security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716)

Browse Source
This commit is contained in:
github-actions[bot]
2024-05-29 19:48:22 +05:30
committed by GitHub
parent 9d019dcf26
commit 259bab7a5a
1 changed files with 494 additions and 257 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+494 -257
View File
@@ -22,10 +22,20 @@
"version": 112
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"type": "eql",
"version": 110
}
},
"rule_name": "System Shells via Services",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"sha256": "f39660853e5b117b27a58684c32fc3028f841c2bfa0676a1716d4775a8fbc5bb",
"type": "eql",
"version": 110
"version": 211
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
@@ -83,9 +93,9 @@
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8",
"sha256": "ab12d69ccda9b4506285fbb564f8ce128934caa2d2f9710e9e95f3302456f364",
"type": "eql",
"version": 1
"version": 2
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
@@ -197,15 +207,15 @@
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"rule_name": "Unusual Remote File Size",
"sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1",
"sha256": "86c63dfc5a14108858c1a668088b651845e888e1dfa6764e364d7193cda1e105",
"type": "machine_learning",
"version": 3
"version": 4
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88",
"sha256": "7df79a5a45df69924ae972fdd38b36c7a418f9fbf7baa84154a0a62d74b41da4",
"type": "eql",
"version": 7
"version": 8
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
@@ -221,9 +231,9 @@
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017",
"sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333",
"type": "eql",
"version": 2
"version": 3
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
@@ -232,10 +242,20 @@
"version": 7
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"type": "eql",
"version": 8
}
},
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"sha256": "793a191ad34ae91c56955a490de13ca8298e1f75a10de07ae143ed3766096355",
"type": "eql",
"version": 8
"version": 109
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
@@ -269,9 +289,9 @@
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
"sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb",
"sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0",
"type": "eql",
"version": 4
"version": 5
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
@@ -324,9 +344,9 @@
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "75554ce3cf2084385c71f589a49912d97a3565e845b92ef27fa2638bc05ac2ff",
"sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370",
"type": "query",
"version": 4
"version": 5
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.12",
@@ -443,9 +463,9 @@
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b",
"sha256": "36731a2b745266798a86c82eee4dbc160faad33f2480d2e5d3f489d91db2ba8f",
"type": "new_terms",
"version": 110
"version": 111
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
@@ -473,9 +493,9 @@
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9",
"sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd",
"type": "query",
"version": 1
"version": 2
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
@@ -503,9 +523,9 @@
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76",
"sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd",
"type": "eql",
"version": 111
"version": 112
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
@@ -527,9 +547,9 @@
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba",
"sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967",
"type": "eql",
"version": 112
"version": 113
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
@@ -545,9 +565,9 @@
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6",
"sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b",
"type": "machine_learning",
"version": 4
"version": 5
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
@@ -586,10 +606,20 @@
"version": 111
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"type": "eql",
"version": 108
}
},
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"sha256": "193c901aad4b30bccee51e476e66934d19feb9bf8a576d862630631b848cc323",
"type": "eql",
"version": 108
"version": 209
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
@@ -599,9 +629,9 @@
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73",
"sha256": "c2b4ee4ec81537059bb2e8dbd01a49dbad51ed18ff6332efca8726e276992537",
"type": "threshold",
"version": 1
"version": 2
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
@@ -611,9 +641,9 @@
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c",
"sha256": "2df03e6f85b643953de58a6655130f275e8abc58041dc624319fc3047cf03dee",
"type": "eql",
"version": 4
"version": 5
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Azure External Guest User Invitation",
@@ -750,9 +780,9 @@
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d",
"sha256": "9db1b2c407bc10769394309a57e5e1acb24ac3834a9d1c679e3288ef28b2b546",
"type": "new_terms",
"version": 9
"version": 10
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
@@ -780,9 +810,9 @@
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb",
"sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de",
"type": "machine_learning",
"version": 3
"version": 4
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -798,9 +828,9 @@
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002",
"sha256": "c02ce126b5e2476c4b0957b0c3ef37a9b2dba70091c0f7164a46bc10a7ebdcd4",
"type": "machine_learning",
"version": 3
"version": 4
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"rule_name": "Suspicious Network Tool Launched Inside A Container",
@@ -870,9 +900,9 @@
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d",
"sha256": "bf4cceb5ae7a5878a49003e662cdc61a43a63016cf7c081482666a0dac24247b",
"type": "eql",
"version": 113
"version": 114
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
@@ -1007,9 +1037,9 @@
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e",
"sha256": "fd84b26c8ab531b1ad59fd8094d8b4856d55f7e7495a323cb5b1982694f6151a",
"type": "eql",
"version": 111
"version": 112
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
@@ -1025,9 +1055,9 @@
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d",
"sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46",
"type": "eql",
"version": 2
"version": 3
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"rule_name": "Creation or Modification of Root Certificate",
@@ -1053,9 +1083,9 @@
}
},
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "adddb3826db0faf4df285ffe2b662f510557180d3576a19d570b65606facbd90",
"sha256": "57ac4bdcc5fcfe22c771505dc39af0653f5f650a87c0886f736f439b36ae7e13",
"type": "eql",
"version": 207
"version": 208
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"rule_name": "Werfault ReflectDebugger Persistence",
@@ -1083,9 +1113,9 @@
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"rule_name": "Potential Reverse Shell via Child",
"sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade",
"sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853",
"type": "eql",
"version": 2
"version": 3
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
@@ -1101,9 +1131,9 @@
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0",
"sha256": "5950490a263aef327d0d6b9b4f9c83dd9eeb655207043afab349082a0d04e0e9",
"type": "new_terms",
"version": 205
"version": 206
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "SUNBURST Command and Control Activity",
@@ -1173,9 +1203,16 @@
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b",
"sha256": "910c6260475ac0d34a0354b97ff3c19f1b7ef26a8d78a053e3b1fb73f55c7323",
"type": "new_terms",
"version": 4
"version": 5
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec",
"type": "query",
"version": 1
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -1238,9 +1275,9 @@
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5",
"sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f",
"type": "eql",
"version": 4
"version": 5
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
@@ -1268,9 +1305,9 @@
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"rule_name": "Account Password Reset Remotely",
"sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7",
"sha256": "9ab1b757f688e740b80df6299a9fffff15b0b6cf4f26fa752e487d1d0ac57cb4",
"type": "eql",
"version": 114
"version": 115
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"min_stack_version": "8.13",
@@ -1330,15 +1367,25 @@
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80",
"sha256": "108a9286abd12dc31a741f884dfbdc97989a18871c8dbc11e92632e80d96b815",
"type": "eql",
"version": 112
"version": 113
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"type": "eql",
"version": 111
}
},
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"sha256": "cfc96b6991e4924d103a2158af8da2606918fbec5876bff5d93be7653deb2bd5",
"type": "eql",
"version": 111
"version": 212
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.12",
@@ -1394,10 +1441,20 @@
"version": 6
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
"type": "eql",
"version": 111
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
"sha256": "b063bce44c35e4d15cd79869b5732433239a66d51babb5fb8f9d0adbe2001097",
"type": "eql",
"version": 111
"version": 212
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
@@ -1510,9 +1567,9 @@
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793",
"sha256": "4ef923e73c924a38e0cf60427e8d215a0402d88bd2d9cb5ede83696a7716d700",
"type": "eql",
"version": 111
"version": 112
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"rule_name": "Malicious Remote File Creation",
@@ -1587,10 +1644,20 @@
"version": 109
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"sha256": "a7e4e52230f1a2f269732a45b210a8cded335e4867e2095abbb2d707d4a0e932",
"type": "eql",
"version": 111
"version": 212
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
@@ -1635,16 +1702,26 @@
"version": 106
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"type": "eql",
"version": 110
}
},
"rule_name": "Port Forwarding Rule Addition",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"sha256": "e4d0644e1d41d584ee51527759ef379d2e85441b65044ced77ef38d1e5ee9a29",
"type": "eql",
"version": 110
"version": 211
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac",
"sha256": "7f778783d142f64fbf3be96cbd7c5059a658dce8b1986144a77ebac82f8c9a58",
"type": "machine_learning",
"version": 3
"version": 4
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
@@ -1678,15 +1755,15 @@
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457",
"sha256": "702a6f3a2433e5ad66e4dd17b555c7bc979578f8248e27744f421e12791d0780",
"type": "machine_learning",
"version": 3
"version": 4
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"rule_name": "Potential Suspicious File Edit",
"sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254",
"sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd",
"type": "eql",
"version": 4
"version": 5
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
@@ -1752,9 +1829,9 @@
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277",
"sha256": "4082dec3872831be075b4437114dd49a7322440fc0f7650a4de37632a9a6b063",
"type": "eql",
"version": 207
"version": 208
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "User Added as Owner for Azure Service Principal",
@@ -1829,10 +1906,20 @@
"version": 103
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"type": "eql",
"version": 110
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"sha256": "99fe156012393a6350811a3ccf9ecaf4dc0d399569a90aa01cc5cebe44117352",
"type": "eql",
"version": 110
"version": 211
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
@@ -1876,9 +1963,9 @@
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62",
"sha256": "12c6038b69842f3fafbe9f2dd9630e0d41734d2b8678ebefe442944fe4a7595f",
"type": "machine_learning",
"version": 3
"version": 4
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
@@ -1948,15 +2035,15 @@
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281",
"sha256": "da80ff0e6020c1f4b703d597ce09ad294629d13d57cddce31f7eac0eb7d51f16",
"type": "machine_learning",
"version": 3
"version": 4
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"rule_name": "Unusual Process Spawned by a User",
"sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b",
"sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
"type": "machine_learning",
"version": 4
"version": 5
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
@@ -2085,9 +2172,9 @@
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd",
"sha256": "fe85472e289bd363341d59f4b9a362e21110fd6fb58902f400f3575b09f612a0",
"type": "query",
"version": 1
"version": 2
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
@@ -2103,15 +2190,15 @@
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41",
"sha256": "be491095047d3c14c4f0f6ceaaaa57b03ed05e79bd61229fae0171cd3b2edb4f",
"type": "eql",
"version": 111
"version": 112
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07",
"sha256": "8f06fef2e1f4657210c2cac9a74eb6aeaa938041db6e43eb3dfc3f9d24695c23",
"type": "eql",
"version": 111
"version": 112
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"rule_name": "Potential Local NTLM Relay via HTTP",
@@ -2127,9 +2214,9 @@
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1",
"sha256": "f475866a4eb28902febd629ce11fefe77e80d41baabebe63a0b893ddd7d9a753",
"type": "new_terms",
"version": 9
"version": 10
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Sensitive Files Compression Inside A Container",
@@ -2163,15 +2250,15 @@
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea",
"sha256": "f73503ecaa32737163abde02d9b27f8d420df219be75d6ce12c1790c04f52a91",
"type": "new_terms",
"version": 105
"version": 106
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
"sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736",
"sha256": "5cb666b8db28f6ef91c652488905003a54f688578c1a34017e77b80bc87c153a",
"type": "eql",
"version": 8
"version": 9
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"rule_name": "Multiple Logon Failure from the same Source Address",
@@ -2205,9 +2292,9 @@
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8",
"sha256": "442cc445286a3163b8aba6078ab86ef9450687d9587a6716e1f7b2c5ff79b893",
"type": "eql",
"version": 6
"version": 7
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
@@ -2271,9 +2358,9 @@
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0",
"sha256": "d5d28b9af1ed399604eb5bc1744453ce1f5dbc4839e7650ccf12c30616fe3d07",
"type": "machine_learning",
"version": 3
"version": 4
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
@@ -2319,9 +2406,9 @@
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461",
"sha256": "5b623fb9915bfc946b7d055f8270000bf239fdb2dcd03021f8d03b24d3b28de7",
"type": "eql",
"version": 8
"version": 9
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
@@ -2384,10 +2471,20 @@
"version": 2
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"type": "eql",
"version": 108
}
},
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"sha256": "f5b43f0f0f3a4cd3823fedc6900054657f8adb7bd85b6cc8097f892872bf6f3b",
"type": "eql",
"version": 108
"version": 209
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
@@ -2468,10 +2565,11 @@
"version": 106
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca",
"sha256": "cce1af93176b643f8c69e79b1ef19c94e25df9e6f6607ba60b50433fd8914264",
"type": "new_terms",
"version": 8
"version": 9
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
@@ -2488,9 +2586,9 @@
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "ff6da7f331dcfa0385d733fe7af34367b7a5772236336e8196677506dc53fa02",
"sha256": "2fe35fc63d94df5fa3980bb4ddb1708b8ef9065b2a9d468329b207be8146385f",
"type": "query",
"version": 4
"version": 5
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
@@ -2506,9 +2604,9 @@
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17",
"sha256": "1e4f39e3118e880f5a867bfacf7e44eb031423fd7f329399580ab13c11496005",
"type": "eql",
"version": 107
"version": 108
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.12",
@@ -2534,9 +2632,9 @@
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c",
"type": "query",
"version": 108
"sha256": "0f5dc350a466574f350a79acdd81b4040d03f2334f636084c3a73ffea4480480",
"type": "eql",
"version": 109
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
@@ -2552,9 +2650,9 @@
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853",
"sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098",
"type": "machine_learning",
"version": 4
"version": 5
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -2651,9 +2749,9 @@
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc",
"sha256": "f0266b580614dbb0c7ec5ff4505f577f89518b4141c2b2c116082bbf595986e5",
"type": "eql",
"version": 111
"version": 112
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
@@ -2747,9 +2845,9 @@
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
"sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa",
"sha256": "c9fb7b1a40fb8a63342f9f814a8e100720fa02eea274c2aeb53db151bed3f581",
"type": "eql",
"version": 5
"version": 6
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
@@ -2964,9 +3062,9 @@
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f",
"sha256": "5a3fd12529c9c80182c6867d42fd64119b65ce06f0106fb6c46537b9f536d9ed",
"type": "eql",
"version": 4
"version": 5
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
@@ -3070,9 +3168,9 @@
}
},
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "e420ac04ef84bb4a8ad93985e785758ffd16b4e0b44d969bc6f749df31add04b",
"sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115",
"type": "eql",
"version": 206
"version": 207
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"rule_name": "Modification of the msPKIAccountCredentials",
@@ -3226,9 +3324,9 @@
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc",
"sha256": "0c4ef4f51a8579747372ea43f8369add1855a2c4ca49c0059a91aca3c86b15e1",
"type": "query",
"version": 1
"version": 2
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"rule_name": "Unusual Service Host Child Process - Childless Service",
@@ -3237,10 +3335,20 @@
"version": 110
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"type": "eql",
"version": 111
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"sha256": "9a2bd321243f33c29af8cab474c2a52763818ef4340040453bf1e111f2e47503",
"type": "eql",
"version": 111
"version": 212
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
@@ -3280,9 +3388,9 @@
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host",
"sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78",
"sha256": "1259847bc59ec8a6f2558f519c3d33e6a2166fa18da8ef169a7d2de8a08225c6",
"type": "machine_learning",
"version": 107
"version": 108
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
@@ -3552,16 +3660,26 @@
"version": 9
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"sha256": "5dc0aa50792a92d4380b7f0f4e326e624d77e221bc6825424687daac0e26083f",
"type": "eql",
"version": 110
"version": 211
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf",
"sha256": "5b51aa562ef9f4c100f01430fb4fec43fe857716a3c1ac73bbca4920b74b46d0",
"type": "eql",
"version": 111
"version": 112
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
@@ -3583,9 +3701,9 @@
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db",
"sha256": "5cb85927565e167772175631c6373aecb6ba3034247b51505c137a7c92c3ca4a",
"type": "threshold",
"version": 5
"version": 6
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
@@ -3606,16 +3724,26 @@
"version": 208
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"type": "eql",
"version": 1
}
},
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"sha256": "1cd4ba234bf93cf872872658b01960cdc2fdcd04262dadd0399b738cff42d2e4",
"type": "eql",
"version": 1
"version": 102
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0",
"sha256": "c611056d35cd93fe81c5d897466610121a8eb8824ced600673490ea40deaba6d",
"type": "eql",
"version": 1
"version": 2
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
@@ -3625,9 +3753,9 @@
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format",
"sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555",
"sha256": "3d99ad9a8ea1ddbc2a184754459191a84dc56f918bf759be9a52d7649106e44e",
"type": "eql",
"version": 4
"version": 5
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
@@ -3739,9 +3867,9 @@
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "New Systemd Timer Created",
"sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948",
"sha256": "454dae129a07176b215e4ce8d81df5963eecb9144c6b5605e7f23ad1a0ce8e37",
"type": "new_terms",
"version": 9
"version": 10
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
@@ -3755,6 +3883,13 @@
"type": "eql",
"version": 4
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "SSM Session Started to EC2 Instance",
"sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc",
"type": "new_terms",
"version": 1
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4",
@@ -3775,15 +3910,15 @@
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"rule_name": "Unusual Remote File Extension",
"sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b",
"sha256": "d33a4fa7f5db48036701cd4df4e4586b2218d47f930a796097379a4757023e30",
"type": "machine_learning",
"version": 3
"version": 4
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186",
"sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc",
"type": "eql",
"version": 109
"version": 110
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
@@ -3855,9 +3990,9 @@
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a",
"sha256": "7527cb6d613f3cbebb763fc8b4da705569785eb0d5f20552483a9ac4e03c34e9",
"type": "new_terms",
"version": 2
"version": 3
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"rule_name": "Microsoft Exchange Transport Agent Install Script",
@@ -3873,9 +4008,9 @@
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744",
"sha256": "fa6fb3938e216992ae1c9e990a9b816dd5a092b439406d8fed4ee517a9f45ca4",
"type": "eql",
"version": 110
"version": 111
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"rule_name": "Potential Remote Credential Access via Registry",
@@ -4283,10 +4418,20 @@
"version": 110
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"type": "eql",
"version": 107
}
},
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"sha256": "8f3a4597c674f9eb6b2fe671fad2a311637f3b34c3ecc371ceb3be4dd1675718",
"type": "eql",
"version": 107
"version": 208
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
@@ -4366,9 +4511,9 @@
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1",
"sha256": "3f20bb818a986c0e8056585963e3d6541dbf1862727224cb92843599a928c1cb",
"type": "new_terms",
"version": 9
"version": 10
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
@@ -4424,10 +4569,20 @@
"version": 209
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"sha256": "ab6c4f09d32014591e2a374947f000d68295f96989a72225b3e4930e37e5bc20",
"type": "eql",
"version": 110
"version": 211
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -4497,9 +4652,9 @@
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f",
"sha256": "c5069351210fde910d1fd2e5cd136af309fc81ce6510d0828492a2b64ec1e607",
"type": "eql",
"version": 4
"version": 5
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
@@ -4521,9 +4676,9 @@
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf",
"sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51",
"type": "eql",
"version": 2
"version": 3
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
@@ -4666,9 +4821,9 @@
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e",
"sha256": "9d1d5ae0e9ecf6ff8ef280ff42061f5ea8236a11570ab2d01d97846f396afcc3",
"type": "new_terms",
"version": 310
"version": 311
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"rule_name": "A scheduled task was updated",
@@ -4738,9 +4893,9 @@
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a",
"sha256": "4431365d45dff1dc0bb58de9834b1f789ec1644de2b4e9a4fc91939f2daa2306",
"type": "eql",
"version": 109
"version": 110
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
@@ -4829,9 +4984,9 @@
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"rule_name": "High Mean of RDP Session Duration",
"sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a",
"sha256": "55ef145cde18d6c08b01ce4ece7f4903351d9bdd131a8453002647a668aaa5c4",
"type": "machine_learning",
"version": 3
"version": 4
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious Print Spooler SPL File Created",
@@ -4859,9 +5014,9 @@
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration",
"sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539",
"sha256": "f40d918cd70e374c3ea932e1a3b6c14fe1d4bea3bc082607586e660708225c9f",
"type": "machine_learning",
"version": 3
"version": 4
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
@@ -4942,10 +5097,20 @@
"version": 108
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"type": "eql",
"version": 112
}
},
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"sha256": "e36280a1447f2b7856c4f642be26895f8dc0cc6642aa3d21dde3ddf6aad92b09",
"type": "eql",
"version": 112
"version": 213
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
@@ -5039,9 +5204,9 @@
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35",
"sha256": "89dd331d158595da7f82292bb3ad35215a29392df1352a0082b0ffae70f15088",
"type": "eql",
"version": 3
"version": 4
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
@@ -5051,9 +5216,9 @@
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92",
"sha256": "2ea424f3dd8247a4393a0720f27cf711e88eeb3053ef0a9d566a12ccdbff9d2f",
"type": "new_terms",
"version": 7
"version": 8
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
@@ -5148,15 +5313,15 @@
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf",
"sha256": "eef346faba690b1ca2c851bf022d97d9087f5626a0d024a6714c3d09e9ba26d0",
"type": "eql",
"version": 111
"version": 112
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e",
"sha256": "4ae2287b6d0d077420869e911bc39f3ab305247f3f0fc6dae6e839ea5885e947",
"type": "eql",
"version": 7
"version": 8
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
@@ -5210,6 +5375,13 @@
"type": "eql",
"version": 111
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"min_stack_version": "8.9",
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "a074138b6a33a4b9b1a130c6f7b65c67cdb9876c041ca0b69884d42473c8b69b",
"type": "new_terms",
"version": 1
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671",
@@ -5218,9 +5390,9 @@
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae",
"sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc",
"type": "eql",
"version": 109
"version": 110
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"rule_name": "Potential Veeam Credential Access Command",
@@ -5252,9 +5424,9 @@
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4",
"sha256": "5380c3038a2af299ccd3b033b1406b58964ffa17c1f58df16c2ef6e5cf6cb8f3",
"type": "threshold",
"version": 2
"version": 3
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.10",
@@ -5285,10 +5457,20 @@
"version": 5
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"type": "eql",
"version": 108
}
},
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"sha256": "5b9416b0c074d30e24badf5a0daa0825766bb7ae7d99b88130f7c0999a392af3",
"type": "eql",
"version": 108
"version": 209
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
@@ -5297,10 +5479,20 @@
"version": 106
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"type": "eql",
"version": 5
}
},
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"sha256": "001f917502544177abdc78801aa208266c38c099300c58dbb69e62bb88128594",
"type": "eql",
"version": 5
"version": 106
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -5310,9 +5502,9 @@
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"rule_name": "Chkconfig Service Add",
"sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d",
"sha256": "49a38a189b45b8742927c27e0f3bc16b1f3b9ea5805a11c8eb6cb1abff49eeb8",
"type": "eql",
"version": 111
"version": 112
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
@@ -5340,9 +5532,9 @@
},
"b9960fef-82c6-4816-befa-44745030e917": {
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8",
"sha256": "5601d16f4802d024ee0184d6b289f4e1e69f656faea361a8198509634ecaa94f",
"type": "eql",
"version": 109
"version": 110
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
@@ -5443,9 +5635,9 @@
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f",
"sha256": "53c2cffe17c4403ed64f81a175a6f916198441844cb2a3e306c3a31ae7b19b2a",
"type": "query",
"version": 3
"version": 4
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
@@ -5479,15 +5671,15 @@
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f",
"sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206",
"type": "machine_learning",
"version": 4
"version": 5
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"rule_name": "Unusual Remote File Directory",
"sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f",
"sha256": "7b9570bb0ddabacbeccf2b03bf6ea05d0ed3a286165e5b807313c17531ac9116",
"type": "machine_learning",
"version": 3
"version": 4
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -5509,9 +5701,9 @@
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1",
"sha256": "c3cf350e861be02338f712fd3772691bcefeb7f7d07e9718eec2fbc3476c707e",
"type": "machine_learning",
"version": 3
"version": 4
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
@@ -5555,6 +5747,13 @@
"type": "query",
"version": 206
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance",
"sha256": "d782f312b97d352fb81b3975873dd9a6ce4bfc2ebf5f5163bca2e8bb181d1efb",
"type": "query",
"version": 1
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
@@ -5599,10 +5798,20 @@
"version": 103
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"type": "eql",
"version": 107
}
},
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"sha256": "abe5288a1887c88b0839fec82a8e0a973c1dc3b5346edb10d049b62e679386da",
"type": "eql",
"version": 107
"version": 208
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
@@ -5867,9 +6076,9 @@
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037",
"sha256": "332626f80c0a809547d1b86248b4ac5acc33ad7dd090fb4c94596b699126f751",
"type": "machine_learning",
"version": 3
"version": 4
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
@@ -6091,9 +6300,9 @@
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0",
"sha256": "e216fb5c63c285bab589efe63deac014169c80b00d8d95dfb3629dddf16891c7",
"type": "eql",
"version": 110
"version": 111
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
@@ -6286,9 +6495,9 @@
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
"sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8",
"sha256": "c22a4b5aaf9a5211781fbafa109ec85e7094f3b473efa585e2dafa6bd86b481d",
"type": "eql",
"version": 8
"version": 9
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
@@ -6304,21 +6513,21 @@
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d",
"sha256": "cd4b7c5087be13627f1d4c03ecf5ac7eb292b6b9098b1404150445ce5c391a6f",
"type": "eql",
"version": 9
"version": 10
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083",
"sha256": "1713570247f2e1bb7b031c190b7546980f369ec8973ea723bb30be25038cc2dd",
"type": "query",
"version": 3
"version": 4
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694",
"sha256": "be683bec6bd7fd60ce4db6881147225851b8fa7ce4b0fb32987f85457ee5318c",
"type": "eql",
"version": 8
"version": 9
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
@@ -6430,9 +6639,9 @@
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
"sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58",
"sha256": "1faad3f27c89ce87b1a4f9ba8d28fcd968f1da207d94216c3e71a09884db6eb8",
"type": "new_terms",
"version": 7
"version": 8
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"rule_name": "Unusual Windows User Calling the Metadata Service",
@@ -6448,9 +6657,9 @@
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"rule_name": "Dynamic Linker Copy",
"sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725",
"sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f",
"type": "eql",
"version": 108
"version": 109
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"rule_name": "Kubernetes Pod Created With HostPID",
@@ -6472,9 +6681,9 @@
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"rule_name": "Delayed Execution via Ping",
"sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71",
"sha256": "da0cf4affe1558ec93cbb7b96eac795d58a8770bcb564ff0b2021a7f7622eceb",
"type": "eql",
"version": 2
"version": 3
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure Firewall Policy Deletion",
@@ -6548,9 +6757,9 @@
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650",
"sha256": "18d369e85745dfad874fe33bb6e7faff482e843a231c6c456cd2668d675040bb",
"type": "machine_learning",
"version": 3
"version": 4
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"rule_name": "Suspicious Mining Process Creation Event",
@@ -6643,9 +6852,9 @@
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b",
"sha256": "ad8079dba717dfa922d05b69f5258721d12980d2f2ddc8d494fb7fcdcda065fa",
"type": "eql",
"version": 110
"version": 111
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"rule_name": "First Time Seen NewCredentials Logon Process",
@@ -6783,9 +6992,9 @@
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765",
"sha256": "4da13d0d76ba9e3a2eecf43822de33e61b30c935751005270ec604e255028f5a",
"type": "eql",
"version": 108
"version": 109
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
@@ -6829,9 +7038,9 @@
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91",
"sha256": "97e36f64a18b7742354c75783032d8c937129028e729388f75253413f03292d8",
"type": "machine_learning",
"version": 3
"version": 4
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"rule_name": "Unusual Executable File Creation by a System Critical Process",
@@ -6847,9 +7056,9 @@
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"rule_name": "Spike in Remote File Transfers",
"sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1",
"sha256": "f9cfa49163402d6de09bf8956e320315bd0c937785ed3267ad306470bc834a69",
"type": "machine_learning",
"version": 3
"version": 4
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
@@ -6871,9 +7080,9 @@
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd",
"sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
"type": "machine_learning",
"version": 4
"version": 5
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
@@ -6924,10 +7133,20 @@
"version": 110
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"type": "eql",
"version": 109
}
},
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"sha256": "bb5fb845d12c3bbf263c579168a458134eef80318f4ee0ceb6feccd45e0d75f2",
"type": "eql",
"version": 109
"version": 210
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
@@ -6973,9 +7192,9 @@
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"rule_name": "AdFind Command Activity",
"sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1",
"sha256": "be216ef5b19a903cf029223a2d8a614856a4c6027ed7f3e9f1344c9e850b2603",
"type": "eql",
"version": 111
"version": 112
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
@@ -7071,9 +7290,9 @@
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32",
"sha256": "90d364f8a22a46e10400502782f9e63b502856dae193ee242c9df80b475350ca",
"type": "machine_learning",
"version": 3
"version": 4
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"rule_name": "Unusual Child Processes of RunDLL32",
@@ -7105,9 +7324,9 @@
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c",
"sha256": "910384ce8b7a90baf6621c861b7a046f4764fa0a712b0a51e2aaf95bc8363a39",
"type": "eql",
"version": 108
"version": 109
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
@@ -7177,9 +7396,9 @@
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea",
"sha256": "a8184398fcf77152899052a0cdf43691c84de0fa4cf53167476870150736e064",
"type": "query",
"version": 3
"version": 4
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
@@ -7280,9 +7499,9 @@
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312",
"sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60",
"type": "machine_learning",
"version": 4
"version": 5
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
@@ -7334,9 +7553,9 @@
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
"sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237",
"sha256": "7447ba66f5bb3a7f75ebfa0ec16f2c79965e3653b03fc3f3a06ec4e7dc27ece8",
"type": "eql",
"version": 2
"version": 3
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"rule_name": "Persistent Scripts in the Startup Directory",
@@ -7365,9 +7584,9 @@
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b",
"sha256": "c72616ff8d3f7e52d73f8ecfdf74d2f866c3022006cb09e63b8ddf2949902b53",
"type": "eql",
"version": 110
"version": 111
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
@@ -7434,10 +7653,20 @@
"version": 7
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.11",
"previous": {
"8.9": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"type": "eql",
"version": 9
}
},
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"sha256": "a2061359bd190293621c8e71ff1e35c08834d74f598fc6364b28a74c8af177de",
"type": "eql",
"version": 9
"version": 110
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
@@ -7525,9 +7754,9 @@
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828",
"sha256": "b9d527481d2f38c0ce84090af0cc336bd1a6bca87741cfbbce058b6c037349ae",
"type": "eql",
"version": 7
"version": 8
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
@@ -7543,9 +7772,9 @@
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275",
"sha256": "c033fe9cac3214062e42bdc5f3653c396356866c3f62fea669337f7efa7cf7b6",
"type": "eql",
"version": 110
"version": 111
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
@@ -7573,15 +7802,23 @@
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
"sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640",
"sha256": "15260ab808d90ba91587244049c852e308788b4c23ecc6cbb64956384b8d7532",
"type": "machine_learning",
"version": 3
"version": 4
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.9",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293",
"sha256": "e27c9640a969826e48e3a8fd9117ba8a8761dcbce584297813d634e6f5423886",
"type": "new_terms",
"version": 9
"version": 10
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "f2663204a55cb4e897803fbc5d1f136637511d520fa0c559bf7234323858ab5e",
"type": "query",
"version": 1
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",