e3d5b4e2e31ced5866bad1aac12f2ae4b1837b8", "type": "query", - "version": 104 + "version": 105 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", - "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", + "sha256": "abc854ad84c4df75f33b8a3ec0b322047c931d738de30da1996883afbdd7b799", "type": "query", - "version": 107 + "version": 108 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.15", 
@@ -13791,34 +13852,34 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Possible Okta DoS Attack", - "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", + "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Possible Okta DoS Attack", - "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", + "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Possible Okta DoS Attack", - "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579", + "sha256": "d31797a2a9ebd8114c915f01f1b7222689f61769135d5406738283834a175f72", "type": "query", - "version": 409 + "version": 410 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", + "sha256": "3dbf9bc9fd85cfb35ac80dc541572c5d63b43929630586389dfb4d21d5f3abea", "type": "eql", - "version": 107 + "version": 108 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", + "sha256": "a33b86d48c3d3d62db7a1fa07ff45e3dd2ec92fa332099989635eeb934db5345", "type": "query", - "version": 104 + "version": 105 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", 
@@ -13832,15 +13893,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", + "sha256": "8e916c6e5e28236cf4e78bb6c9a7cb8991800d108c6dce8a147b6196ae27b89c", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "a7f9e12e26f22539b2c1e4f2c784361d72a1bbc261ff0bc1fa9ba30bb48845a1", + "sha256": "745553dd4b4f167afb3f9d8aa2a73cb88e8a9984dbee97b741c011740ea72306", "type": "eql", - "version": 207 + "version": 208 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "min_stack_version": "8.15", 
@@ -13848,28 +13909,28 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", + "sha256": "0eb9b50416c959551b3b273ef5326ae8b96145ec4ea717bee0033ea99d133af6", "type": "eql", - "version": 106 + "version": 107 }, "8.14": { "max_allowable_version": 305, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c", + "sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164", "type": "eql", - "version": 206 + "version": 207 } }, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "c27d3d535d30d3af01b3d9c4fefd1fffd5d4aece3da4eec4fdcdd0ee716bdd22", + "sha256": "b11cb97ba4927fbd34141d3a5cc49333cbae82890c27eb7731e165ed71b3cdbc", "type": "eql", - "version": 306 + "version": 307 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", - "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", + "sha256": "fc6696281aaff38aabf5ef6dfe7b56c731c027f5daa36aa8fa27db356d1836cf", "type": "eql", - "version": 1 + "version": 2 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "rule_name": "Unusual Process For MSSQL Service Accounts", 
@@ -13883,22 +13944,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", + "sha256": "0bea98ee6e9ce10eac166784de0d4aeceb2b4e690051357201bb91cffc7e5edb", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "8aa16b6d5c72cbd8db236cecb394fdb3419409a9334e5de3e489cba322b17da1", + "sha256": "5ff7838c257d23a22ac81dc996fa1bba6e80734971669cbf6c8f5bdfa6314f5f", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "91c9567bb907691834edbcbf81478eea228783238516ba4840d2a6678945a3f7", + "sha256": "8b9fb79800f9757717537734e0e8fd81eb27c77c51f3bea4933b4026af77e360", "type": "eql", - "version": 201 + "version": 202 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.13", 
@@ -13906,27 +13967,27 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", + "sha256": "ecaad70591f430b71f38353b51514e955299f312f6299c043edbe78296d96c47", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "33f6b8d02db10f4facbc48d16e77be33e52f39438aef54bf79c28fac85947e83", + "sha256": "6863009c2b3d1dcd070aa298d0dd85428eda56639d10b0cd9df2fbf806b56ea0", "type": "eql", - "version": 108 + "version": 109 }, "e7cd5982-17c8-4959-874c-633acde7d426": { - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", - "type": "query", - "version": 207 + "rule_name": "AWS EC2 Route Table Modified or Deleted", + "sha256": "e56e718a9723a794c9e062425a957d4e952f2a9984792aa9df06ea86c7310dda", + "type": "new_terms", + "version": 208 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", - "sha256": "5537d2a44f881bfebdb8606aac6d5674c620607d55bb4822209da2cb5f3caa40", + "sha256": "a8e2f8106c708db68e63844ac1cc428b8667fe3c36c280e89ff02504ec867eeb", "type": "eql", - "version": 1 + "version": 2 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.14", 
@@ -13934,15 +13995,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70", + "sha256": "32055c8d4af293ff9a8be66666fca76693403db6496116430450aab41050d035", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "a674e578cfbef5b95a62b11671aeca823f09b5f2f63129f91f2557fa46d972e4", + "sha256": "90408a5fd78cdaf27de15d201a1c9a85a6ef0ded0315d91be4d71a8ad7f8ac51", "type": "eql", - "version": 213 + "version": 214 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.14", @@ -13950,22 +14011,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Installation of Security Support Provider", - "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7", + "sha256": "b539da6b7c1b1227bdb42936daceee9540ba7d0f3605ee4daa85bd0c836ac05a", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Installation of Security Support Provider", - "sha256": "3d579bb92fe8249d3708f287ce73068e3e1eb7d3da4d7457b71e6c95ec5e6491", + "sha256": "4921dd59a49f0857c4a5a11360976efc71f083994125f28706e6071dc19c7473", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Installation of Security Support Provider", - "sha256": "e863b1547c1a211479f64783701a48f31459decaff80471ecc40d7b3f7d64f0d", + "sha256": "d3e972fca563427e3d76bb4395afc5f71c455501294696f9dc6df982b1d28abe", "type": "eql", - "version": 309 + "version": 310 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.14", 
@@ -13973,27 +14034,27 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", + "sha256": "e8fd6440c6d6d88986539c259693d1ee14c53bbebd9bce21eab23ced642d5c02", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "a8d0addea981abc201c8075ddf84cc71cf8e889932f1c06e212d64d43a19f083", + "sha256": "a50076fcb40d588e056f081e1168588950939d6c95a97f2facfed56882ce6f9e", "type": "eql", - "version": 107 + "version": 108 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "14242eb38154b8a8e1a58bf61c0bfb74b5979a402c8daf3ac16d945e00cfd816", + "sha256": "a666b794f171a1a2c008b39794d12cb837d0fee82e293f8dc6601f749a723645", "type": "eql", - "version": 2 + "version": 3 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753", + "sha256": "b54a9721e854b951bcffd517564dba55d3d9f5a1b13ff4bc738ee5aa7e4f9bc5", "type": "new_terms", - "version": 107 + "version": 108 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.15", 
@@ -14001,34 +14062,34 @@ "8.12": { "max_allowable_version": 310, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", + "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4", "type": "threshold", - "version": 211 + "version": 212 }, "8.14": { "max_allowable_version": 411, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", + "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4", "type": "threshold", - "version": 312 + "version": 313 } }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425", + "sha256": "18719e990037ed4bcedb7040cb575b1b244fdea008bf902c36de0c0dc87262d9", "type": "threshold", - "version": 412 + "version": 413 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", - "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", + "sha256": "0cc0882f3f4079767583e56fd8ac76f94fe773a3ad47b80a5c7ef1f07e5afcd2", "type": "query", - "version": 206 + "version": 207 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", - "sha256": "97e36f64a18b7742354c75783032d8c937129028e729388f75253413f03292d8", + "sha256": "b7a20dbebcf0f6ecd941a69b135191989886cb45781f0e23444e523bfaa03208", "type": "machine_learning", - "version": 4 + "version": 5 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.14", 
@@ -14036,34 +14097,34 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", + "sha256": "6ef104d85ec9575226338908f304d5def68a7412883399913f6bb68378d6decb", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "9273914a7b7945fd48d1b65cbaca22cac9b1a363e215a919dfc7d7f2023e6a9b", + "sha256": "5f4f414a3ae8185a194ee698b33f60372d7733ed66e23b8ef56fe4c06edb3dbc", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "3472059c099b888efa866c73f5ebda8a7cdd81a96a7c4c6c01e327c1d1fa2aa6", + "sha256": "2ec2b40b6d719512b8aedec3c65efa2e1ce6b38aa2dfb387edf32b43516c9421", "type": "eql", - "version": 311 + "version": 312 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "85a69d2c3599e4ee1bee8122b9a14c0b9148c3db5d510013e18e96dd0f9ec389", + "sha256": "5b5c778062c60175f66184a03ec8cc58deaec9c8d47e50b7e62d75b592eb203e", "type": "eql", - "version": 106 + "version": 107 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "rule_name": "Spike in Remote File Transfers", - "sha256": "f9cfa49163402d6de09bf8956e320315bd0c937785ed3267ad306470bc834a69", + "sha256": "8d2b4cd0d07e0114cbfc97e7836712efaedb13d7941b49ba32df06344bed130f", "type": "machine_learning", - "version": 4 + "version": 5 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", 
@@ -14073,9 +14134,9 @@ }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", - "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", + "sha256": "ca8b561fa907119476109df0f7f86007194ffc80c3b614c4f69522d366f15e92", "type": "query", - "version": 102 + "version": 103 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", @@ -14089,15 +14150,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879", + "sha256": "9305b82ec96b801a1ce3d03306069610691b62051ca30252e654c38b624f7c55", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336", + "sha256": "263dc5090dd778a47400fbeb93a47512defec5bc3e78d7bdd173ab8dd1c95910", "type": "machine_learning", - "version": 107 + "version": 108 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Brute Force of Assume Role Policy", 
@@ -14107,21 +14168,21 @@ }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52", + "sha256": "fc408da92fc5febf3e95b3e4466fadb5f9c59ff6f98e5b71c5ba830dbebc52f3", "type": "machine_learning", - "version": 104 + "version": 105 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", - "sha256": "805fa189545f981d575ddc36086ba698c6cab425b1ecf2c09c8f857aa7db539f", + "sha256": "709ead5c81ab3e462057c1d8214a1ba0a83c82b80ff27328133a1e0faf4c29d0", "type": "eql", - "version": 4 + "version": 5 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", - "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", + "sha256": "cfe3ec83261ca32ec7fa6c3ec8fe8c6d8b42361b74fc363e99795dcce182badb", "type": "query", - "version": 103 + "version": 104 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { "min_stack_version": "8.14", @@ -14129,15 +14190,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", + "sha256": "0df8fef46aadb6e55f99fcb160c20a7c50b5b97687a0ae824409284676656051", "type": "query", - "version": 6 + "version": 7 } }, "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a", + "sha256": "34b8cb6cbafa6c8284ce99c7c6cc95be28e2423a480b5e56d46de73e21ecb72a", "type": "query", - "version": 106 + "version": 107 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.14", 
@@ -14164,9 +14225,9 @@ "eb804972-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Behavior - Prevented - Elastic Defend", - "sha256": "ec5e33322a047ec2ab8e5339bcbc0a666083f428226a5c77f0384a4fc1d25e4f", + "sha256": "a02516be221389871603168f7a42128228b546471c99d60bbf22ea310f6e54e3", "type": "query", - "version": 1 + "version": 2 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.13", @@ -14174,15 +14235,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Disabling of SELinux", - "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", + "sha256": "68bbdb25d3a0f0d088bd7072fdefec01a701b6549176297cee71b31463d90ffe", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Potential Disabling of SELinux", - "sha256": "7c9c059e8f30a4e218760af3d2ca27b7b63469eee383e2e939b224fa3db2c470", + "sha256": "ddbc5c95a5cd722eb6547a67e6e8d7f04835cb44907b7480f2c46b5b94bc56c7", "type": "eql", - "version": 210 + "version": 211 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.14", 
@@ -14236,40 +14297,40 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Process Execution from an Unusual Directory", - "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce", + "sha256": "59220b274ab98c211eafbd5205e41e943cadddbebe78776bd28a88a2b38d017b", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 311, "rule_name": "Process Execution from an Unusual Directory", - "sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4", + "sha256": "dae2d05e8c9a23744a3d55ec56c1540501141276c8789e74c7e1aa33e787721d", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Process Execution from an Unusual Directory", - "sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2", + "sha256": "76b8d3439003b72e5e932ff9c74478b5688253f8092575aea6c69d58e043bcc5", "type": "eql", - "version": 313 + "version": 314 }, "ec604672-bed9-43e1-8871-cf591c052550": { "rule_name": "File Made Executable via Chmod Inside A Container", - "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", + "sha256": "c4678239b073c9e1c28fd96f625436ef8f93ab27e0b80d9d2da6d39d0ced459d", "type": "eql", - "version": 2 + "version": 3 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", + "sha256": "4572e35abc9f3fb1f7be34775ed498cbbbca8890182cba8ca5beff3a53bf673f", "type": "query", - "version": 206 + "version": 207 }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", - "sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1", + "sha256": "5a63abf64de763c9eee2d8689dc1c75693f79b684903c4b6cb6941ea024892e0", "type": "eql", - "version": 2 + "version": 3 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", 
@@ -14279,15 +14340,15 @@ }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", + "sha256": "35c7505a4a7e2503e09a6d55f986977e180f79e72dfde6b46e17c48fff3342e3", "type": "query", - "version": 206 + "version": 207 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", + "sha256": "31edfa8b99be2305a6bb1447799c69cf2f60e5a834ce4b064a4b4665bea80dd1", "type": "query", - "version": 102 + "version": 103 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.14", @@ -14318,22 +14379,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", + "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", + "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a", + "sha256": "f254d125f5da752be3671f52f44af3671f6730739ac5e5fe785f8bd0f831b628", "type": "query", - "version": 410 + "version": 411 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.14", 
@@ -14341,28 +14402,28 @@ "8.12": { "max_allowable_version": 212, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8", + "sha256": "495c9c3c998abfebae7ebc1d58f5d3fbf791ad4eaf2718e83c11d65598b43fe3", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "bdcf41c9d261562501f02bbc0fdf00741c278f827f8c4b389c9b44351aaa466b", + "sha256": "3b0ac08f7d0c601b06e44b9edb38650af8ddbdc85f786151f275fa96f595fe72", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "b1477cad6a3940c5331b5aac48248d75f2d9628f206c15ca3a83c52a0f2fde0d", + "sha256": "9a796bd4864dce9764f4ff2cbf3bd4ccb3217521e23209f69c4e18ecf9ad41d1", "type": "eql", - "version": 314 + "version": 315 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", - "sha256": "4af9d5eb4553ab22a10d185542796bf3827c9c57126d958da584089a9b4181a6", + "sha256": "5147bc8232ad7a92a84e036bdd81d4fcbcc9ce09fe2b0a2697ae01769ec50e20", "type": "eql", - "version": 6 + "version": 7 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.15", 
@@ -14370,22 +14431,22 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Okta FastPass Phishing Detection", - "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", + "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24", "type": "query", - "version": 106 + "version": 107 }, "8.14": { "max_allowable_version": 306, "rule_name": "Okta FastPass Phishing Detection", - "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", + "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24", "type": "query", - "version": 207 + "version": 208 } }, "rule_name": "Okta FastPass Phishing Detection", - "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54", + "sha256": "7ff673016488bafc9ac4a344918957eda1629b68b0dd51bdc773ce2f9ace05a3", "type": "query", - "version": 307 + "version": 308 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.14", @@ -14393,15 +14454,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Print Spooler Child Process", - "sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961", + "sha256": "0c4cf82321253f33a4bf12dfa7306b7c39b7082304cab83766ef69126f83169e", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Unusual Print Spooler Child Process", - "sha256": "986186036dc086ae57af371ae59653ca11d16660a1311a709a7137fa6c7e6fd5", + "sha256": "83d9b00ad3282d46a266bd3524f468f382c3f23737c05e7e9196acf838551cdf", "type": "eql", - "version": 209 + "version": 210 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", 
@@ -14417,9 +14478,9 @@ }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", + "sha256": "ad6a020e96bacaa9b0609d324df1d4bede5193713d80abfaa29dd4bb5b83370b", "type": "eql", - "version": 107 + "version": 108 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.13", @@ -14427,15 +14488,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "BPF filter applied using TC", - "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", + "sha256": "446f19bb2ea5d80c1e18160601ba2b38ea8e81328974575d0c5369662901dfac", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "BPF filter applied using TC", - "sha256": "6084cde353a59189dfa571e84e654b91e3ede46be8519e25dbf59b69aab4724d", + "sha256": "d93beefad79cf7690a39e4923afdc93fe4ed9d5dcd991c142db3b53b8c7edf28", "type": "eql", - "version": 208 + "version": 209 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.13", 
@@ -14443,21 +14504,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", + "sha256": "f4ee5791bd579b8b6592dbca0af0c3eae7553a3f4d087397f873f3621c85d929", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "207a4a55c909e48b5ef7acf11d3790c83f34a5e398cc4094eeb9346d2dd39c97", + "sha256": "a6758e15fce5ea6d93d0095eea2a912b516de9b55a219b77b27a978d7f17f588", "type": "eql", - "version": 107 + "version": 108 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "rule_name": "Potential Container Escape via Modified notify_on_release File", - "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", + "sha256": "f08d245a0e30752adf439c2153063782f96520a044e2dda10798503db0580fcd", "type": "eql", - "version": 1 + "version": 2 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.14", @@ -14477,9 +14538,9 @@ }, "ef8cc01c-fc49-4954-a175-98569c646740": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "90d364f8a22a46e10400502782f9e63b502856dae193ee242c9df80b475350ca", + "sha256": "deb097d91aed42823bd3a3204774168f890ba2423ac4e4253b9d060f32f50e79", "type": "machine_learning", - "version": 4 + "version": 5 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.14", 
@@ -14487,21 +14548,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", + "sha256": "23beebafef0bf295f6aaf5f99044dc15f8db23dfc7a6f68d46c1cb7a9416c43b", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "c27a1557272e16660b29e32abdf339448cda357be42a5df8ff09e7cd7089e867", + "sha256": "6f3bb7099a9a769fb898a67560799db56ad58c5624c016b1d46a98b1bd12e651", "type": "eql", - "version": 208 + "version": 209 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", - "sha256": "30a4a9a823ba20654cac348d46d6ed2d266e48a105d74d2b07cd97485f45e644", + "sha256": "2d7643f5258ea00499f6a724d37680b18ea9e51cff76a508b397813d06cc2023", "type": "eql", - "version": 108 + "version": 109 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.15", 
@@ -14509,40 +14570,40 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", + "sha256": "7dec7b69a9ae716233a2cc4ee0bf5ce3e8f108b425d0be073ef6d211e7eaeb3a", "type": "query", - "version": 409 + "version": 410 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", - "sha256": "910384ce8b7a90baf6621c861b7a046f4764fa0a712b0a51e2aaf95bc8363a39", + "sha256": "f28f5314da6a041075848884c58593ba3bf4868e10c7789f92de570c17b6a730", "type": "eql", - "version": 109 + "version": 110 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", + "sha256": "dce40c891055fa59c868c0409223dc95efa62252fab387bc182bf9ad3f30eb55", "type": "query", - "version": 102 + "version": 103 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", + "sha256": "ddd5f8f0b1dbde6fb7d9d9802b9190fa54d38d94c423afe4c859794d73da4720", "type": "query", - "version": 106 + "version": 107 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.13", 
@@ -14550,15 +14611,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", + "sha256": "c678c2e4d480d9276b6bc7967e6eb21e4cac673058c59d4b70b8be8b00bbf699", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "8067c8aa2719fd9d74fa030a8d363993b52cd2f7157cfd90c33082869504b004", + "sha256": "8f51b11fbb85ef6502fd4aeef70d40c1a0a94600569968410fcbcfe78e864fd2", "type": "eql", - "version": 107 + "version": 108 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "min_stack_version": "8.13", @@ -14566,27 +14627,27 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Process Capability Set via setcap Utility", - "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", + "sha256": "8104467acd6f82c9b69239d6bebc8750dcce6da3f4f4efbad4a57197063174ba", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Process Capability Set via setcap Utility", - "sha256": "d5f6b2267222943dbe00ff7f33af89e030ceabde1cadb4e0ee50680d0305a6b2", + "sha256": "c7c1780ea2c3381899f8df2aca24d636619832fa7d0cc4a7637a1b519513a2b5", "type": "eql", - "version": 101 + "version": 102 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", - "sha256": "da7ef3b91f3643cdf38700c894afdb9c990e17ed9711f5e4a7e4133589c98b04", + "sha256": "53a99b49697dcd944871a7610cafdbf834659d68f5631056a35cc52f1c8e1aab", "type": "query", - "version": 3 + "version": 4 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": "4e740008509defdc52f3ce580a43a0c02b9f679ad77ebf0f4136253adef5b1ec", + "sha256": "684a674daf52a0659d98f70c6854676100390d6c0cc41568e4450ec8568d1115", "type": "eql", - "version": 2 + "version": 3 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { "min_stack_version": "8.14", 
@@ -14606,9 +14667,9 @@ }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", + "sha256": "ef281309a553487eec147442e89518ebb16d626f9c63c5ffd94663b7a1e6fd89", "type": "eql", - "version": 108 + "version": 109 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.13", @@ -14616,29 +14677,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", + "sha256": "d34b536f30334984723914ab4d44bef45a48785b1ce33846ea6fa8169f40a9bf", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "809020a2abcd5cbc4905175fa9c340ce4d03a5badb092749e5582d500fe84741", + "sha256": "6779913c9f6aa81caa57d89b94072b01b0638454d4faaa9433f37e902cd65b5a", "type": "eql", - "version": 210 + "version": 211 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Detected - Elastic Defend", - "sha256": "7b9a35f4a8a0e47cd62338e301fda982b665581e69582f6f07a420516a7c5d81", + "sha256": "b483ff55b947e2e93555fb3aa39f1789262e4edb4e5694c10bc19b8a2c486dbf", "type": "query", - "version": 1 + "version": 2 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", - "sha256": "c38cb3e116786c25852f4790593e82bfaff12642ff456bb3fa6fd5dab8596b3c", + "sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23", "type": "esql", - "version": 1 + "version": 2 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.14", 
@@ -14646,22 +14707,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "SIP Provider Modification", - "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e", + "sha256": "3171aedb786a6c4346ca2d6e875c736ea14d23e12331aeea3c994e5dca963238", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 308, "rule_name": "SIP Provider Modification", - "sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832", + "sha256": "29662765828508b5d2ddf5905237089fde83513f4c34bd44c93f0e27849d77c3", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "SIP Provider Modification", - "sha256": "ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72", + "sha256": "e0ac3c29d4a3e05055331a8c99eae6dec675fdf4637d6585c80557b3dc879681", "type": "eql", - "version": 310 + "version": 311 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.14", 
@@ -14669,28 +14730,28 @@ "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Creation", - "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4", + "sha256": "f8cbd6a379d828f24d80c53ac9f923bccfcf5f6db7532cf8567c55c09446dae2", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "LSASS Memory Dump Creation", - "sha256": "14a9d741acb3030e8466bf9a59a206544298e89f5fc3fee49bf83f99a7e052fd", + "sha256": "c0268c1e96cb8a7dfec0cb7f803ec42df015cf80a71719b1a544cc4285ed0087", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "LSASS Memory Dump Creation", - "sha256": "254a89261a7919cd601e7aa8a8c9aafa993f9a2f38062b4f3f6b1839c39a0993", + "sha256": "accf15ffd7f736c713d38e6f024889430d4031685a6588588249bb092332d720", "type": "eql", - "version": 311 + "version": 312 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "AWS RDS Instance Creation", - "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", + "sha256": "3bb082fe7f035d7f0edb310d42459b011a6ecb97c9b46e008e1c1434840e95a9", "type": "query", - "version": 206 + "version": 207 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "rule_name": "Google Workspace Object Copied to External Drive with App Consent", @@ -14700,9 +14761,9 @@ }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321", + "sha256": "84a652c9dcb5ab611cd8888bcb7def8d9e6ba1a10712c28017fe35cceb6d07de", "type": "query", - "version": 5 + "version": 6 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.14", 
@@ -14710,46 +14771,46 @@ "8.12": { "max_allowable_version": 209, "rule_name": "WMI Incoming Lateral Movement", - "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", + "sha256": "bf322fd08b8f2bfd47228ee56470b9301a500aa181f75f9594d50ed79033e3a5", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "WMI Incoming Lateral Movement", - "sha256": "f68bad409924e59b8443d6a7bfa105b2b48cb4d88da36172d95d7094cb3a3375", + "sha256": "3ec45777f4c943a7de5082d971bee5996e5cf726ae6f42fc987b77c52f13bf8a", "type": "eql", - "version": 210 + "version": 211 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", + "sha256": "ee7bf6773bfbc573d11e5c0660564ca53d3a9b917ec5f64c87a3b7e9d4b86fa7", "type": "threshold", - "version": 104 + "version": 105 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", - "sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598", + "sha256": "d1171e16d5e8259411aec72aea33cb1c2682fd2d4af82e789944805eceac591d", "type": "eql", - "version": 3 + "version": 4 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", - "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de", + "sha256": "d523f9e7b0b0a672bde61148eda10896934ae0f610892a879adf5a29cd789057", "type": "threat_match", - "version": 7 + "version": 8 }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { "min_stack_version": "8.14", "rule_name": "Remote Desktop File Opened from Suspicious Path", - "sha256": "cf963b5d775862505a178cb58178b33fb23107afcc00e561160961a865e46b4f", + "sha256": "903fd6d4ce8c22d0a4ed7c11940e77eca417f1bc8b231482bebb4e46f6aad27d", "type": "eql", - "version": 1 + "version": 2 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": 
"a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4", + "sha256": "75349fcdfe56a8631cc9346fd2f8623691f57c7e7fa533feab6431c354a3b8e8", "type": "eql", - "version": 6 + "version": 7 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.14", @@ -14757,28 +14818,28 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", + "sha256": "d8fa297a02bd05755728ee6202070fef2ebc8f2f5ae3d46617d78034d80e24bd", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "c065074afa1efd59796f42921ce27c145b88b963e7472fa5c5269c74503e3647", + "sha256": "111139bb2a9a56c179012f91b0e217c614e1527fc3eb2a4b713943763e5a7a40", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "0ceb15eaac8188f45c14c3dd7bead9ba70e09eb4b5f51deb6b9a8c126b63c78b", + "sha256": "67cc9ea0dae5af83aac83f80454998408a24eeb1e521ae441963e51278f54b7a", "type": "eql", - "version": 308 + "version": 309 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", - "sha256": "28451a124942aacc3132dc4aa9cf07779c9879d2e81581d9a09e0715aa18514d", + "sha256": "6f77b4339b6982feae60ae38491e22c8bf8931801527efe93368ab2d675017c6", "type": "eql", - "version": 3 + "version": 4 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.14", 
@@ -14792,29 +14853,29 @@ } }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b", + "sha256": "98da37735724187372bf1f311df3eb82e1dcc9d8792eb8c6faa5d20cd518c69d", "type": "query", - "version": 213 + "version": 214 }, "f4b857b3-faef-430d-b420-90be48647f00": { "min_stack_version": "8.13", "rule_name": "OpenSSL Password Hash Generation", - "sha256": "effca7dd9c856bc18468aeecb9135470738b7c71ceceb60943c78cbeeb3f8f8c", + "sha256": "04b4c9ecf43e0acf3fa6b298371accc63a200e07eb118a4d5edc9430aaca263a", "type": "eql", - "version": 1 + "version": 2 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", - "sha256": "e018ec0346e1abac5468b4f741a4a3036311473e101a7ddf11bca9b702e142c0", + "sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc", "type": "esql", - "version": 3 + "version": 4 }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", - "sha256": "c9f84cce8696eb7c2dc198d566da5e106e018e6fe6cd9e016fd243ae72c741b4", + "sha256": "aacfd52ed0aee2049e2ec00c2475153a185d83bbdd407232e9012a142292ac95", "type": "new_terms", - "version": 2 + "version": 3 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", @@ -14824,9 +14885,9 @@ }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", + "sha256": "89e1134e735b229a7ad239acdb9c85a68c40b34f96a19fe908c12ded3f7e5410", "type": "eql", - "version": 6 + "version": 7 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.14", 
@@ -14853,9 +14914,9 @@ }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "SSH Connection Established Inside A Running Container", - "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", + "sha256": "9d8c510e4b95da8e5072e5d93be80f049c9f4ed253d40845f7ac67920ddf4158", "type": "eql", - "version": 2 + "version": 3 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "min_stack_version": "8.14", @@ -14863,22 +14924,22 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2", + "sha256": "1a52a9efcabc5597110829afe735c6831cc9b2e64ed6169e8e81459e8669c83c", "type": "new_terms", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 207, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d", + "sha256": "0002a051fa57648d20e54eaded6c44a1f3bf1c307e7e8ec68200ff562fd22790", "type": "new_terms", - "version": 108 + "version": 109 } }, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289", + "sha256": "b913881e92e1a38bf6737390fd81a1138292cbd48aa0fb8c2d3c85957650ad7a", "type": "new_terms", - "version": 208 + "version": 209 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.14", 
@@ -14918,15 +14979,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd", + "sha256": "3ae5e32591f980bca7b3064fb9a680b9329a75f4ddc4dc888391659a4c1f654f", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "01204cf3f85db104581872555673b018a1419abdbcce249e52f10ae764026cf8", + "sha256": "6ecb726bdefbe3899c1e739affa928cfbfd0e6eba44de225efcc3d904dab6007", "type": "eql", - "version": 106 + "version": 107 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.14", @@ -14934,21 +14995,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60", + "sha256": "a3bc6cca188a55aa33021f1b9c7d396bdde78a3350f1c4fabb974a4fcffa5ca4", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3", + "sha256": "b133ffedcacb83e511e320e25d6f4afc9f2d638fa12afbe470fab88a6009d07a", "type": "machine_learning", - "version": 107 + "version": 108 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", - "sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373", + "sha256": "05d412610d0acf976c64885d739c2519d44630cc8036b7dba0c8533c92385d15", "type": "eql", - "version": 7 + "version": 8 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", 
@@ -14981,9 +15042,9 @@ }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "e4f93dc05162bf6cad753a1327db0e023df793034c6204d0b08a1d15f6d23b4b", + "sha256": "aa4abbe944c50eb6c464d33d4880bedbb1778ff5139693b5f95e1f81e54a05d4", "type": "eql", - "version": 2 + "version": 3 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.14", @@ -15010,15 +15071,15 @@ }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", + "sha256": "076beef00e93e7c5cea8221f52feed6734107ad9cfb9a62a293d50a066132e1d", "type": "query", - "version": 106 + "version": 107 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", - "sha256": "791121ea6aec69d7039ecb415a62b0a87915433516a225fa0103e30dc1fb3eb9", + "sha256": "de4cb537409466e76a7f865cb93e0842a6fc8f04b9402caaa3b8f56928916711", "type": "new_terms", - "version": 1 + "version": 2 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", @@ -15028,9 +15089,9 @@ }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Azure Service Principal Credentials Added", - "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", + "sha256": "901f5b0b8cf2e223bd55f2b15863c0285e7df7dbae24b8ae528572bd52df13a6", "type": "query", - "version": 102 + "version": 103 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", 
@@ -15040,15 +15101,15 @@ }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "rule_name": "SSH Authorized Keys File Modified Inside a Container", - "sha256": "7447ba66f5bb3a7f75ebfa0ec16f2c79965e3653b03fc3f3a06ec4e7dc27ece8", + "sha256": "dbb02018892869ad01ea50413f348fb8681007ab55495ec2669108a301956156", "type": "eql", - "version": 3 + "version": 4 }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", - "sha256": "9d9ea4b2bef0475b57635433aa6c30663d72eb3226baf7e94587e17374f9c08e", + "sha256": "135091eba79744ed7a55ef7e0825fb4a5189f443b6940d9f322b755d28b98d0f", "type": "new_terms", - "version": 1 + "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.14", 
@@ -15056,28 +15117,28 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac", + "sha256": "3bb11d5684b0514f8d1a5326d1645b8787ea37ae7731db6df5e7d94945f6ef1c", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "19dabb4cdeb3093420fb56b9c94ca6687ea7ee3479e605b8b9f331cdff2466c3", + "sha256": "4cbd3242743b94fc54ec1eff6658bdf2a9009dad93fccbc3354272cc5c10196e", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "07caba511c046edeb032f0a4b75979d94cf1cadf75a7bfea159e175815bb0c48", + "sha256": "0265f205075afb8a44fcc9339b9b8e7819b11ee960a7fcadff4ef19c40407944", "type": "eql", - "version": 312 + "version": 313 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", - "sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255", + "sha256": "6a6d4fc7401921ef468189f6dbd0c74591dd1d15fcab4c0f5b4033610123be2c", "type": "new_terms", - "version": 3 + "version": 4 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.14", 
@@ -15085,34 +15146,34 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", + "sha256": "e36c1fdb2b34568b5431017b6d35a86a116bc34c7b9af52fbfeaf4548233dac3", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "c4a613fb04e9f97b6a884009449a139ee5a135556512ca5bf96bb5b803db7d8d", + "sha256": "a577211254c57b0fba47713de661ab81bc197366995a8d14d939f8667dde3ffa", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "41f949b2f55eaabf986b67891e7037a89ce1a7964a42ef6e88352b92d52778bb", + "sha256": "fc3a25445b0ecc88878661c840092042b33a21a6b66a2307253219ea04c67913", "type": "eql", - "version": 309 + "version": 310 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", + "sha256": "402f5404fef876bbbd2aba0a471857bb32c2a7c711af599817c9834d0db5c2be", "type": "query", - "version": 106 + "version": 107 }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "187045fe170ec5d73a01ae484c2beb785ba6d685cf6973c52d6dd63393600eaa", + "sha256": "deffcca6a713e80f7c6197c17ee1be6a9f98b582e6c922548acf9ab45a49f882", "type": "eql", - "version": 3 + "version": 4 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.14", 
@@ -15140,9 +15201,9 @@ "f87e6122-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Prevented - Elastic Defend", - "sha256": "9b4dc0fb3aa575631ab1f19f6059c644319158dc055b3ebf6dac4148d593c119", + "sha256": "67ffe83c5432e13fcf6b7e4cf476f32cfa6c44e604a32fe07f2cbb1ac508042b", "type": "query", - "version": 1 + "version": 2 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "min_stack_version": "8.14", @@ -15150,15 +15211,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03", + "sha256": "de3cf59b7dd66998abe201a8eaf36dbba367e448780f8d30c428d89610b5c18f", "type": "query", - "version": 4 + "version": 5 } }, "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5", + "sha256": "bed1ed023c04637d3664efd5fbb73d3aa0cfea24257dfb18a925fea3d2cbef3f", "type": "query", - "version": 104 + "version": 105 }, "f909075d-afc7-42d7-b399-600b94352fd9": { "min_stack_version": "8.14", @@ -15166,15 +15227,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea", + "sha256": "e26f15abdf56aa1b61415ba7dc51da814455d36335a30451a9089c7e28074d99", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "c4508dc7b6251d648197e8d7704c8fdafc973a1a99006c1475d76e67e7d195d3", + "sha256": "f38f93c88e156a79c010dfad2f862d22927fc7fef7c08ca2dfa59a780b3d8e9b", "type": "eql", - "version": 101 + "version": 102 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "min_stack_version": "8.13", 
@@ -15194,15 +15255,15 @@ }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59", + "sha256": "d11d9b7a7104ede9ec52c99b7a22fda51997f927c44ba71a8317a0870bf39b4d", "type": "machine_learning", - "version": 105 + "version": 106 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", - "sha256": "85e0e9eb2f56d40ea5aa97a05e3c9ef70749ffbf72276dfe626c72d1889217c6", + "sha256": "a65eed2cc5b097a57b4e7baac0a286e05e9272a546e2fa4ef98c84b45efbaccc", "type": "eql", - "version": 8 + "version": 9 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "min_stack_version": "8.14", @@ -15210,22 +15271,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Browser Extension Install", - "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", + "sha256": "13264d82b596b30f4a39bca88800139df7d59f7e5714ac3294aecb8adb693f2b", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Browser Extension Install", - "sha256": "33fea2e19640fd39808aae6bf7267174995cc0a7e7973f07a4b21fbb2b842970", + "sha256": "2813c84680c133570b552af8010cab5df5b2cf9ce045b7cb05716d286729bcdf", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Browser Extension Install", - "sha256": "cdd8f7c92285ec6406bbb7e06fef02eb1458895deda96a9bbd299be408be2026", + "sha256": "420b3c2fb3cad25f5312065eb38e2944b8220eac1111dba2dd1088b95141b687", "type": "eql", - "version": 202 + "version": 203 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.14", 
@@ -15233,15 +15294,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Privileged Account Brute Force", - "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e", + "sha256": "a3e155da55738446b14a3519a8631b9d6a3f2a2420e7abea9743574cfa5a699f", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Privileged Account Brute Force", - "sha256": "8237fdea989fedadcbe0c3d264d0f2e33c15879386f11721c8effccb0b5a1d28", + "sha256": "d609cef02e743a187baf0068f42fe95b28bef7bee1d26bb067e3d09188bf7281", "type": "eql", - "version": 110 + "version": 111 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.15", @@ -15249,22 +15310,22 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", + "sha256": "9f8a0e0868d43b262c98653adb7bed57c23c2509b0fec88ebeb33b1a92853293", "type": "query", - "version": 409 + "version": 410 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.14", 
@@ -15272,34 +15333,34 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
+ "sha256": "38cd36c0e10b5e71de73e548f13243d29e06b1bab2ca10c74ae875da1606664d",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "c57ede22981de8ec65a677f491d04e110c3dcbe758924fc37fc34e2b031677a2",
+ "sha256": "2ec223a448f81f94a8f428864b7dc4f7b173fb01a997740f6f29143c0496219c",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "e2887448f525e4d2fc06229b8d743d4dca3c5ec090ff66e1b0395b0a14a6ffe1",
+ "sha256": "4300b10c7504d0440412581634a019e1a6e58f0db412301ee1b20b04516532bf",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "fa210b61-b627-4e5e-86f4-17e8270656ab": {
 "rule_name": "Potential External Linux SSH Brute Force Detected",
- "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda",
+ "sha256": "c8d1d95ef6525a3da18e35d890b332565c8b7453a7c89f16c87080264772d9ac",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
 "rule_name": "Potential Reverse Shell via Suspicious Binary",
- "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c",
+ "sha256": "cd83e2dee4122108d811abf45e532d0dc27fdac8ec1673c2ad306e85c97819f2",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "fa488440-04cc-41d7-9279-539387bf2a17": {
 "min_stack_version": "8.14",
@@ -15307,22 +15368,22 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
+ "sha256": "e416bd900c26017a9a2e60990ee7ae09ced3df13618bbbc45b29fb2340de74d1",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "e76797913ea8f33de2a02341ab5af40b4efd31ccdadbb67daf8fcdf5281830bc",
+ "sha256": "34eeb28ee7412555964397a4969d1d55098b05a4107dd4330ea8ac5dd242d54e",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "d31107882201846433a5c59aa2d72a82cb14836b79e86eb8a93521116638d30a",
+ "sha256": "d4eaa3dfb8b078f3a464ad91d4dcd5424f2faf343c977d6dd7df44cc08e87065",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "fac52c69-2646-4e79-89c0-fd7653461010": {
 "min_stack_version": "8.13",
@@ -15330,15 +15391,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Potential Disabling of AppArmor",
- "sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e",
+ "sha256": "dcc5486dac299e23f474eb39e2b40231213ec061f4460cc66cbd25bc8ea1b927",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Potential Disabling of AppArmor",
- "sha256": "01508640f0055cb89a305cbdf1ef43cd6f104545bfdc21eea76eaaf2e7e7909d",
+ "sha256": "dd0c697b12d206fc9f3004381077e6f7a2367ed6acc0112544ccd443afccb2f3",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
 "rule_name": "Potential Masquerading as System32 DLL",
@@ -15352,15 +15413,15 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Network Connection via Registration Utility",
- "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
+ "sha256": "b4eed2ddeb40f2bbedc702c4789e5748c0f303fb263208a2bdcd2974c12346b5",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Network Connection via Registration Utility",
- "sha256": "8aae81ad83c8f0921e01112594259350cacae84e8b7a5991c5774c2b12228d7c",
+ "sha256": "c04bf7494ed4c20a8a87bbe9bb3f2876b8e92b7af292dfac1b2d2f847593dcad",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
 "min_stack_version": "8.13",
@@ -15368,15 +15429,15 @@
 "8.12": {
 "max_allowable_version": 203,
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
- "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
+ "sha256": "1b149111089ed10df74c8975a4801b321f429cbc00bddf77eebd2f154d5355e0",
 "type": "threshold",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
- "sha256": "aa706a6df1832c500f882ba46028eb2732a866b5e6335c33fd62c18d90a7d870",
+ "sha256": "babeac41d262653f7ef7c8bddf78a7573fb7894ae7b8c2c9b3f48fc07ef6452c",
 "type": "threshold",
- "version": 204
+ "version": 205
 },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "rule_name": "Auditd Max Failed Login Attempts",
@@ -15386,15 +15447,15 @@
 },
 "fbd44836-0d69-4004-a0b4-03c20370c435": {
 "rule_name": "AWS Configuration Recorder Stopped",
- "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004",
+ "sha256": "7953f99ece9b3629d330947f9c59294d7504c35d5eb9415e8410833f95063b4d",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
 "rule_name": "Process Started with Executable Stack",
- "sha256": "817c1bcd002aee4e4e20b0ec867435b39e734957b1032925a405161c91e1ff2d",
+ "sha256": "0463c0b25ecbc17c558c90dfd80f29d64776de9fba2451a8768448d09293b378",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "min_stack_version": "8.14",
@@ -15402,22 +15463,22 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
+ "sha256": "59543020be10655d8e81766d6a80fb95792cda6820556f739905cb54943ddbce",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "4ad908e9c0e001298a239314cbd4fc39fb76e0789a62456d4601e31ea266b35e",
+ "sha256": "80e05f76dd4e8c2e94bdbd3924f85a5877d9ff5a47c410d308b96f7a1d390525",
 "type": "eql",
- "version": 209
+ "version": 210
 }
 },
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "db69f7867e43c1d9991d02ca50a537f1688974ffa821585058e225fa254dfed5",
+ "sha256": "afa60af2586a1e3458855aa64f4d3fbbfe063c3f35b3abc5a840d616f77d9841",
 "type": "eql",
- "version": 309
+ "version": 310
 },
 "fc909baa-fb34-4c46-9691-be276ef4234c": {
 "min_stack_version": "8.13",
@@ -15437,9 +15498,9 @@
 },
 "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
 "rule_name": "User or Group Creation/Modification",
- "sha256": "d1ea785176a27ff76f628305fa1d57041f59595f8b6e09f99b4b4349c18f1811",
+ "sha256": "e492a1d379ef0524d4b531024a7edf8a09e7b8174850fd8fd2d8824d76499df7",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "fd01b949-81be-46d5-bcf8-284395d5f56d": {
 "min_stack_version": "8.13",
@@ -15447,21 +15508,21 @@
 "8.12": {
 "max_allowable_version": 203,
 "rule_name": "GitHub App Deleted",
- "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
+ "sha256": "c0689f3c0e7636572f0800557c0480309dbcf71e0107dc51b0ed362728a0c927",
 "type": "eql",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "GitHub App Deleted",
- "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
+ "sha256": "77d5e70dceb83e72c91dec0a125b56e67e4f66b20ca31374060260c91887c03d",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
 "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
- "sha256": "6e4722f7391334da9fa02d2bfe859e94a1110c6b78b728f62607aaa9380b59e9",
+ "sha256": "7c1af1a785726996f19edad02af0353a331e9ccd7a6095127460e2ee4da6beb0",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "fd3fc25e-7c7c-4613-8209-97942ac609f6": {
 "rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -15475,22 +15536,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63",
+ "sha256": "fb02d9d052a80cb71ebc3d197b2737a8bb72f875dc6f26fcb777715dc8ea8007",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "0c0fb67b6f1fbc64b54c4eaaaf3982e6abd871234c9d741e32cf6111a4b95348",
+ "sha256": "003cbead1025ca8c3bb1f33eddf4a98de00f555cb184077b194142cc838263b0",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "3a5c29d43ebbadfb3a010e164c997dcdbc2c550226c3129d9f7256ad4204f204",
+ "sha256": "8d5354802a1da8218bdca789c1118dd3c0e75072f015978e3ce65b239357204c",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.14",
@@ -15498,22 +15559,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
+ "sha256": "13dd1c7c1c9bea325d7f705da1527335b7e0e12d8f5e7d942ed99c6b9d1a7a5d",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "d5f199269d0b8d8ffcb51d4a5be03858a06c561d4d7b5e76ccdb0730fbf5212a",
+ "sha256": "2ab5b41ea028baf2c8143494762615137f2d9daec219a470c3ac43a8dc70d0d5",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "d283778b33a2eb881ef6542154d6a7a4f20f42620f533ab95ac6e3d92989605a",
+ "sha256": "9e178f0e88993fc08a6e3bf41eaf0502281774f9ebbfe9477e09a20b55e8fc8f",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.14",
@@ -15521,22 +15582,22 @@
 "8.12": {
 "max_allowable_version": 317,
 "rule_name": "Svchost spawning Cmd",
- "sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f",
+ "sha256": "fd2168d3b0db808329e092b89905660cf80f6a564f9e3218506dfba05e409c61",
 "type": "new_terms",
- "version": 218
+ "version": 219
 },
 "8.13": {
 "max_allowable_version": 417,
 "rule_name": "Svchost spawning Cmd",
- "sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a",
+ "sha256": "89907452efa6d5a092c9819fec02d0a27a824e7e526e5a031f271cd0a9cce5be",
 "type": "new_terms",
- "version": 318
+ "version": 319
 }
 },
 "rule_name": "Svchost spawning Cmd",
- "sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83",
+ "sha256": "e648c831b55c6701ce80a615623526f8eb2024dd98dd5a6caaa49692191e85d8",
 "type": "new_terms",
- "version": 418
+ "version": 419
 },
 "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
 "rule_name": "Image Loaded with Invalid Signature",
@@ -15546,9 +15607,9 @@
 },
 "fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
 "rule_name": "System Binary Moved or Copied",
- "sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39",
+ "sha256": "3f455b9a9fc20d9dca4d989e3236437d2b7c702d96e34fe01c0e21181bd9cc34",
 "type": "eql",
- "version": 13
+ "version": 14
 },
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "min_stack_version": "8.14",
@@ -15556,15 +15617,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
+ "sha256": "87b8915f4df4e07283d519a5459b89600a2e9018c07136f10a454968ecec7522",
 "type": "query",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1",
+ "sha256": "21800d17e1a701df364ecf5e4dc921c47a9978bd53f4290052756476349613b3",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "min_stack_version": "8.14",
@@ -15607,9 +15668,9 @@
 },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "rule_name": "Potential Masquerading as Business App Installer",
- "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
+ "sha256": "6d71e2f5b064aa990886b9f8855595def2146202b93e657c62c021e3bc852c84",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
 "rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
@@ -15642,45 +15703,45 @@
 },
 "fef62ecf-0260-4b71-848b-a8624b304828": {
 "rule_name": "Potential Process Name Stomping with Prctl",
- "sha256": "6d66bac41360553f30a7ec77711cac7525469a4649853c093e54807182e05880",
+ "sha256": "4f8d4f17d7899a44961b0ed15bd61e32234c08c800dddbae9b75aa238bf40541",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
- "sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b",
+ "sha256": "7c706cb36925b68e3326c38052f0bc6a5afdfc8ef02a33dc200e92fae09dbb2f",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
 "rule_name": "Potential DGA Activity",
- "sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758",
+ "sha256": "ef8f045d4a373ebb67741cef329ed0e2b3a356b64978bd6dcad9716fb2f3f592",
 "type": "machine_learning",
- "version": 5
+ "version": 6
 },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
 "rule_name": "Cron Job Created or Modified",
- "sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90",
+ "sha256": "2bb9047a12faecde8952e7f0bfe8c12187345c8e1016fdd19c1ebcfdb379f298",
 "type": "eql",
- "version": 14
+ "version": 15
 },
 "ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
 "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
- "sha256": "7842115a7191021a44e61d69bdc1563edc6e9d471a1237af41d228647df07824",
+ "sha256": "cb20be6b7c6db1a5ba68b0ab829e75e5faad09e13d4ad4db8d1d303a36958a26",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "7d8c295d9d5382ec04a6755af94ef4b2f9e3a87942594dc7a1708854f48db9bf",
+ "sha256": "af8119ce553fafb567f949620657a037808e29169ff198277765c4f54f6aea09",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
- "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
+ "sha256": "fd7869fa1dfb7814d85e599eddf43e2fe64eeff6d58e4bc655b81add4f748fe5",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
 "min_stack_version": "8.14",
@@ -15688,28 +15749,28 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
+ "sha256": "142aa8456d0c3151257b8d40bb29b00d7880561940ea1366b6c850725a7fa90b",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "a5dc5c08ba531d44f22ea6769d5c2df16f15453f794a715ed59b46054ce95996",
+ "sha256": "593b01d8d7d60109ab9ad569f65be57c3c9e8efb4590d58f871e61d7ba6a8cfa",
 "type": "eql",
- "version": 101
+ "version": 102
 }
 },
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "fdeb2235369b54f09b8e618dfa7db46fc187a691bc5b60955e67e9bfa1d1a008",
+ "sha256": "1b182aabc1a25362770238d8e6fbd5d91def7ad420cbd29f0ec914985f603673",
 "type": "eql",
- "version": 201
+ "version": 202
 },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "rule_name": "GCP Firewall Rule Deletion",
- "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
+ "sha256": "dbdeafa2e40515c24f4df798e5a2d653973541813b5f25cad1c52cf8e334f69f",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
 "min_stack_version": "8.16",
@@ -15717,14 +15778,14 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Potential Sudo Token Manipulation via Process Injection",
- "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366",
+ "sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Potential Sudo Token Manipulation via Process Injection",
- "sha256": "d9a50180875a16c7d3cfedadf27a0c3bb75bd18b950d188993f9ba0f43f504ca",
+ "sha256": "b3a0fb9a91e96e465bf2e1a9c90fbdfcd2446a6bd3d40d9b7b245f49e82a8155",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 }
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index b687b7c05..92c3db8e4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.7"
+version = "0.4.8"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"