security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615)

Browse Source
This commit is contained in:
github-actions[bot]
2024-04-23 17:59:01 +05:30
committed by GitHub
parent 7673ba484d
commit 374f21fbc4
1 changed files with 376 additions and 360 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+376 -360
View File
@@ -64,9 +64,9 @@
}
},
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "b1c8e121fb4363f74d0c8928f3335aa2f374919f5257a9f4b17483773c49f348",
"sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca",
"type": "query",
"version": 205
"version": 206
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
@@ -243,16 +243,16 @@
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.3",
"rule_name": "Remote System Discovery Commands",
"sha256": "3d344eb978705ac0e25885898c67ade3ea3a02d52dcb020ec9eb4b253f2a0ef2",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
"type": "eql",
"version": 111
"version": 112
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
"rule_name": "System Time Discovery",
"sha256": "d5237e35b753d923902ad797bb8384e1f6c0cb0ba658c922501345f214656ad0",
"sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9",
"type": "eql",
"version": 6
"version": 7
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.9",
@@ -350,9 +350,9 @@
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"min_stack_version": "8.3",
"rule_name": "Windows Account or Group Discovery",
"sha256": "bb76e59c53a0b50ac513121a9591fecea2eac83851584542c8860bb511c0785f",
"sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb",
"type": "eql",
"version": 3
"version": 4
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
@@ -370,9 +370,9 @@
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
"rule_name": "Process Termination followed by Deletion",
"sha256": "ee3f7d78630d4adbddf7402565e30e9e5b09adbfb02eaed22e884dfd5429bc8e",
"sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad",
"type": "eql",
"version": 108
"version": 109
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.3",
@@ -522,9 +522,9 @@
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "35d7c86905c491f7aaa616dc6addc861d534b1c4fc511bb07efc6b60d2bd8086",
"sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb",
"type": "eql",
"version": 109
"version": 110
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.8",
@@ -559,9 +559,9 @@
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.3",
"rule_name": "MsBuild Making Network Connections",
"sha256": "701a943332292d3362c7d6526d2424e65e81768d57a45e983232712722f31a98",
"sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880",
"type": "eql",
"version": 108
"version": 109
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"min_stack_version": "8.6",
@@ -661,9 +661,9 @@
}
},
"rule_name": "AWS RDS Snapshot Export",
"sha256": "8ad9d6381bc6ad8046516f5f50cdc304ccb0958161af21a171928b95088b6b17",
"sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c",
"type": "query",
"version": 205
"version": 206
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
@@ -697,9 +697,9 @@
}
},
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "ee7d0fde7179ecae486163263d6baf71e90dd5e6048b4db1674a4d4eff6f2975",
"sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7",
"type": "query",
"version": 205
"version": 206
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
@@ -771,9 +771,9 @@
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.3",
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "6a69ca21111665ced0b0cc269c53ac00d37ac29fccb5d3e5d04abe8e0de046d6",
"sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
"type": "eql",
"version": 2
"version": 3
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
@@ -826,9 +826,9 @@
"14dab405-5dd9-450c-8106-72951af2391f": {
"min_stack_version": "8.3",
"rule_name": "Office Test Registry Persistence",
"sha256": "dfc7bc44c6f6d34fee6331a065d25992ba9f2cb18ddddf1d91a9c581eb4f15b8",
"sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
"type": "eql",
"version": 2
"version": 3
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -856,9 +856,9 @@
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "59fddcae552c2d4781435a2f28a96e640148621b9b484f76e9ac48786281e4bc",
"sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4",
"type": "eql",
"version": 2
"version": 3
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.3",
@@ -921,9 +921,9 @@
}
},
"rule_name": "AWS IAM Group Creation",
"sha256": "b97182b40fec27cf6728746f838be74ee2cf5ebee183fc5d0f6eaf338b7d90a3",
"sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1",
"type": "query",
"version": 205
"version": 206
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
@@ -1078,9 +1078,9 @@
}
},
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "dd01a147a8898a4f6c696c83a4c436bf0325ab7552a03039d7cd71ff0b6c00dc",
"sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b",
"type": "query",
"version": 208
"version": 209
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
@@ -1115,30 +1115,39 @@
}
},
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "95e2cb6322ef7b2d7bc2fc96460cbfcb4c76f0eb17351a134c783936996adab0",
"sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d",
"type": "query",
"version": 205
"version": 206
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "adb03450ce940d93270413ee4211f33bcbefbc94ec549c6de5d858270806b036",
"sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516",
"type": "eql",
"version": 10
"version": 11
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "585cc415f1c54e220db615a5f052321909100ebc7b9e63b944e6b19a6a4e6404",
"sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1",
"type": "eql",
"version": 1
"version": 2
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 211,
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45",
"type": "query",
"version": 112
}
},
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
"type": "query",
"version": 111
"version": 212
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
@@ -1164,9 +1173,9 @@
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "60a215ef5aa075a861936f82ee97680319d20350b0ea4856cbea6c57fb9d2a51",
"sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
"type": "eql",
"version": 107
"version": 108
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -1178,16 +1187,16 @@
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "832060e257db6ee9888b735d2c5547f3a6f1f10f262604b9222ddd3ea1c16ccf",
"sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
"type": "eql",
"version": 109
"version": 110
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"min_stack_version": "8.3",
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "d08e975b8630d786933967d9de847dfbdd6fc6a5447715691a1a27ee3b22198a",
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
"type": "eql",
"version": 107
"version": 108
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.3",
@@ -1213,9 +1222,9 @@
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "9a227ba0760d3b8989f89767b53f66fd4968b5f2e9b34006af48b1e5d9b7cb32",
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
"type": "eql",
"version": 107
"version": 108
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"min_stack_version": "8.3",
@@ -1236,9 +1245,9 @@
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "e88e967f368a84359155555ed5b6de403b41fba8223ea19c9b7449a06e834192",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 106
"version": 107
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
@@ -1257,9 +1266,9 @@
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.3",
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "c4d1ee33d81051c5ff7f08405dd13f19bbce0e914ff0b347df5862b2f40d568d",
"sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed",
"type": "eql",
"version": 2
"version": 3
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.8",
@@ -1285,9 +1294,9 @@
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966",
"sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de",
"type": "eql",
"version": 1
"version": 2
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"min_stack_version": "8.3",
@@ -1299,9 +1308,9 @@
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "81d0001b73c9d80fde270c788e6a904cc6c3b79db4c4aed85323e65d2440ef94",
"sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e",
"type": "eql",
"version": 110
"version": 111
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
@@ -1343,9 +1352,9 @@
}
},
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "7512cf97f8885a42febe293ecc8c04d77f6369d4ba87372fcd3ef38a204f9af3",
"sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297",
"type": "query",
"version": 205
"version": 206
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.3",
@@ -1357,9 +1366,9 @@
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "6178ac16e7a1b92253a4eae0123a253627554a9bb2d28ac941328fb97f5250dc",
"sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
"type": "eql",
"version": 1
"version": 2
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.3",
@@ -1377,9 +1386,9 @@
"210d4430-b371-470e-b879-80b7182aa75e": {
"min_stack_version": "8.3",
"rule_name": "Mofcomp Activity",
"sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a",
"sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45",
"type": "eql",
"version": 1
"version": 2
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"min_stack_version": "8.3",
@@ -1437,9 +1446,9 @@
}
},
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "7804226b0da1b8d6dde3bbfed024feab1da6c23e091dfa55852b50309f4dd9fe",
"sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629",
"type": "query",
"version": 206
"version": 207
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"min_stack_version": "8.3",
@@ -1604,9 +1613,9 @@
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "f282273c006e841c6c64f909e05053110d210e1205f0a504977cd4e701a175a7",
"sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
"type": "eql",
"version": 108
"version": 109
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"min_stack_version": "8.3",
@@ -1634,9 +1643,9 @@
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"rule_name": "Account Password Reset Remotely",
"sha256": "bd56a7406f9eb92ed5ae5f56f3b907b56ac2f13892cb6f81d1fc8810651fbedb",
"sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7",
"type": "eql",
"version": 113
"version": 114
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
@@ -1691,9 +1700,9 @@
}
},
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "f057a319aa5b049290fa8416727ae3ef64bb9ac7779901a61713efe9acef57da",
"sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c",
"type": "query",
"version": 205
"version": 206
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
@@ -1883,9 +1892,9 @@
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.3",
"rule_name": "Accessing Outlook Data Files",
"sha256": "143b6346fd2ca02b863de7457499fe60da116e99bc385dce6d07aa870d1e2054",
"sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d",
"type": "eql",
"version": 1
"version": 2
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -1939,9 +1948,9 @@
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "c77de421e7a60ec97356465d4a834fc49fed6b0b7ae28debbac3786b07459d62",
"sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813",
"type": "eql",
"version": 108
"version": 109
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
@@ -2053,9 +2062,9 @@
}
},
"rule_name": "AWS IAM User Addition to Group",
"sha256": "e6dc79527703135b1ce027a5d88baa39dd4c3512d0a5f56a036b8a27eab4ee81",
"sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46",
"type": "query",
"version": 208
"version": 209
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"min_stack_version": "8.5",
@@ -2067,9 +2076,9 @@
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via PowerShell",
"sha256": "0843453e23fff6268308485d859e6668867b85c5cf0ed912c931d28d040ca4f7",
"sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976",
"type": "eql",
"version": 109
"version": 110
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "8.8",
@@ -2173,9 +2182,9 @@
}
},
"rule_name": "AWS RDS Security Group Creation",
"sha256": "6ed9dc7097e846293dbf822a322406b46fcbd9d6642245a4dfbc73aabd62537b",
"sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0",
"type": "query",
"version": 205
"version": 206
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"min_stack_version": "8.3",
@@ -2202,9 +2211,9 @@
}
},
"rule_name": "AWS Execution via System Manager",
"sha256": "f01c87073629652bd0f1abe3f300881145bb533a262308717ffcc0bab17a3dd0",
"sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e",
"type": "query",
"version": 208
"version": 209
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
@@ -2232,9 +2241,9 @@
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Certutil",
"sha256": "5414bbe55d4a1b7968cdfe547ef66a16e2ea14fb2d57b9e982376fececd8c951",
"sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612",
"type": "eql",
"version": 110
"version": 111
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
@@ -2269,16 +2278,16 @@
}
},
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "ad7864116d4d41fba90af76f8325d2a86358ed55b0b9be7204d8983cc62b2614",
"sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee",
"type": "query",
"version": 205
"version": 206
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"min_stack_version": "8.3",
"rule_name": "Downloaded Shortcut Files",
"sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d",
"sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc",
"type": "eql",
"version": 1
"version": 2
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.3",
@@ -2391,9 +2400,9 @@
}
},
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "889bfc3e221a4919949c2b2fab1b12ee9a96a75c27e1e249c243318f7bd81063",
"sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262",
"type": "query",
"version": 208
"version": 209
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.9",
@@ -2426,9 +2435,9 @@
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "0fb96a14a8d3a0b8997c74edf2be7897a1b81413fae271d17d5fda854048013e",
"sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684",
"type": "eql",
"version": 2
"version": 3
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
@@ -2651,9 +2660,9 @@
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "ed65c5d1379b83e560f4fa24ff1f51887de783c7e8f3fc329b717a14700a859c",
"sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb",
"type": "eql",
"version": 2
"version": 3
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
@@ -2792,9 +2801,9 @@
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "d4882ff69ab688f9fca0f0a882c05bf12a3ff514316d6e48ea51e1083291d3d3",
"sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc",
"type": "eql",
"version": 2
"version": 3
},
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "8.3",
@@ -2836,9 +2845,9 @@
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.3",
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "37099aca1b1bdce63f77e75103ff60a0d61898af8036c43eaa2f4d672bd326dd",
"sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52",
"type": "eql",
"version": 3
"version": 4
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
@@ -2929,9 +2938,9 @@
}
},
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "4d3e2e99bc3f1b8cc5fc76a37bc23ff9e7a01b972e0c6ae67f78d0df8e43fedb",
"sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1",
"type": "threshold",
"version": 206
"version": 207
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
@@ -3008,9 +3017,9 @@
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
"rule_name": "Windows System Information Discovery",
"sha256": "2c0c54011671e9e99d2654529520c137188a4bbcf8feb0beb28c196f0525d88e",
"sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273",
"type": "eql",
"version": 3
"version": 4
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"min_stack_version": "8.3",
@@ -3059,9 +3068,9 @@
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "3bb0daad18a9bb9f1c5014056a849623263d9a097b91b0a8e5d52ea4d636131a",
"sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a",
"type": "eql",
"version": 107
"version": 108
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
@@ -3082,9 +3091,9 @@
}
},
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "238e31f86ad8ffd8ec077358374a122a8c7bbee39ce994f761ad3441be820a9c",
"sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce",
"type": "query",
"version": 205
"version": 206
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
@@ -3103,9 +3112,9 @@
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "40ece191efd016ebfb044b7230e0f376d6a8aa416a6e0fde39cbee724c7bef0f",
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
"type": "eql",
"version": 108
"version": 109
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"min_stack_version": "8.3",
@@ -3152,9 +3161,9 @@
}
},
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "28f9744c81cfffbf8417f66ee1911ac9da89e9e352c5db4f0af9d725cd73c907",
"sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990",
"type": "query",
"version": 205
"version": 206
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"min_stack_version": "8.3",
@@ -3180,9 +3189,9 @@
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.3",
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "8ece78d3d804106f87c006fdd8a027648880338a3a56c52e28a393d8f18aff40",
"sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43",
"type": "eql",
"version": 2
"version": 3
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.3",
@@ -3224,9 +3233,9 @@
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
"rule_name": "PsExec Network Connection",
"sha256": "9027e8682b8b7ad7e0aaf6ae8383aab2fe403067262c1ff87cfcd7606334fcf0",
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
"type": "eql",
"version": 108
"version": 109
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"min_stack_version": "8.3",
@@ -3305,9 +3314,9 @@
}
},
"rule_name": "Execution of an Unsigned Service",
"sha256": "67ac84282d2bc8987b76b1e8952870cc1ca8a5f6e785c58287418e2891195912",
"sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9",
"type": "new_terms",
"version": 104
"version": 105
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"min_stack_version": "8.3",
@@ -3340,9 +3349,9 @@
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.3",
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "88ae25fb6df6c66c976902e4f17c39a5af63c217bb4aa298e7f898b003fa484d",
"sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408",
"type": "eql",
"version": 2
"version": 3
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
@@ -3368,9 +3377,9 @@
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"min_stack_version": "8.3",
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "a9ada00d22041e1fc97021dfb923cb62dfcafe5849324b04534f7c53a65903d4",
"sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08",
"type": "eql",
"version": 107
"version": 108
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
@@ -3382,9 +3391,9 @@
"5919988c-29e1-4908-83aa-1f087a838f63": {
"min_stack_version": "8.3",
"rule_name": "File or Directory Deletion Command",
"sha256": "f9ebc148c3faecff5518d839295aa1dbefa51d7ba038dc12a382d2c27dff3458",
"sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a",
"type": "eql",
"version": 2
"version": 3
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"min_stack_version": "8.8",
@@ -3414,9 +3423,9 @@
}
},
"rule_name": "AWS CloudTrail Log Created",
"sha256": "84221ea6d1d7084ea241331b852a80ca276abc757430ea68253a3add4daca7a4",
"sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7",
"type": "query",
"version": 206
"version": 207
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"min_stack_version": "8.3",
@@ -3484,9 +3493,9 @@
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "2d94e33407ad1d25db5a4b56b151dc596b9c6ea33d2cba827569ae0b97f87ca1",
"sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5",
"type": "eql",
"version": 3
"version": 4
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
@@ -3507,9 +3516,9 @@
}
},
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "333f27913815c1e4ec223cb266bc34cfadb31ac1a598d1fac7a8de01ac3abd9b",
"sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0",
"type": "query",
"version": 205
"version": 206
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"min_stack_version": "8.11",
@@ -3563,9 +3572,9 @@
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "347fd2258a98937fc06440446d38f771f9d3df4b733661fc32c8df5a556b2c76",
"sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef",
"type": "eql",
"version": 107
"version": 108
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.3",
@@ -3673,9 +3682,9 @@
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Network Connection",
"sha256": "4a08fcb6969163f3185960eff8e6f857bccc8b6b58bb4012c974122f821c8433",
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
"type": "eql",
"version": 107
"version": 108
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.3",
@@ -3730,9 +3739,9 @@
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "9aeb2b172981c284928fcafa5ba3a36cf1ad533f528d660525e3565ab131fe7a",
"sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e",
"type": "eql",
"version": 106
"version": 107
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.3",
@@ -3772,9 +3781,9 @@
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Signed Binary",
"sha256": "938d227bdd5dac89d120e5dc8e065081e1a1a3b549923b3897447a2293306f15",
"sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
"type": "eql",
"version": 107
"version": 108
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"min_stack_version": "8.3",
@@ -3850,9 +3859,9 @@
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "8e989fcdb846e7c3c657728af8bbcfd54fd55209fe4cea539ff6aa9eaad2360e",
"sha256": "e84ba56d6d8e91ca39c85b7d46288b10add00a1a5c9fffae67a1f5212410be6b",
"type": "eql",
"version": 111
"version": 112
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
@@ -4007,9 +4016,9 @@
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "7c8ed46851e8daee3bb76f18182fe1a8fdd9ab9833804cc6172b5d8641cd8438",
"sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c",
"type": "eql",
"version": 106
"version": 107
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"min_stack_version": "8.9",
@@ -4023,9 +4032,9 @@
}
},
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "6c4325ced0b53d29535ee5afd746cd09fd120823f660b5bd3518ca50fadca146",
"sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399",
"type": "query",
"version": 208
"version": 209
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.3",
@@ -4053,9 +4062,9 @@
}
},
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "62a819dfff5aff4d9a71c1af4dbee137aa6d96683a906088769effac0fdbd8b1",
"sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e",
"type": "query",
"version": 105
"version": 106
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.5",
@@ -4092,9 +4101,9 @@
}
},
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "31f084b4192870ca6c93d341a1f9e6d9eecaaefe046fcf6687209ec23866edf3",
"sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df",
"type": "query",
"version": 205
"version": 206
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
@@ -4206,16 +4215,16 @@
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "cb67e6c4131d3fc5f1752e2baee22974dcdc21c1583a9c159732462b3d7f074f",
"sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3",
"type": "eql",
"version": 107
"version": 108
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery using WMIC",
"sha256": "dc54aa513d06e0bce6794ccd0fff26f4918902cd8733faed3f9752ecb27d5f3a",
"sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89",
"type": "eql",
"version": 110
"version": 111
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
@@ -4277,9 +4286,9 @@
}
},
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "6eb194ad10e7ea8d3c8547593a150c60eda885a07be0a3dc57dab3dc0d993314",
"sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9",
"type": "query",
"version": 208
"version": 209
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"min_stack_version": "8.9",
@@ -4293,16 +4302,16 @@
}
},
"rule_name": "AWS Config Resource Deletion",
"sha256": "16521ebadcb6ecd1ffe3b12756c604b96cf8b5daedd95eeec1e1fd2eef096dd9",
"sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f",
"type": "query",
"version": 208
"version": 209
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "934721c56a14fb6b1ea672f4cedb14eae9cdafb81a8e9bf35230f542a602740f",
"sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846",
"type": "eql",
"version": 1
"version": 2
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
@@ -4461,9 +4470,9 @@
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
"rule_name": "Service Disabled via Registry Modification",
"sha256": "c653ba7a8ebd99c0b7c04528b1b96f4449c827220889523a00d2f33355290e21",
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a",
"type": "eql",
"version": 2
"version": 3
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"min_stack_version": "8.3",
@@ -4621,9 +4630,9 @@
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"min_stack_version": "8.3",
"rule_name": "File Compressed or Archived into Common Format",
"sha256": "be9ac3680ee5c8c008e6e5def969d5d0bebc37f8c3be3d8e1cc2cc215cc3e33b",
"sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555",
"type": "eql",
"version": 3
"version": 4
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"min_stack_version": "8.3",
@@ -4635,9 +4644,9 @@
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "1943ef42d3d41a9bb7d30423c06e9e6f16b6f75bb01a8658560bbae4295466fa",
"sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912",
"type": "eql",
"version": 3
"version": 4
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
@@ -4691,16 +4700,16 @@
}
},
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "05d7545eb5be8c088900939645d5a75858e48029b72b2926c878627697576a85",
"sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4",
"type": "query",
"version": 205
"version": 206
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.3",
"rule_name": "Windows Network Enumeration",
"sha256": "73a7d70a9efe2589929e776414b415cf7f3b9baf7d9fd4340955d09517d930a7",
"sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855",
"type": "eql",
"version": 110
"version": 111
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.8",
@@ -4764,9 +4773,9 @@
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "8f53ee79caceff82b54ee596c4fd3e6377d1ddb889f1ff41a0b6e2c0ce1c37dc",
"sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
"type": "eql",
"version": 108
"version": 109
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"min_stack_version": "8.6",
@@ -4810,16 +4819,16 @@
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Extension",
"sha256": "849158b9fff15cf3e795600d5fe440fb36196a94c269e1824b18a91c2981e613",
"sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a",
"type": "eql",
"version": 3
"version": 4
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "e07fdca00c03cede7dcd07d161752b6a5fa31a5987779dde490803e67071a0f7",
"sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4",
"type": "eql",
"version": 1
"version": 2
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"min_stack_version": "8.9",
@@ -4924,9 +4933,9 @@
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "4383cbf7c18295b3e2ac4e14842000dc2ceae22523d545c4d807d0ad1e41d2db",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
"type": "query",
"version": 4
"version": 5
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.3",
@@ -4977,9 +4986,9 @@
}
},
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "f9a3ba3b45d5b33b1e73c806495b984233a6b2bc200082fc945fa31d8fea41be",
"sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006",
"type": "query",
"version": 205
"version": 206
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"min_stack_version": "8.9",
@@ -4993,9 +5002,9 @@
}
},
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "0c9d4de210e608efca7e588b59eeb71ca5f96b5b20c083daee0e8d4035f0cd32",
"sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9",
"type": "query",
"version": 205
"version": 206
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"min_stack_version": "8.9",
@@ -5009,9 +5018,9 @@
}
},
"rule_name": "AWS IAM Group Deletion",
"sha256": "f4898405685170f2b55f69bcde2b41a0cb8b861ef6040f86e3257bf0abf93383",
"sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781",
"type": "query",
"version": 205
"version": 206
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"min_stack_version": "8.3",
@@ -5046,9 +5055,9 @@
}
},
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "bf5d21e0ace96205fd8f8db491ac9d75625ef089e4f5b3499d4a4209268f9719",
"sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339",
"type": "query",
"version": 205
"version": 206
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -5125,9 +5134,9 @@
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
"rule_name": "Command Prompt Network Connection",
"sha256": "1b88c2b79976a9550252e384b74a0b8301dc8ac07eee5df05231dfe40e6181b7",
"sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271",
"type": "eql",
"version": 107
"version": 108
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"min_stack_version": "8.3",
@@ -5248,9 +5257,9 @@
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
"rule_name": "Potential SharpRDP Behavior",
"sha256": "b6a8ffcc1a8ee2a11059084442b0318bebe5bc120cfafa14f65b4e1d7b321062",
"sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda",
"type": "eql",
"version": 105
"version": 106
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"min_stack_version": "8.3",
@@ -5262,16 +5271,16 @@
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "1fa94ce682e693433be3558f19ee8c0d0122db6f6970169bb1cf5775d97f9002",
"sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483",
"type": "eql",
"version": 10
"version": 11
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "e41fc833a05de05b304b09e2ec0982c3dd204b76ba262d05796e49162ea088ef",
"sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
"type": "eql",
"version": 2
"version": 3
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
@@ -5297,16 +5306,16 @@
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"min_stack_version": "8.3",
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "4d2494baa6fceb73dd108e6e1c5f1584cb2577a49f8edea428ac9b6d5f49ae88",
"sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459",
"type": "eql",
"version": 2
"version": 3
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.3",
"rule_name": "Bitsadmin Activity",
"sha256": "c07d18b1bad6186dd2af856dbf2362d78f773b50369e7044b1e1329cc0f23cce",
"sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b",
"type": "eql",
"version": 1
"version": 2
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.3",
@@ -5325,9 +5334,9 @@
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "255640fff5ed7925f70536c53d8938bf0533206a892d48e893a058e93a20b979",
"sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68",
"type": "eql",
"version": 106
"version": 107
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"min_stack_version": "8.3",
@@ -5361,9 +5370,9 @@
}
},
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "52ad2c61bc4217845afa6a13fe3e23cd405324f6bc6779b2ed3a21ecda615e14",
"sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241",
"type": "query",
"version": 205
"version": 206
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
@@ -5375,9 +5384,9 @@
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Activity",
"sha256": "c1312553a07dda6fa6995c57f31922c18dbb00fe5becd831c6d1bb4246bad8c0",
"sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9",
"type": "eql",
"version": 1
"version": 2
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
@@ -5404,9 +5413,9 @@
}
},
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "ecd61bd19c50c09347fdf33fed3a2f8ec9fc77dec053398a5b62f534e297ebdb",
"sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1",
"type": "query",
"version": 205
"version": 206
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"min_stack_version": "8.3",
@@ -5478,9 +5487,9 @@
}
},
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "b0edd6d0742b92fa2ebe2c3d5ea02c63f8a1edffe0b0f53320b86ed419ab8fb8",
"sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860",
"type": "query",
"version": 205
"version": 206
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"min_stack_version": "8.6",
@@ -5510,9 +5519,9 @@
}
},
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "408b41a86252884a996ece1031334c7b73d4870202ad4a65c1a74d5392ad3454",
"sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6",
"type": "query",
"version": 208
"version": 209
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
@@ -5600,9 +5609,9 @@
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation",
"sha256": "13fe787d37ebef87d8d7877e4cfa4ff487b7a7929a8ab437a22dd341c40db27a",
"sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80",
"type": "eql",
"version": 107
"version": 108
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.3",
@@ -5704,9 +5713,9 @@
}
},
"rule_name": "AWS SAML Activity",
"sha256": "6205667e0b3ffc035feaf7ed17e089eb50ab5ff04926b74e65bb83f73d79af8d",
"sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d",
"type": "query",
"version": 205
"version": 206
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.10",
@@ -5767,9 +5776,9 @@
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.3",
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "c01ebbcea37de715c7c123e6eac64a6049906339a0d60bf1f146d677061bbea5",
"sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416",
"type": "eql",
"version": 1
"version": 2
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"min_stack_version": "8.3",
@@ -5806,9 +5815,9 @@
}
},
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "3c5613df7cc89e9a173b0632a5db11d02b917f05f3c24cb3d44c416a679a4056",
"sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1",
"type": "query",
"version": 208
"version": 209
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
@@ -5864,9 +5873,9 @@
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"min_stack_version": "8.3",
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "095fc86e65f65030c66df81f286788b89fcf9160e7970ddbb409cc824fc40fd2",
"sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf",
"type": "eql",
"version": 1
"version": 2
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.6",
@@ -5943,9 +5952,9 @@
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"min_stack_version": "8.3",
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "17ac2376542784780fa798b0756416f6c54757e2d72dab6b2ddd28dfd165d3b3",
"sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1",
"type": "eql",
"version": 1
"version": 2
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
@@ -6009,9 +6018,9 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "62bfa3320a728b9d22e217c934dfbfe064bfd12070d28fd4111d641cdc7c66c8",
"sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
"type": "eql",
"version": 109
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.6",
@@ -6099,9 +6108,9 @@
}
},
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "ef816e620eb5e1c235c15a867cc0e00fcdb617192bd0f3bd48b5bde3c920230a",
"sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e",
"type": "new_terms",
"version": 309
"version": 310
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
@@ -6127,9 +6136,9 @@
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "e5c1b36f03917a30397453769b11a6d01559d9007fd76710654f23e9d0422ac1",
"sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
"type": "eql",
"version": 106
"version": 107
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
@@ -6176,9 +6185,9 @@
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"min_stack_version": "8.3",
"rule_name": "Linux Group Creation",
"sha256": "85d788ae6caafcb45540c9a97804b5cd443104831fdd74e17fdf1526979f6fc2",
"sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7",
"type": "eql",
"version": 4
"version": 5
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
@@ -6270,9 +6279,9 @@
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "10f0e0afc0e8f51f1c37dc1a9885a33dd37e56c43f029b3c5865e4983baefb3a",
"sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df",
"type": "query",
"version": 208
"version": 209
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"min_stack_version": "8.3",
@@ -6413,9 +6422,9 @@
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "a1bf5a848d6b73efd9cf627fe30e5f4f04215c6bb8bdd5f29b9e4749d22f7e6c",
"sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8",
"type": "eql",
"version": 111
"version": 112
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"min_stack_version": "8.3",
@@ -6434,9 +6443,9 @@
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "9d9d197ea4f0b08c172e8d6c9ebbf5dd1ce90db4d68c73badd25410b2187b17b",
"sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050",
"type": "eql",
"version": 110
"version": 111
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
@@ -6508,9 +6517,9 @@
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"min_stack_version": "8.3",
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "b640ecd8355b7fa8945ad7ac3bb3f0a0d80b32741613c7f79c3ed6cfe566f67d",
"sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924",
"type": "eql",
"version": 105
"version": 106
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"min_stack_version": "8.3",
@@ -6586,9 +6595,9 @@
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Communication App Child Process",
"sha256": "21910b480ebd6a0ef74d410a04cc389bf6624c492e88f2c65a46efd0138a2592",
"sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c",
"type": "eql",
"version": 3
"version": 4
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.3",
@@ -6656,9 +6665,9 @@
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.3",
"rule_name": "Netsh Helper DLL",
"sha256": "a6bceece7403f9bb47478cdb04702271892ebffa4ae4251220da5abbdae44f2b",
"sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9",
"type": "eql",
"version": 1
"version": 2
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
@@ -6669,9 +6678,9 @@
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Share Discovery",
"sha256": "eb213dc86c103363dad386e08221252c0d865f53b002b17fe09c36adb6631ec5",
"sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f",
"type": "eql",
"version": 2
"version": 3
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"min_stack_version": "8.3",
@@ -6706,9 +6715,9 @@
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "5c31d3ee5a1f3110f563ae65789deccfa6e2606645333b1227a8a143988b46e5",
"sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b",
"type": "eql",
"version": 107
"version": 108
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"min_stack_version": "8.3",
@@ -6750,16 +6759,16 @@
}
},
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "1382976ef19290c1857b535d15facff537acd5d5a33e5575372bef70ba4c9090",
"sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670",
"type": "query",
"version": 205
"version": 206
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.3",
"rule_name": "At.exe Command Lateral Movement",
"sha256": "dd7f70787fff06dbfcdc2556f504ad62feda00ed2e1fa5d7effab3a1be31482f",
"sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a",
"type": "eql",
"version": 2
"version": 3
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.10",
@@ -6808,9 +6817,9 @@
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "c5c19121debb9cac2f24c3fbf25c74adaa63b84384b8ff4dddc802e7f737f263",
"sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae",
"type": "eql",
"version": 108
"version": 109
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"min_stack_version": "8.3",
@@ -6889,9 +6898,9 @@
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via MsXsl",
"sha256": "3f7d50df91793a78c4c8ebc2a8ee1ee1a99dcbd61338345383e52abce0b51f1d",
"sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266",
"type": "eql",
"version": 105
"version": 106
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.3",
@@ -6989,9 +6998,9 @@
}
},
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "60c1a7d5d2cd24c909689b37015df4508b993bdd925b050e1b45df21a23479ba",
"sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834",
"type": "query",
"version": 205
"version": 206
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"min_stack_version": "8.8",
@@ -7044,9 +7053,9 @@
}
},
"rule_name": "AWS Root Login Without MFA",
"sha256": "8f967af66ccd21f236403f460e274db15d0dab8e769626d091f26ddba123de07",
"sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157",
"type": "query",
"version": 208
"version": 209
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"min_stack_version": "8.3",
@@ -7086,9 +7095,9 @@
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"min_stack_version": "8.3",
"rule_name": "File and Directory Permissions Modification",
"sha256": "cd8d1d1e784ddc62a5db564994d9192996555133c9273a6f1b4384a76249ec0e",
"sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139",
"type": "eql",
"version": 1
"version": 2
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"min_stack_version": "8.3",
@@ -7114,9 +7123,9 @@
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "b31ac8c754822d3baf70384a75f0a66fc861ddb3ce0a3f8c40474fb161ea8306",
"sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b",
"type": "eql",
"version": 1
"version": 2
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.3",
@@ -7172,9 +7181,9 @@
}
},
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "31690f503f33025d8d634b7c33d01adff504c8c0cdfbeab6519116149937669e",
"sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f",
"type": "query",
"version": 205
"version": 206
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"min_stack_version": "8.3",
@@ -7214,9 +7223,9 @@
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"min_stack_version": "8.3",
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "d6064fcc8c3a68d8ecb16d376fef04353be367b0f897433bc82b46a6569f0eb5",
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
"type": "eql",
"version": 1
"version": 2
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
@@ -7244,9 +7253,9 @@
}
},
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "53d6e6b5dc3942bb911622ffd2582ed4e8a3bff445df0e269aba07ed320f34e8",
"sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63",
"type": "query",
"version": 205
"version": 206
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"min_stack_version": "8.4",
@@ -7260,9 +7269,9 @@
}
},
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878",
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
"type": "eql",
"version": 101
"version": 102
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
@@ -7295,9 +7304,9 @@
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.3",
"rule_name": "Mshta Making Network Connections",
"sha256": "c3f61a5354e0122350afca10c2552cf9d657bb9f056b48d165a1401820d7ceff",
"sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5",
"type": "eql",
"version": 106
"version": 107
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"min_stack_version": "8.3",
@@ -7337,30 +7346,30 @@
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"min_stack_version": "8.3",
"rule_name": "Windows System Network Connections Discovery",
"sha256": "16cd4b39c59281f69407d88a2f0bbadab7ac9d1408c9e0c6e5400a92f25898d9",
"sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4",
"type": "eql",
"version": 3
"version": 4
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.3",
"rule_name": "Attempted Private Key Access",
"sha256": "5381a29dcefb0cee21b24a6b62d7d0d3e2a287eea7433b36fe1c6851204841a8",
"sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c",
"type": "eql",
"version": 2
"version": 3
},
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification via sc.exe",
"sha256": "7caa1e811b55ed98053fe152b172e60b4cd16b518423dd231768da1dafb2af8d",
"sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862",
"type": "eql",
"version": 2
"version": 3
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "c9fb9f5a4348ebdf5017702511017d62bed61f46499299e4abd56602815228e3",
"sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a",
"type": "eql",
"version": 108
"version": 109
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"min_stack_version": "8.3",
@@ -7445,9 +7454,9 @@
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "f54fee3b089a5de904d42af0584c381e9c2061bc3467251f0da4fb74dafe891a",
"sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
"type": "eql",
"version": 106
"version": 107
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"min_stack_version": "8.4",
@@ -7496,9 +7505,9 @@
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"min_stack_version": "8.3",
"rule_name": "Direct Outbound SMB Connection",
"sha256": "2aae80db3c5ce4330cf16e46ae51d5f30f8b1f6daf03d46e89140bd829f2a83b",
"sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d",
"type": "eql",
"version": 109
"version": 110
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
@@ -7735,9 +7744,9 @@
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"min_stack_version": "8.3",
"rule_name": "Downloaded URL Files",
"sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938",
"sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0",
"type": "eql",
"version": 1
"version": 2
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.10",
@@ -7848,9 +7857,9 @@
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
"rule_name": "Archive File with Unusual Extension",
"sha256": "6fc1f60a466fb9cafbd52086ffba78f59d5ba996e6301563a12e09205b193e84",
"sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3",
"type": "eql",
"version": 1
"version": 2
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
@@ -7890,9 +7899,9 @@
"d197478e-39f0-4347-a22f-ba654718b148": {
"min_stack_version": "8.3",
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "8ec13c2f3c6784d7cfe3f314135c8c4c8afe0087deb18c62bcdf5b41db55f5f2",
"sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce",
"type": "eql",
"version": 2
"version": 3
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
@@ -7931,9 +7940,9 @@
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.3",
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76",
"sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4",
"type": "eql",
"version": 1
"version": 2
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
@@ -8026,9 +8035,9 @@
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.3",
"rule_name": "Service Command Lateral Movement",
"sha256": "b00b67bc85c0c677343773dfaa0854b7446ae708afc4f763af9dc2ff9b7af24e",
"sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
"type": "eql",
"version": 106
"version": 107
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"min_stack_version": "8.9",
@@ -8042,9 +8051,9 @@
}
},
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "5bc55e01a217a6d8069b08e636d1e12080f2a96b645cc68f8f33806d04a820ee",
"sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
"type": "query",
"version": 208
"version": 209
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"min_stack_version": "8.3",
@@ -8062,9 +8071,9 @@
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.3",
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "d6f6ee5a3f017bfc82533f80fc4c74894dc3a406cae5a4f48f246b31511dfa75",
"sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641",
"type": "eql",
"version": 9
"version": 10
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"min_stack_version": "8.8",
@@ -8157,9 +8166,9 @@
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"min_stack_version": "8.3",
"rule_name": "Untrusted Driver Loaded",
"sha256": "2caaa3d2f80549be9ff1f1641f9f9f202ecdadf6b83b01fa9486affa8bdb566f",
"sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8",
"type": "eql",
"version": 7
"version": 8
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"min_stack_version": "8.9",
@@ -8173,9 +8182,9 @@
}
},
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "7e7bcfe14adab55f0ac9ab6478a826ff0dff7b31efe686b94a1bbf30d730bdd6",
"sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906",
"type": "query",
"version": 208
"version": 209
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
@@ -8228,9 +8237,9 @@
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.3",
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "f4edf52a98e83ab010153cdffb7067610814b7fcc0414bb5e8dcee5bf8d0d3ff",
"sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
"type": "eql",
"version": 2
"version": 3
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
@@ -8343,9 +8352,9 @@
}
},
"rule_name": "Query Registry using Built-in Tools",
"sha256": "4f92c23c30b19e9208d921b84d709ec2775f026b2fe995a4ca3644cdf56c2d4f",
"sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd",
"type": "new_terms",
"version": 104
"version": 105
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
@@ -8400,9 +8409,9 @@
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"min_stack_version": "8.3",
"rule_name": "Delayed Execution via Ping",
"sha256": "dea7cf4add6220cd27ddb9f1a641b95436204b87ca0fca1c18dc903d50ce57a4",
"sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71",
"type": "eql",
"version": 1
"version": 2
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"min_stack_version": "8.3",
@@ -8421,9 +8430,9 @@
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.3",
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "5b07769d45f5a33fcbe539609647986809d75daea1b8aa5874d0ae7f0e6a8892",
"sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b",
"type": "eql",
"version": 5
"version": 6
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.10",
@@ -8474,9 +8483,9 @@
}
},
"rule_name": "AWS Route Table Created",
"sha256": "a1d7f30f2d264fc6fdb0fb5064f0607217c5a23f4310abcf3ed37bbde3c6de43",
"sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5",
"type": "query",
"version": 206
"version": 207
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"min_stack_version": "8.9",
@@ -8490,9 +8499,9 @@
}
},
"rule_name": "AWS RDS Cluster Creation",
"sha256": "064737df50105c6e8c5336eb8537b218f80ef6e29e079214fe8dca37dc5bda32",
"sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6",
"type": "query",
"version": 205
"version": 206
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"min_stack_version": "8.3",
@@ -8557,9 +8566,9 @@
}
},
"rule_name": "AWS Management Console Root Login",
"sha256": "c4f8568aee037cc76372958fdfc1556649341e70f4d8ffc9a8a3f8c1e5fbe0e6",
"sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd",
"type": "query",
"version": 208
"version": 209
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"min_stack_version": "8.3",
@@ -8608,9 +8617,9 @@
}
},
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "58bf1f2fc9acd22be3c161424a77c2a213cf1401372313a2272d73d6af866d41",
"sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525",
"type": "query",
"version": 205
"version": 206
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"min_stack_version": "8.3",
@@ -8739,9 +8748,9 @@
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "8e637f03a8f8eb325e7801996c5641dcd8972185da239d2786d603ce93786836",
"sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62",
"type": "eql",
"version": 2
"version": 3
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.3",
@@ -8766,12 +8775,19 @@
"type": "eql",
"version": 106
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a",
"type": "eql",
"version": 1
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "cdb82fbb668c46c37e97ed4485ecc44f5e15ee31cc32e28105e7294c0540d5fb",
"sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8",
"type": "eql",
"version": 3
"version": 4
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
@@ -8792,9 +8808,9 @@
}
},
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "b11f9cf36b13141493f83a145f1b5fb0cd4f6358fbb7fdd5bfe039e8c1a7ccdd",
"sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112",
"type": "query",
"version": 206
"version": 207
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.3",
@@ -8813,9 +8829,9 @@
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "11efd3f1317d2a58d6a23697ca3bc3e97915a9f61722e9e6d165309b4235e670",
"sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
"type": "eql",
"version": 6
"version": 7
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"min_stack_version": "8.6",
@@ -8861,9 +8877,9 @@
}
},
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "3d6439c0aa3958b93a6dddcf1bd5a4bd85a8a42ea1de077784cbcddffa9842dd",
"sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c",
"type": "query",
"version": 205
"version": 206
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"min_stack_version": "8.9",
@@ -8931,9 +8947,9 @@
}
},
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "9483354a3f2036153d547ffd891d4d16c6e0bf7ca283943e90aa19c54a8d8282",
"sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3",
"type": "threshold",
"version": 209
"version": 210
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"min_stack_version": "8.3",
@@ -9031,9 +9047,9 @@
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"min_stack_version": "8.3",
"rule_name": "Executable File with Unusual Extension",
"sha256": "d740eda69b10b688372f488feab1a6e9af2a26122ee1f6af6de7612aa33706e8",
"sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509",
"type": "eql",
"version": 1
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"min_stack_version": "8.9",
@@ -9047,9 +9063,9 @@
}
},
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "ac0a0d9ae3dd952d42b9953594ccbb2e820c3b3754a613810c6568a3fb3205bc",
"sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58",
"type": "query",
"version": 205
"version": 206
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"min_stack_version": "8.3",
@@ -9091,9 +9107,9 @@
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
"rule_name": "Linux User Account Creation",
"sha256": "8c333e1755bb44dd4a24738d80d65fd67a504f1950f8efd1546acee9a50bb0d3",
"sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08",
"type": "eql",
"version": 4
"version": 5
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.10",
@@ -9121,9 +9137,9 @@
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"min_stack_version": "8.3",
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "0d2db57efc137fb2c937163b2d094d9504f0f8ef15c3c7805ad1b83d14ed8ee0",
"sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662",
"type": "eql",
"version": 1
"version": 2
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
@@ -9183,9 +9199,9 @@
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
"rule_name": "Suspicious HTML File Creation",
"sha256": "e736532f89f364ec30f47b2f1c7016d26c11d011ecf3aba3ec6609ad1d18f324",
"sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d",
"type": "eql",
"version": 106
"version": 107
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.10",
@@ -9241,9 +9257,9 @@
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification",
"sha256": "790cb59192049129174ca88a5027bbc545f0d19ab6d4278e4bd826f2aaedcfc4",
"sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9",
"type": "eql",
"version": 1
"version": 2
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
@@ -9285,9 +9301,9 @@
}
},
"rule_name": "AWS RDS Instance Creation",
"sha256": "25aeaebf372fd4e468e990590efe81685706f45ab5eb44bb246d187a16a8b6e0",
"sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166",
"type": "query",
"version": 205
"version": 206
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -9306,9 +9322,9 @@
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "883630b3f6c3b96cccb79a36ebc7a8390525e3bce7cd70274b7f66666bffa25f",
"sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
"type": "eql",
"version": 109
"version": 110
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
@@ -9389,16 +9405,16 @@
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.3",
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "af58671d98fd5dc17bf1d2f0cf469070084cecd6da4017d0572ca1fcfb6a5b7f",
"sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124",
"type": "query",
"version": 3
"version": 4
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.3",
"rule_name": "WMIC Remote Command",
"sha256": "42d6b84b3a8696b0bf6bf486d60aab97b24df9b1e2f726ff15bf8b3c0159f746",
"sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f",
"type": "eql",
"version": 3
"version": 4
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
@@ -9475,9 +9491,9 @@
}
},
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "c58352df4a9adcf9259a2e3656fddae07215b10995a31acba7684366f084e0a9",
"sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc",
"type": "query",
"version": 208
"version": 209
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "8.8",
@@ -9545,9 +9561,9 @@
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.3",
"rule_name": "Browser Extension Install",
"sha256": "6079caeac5bb8aaf376eca68eabd0a6470f809ea118a564a2bff36d9612b7e65",
"sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
"type": "eql",
"version": 1
"version": 2
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
@@ -9582,9 +9598,9 @@
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "976d63084190e20f320e0106f4ad4bc08619d00ea326d685796c9693902a3d7c",
"sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda",
"type": "eql",
"version": 6
"version": 7
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
@@ -9619,16 +9635,16 @@
}
},
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "2e04de492ae2b8608ce4404506cff8d8216450e3eac0292441ce1ca740d506cf",
"sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc",
"type": "eql",
"version": 103
"version": 104
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Registration Utility",
"sha256": "72b6d24fbb5b42bb6bc82d00ec7a7b880b9cf1894cbbd762f64cbca9e5c45d41",
"sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
"type": "eql",
"version": 107
"version": 108
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.8",
@@ -9655,9 +9671,9 @@
}
},
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "e2cf9c3a12bd9ec52910d1a412e540d1f76113ddae474ae4fe22f81ed3aafb15",
"sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004",
"type": "query",
"version": 205
"version": 206
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
@@ -9712,16 +9728,16 @@
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "c2e725e9eb19e33d6be3fc8161e3923a7db648a6233feb31e68837e724c7800c",
"sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91",
"type": "new_terms",
"version": 211
"version": 212
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "cc47fed45ee058e096104f4c1d2e2068a516895cf8a9e85ab1511686b49de1ee",
"sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d",
"type": "eql",
"version": 1
"version": 2
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
@@ -9761,9 +9777,9 @@
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"min_stack_version": "8.3",
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "2d4dac5ee69aa01095329c1850ad5569f1d4d34fe06d5a73ef0f4fb93b1d98b7",
"sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87",
"type": "eql",
"version": 1
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",