From 4ffdc46ba7ed68ce75bcdb520272c81f2bf64c20 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 27 Aug 2020 14:47:29 -0800
Subject: [PATCH] Lock rule versions (#207)
---
 etc/version.lock.json | 300 +++++++++++++++++++++---------------------
 1 file changed, 150 insertions(+), 150 deletions(-)
diff --git a/etc/version.lock.json b/etc/version.lock.json
index 243a8d850..676bce07a 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -6,18 +6,18 @@
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "rule_name": "System Shells via Services",
- "sha256": "f68a9dce69186cf8572e292ecf08940d2147a15758ea95fdc2c7f088de2b90cf",
- "version": 3
+ "sha256": "6d47bcc98a871cdd3e70fe35d093133b1c731a17ffb0c7ea03fd0d61fc00dc02",
+ "version": 4
 },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "rule_name": "Potential DNS Tunneling via Iodine",
- "sha256": "b5191f150c1ebb72435b3d9f7fa94f5899d19721c18e0bdaa29fd60fa8467bc7",
- "version": 3
+ "sha256": "c17a009f2b1b2146fcda7e2375a6560d89536bca1d9fcc52ad5c444b4bcfc179",
+ "version": 4
 },
 "05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
 "rule_name": "Interactive Terminal Spawned via Perl",
- "sha256": "d0be61c3e42cf4bde25d38756c9c22b8a22823b69d30a865812f5df76e36694f",
- "version": 2
+ "sha256": "d88cc0ea7309e063e63b8241cc54e7e269ae1b33866dd3bf8f46c438d0d308d7",
+ "version": 3
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "rule_name": "Potential Evasion via Filter Manager",
@@ -41,28 +41,28 @@
 },
 "0d69150b-96f8-467c-a86d-a67a3378ce77": {
 "rule_name": "Nping Process Activity",
- "sha256": "c85589b020359d809d3f65951b4cee3cc7c10da104effeeaa2fc920eed8ff4a6",
- "version": 3
+ "sha256": "182668d6e35a7cd6ee4f8c9d4c8254a38d117cae8f100783156fcb793fbe0fac",
+ "version": 4
 },
 "0e79980b-4250-4a50-a509-69294c14e84b": {
 "rule_name": "MsBuild Making Network Connections",
- "sha256": "11cb63b795999bdd1ea0eb1d4cbf5c6b8d86c4945a480136eeaa80f9161fd522",
- "version": 3
+ "sha256": "fa80576323984a1cdbae7de84168b41ea9aa136a4d4eb5b1881c30927aa2d72e",
+ "version": 4
 },
 "0f616aee-8161-4120-857e-742366f5eeb3": {
 "rule_name": "PowerShell spawning Cmd",
- "sha256": "823211d2d9e7031bcc9ea0b8602b7e2dda7d6cf7b53dee522c071d8fd2a71d2a",
- "version": 3
+ "sha256": "059dc81a07c9f3e03e8a0789bff2cb08a59001fdf8fe3a1cb0bcda6d3caa7bc1",
+ "version": 4
 },
 "120559c6-5e24-49f4-9e30-8ffe697df6b9": {
 "rule_name": "User Discovery via Whoami",
- "sha256": "5b24e533677a2f73bf8b544ce6fbf607947458de6b8882958699b9598a3d4a60",
- "version": 3
+ "sha256": "07e4c45585d14e41fadd1bb2f2d089924be88eeb447ed751d600b3ea06d118f2",
+ "version": 4
 },
 "125417b8-d3df-479f-8418-12d7e034fee3": {
 "rule_name": "Attempt to Disable IPTables or Firewall",
- "sha256": "cbc8586826f96d5f656bee2ad503dd04e7969434458387de04f4064d8339fa9f",
- "version": 2
+ "sha256": "59632e186f6b83ff142f1be24f88219a64b9eba91582c6d1151737be05565348",
+ "version": 3
 },
 "139c7458-566a-410c-a5cd-f80238d6a5cd": {
 "rule_name": "SQL Traffic to the Internet",
@@ -121,13 +121,13 @@
 },
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "rule_name": "User Account Creation",
- "sha256": "74696927e06e5fe8c85631d79fbe1c3a4a6b4050e8a47bbe7c15189a0407a7fb",
- "version": 3
+ "sha256": "402a5e361bf78100cbd475dfe6d13b574e07edaa4fd6515e9c6ad9b2cb741ec4",
+ "version": 4
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
 "rule_name": "Connection to Internal Network via Telnet",
- "sha256": "7bb31e4849331d9eb2654a8dcc8e8f7e92932705a68217ddfeaf56def57a7e85",
- "version": 2
+ "sha256": "2e57557c9b3fcb6208d6c61b61fa0c76f5155884ab6f0ee01c7ddd1527283d13",
+ "version": 3
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "rule_name": "Exploit - Detected - Elastic Endpoint Security",
@@ -141,13 +141,13 @@
 },
 "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
 "rule_name": "Potential Shell via Web Server",
- "sha256": "4bfbdc1a0d610ccb336a4816910e33f31ab91509561cfd36f9796e0a3ac975fc",
- "version": 4
+ "sha256": "0ffb12553181b7aba190ba88d9e29ad6f0e6e41cb0b0c290dc111c8c5ebc463d",
+ "version": 5
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Net command via SYSTEM account",
- "sha256": "ea63231f092eb92bb5af6281ae6a75d533362eff9969622f300b444469215456",
- "version": 2
+ "sha256": "8b67949307e8e23b7ba787b251923997097cd417c90f07c137ff306f8ffeee58",
+ "version": 3
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Elastic Endpoint Security",
@@ -156,23 +156,23 @@
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Adobe Hijack Persistence",
- "sha256": "05564512fe328ac4a4fcfffe78ae6a65ea0d787a48aceaf575edae53c7f95d0f",
- "version": 3
+ "sha256": "10a5ff3172ab7265ac7e29a3d64a77992312238f2c35037d3a723bbd26644eac",
+ "version": 4
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
- "sha256": "d599196e0f60c0f8dffb2d1fca21196e2c6ddf937531106b6bb8e633bfcc3333",
- "version": 2
+ "sha256": "3a00bcfef88df687e9f60af981f5e45b7f1d7275c637bf6d346c9a8424ed4aa2",
+ "version": 3
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
- "sha256": "c374f6e74954bf81a5cbbe653d457c42b7f23208449b56ac24281d0d6a1e91db",
- "version": 2
+ "sha256": "a2a3c2eb4e76f3161927f2f3708a7831c0254f05598cf174afe04e173b9b726e",
+ "version": 3
 },
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "92fb6101c53b13f0bf3405f410860ce804f3ba778e06f566431dcda90fe894ba",
- "version": 2
+ "sha256": "d639e962c341c024aaf84dc2d15fb964b80d6ffeb33446bfc689972ac0e74896",
+ "version": 3
 },
 "32923416-763a-4531-bb35-f33b9232ecdb": {
 "rule_name": "RPC (Remote Procedure Call) to the Internet",
@@ -181,8 +181,8 @@
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "582776dd04e5cd8c0f07883b793d2cb8e663233686cd8261b144e394e5bc00b3",
- "version": 3
+ "sha256": "20851dcbbe8b5b2d488ec89f42ae0a34d28ca793f91c59c9a746a071063e4fd5",
+ "version": 4
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
 "rule_name": "AWS IAM User Addition to Group",
@@ -196,8 +196,8 @@
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "7ce5606939cea6e45c7659bde7b679c0c33a164a9cecae385eb2a89379b7bcde",
- "version": 3
+ "sha256": "d6cfb4698aec1b5cf0d032dc63a045734b6d2f64f1512eed04ec2830dae5edc5",
+ "version": 4
 },
 "37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
 "rule_name": "AWS Execution via System Manager",
@@ -211,8 +211,8 @@
 },
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "rule_name": "Network Connection via Certutil",
- "sha256": "9d456ed87d910cb6ebb86be154c58f80a7e4a011f8f55ddc2ff451f3efc23fe9",
- "version": 2
+ "sha256": "2ddb1724d79b9606e5fa60cef5a8ea1b4f61ca4586693d6fa9c74083bbb86402",
+ "version": 3
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
 "rule_name": "AWS EC2 Network Access Control List Creation",
@@ -221,8 +221,8 @@
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
- "sha256": "10a09743e9baaae69190eabcc1d7f6fc61ff8da5e7ff5a79208b7b25f2c05473",
- "version": 2
+ "sha256": "6b771c1099456446df103f77a607770b53cd33f3cf21ef60fda8a8a7914961c3",
+ "version": 3
 },
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
@@ -271,8 +271,8 @@
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "9cd83ec78d98435f5388ded75a9b1034f52da57884d1052801099e79f1087072",
- "version": 3
+ "sha256": "cbd3d898a80fdb3bd7c79c2f6486138e0d9d4577d34256136ccc8282a54d12ea",
+ "version": 4
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "rule_name": "Unusual Process For a Linux Host",
@@ -281,13 +281,13 @@
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
- "sha256": "637246c78b6fa0905bfc47ca942265bc7fc7daa16e544a1dad9aacd0d8932e89",
- "version": 2
+ "sha256": "cb6f8a29b6e8e22054ad733b4c8d1e4a3203a08cc8333c9c0ced2057dba9e71e",
+ "version": 3
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "5b03dfdf92939205720bd9a2a6ba3fcac321ab46278a63cf862a9ca8881623a7",
- "version": 3
+ "sha256": "7efb0cbeb8fdb7d49f6daeca8b7877ab7472b9bd0046e8e25596320bf7836d50",
+ "version": 4
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "rule_name": "AWS GuardDuty Detector Deletion",
@@ -296,8 +296,8 @@
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "f92bcc8271ce1e1082d42f76466838e17a0e94800d8c667f36df7f5dc55a1f92",
- "version": 4
+ "sha256": "e091babf5f308e98b3f0d883ec8d4d6a7ead789f240e79b6c89b974ba77ac80f",
+ "version": 5
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "rule_name": "Unusual Linux Network Activity",
@@ -316,13 +316,13 @@
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "82ba007857d824bcb38916fca098f15f5bb777191a7403c8e31f860514664d6b",
- "version": 2
+ "sha256": "ecaccdda66ec525035e0abe4cc0c05cf1ca2bcb9ab42fc9b087d15e6df1af6b5",
+ "version": 3
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "rule_name": "PsExec Network Connection",
- "sha256": "b05123353ff4a1d27d4631d4bbc2f16860b755c4c32ec12dd65583f752866f43",
- "version": 3
+ "sha256": "8906bc996c13a315e04670626ece6862e0fac10a206fe365d567c09c4b0ae50c",
+ "version": 4
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
@@ -341,8 +341,8 @@
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "a2f23de5e7249c0e4e28212eca17fcf83fdbea776f898f3bc5c456d9b80deb43",
- "version": 3
+ "sha256": "711209a022fc43f31489e05a3dd413ef7c89e4bc058376f1bb54c98896dfaf94",
+ "version": 4
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
@@ -351,8 +351,8 @@
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "1de8ead775e787c3256447c82655c40866a9513c245d1223939e04cb9f9763cf",
- "version": 2
+ "sha256": "9dfe20ded6d2881ef9ab368960f6232c28a7c20783b35ab2176cccff4ca8d19c",
+ "version": 3
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -361,18 +361,18 @@
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "rule_name": "Unusual Process Network Connection",
- "sha256": "1ad6e642d8c578f97d2569cc471059c7029ec1190e89c9dd0042c5a88906275b",
- "version": 3
+ "sha256": "e35d9a9c665928aa65a412aacdc9115351f3ce4a6d8c2588629b84e9243c341d",
+ "version": 4
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
- "sha256": "64a4c6687e8b28df55161028153804821cace7ea512cbabe778d559283d14a8d",
- "version": 3
+ "sha256": "87b5626a84518eec3d829cb474cb47532b10bb4a1d0b11d755c3682475d7cc3a",
+ "version": 4
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "404f0a34bef511d70d8dd11f094e02aa8a3fe938bdfb3d4441c4dbf6ea1a2cd3",
- "version": 3
+ "sha256": "548c73b1abd270a73ac51e0460895d3836f11ceadc8b19559a65c9618e20a118",
+ "version": 4
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
@@ -406,8 +406,8 @@
 },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
- "sha256": "c9771d9c525e750a0017693621b03d3aef6a3ec5773461ed3a1661ab43f85b53",
- "version": 2
+ "sha256": "228c4a9cc746a7de36dcd5f9b3cc9c86d0b06e7aef98059cecf0b2a0c7ed2c2d",
+ "version": 3
 },
 "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
 "rule_name": "AWS IAM Password Recovery Requested",
@@ -476,13 +476,13 @@
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
- "sha256": "c2c87b8c43abfa894c8e9d4fae2a21a63ad5e6608775215ee4315901207fc51d",
- "version": 3
+ "sha256": "ade46e96d842d8cbbf57a750750a9608f727e242b08491889ea63a07dffd4ca3",
+ "version": 4
 },
 "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
 "rule_name": "Deletion of Bash Command Line History",
- "sha256": "90b821385ca30c677f757792c1f20543e852cc3e84161b7c67418e0795598fc8",
- "version": 1
+ "sha256": "9d890cbfcc12c01039cba5c143d094316e061f0a4d5d3b08165cf2eac4abb643",
+ "version": 2
 },
 "7d2c38d7-ede7-4bdf-b140-445906e6c540": {
 "rule_name": "Tor Activity to the Internet",
@@ -501,8 +501,8 @@
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
- "sha256": "80125097341af87cd48b9ad11105d466d5956ccc306450a562cfd0eb3ba33e5c",
- "version": 3
+ "sha256": "7de69f7a4a1f9689fe091d5b70484d4392ad24039b3a80f47d39d322d4719e55",
+ "version": 4
 },
 "8623535c-1e17-44e1-aa97-7a0699c3037d": {
 "rule_name": "AWS EC2 Network Access Control List Deletion",
@@ -521,13 +521,13 @@
 },
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "rule_name": "Command Prompt Network Connection",
- "sha256": "84bf6f16be980111319510f8654f6b42ac0a4e73405b2f031c9d5b0633e71014",
- "version": 3
+ "sha256": "920af03d75efd763b940e822bf4ba93d3f8fd8dde10e116f98e7d459096de622",
+ "version": 4
 },
 "8a1b0278-0f9a-487d-96bd-d4833298e87a": {
 "rule_name": "Setuid Bit Set via chmod",
- "sha256": "80d32998b1c5af4f744b6890f5b5d734fd59f208e072929836a823619660d6b5",
- "version": 2
+ "sha256": "af04c32620120d576ec2c15c7a49bb359b6c1c77490206e947ed86826020fa3a",
+ "version": 3
 },
 "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
 "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -541,8 +541,8 @@
 },
 "90169566-2260-4824-b8e4-8615c3b4ed52": {
 "rule_name": "Hping Process Activity",
- "sha256": "a981451a19485a25d6fe0c5a5c6760be1d66decf16a4989d48754e3b7add6ab6",
- "version": 3
+ "sha256": "983df73edf11df0faa699d91d23031739d932dc4134e634c5c886fd07c6d5a4f",
+ "version": 4
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "rule_name": "AWS RDS Cluster Deletion",
@@ -571,8 +571,8 @@
 },
 "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
 "rule_name": "Sudoers File Modification",
- "sha256": "d11b8d0bb029ec776940640f440bc35573b8d5a83f2306cc9365c36dd2110be7",
- "version": 2
+ "sha256": "7d7d732303b9069da8939be0085b0b8f1fba316e25e4531e3d078f3ef0bab9c3",
+ "version": 3
 },
 "9395fd2c-9947-4472-86ef-4aceb2f7e872": {
 "rule_name": "AWS EC2 Flow Log Deletion",
@@ -586,8 +586,8 @@
 },
 "97f22dab-84e8-409d-955e-dacd1d31670b": {
 "rule_name": "Base64 Encoding/Decoding Activity",
- "sha256": "feb2b3549a08e130d7b06da043cae62e646e2199b3c31bb71aa7ff059c3a7b6e",
- "version": 2
+ "sha256": "b83f0cfa5bbb7f02fa48798def53d8b1a57fd8734d0d24e95e8ebe34444e5249",
+ "version": 3
 },
 "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
 "rule_name": "AWS EC2 Snapshot Activity",
@@ -611,28 +611,28 @@
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
 "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "2f83765c4911e648c0be0db638d9cc346965a71141933eac60f40861b9b7cd91",
- "version": 2
+ "sha256": "d6ebaa11d210241095adfa1bcc998743ab486836f893b87e044a8255829f52fb",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "a21ff9b2f5134165746bb88ae1aee78d6bd955a455052c829ab18ccd9f06118f",
- "version": 2
+ "sha256": "2bbb3b9cbeead17b40f9663e52ec3b42f4b1d58dd645962c431d84b7ce149c90",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
 "rule_name": "Microsoft Build Engine Using an Alternate Name",
- "sha256": "6734ab6912ee86be6f5eff281217b5f9c95ac51596cd01d2f9359cc3b8de7758",
- "version": 2
+ "sha256": "c7b27e753ab08dc5bd3cab380b67f4b346279dbeddea2b55aa862747f335e56b",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
 "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
- "sha256": "9aa85ddacb0b3441dfcb53ec6d5b5c5ce908c558a242c764bd3f44624f8153ee",
- "version": 2
+ "sha256": "45fff1a065830305c07e41b12e2645e34ba7c10c5512268efd85d2e50ce4f833",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
 "rule_name": "Microsoft Build Engine Started an Unusual Process",
- "sha256": "2c2569ff1e94344e1f975de973207510adf013f3a1d023c86508e8a116014454",
- "version": 2
+ "sha256": "0aefc28ef5fa42264e4082dd010644052873fc54ae3cb0b7bc3cbf5a882fe345",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
 "rule_name": "Process Injection by the Microsoft Build Engine",
@@ -641,8 +641,8 @@
 },
 "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
 "rule_name": "File Permission Modification in Writable Directory",
- "sha256": "15ed502ec9c70e5b3fa1de7c99ec0877ac1907ece60779a324b8461956093012",
- "version": 2
+ "sha256": "a615c13125f279c6b25a34d110cf8d84f45e4bbce23e9ec63080952a04342760",
+ "version": 3
 },
 "a00681e3-9ed6-447c-ab2c-be648821c622": {
 "rule_name": "AWS Access Secret in Secrets Manager",
@@ -651,13 +651,13 @@
 },
 "a1329140-8de3-4445-9f87-908fb6d824f4": {
 "rule_name": "File Deletion via Shred",
- "sha256": "4f3f62c5999ec7b6e172437a4f359adc08bb68fc7a83c954c4f019b5d64a8664",
- "version": 2
+ "sha256": "10ea375a05dd802cd9169b589070582864cac1a66a76de45d14c2b089c25e902",
+ "version": 3
 },
 "a4ec1382-4557-452b-89ba-e413b22ed4b8": {
 "rule_name": "Network Connection via Mshta",
- "sha256": "59d713111ca42fcac2769d8939303019253c300d5455524e3fff4446f24282ad",
- "version": 3
+ "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
+ "version": 4
 },
 "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
 "rule_name": "AWS IAM Assume Role Policy Update",
@@ -666,8 +666,8 @@
 },
 "a624863f-a70d-417f-a7d2-7a404638d47f": {
 "rule_name": "Suspicious MS Office Child Process",
- "sha256": "63f8ff2b6aafc463ae4759cabe61f70564a50e3d77328cf40916ae99b7ea9813",
- "version": 3
+ "sha256": "0f44750ec993f9fdde22d2e85e1679352f4d94c946293223c066533697a50f59",
+ "version": 4
 },
 "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
 "rule_name": "Web Application Suspicious Activity: POST Request Declined",
@@ -676,8 +676,8 @@
 },
 "a9198571-b135-4a76-b055-e3e5a476fd83": {
 "rule_name": "Hex Encoding/Decoding Activity",
- "sha256": "c22e81459d98bd8fc47e911677c6ee40218253b7ec3bcb2e21c3d7e6116e7d4e",
- "version": 2
+ "sha256": "d191c76742500aaa9f0d3284ffa0c5fb620768826b7ed5ea0d2eea116d838d86",
+ "version": 3
 },
 "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
 "rule_name": "IPSEC NAT Traversal Port Activity",
@@ -696,18 +696,18 @@
 },
 "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
 "rule_name": "Netcat Network Activity",
- "sha256": "eb3f95d0ec4f799be133ce35a3b5365edbdf780a99a638023ef5aff1f64c5b1e",
- "version": 3
+ "sha256": "a86bc32201580a304e3177b759ade73e627c671d5e11853a88415f784b18d71b",
+ "version": 4
 },
 "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
 "rule_name": "Local Scheduled Task Commands",
- "sha256": "5850b379eef292ad97ff952faf36cd85e8ce9f9c34e36b3f0efe0b844cde9c8f",
- "version": 3
+ "sha256": "d6d29ecdfb8d8ac87743712066146346c70d2a2991a00def356c8ed4733871bf",
+ "version": 4
 },
 "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
 "rule_name": "Network Connection via Compiled HTML File",
- "sha256": "397a3304cb369f9f0567541e5bd84323c385ec834cb499a0e67d718f64006f52",
- "version": 3
+ "sha256": "88b6fdcc1f81a38ae42c2cc4d883604e9f5acd4a58af5f48a0c48e398665b9a4",
+ "version": 4
 },
 "b347b919-665f-4aac-b9e8-68369bf2340c": {
 "rule_name": "Unusual Linux Username",
@@ -721,8 +721,8 @@
 },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "rule_name": "Volume Shadow Copy Deletion via VssAdmin",
- "sha256": "9a89bb4616053a27b9da19b0e039f20b5b06eddb82c0254daa490038e565943f",
- "version": 3
+ "sha256": "fc61426143133407bddabf689f0b5244aff16def118cbf470929b71174763637",
+ "version": 4
 },
 "b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
 "rule_name": "Attempt to Deactivate Okta Policy",
@@ -736,13 +736,13 @@
 },
 "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
 "rule_name": "Network Connection via MsXsl",
- "sha256": "a6b35cd7c01efd9e3ff5f09556cfeae330c4c59d78c7d467cf32b8c376f93371",
- "version": 2
+ "sha256": "b82fc0de50c86b935980223c1fd582a618f509e526ba9d363771d0b5601b2628",
+ "version": 3
 },
 "b9666521-4742-49ce-9ddc-b8e84c35acae": {
 "rule_name": "Creation of Hidden Files and Directories",
- "sha256": "0032ef35ec0d687bcb474eedb0e01318c6d305c658ec692cf78bfb9d1bf2e1dc",
- "version": 1
+ "sha256": "c9369962e142eda14a770259206ca03ba72a0d0b907996d25498e4e2ef847796",
+ "version": 2
 },
 "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
 "rule_name": "Unusual Windows Network Activity",
@@ -771,8 +771,8 @@
 },
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "dd84d55464f543307c27a7f776fafdb99ab36e58ad7a7d5cbe9dbd3bd4c39a33",
- "version": 2
+ "sha256": "15fd9d9b15627d4a9dd571999362b14fb2e86016cf6e27740af6c1f45f64db96",
+ "version": 3
 },
 "c6474c34-4953-447a-903e-9fcb7b6661aa": {
 "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -786,13 +786,13 @@
 },
 "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
 "rule_name": "Direct Outbound SMB Connection",
- "sha256": "f323552f1aa665fbffde188f19226fda514df98d5e174725d61cd0d413ed8130",
- "version": 3
+ "sha256": "fae4636ddb0a185e2acbb41f8fea2f8510f6cf0ae61bbddd0218c63a74d5483b",
+ "version": 4
 },
 "c87fca17-b3a9-4e83-b545-f30746c53920": {
 "rule_name": "Nmap Process Activity",
- "sha256": "b0134afadd79015919a72fb3e6fa0f3994aca735609a71ab4aaa03c89c6ceee4",
- "version": 3
+ "sha256": "b82bf76e52898dfa29ff4736c2c989d575b0bf9c06fdb8bfcbf1ee737f41ccaf",
+ "version": 4
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security",
@@ -816,13 +816,13 @@
 },
 "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
 "rule_name": "Socat Process Activity",
- "sha256": "68d871126791b1040df2c53b6dc057432217be3b4376703b7cb81a2057344720",
- "version": 3
+ "sha256": "5dfa85cf3d23f692d8b5612ae518fda01ad11c2a9e4b3858f6f2eb79112332ac",
+ "version": 4
 },
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
 "rule_name": "Kernel Module Removal",
- "sha256": "f9fdcf439337f1fe71aa24215d02c09249e9cfb978f217d3edef60d6607d9403",
- "version": 2
+ "sha256": "db63134024db06c912eac8f9cbb156a98ba56e576abec86baff108edc6a7a10b",
+ "version": 3
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "rule_name": "Attempt to Deactivate MFA for Okta User Account",
@@ -836,8 +836,8 @@
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "6bf85d1d2f89adc041f3190145f1de20672f190727b302eaaf43268951d5e100",
- "version": 3
+ "sha256": "1e199885d6b2ee9d5652ae342c7a56130596f14f4207396452c15db2d826c26f",
+ "version": 4
 },
 "d49cc73f-7a16-4def-89ce-9fc7127d7820": {
 "rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
@@ -851,13 +851,13 @@
 },
 "d6450d4e-81c6-46a3-bd94-079886318ed5": {
 "rule_name": "Strace Process Activity",
- "sha256": "9d82b60fa077eab2c9bd133e9a3c4d56e2cf3f1ba86047b23540dc6b837266fb",
- "version": 3
+ "sha256": "2932086916e97a5920805f062c8461646c61448d36248aa6bf403133c86efa34",
+ "version": 4
 },
 "d76b02ef-fc95-4001-9297-01cb7412232f": {
 "rule_name": "Interactive Terminal Spawned via Python",
- "sha256": "6e298f0f3fed486ae6f4eb0a4d93d8deebf1597264ec5ac5ed32c42d8616263a",
- "version": 2
+ "sha256": "0a50429de3280c10cd206152131fed4f9491b08502c8877352256f7965470a0f",
+ "version": 3
 },
 "d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
 "rule_name": "SMTP on Port 26/TCP",
@@ -876,8 +876,8 @@
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "64fccc407b6b538dbab612c8a8040476660146645f1940b48a64a324c51e705b",
- "version": 3
+ "sha256": "4b8ef95da8429452dcf67363672f8a9e6c4e45bc80bd729ad5d3b3e60a550a7c",
+ "version": 4
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
@@ -886,13 +886,13 @@
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "rule_name": "Base16 or Base32 Encoding/Decoding Activity",
- "sha256": "5f837c9e27f696b82b77dcb7d2c4a1a92142c2464451fc000104488ed8d65160",
- "version": 2
+ "sha256": "d3b991ebc8647e62117b27fbc8ed1f9c22a7daddb565daa4d2e617d1c8cf71b6",
+ "version": 3
 },
 "df959768-b0c9-4d45-988c-5606a2be8e5a": {
 "rule_name": "Unusual Process Execution - Temp",
- "sha256": "88700a3ed7404230c3fdcfb911bf74ef67178524e736a46f09cd82435b4e825d",
- "version": 3
+ "sha256": "26f7ffcfddc4a817c1cedd32dc68cef4167749ada87584c1ab790d2b44a41485",
+ "version": 4
 },
 "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
 "rule_name": "AWS RDS Cluster Creation",
@@ -901,8 +901,8 @@
 },
 "e19e64ee-130e-4c07-961f-8a339f0b8362": {
 "rule_name": "Connection to External Network via Telnet",
- "sha256": "1bdc0e8f97c88ad7d853ebb1870d959cd48583d54e72572f169a3fb35907e1aa",
- "version": 2
+ "sha256": "8dddae484d130d6bbcf5b88ba30b257f4ec4b0cf0e3eff8233822488c848ad9f",
+ "version": 3
 },
 "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
 "rule_name": "AWS Management Console Root Login",
@@ -936,8 +936,8 @@
 },
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "rule_name": "Local Service Commands",
- "sha256": "09a14045036f6a30948b02a97ace4a3004863642b39f1d965fb7bc175fadff25",
- "version": 3
+ "sha256": "7f40a97cad0ae6acde9832aff4deb5250d452c2c825f894a138ae9f0d86a4121",
+ "version": 4
 },
 "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
 "rule_name": "SSH (Secure Shell) from the Internet",
@@ -956,8 +956,8 @@
 },
 "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
 "rule_name": "Potential Disabling of SELinux",
- "sha256": "8f7296c828ca1babc06b6d8f33006f235b006335b8e05dca5f6cd0dec669975f",
- "version": 2
+ "sha256": "3354f1c679152be687ac4eef73892612b5b488f0cfe4e0e2636dc3dfdfa45b6a",
+ "version": 3
 },
 "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
 "rule_name": "AWS RDS Instance/Cluster Stoppage",
@@ -971,13 +971,13 @@
 },
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "rule_name": "Windows Script Executing PowerShell",
- "sha256": "681ddd7b3337bb41f2496d94153c346d7e8e4fd2cab289c5c5168e3f5446d549",
- "version": 3
+ "sha256": "fbb250048e91b7b8df4a0555a9ddc8cf98009dbf2434019bf0e88839983dd332",
+ "version": 4
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "9fc4f152c5dbe06bbbdf27a4d307abc2da1116b564acc79b30034913e3b12219",
- "version": 3
+ "sha256": "37d052555eb47692d5dd98ecf41af9de6d21b1526b7047c228a532e021ca04ca",
+ "version": 4
 },
 "f772ec8a-e182-483c-91d2-72058f76a44c": {
 "rule_name": "AWS CloudWatch Alarm Deletion",
@@ -991,8 +991,8 @@
 },
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "rule_name": "Network Connection via Regsvr",
- "sha256": "78487cacf86e895d025eabed659c5ffaa0ded038a19808d5d6bb5f70978fb014",
- "version": 3
+ "sha256": "01a7ea6c1cda22f3edc887d557916a5f27184cbb9c90dd7c09e36f3c68fd59f4",
+ "version": 4
 },
 "fbd44836-0d69-4004-a0b4-03c20370c435": {
 "rule_name": "AWS Configuration Recorder Stopped",
@@ -1006,12 +1006,12 @@
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "rule_name": "Encoding or Decoding Files via CertUtil",
- "sha256": "cd0e189f8420314a834c4916b9685304b8edc4259d275796ee0e06fb7df0338b",
- "version": 3
+ "sha256": "d650ddaf396c9379540944aa0f084b0ef5802ec62367cb311ac6a4f0dd353d2d",
+ "version": 4
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "rule_name": "Svchost spawning Cmd",
- "sha256": "53659b10280ff1cf084f6f27a95b3eae81c1e9e9e2cf0806e7eb61f14da0fc6d",
- "version": 3
+ "sha256": "730e186178e67ceed90c1a70820a8ab14290ee86c749c73739fbff617f7da978",
+ "version": 4
 }
 }
\ No newline at end of file