Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4217)

github-actions[bot]
2024-10-28 21:07:46 +05:30
committed by GitHub
parent 123e090e7d
commit 5d2940fa7c
+1547 -494
@@ -11,22 +11,22 @@
"8.10": {
"max_allowable_version": 213,
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "1373f91eab112faf20548ab4097d38478d76efdd3b2f1452a4ea00e6fbe5f971",
"sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587",
"type": "eql",
"version": 114
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "945351b7a4886f20027e399a8f5b0273a8dbe836686f2fc058529a1427108950",
"sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7",
"type": "eql",
"version": 214
"version": 215
}
},
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "fc8f6b7d2a2e0d5c627a5ca1756b3b5df6ad0c51634811f9796238cc39a4a6ea",
"sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74",
"type": "eql",
"version": 314
"version": 315
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.14",
@@ -89,10 +89,20 @@
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10",
"type": "eql",
"version": 107
}
},
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004",
"type": "eql",
"version": 106
"version": 207
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
@@ -141,16 +151,26 @@
"version": 206
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 211,
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1",
"type": "threshold",
"version": 112
}
},
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "3c63df8e9a4eae961ea24ad7bc9706960aa31cf846685ddbd8cbbba903e3b0e5",
"sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368",
"type": "threshold",
"version": 111
"version": 212
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"rule_name": "Potential Memory Seeking Activity",
"sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258",
"sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c",
"type": "eql",
"version": 2
"version": 3
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"rule_name": "Suspicious Dynamic Linker Discovery via od",
@@ -179,9 +199,9 @@
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494",
"sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972",
"type": "query",
"version": 109
"version": 110
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
@@ -195,22 +215,22 @@
"8.10": {
"max_allowable_version": 100,
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "4b3a1669dafbfd92293834f3aae32cdf1ece35c4f6591b33d1f3040fa44fce9f",
"sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174",
"type": "eql",
"version": 1
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "b73f166a75fdf86d3f2056d4ae8d312ea463c44c64dc9fab1b77f809d7b966ae",
"sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67",
"type": "eql",
"version": 101
"version": 102
}
},
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "b73f166a75fdf86d3f2056d4ae8d312ea463c44c64dc9fab1b77f809d7b966ae",
"sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102",
"type": "eql",
"version": 201
"version": 202
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Azure AD Global Administrator Role Assigned",
@@ -243,15 +263,25 @@
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "0dfc0b069d300f001ad888794c331aa6459cf2a1afbe74e991e76540d3d1c334",
"sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570",
"type": "eql",
"version": 6
"version": 7
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 213,
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e",
"type": "eql",
"version": 114
}
},
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add",
"type": "eql",
"version": 113
"version": 214
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.14",
@@ -289,16 +319,36 @@
"version": 108
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 213,
"rule_name": "Remote System Discovery Commands",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
"type": "eql",
"version": 114
}
},
"rule_name": "Remote System Discovery Commands",
"sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06",
"type": "eql",
"version": 113
"version": 214
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 109,
"rule_name": "System Time Discovery",
"sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261",
"type": "eql",
"version": 10
}
},
"rule_name": "System Time Discovery",
"sha256": "b20b0883dce0c126871b6ae34bed57fd769c23c5b5de5d0d7778bca20696d468",
"sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f",
"type": "eql",
"version": 9
"version": 110
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"rule_name": "Unusual Remote File Size",
@@ -335,15 +385,15 @@
"8.10": {
"max_allowable_version": 211,
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "84f9ab9fddd97724ac58b9019c6094a320f8d9d0f2b389c4fc66ffd72c3e570a",
"sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1",
"type": "eql",
"version": 112
"version": 113
}
},
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "4cba3feab1ad86e3059a5998c72b8673a2d37950425f6e1b0e80a4acb3d5e002",
"sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c",
"type": "eql",
"version": 212
"version": 213
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.14",
@@ -435,10 +485,20 @@
"version": 106
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 108,
"rule_name": "First Time Seen Removable Device",
"sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6",
"type": "new_terms",
"version": 9
}
},
"rule_name": "First Time Seen Removable Device",
"sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58",
"type": "new_terms",
"version": 7
"version": 109
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
@@ -478,9 +538,9 @@
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13",
"sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff",
"type": "eql",
"version": 4
"version": 5
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
@@ -502,7 +562,7 @@
"version": 5
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
@@ -510,30 +570,57 @@
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
"type": "query",
"version": 6
},
"8.12": {
"max_allowable_version": 207,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 108
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "1a79fc397af3f12c7da606036342d1b41b7d2b17df4a446cd98e618b4e7e9891",
"type": "query",
"version": 107
"version": 208
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "020707bc72930c1c88624fa6bc70c89066d79ec0c2e4b211d7039857de3514b0",
"sha256": "b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559",
"type": "eql",
"version": 3
"version": 4
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 207,
"rule_name": "Anomalous Windows Process Creation",
"sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Anomalous Windows Process Creation",
"sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0",
"type": "machine_learning",
"version": 107
"version": 208
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 212,
"rule_name": "User account exposed to Kerberoasting",
"sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0",
"type": "query",
"version": 113
}
},
"rule_name": "User account exposed to Kerberoasting",
"sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af",
"type": "query",
"version": 112
"version": 213
},
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
@@ -553,15 +640,15 @@
"8.13": {
"max_allowable_version": 101,
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "1b2555dd5c85d73de0e5bba5942450628664cd1e0023117f44c85b562060643c",
"sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088",
"type": "eql",
"version": 2
"version": 3
}
},
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "5497d098e570a215007cbe03a87f3122353b2f7693d184260582856664ce0c69",
"sha256": "e3e0dae0ba3379b0f1c16cff9934161e82104fc80d18f14fcf96ae61dcd3e44e",
"type": "eql",
"version": 102
"version": 103
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
@@ -581,9 +668,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Peripheral Device Discovery",
"sha256": "c3889f256c7f95c492de240f96870f33ac83d81b6ad034e3aecf476450573762",
"sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -688,10 +775,20 @@
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 309,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735",
"type": "threshold",
"version": 210
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698",
"type": "threshold",
"version": 209
"version": 310
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
@@ -775,10 +872,20 @@
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 113,
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2",
"type": "query",
"version": 14
}
},
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24",
"type": "query",
"version": 13
"version": 114
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.13",
@@ -809,10 +916,20 @@
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9",
"type": "machine_learning",
"version": 6
"version": 107
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"rule_name": "AWS Lambda Function Created or Updated",
@@ -937,10 +1054,20 @@
"version": 105
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853",
"type": "threshold",
"version": 7
}
},
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd",
"type": "threshold",
"version": 5
"version": 107
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
@@ -994,9 +1121,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "e95a20057c03b7af915f7bb0aa29300e680a683ac8f1c15d8951150d2acd81d3",
"sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -1150,40 +1277,90 @@
"version": 2
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Username",
"sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Username",
"sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a",
"type": "machine_learning",
"version": 106
"version": 207
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Service",
"sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
"type": "machine_learning",
"version": 106
}
},
"rule_name": "Unusual Windows Service",
"sha256": "aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c",
"type": "machine_learning",
"version": 105
"version": 206
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Suspicious Powershell Script",
"sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Suspicious Powershell Script",
"sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601",
"type": "machine_learning",
"version": 106
"version": 207
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
"type": "machine_learning",
"version": 106
}
},
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0",
"type": "machine_learning",
"version": 105
"version": 206
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Remote User",
"sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
"type": "machine_learning",
"version": 106
}
},
"rule_name": "Unusual Windows Remote User",
"sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb",
"type": "machine_learning",
"version": 105
"version": 206
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "2a67cb5cd32db22aa939d61ec976ea4d0aa9623596bdf8a430c808aa2aa77ee5",
"sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a",
"type": "eql",
"version": 14
"version": 15
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.14",
@@ -1302,22 +1479,22 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Execution of COM object via Xwizard",
"sha256": "1d0681a11138f4ae7bf2b6332f6fd7d4cdc980921332c53b1723a9b082b2ad99",
"sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Execution of COM object via Xwizard",
"sha256": "75b9e2340d47646a740eb8b676d3f14570901f1077538b742bb0707df63f181a",
"sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4",
"type": "eql",
"version": 210
"version": 211
}
},
"rule_name": "Execution of COM object via Xwizard",
"sha256": "32b2823ce29ab2ac08642513c87f7d13eba21dd4653181deecac9f786e73114e",
"sha256": "cd42a38d9a6e35812d8c106382547d304b5b560c92518647d4dc73dfd75cc02f",
"type": "eql",
"version": 310
"version": 311
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
@@ -1331,9 +1508,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "User Account Creation",
"sha256": "45816938efafa31647f79f3eb0813237660ed5a732912ed9797a2fa64edd516c",
"sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -1453,10 +1630,20 @@
"version": 108
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 108,
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc",
"type": "query",
"version": 8
"version": 109
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.14",
@@ -1505,12 +1692,12 @@
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731",
"sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae",
"type": "eql",
"version": 3
"version": 4
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
@@ -1518,12 +1705,19 @@
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
"type": "query",
"version": 6
},
"8.12": {
"max_allowable_version": 208,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 109
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "54e718a88b4a68d227e6b66b126f993aa778b036deb6f8be5b61951c298f111f",
"type": "query",
"version": 108
"version": 209
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
@@ -1548,10 +1742,20 @@
"version": 103
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
"type": "eql",
"version": 6
}
},
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "c6ab370809c60a6fc72b73ebf08275954bc19e7bee4115ff334fc436e4256db0",
"sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6",
"type": "eql",
"version": 5
"version": 106
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
@@ -1566,10 +1770,20 @@
"version": 104
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 109,
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
"type": "query",
"version": 10
}
},
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "eeebabf5497517642690f0b238295c5f9f09396305832e4b067a3d788067bee9",
"type": "query",
"version": 9
"version": 110
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"min_stack_version": "8.13",
@@ -1579,10 +1793,20 @@
"version": 2
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8",
"type": "eql",
"version": 4
}
},
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "fb398cfee97e528fb36491eb57ae229eb51744020bc8ff818659bc74fdd08ecc",
"sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa",
"type": "eql",
"version": 3
"version": 104
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
@@ -1618,9 +1842,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "8ac1d85c1a2ec7664798918bc56810136f6ac597b13a7b0eec0e9c033a6bcbdd",
"sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -1797,9 +2021,9 @@
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"rule_name": "Kernel Module Load via insmod",
"sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2",
"sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d",
"type": "eql",
"version": 109
"version": 110
},
"2377946d-0f01-4957-8812-6878985f515d": {
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
@@ -1850,10 +2074,20 @@
"version": 309
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4",
"type": "query",
"version": 4
}
},
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb",
"type": "query",
"version": 3
"version": 104
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"rule_name": "Potential Reverse Shell via Background Process",
@@ -1863,9 +2097,9 @@
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "910c6260475ac0d34a0354b97ff3c19f1b7ef26a8d78a053e3b1fb73f55c7323",
"sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b",
"type": "new_terms",
"version": 5
"version": 6
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
@@ -1920,15 +2154,15 @@
"8.13": {
"max_allowable_version": 310,
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "5347550dec817bbf8a30b8cceeec4fb4c34039491a86e3cb7eb2a10b8afa6d1c",
"sha256": "535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e",
"type": "eql",
"version": 211
"version": 212
}
},
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "6ade23c64deaeb89059e8ca68c53f0ee23843a4a561f5bb0c1a90c69d4d05b37",
"sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441",
"type": "eql",
"version": 311
"version": 312
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"rule_name": "Potential Defense Evasion via Doas",
@@ -1965,7 +2199,7 @@
"version": 311
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
@@ -1973,12 +2207,19 @@
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
"type": "query",
"version": 5
},
"8.12": {
"max_allowable_version": 207,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
"type": "query",
"version": 108
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "4a3e6bf68329d70f058be24f7904ce234a26b57c38972ad33ff103a9e00f78a9",
"type": "query",
"version": 107
"version": 208
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"rule_name": "Attempt to Clear Kernel Ring Buffer",
@@ -2086,21 +2327,21 @@
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320",
"sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326",
"type": "eql",
"version": 5
"version": 6
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "0a180c61b8aa35288abaa53efe0c157c6d37e5280e80b5e25ca9284d250d0be9",
"sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403",
"type": "eql",
"version": 2
"version": 3
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "1bbc59664ea9b04b6617570b0dfb20792a323de2634050e653bd63ba8b1adcb4",
"sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6",
"type": "eql",
"version": 4
"version": 5
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS Security Group Configuration Change Detection",
@@ -2162,7 +2403,7 @@
"version": 415
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 310,
@@ -2170,12 +2411,19 @@
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
"type": "new_terms",
"version": 211
},
"8.12": {
"max_allowable_version": 414,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4",
"type": "new_terms",
"version": 315
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d",
"type": "new_terms",
"version": 314
"version": 415
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
@@ -2190,16 +2438,16 @@
"version": 1
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"rule_name": "Potential Linux SSH X11 Forwarding",
"sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7",
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91",
"type": "eql",
"version": 3
"version": 4
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391",
"sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4",
"type": "eql",
"version": 6
"version": 7
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
@@ -2209,9 +2457,9 @@
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"rule_name": "ESXI Discovery via Grep",
"sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504",
"sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880",
"type": "eql",
"version": 6
"version": 7
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.14",
@@ -2330,9 +2578,9 @@
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e",
"sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c",
"type": "new_terms",
"version": 209
"version": 210
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.14",
@@ -2402,16 +2650,36 @@
"version": 211
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 212,
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
"type": "query",
"version": 113
}
},
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855",
"type": "query",
"version": 112
"version": 213
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "Accessing Outlook Data Files",
"sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473",
"type": "eql",
"version": 5
}
},
"rule_name": "Accessing Outlook Data Files",
"sha256": "db4e19d7469dc91d1a4d9faafa87f33a0ffda20f60b7e829d7066ccfada6ef07",
"sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378",
"type": "eql",
"version": 4
"version": 105
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.13",
@@ -2465,10 +2733,20 @@
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 211,
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
"type": "query",
"version": 112
}
},
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8",
"type": "query",
"version": 111
"version": 212
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
@@ -2583,9 +2861,9 @@
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "172d24bcf01cef30702ad2466f5b01b312a7b5b9b0420781b3f5d178dee2810e",
"sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e",
"type": "eql",
"version": 2
"version": 3
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure Network Watcher Deletion",
@@ -2605,9 +2883,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Program Files Directory Masquerading",
"sha256": "640ede499425561eafaace54b64271dc0c75b80d80fca0d8b82da0d2b58c30f3",
"sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -2666,9 +2944,9 @@
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"rule_name": "ESXI Discovery via Find",
"sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04",
"sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df",
"type": "eql",
"version": 6
"version": 7
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
@@ -2796,9 +3074,9 @@
"8.10": {
"max_allowable_version": 208,
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "fefaa82ff180803dd05b6b0d43cfed6b9c836603ead4df9a42364585d37197e4",
"sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb",
"type": "eql",
"version": 109
"version": 110
},
"8.13": {
"max_allowable_version": 308,
@@ -2872,10 +3150,20 @@
"version": 208
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 214,
"rule_name": "Network Connection via Certutil",
"sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be",
"type": "eql",
"version": 115
}
},
"rule_name": "Network Connection via Certutil",
"sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071",
"type": "eql",
"version": 114
"version": 215
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
@@ -2944,9 +3232,9 @@
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "6830658a6c7df047562c77a035de9a3c72616c2c4cc3680ea3caead24a2675ba",
"sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b",
"type": "eql",
"version": 2
"version": 3
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.14",
@@ -3088,9 +3376,9 @@
"8.10": {
"max_allowable_version": 101,
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "43ef957c4841d72a0eed0eef915a2a434fba9e1bbfa8f9e969c7754d8236aca5",
"sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
"type": "eql",
"version": 2
"version": 3
},
"8.13": {
"max_allowable_version": 201,
@@ -3106,7 +3394,7 @@
"version": 202
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
@@ -3114,12 +3402,19 @@
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
"type": "query",
"version": 5
},
"8.12": {
"max_allowable_version": 207,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
"type": "query",
"version": 108
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb",
"type": "query",
"version": 107
"version": 208
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
@@ -3227,9 +3522,9 @@
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792",
"sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420",
"type": "eql",
"version": 5
"version": 6
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"rule_name": "Binary Executed from Shared Memory Directory",
@@ -3256,10 +3551,20 @@
"version": 3
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a User",
"sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Unusual Process Spawned by a User",
"sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e",
"type": "machine_learning",
"version": 6
"version": 107
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
@@ -3273,9 +3578,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "4f88e7a9112a07893f4b2c1849ef0d4959829a575d2ab8700ea6d9cb9e9aa3f5",
"sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -3292,15 +3597,15 @@
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"rule_name": "Suspicious Modprobe File Event",
"sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c",
"sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c",
"type": "new_terms",
"version": 107
"version": 108
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"rule_name": "Unix Socket Connection",
"sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22",
"sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0",
"type": "eql",
"version": 2
"version": 3
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.14",
@@ -3398,9 +3703,9 @@
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"rule_name": "Linux User Added to Privileged Group",
"sha256": "2dfb9575cc645fa50cebdb23d7ca0430deb31dd044ee4678db3517dbeeab236c",
"sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e",
"type": "eql",
"version": 7
"version": 8
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.14",
@@ -3426,10 +3731,20 @@
"version": 311
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Path Activity",
"sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Path Activity",
"sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4",
"type": "machine_learning",
"version": 106
"version": 207
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
@@ -3472,10 +3787,20 @@
"version": 2
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Windows Event Logs Cleared",
"sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27",
"type": "query",
"version": 111
}
},
"rule_name": "Windows Event Logs Cleared",
"sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f",
"type": "query",
"version": 110
"version": 211
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.14",
@@ -3522,9 +3847,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "35db94e83082bb07447ac1233547dcfe629fb843d39c755861ace1e5e426a32a",
"sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -3547,9 +3872,9 @@
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
"sha256": "0b73e5e62cae5d12fa9f1593413122fedb8a5dabb1a53d42be46c0cee2d4f35f",
"sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034",
"type": "eql",
"version": 12
"version": 13
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Sensitive Files Compression Inside A Container",
@@ -3559,9 +3884,9 @@
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "ea849a9461e38a2045fe127b98e787f05d95161ba0ae4008de1c4ce3a7c773dd",
"sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01",
"type": "eql",
"version": 1
"version": 2
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.14",
@@ -3685,10 +4010,20 @@
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1",
"type": "eql",
"version": 6
}
},
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "aca87260b181359408cce6f76507de03da06ac49fa8815ca6587fbb18465b5ad",
"sha256": "24424c58a67a62f2464e7ce3c038697aeb561551b61ba5a2c8bf1cf001674ec1",
"type": "eql",
"version": 5
"version": 106
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -3779,16 +4114,26 @@
"version": 309
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 110,
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
"type": "query",
"version": 11
}
},
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c",
"type": "query",
"version": 10
"version": 111
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e",
"sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77",
"type": "eql",
"version": 6
"version": 7
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
@@ -3895,9 +4240,9 @@
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Confidence Misconduct Blocks Detected",
"sha256": "ec8018367ddae889657cf1cb6c99b9c0fb427d64de771d720364e8e10a5ddf6c",
"sha256": "3398bec154ac1a626c777596eca4d931feeb50eeaa61584cd602258d98b79e25",
"type": "esql",
"version": 2
"version": 3
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.14",
@@ -3905,22 +4250,22 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "516db4cf8557eafd3460e28139da74d2c72f860f9905e30ab5a32a2022d2094d",
"sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "0d6d4651b1ecb4c9d8f441529eaeec07303f9c3c334747c598732aab1906a13b",
"sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d",
"type": "eql",
"version": 211
"version": 212
}
},
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "a7ce39d7ca13ce9e8e59f3f06b1ed7ae1731bd3cecab9ac660fe44815d1f0e7c",
"sha256": "c18c0a517e014572b811a79c2427ada539292d70e5d70db5e1b5dab10c4e52f2",
"type": "eql",
"version": 311
"version": 312
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
@@ -3929,16 +4274,26 @@
"version": 3
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 107,
"rule_name": "Windows System Information Discovery",
"sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155",
"type": "eql",
"version": 8
}
},
"rule_name": "Windows System Information Discovery",
"sha256": "756e470e62e48f87fbad4a84a36227fae6cf096baea0cfbfd68eab516ca7ab0d",
"sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0",
"type": "eql",
"version": 7
"version": 108
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7",
"sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9",
"type": "eql",
"version": 2
"version": 3
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.14",
@@ -4093,9 +4448,9 @@
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "abbed0de67d7ae950dd29ebf82d8d832f7075ebdd3b1ff3841b33f154df5f96a",
"sha256": "31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870",
"type": "new_terms",
"version": 10
"version": 11
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
@@ -4122,28 +4477,38 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "e987d5fe63d102c7bb7c668c0fc403ccdc02389130d9aed4ed25a1e85a1f52b4",
"sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "83280bfbf6c14209cedb5b7a86f820170bd880a70b2b0a343536e9735032fc7d",
"sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd",
"type": "eql",
"version": 211
"version": 212
}
},
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "d56d39e789ec74fb9e36767e2af77e608728e0e3e9dce8f1737ab40fe74565d8",
"sha256": "756f5cf00ac9cb8da7bcb2c337c9b4e427f52c809e8846acfb481d18cf1e5683",
"type": "eql",
"version": 311
"version": 312
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b",
"type": "eql",
"version": 6
}
},
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "18ddc4eb7eda6120b2b7e59391fa204195a03dad284743b8a2d8405a64b3be18",
"sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a",
"type": "eql",
"version": 5
"version": 106
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.14",
@@ -4151,18 +4516,18 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "1b77761f1f1b0914e1345e28a6c1d2b0c30453aa083758de07f18b9a79857ee3",
"sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a",
"type": "eql",
"version": 110
"version": 111
}
},
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "1b77761f1f1b0914e1345e28a6c1d2b0c30453aa083758de07f18b9a79857ee3",
"sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef",
"type": "eql",
"version": 210
"version": 211
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 107,
@@ -4170,12 +4535,19 @@
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
"type": "query",
"version": 8
},
"8.12": {
"max_allowable_version": 209,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 110
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12",
"type": "query",
"version": 109
"version": 210
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.14",
@@ -4183,15 +4555,15 @@
"8.10": {
"max_allowable_version": 211,
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "b266d7cba5e3ee8a68a89a82582964b770cf9005aeaecc0127687672ede31ee1",
"sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698",
"type": "eql",
"version": 112
"version": 113
}
},
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "b266d7cba5e3ee8a68a89a82582964b770cf9005aeaecc0127687672ede31ee1",
"sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e",
"type": "eql",
"version": 212
"version": 213
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.14",
@@ -4232,10 +4604,20 @@
"version": 2
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b",
"type": "machine_learning",
"version": 6
"version": 107
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
@@ -4244,10 +4626,20 @@
"version": 2
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7",
"type": "query",
"version": 107
}
},
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "3e6a9752a3bdbffedad925a1b38a27845fc5d548f93785ad06147603e651e3e0",
"sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7",
"type": "query",
"version": 106
"version": 207
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.11",
@@ -4278,7 +4670,7 @@
"version": 104
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 209,
@@ -4286,12 +4678,19 @@
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
"type": "query",
"version": 110
},
"8.12": {
"max_allowable_version": 312,
"rule_name": "PowerShell PSReflect Script",
"sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d",
"type": "query",
"version": 213
}
},
"rule_name": "PowerShell PSReflect Script",
"sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1",
"type": "query",
"version": 212
"version": 313
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"rule_name": "Execution of an Unsigned Service",
@@ -4318,16 +4717,36 @@
"version": 102
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "PowerShell MiniDump Script",
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell MiniDump Script",
"sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a",
"type": "query",
"version": 109
"version": 210
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb",
"type": "eql",
"version": 6
}
},
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "81da2322574ee19272135501b257cf847b0b854ac486336d75fd54970c66a1be",
"sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932",
"type": "eql",
"version": 5
"version": 106
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"min_stack_version": "8.14",
@@ -4524,9 +4943,9 @@
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
"sha256": "c9fb7b1a40fb8a63342f9f814a8e100720fa02eea274c2aeb53db151bed3f581",
"sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570",
"type": "eql",
"version": 6
"version": 7
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
@@ -4535,10 +4954,20 @@
"version": 5
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 213,
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3",
"type": "new_terms",
"version": 114
}
},
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0",
"type": "new_terms",
"version": 112
"version": 214
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -4554,16 +4983,36 @@
"version": 2
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
"type": "query",
"version": 3
}
},
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6",
"type": "query",
"version": 2
"version": 103
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 112,
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106",
"type": "new_terms",
"version": 13
}
},
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "68e3da7154a6582f7a0c8b621f055fb9c62464b39f4b3727ca0208ab9e47aa0e",
"sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8",
"type": "new_terms",
"version": 12
"version": 113
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"rule_name": "Segfault Detected",
@@ -4672,15 +5121,15 @@
"8.10": {
"max_allowable_version": 101,
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "8d7f07f9b154ad5aeed9d76695452e6470861400f810fc9a777d390eda0fb74c",
"sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7",
"type": "eql",
"version": 2
"version": 3
}
},
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "8d7f07f9b154ad5aeed9d76695452e6470861400f810fc9a777d390eda0fb74c",
"sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c",
"type": "eql",
"version": 102
"version": 103
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
@@ -4799,7 +5248,7 @@
"version": 104
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 212,
@@ -4807,12 +5256,19 @@
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
"type": "query",
"version": 113
},
"8.12": {
"max_allowable_version": 315,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
"type": "query",
"version": 216
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95",
"type": "query",
"version": 215
"version": 316
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -4859,10 +5315,20 @@
"version": 207
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62",
"type": "query",
"version": 111
}
},
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6",
"type": "query",
"version": 110
"version": 211
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
@@ -4872,9 +5338,9 @@
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by SSHD Child Process",
"sha256": "026a0ff9383f49a20b58463f40f14c0331889526d60ee9e89e1e8d14c0772894",
"sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c",
"type": "eql",
"version": 2
"version": 3
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
@@ -4918,9 +5384,9 @@
},
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
"rule_name": "Dynamic Linker Creation or Modification",
"sha256": "bdf1b0f84e3bbc046df60ade86c8188ef57fbb45f7fc947f84d9011da4d6a60f",
"sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d",
"type": "eql",
"version": 1
"version": 2
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
@@ -4936,9 +5402,9 @@
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b",
"sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac",
"type": "eql",
"version": 5
"version": 6
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -4994,10 +5460,20 @@
"version": 2
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "WebServer Access Logs Deleted",
"sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
"type": "eql",
"version": 107
}
},
"rule_name": "WebServer Access Logs Deleted",
"sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938",
"type": "eql",
"version": 106
"version": 207
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
@@ -5034,10 +5510,20 @@
"version": 207
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 112,
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804",
"type": "query",
"version": 13
}
},
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b",
"type": "query",
"version": 12
"version": 113
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"rule_name": "Attempt to Modify an Okta Policy",
@@ -5081,9 +5567,9 @@
"8.10": {
"max_allowable_version": 208,
"rule_name": "Image File Execution Options Injection",
"sha256": "c2b23662abc573f31a8ecd1f1a209ab092b6d28915dc38aaa16664af71c1545f",
"sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3",
"type": "eql",
"version": 109
"version": 110
},
"8.13": {
"max_allowable_version": 308,
@@ -5230,9 +5716,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Modification of Boot Configuration",
"sha256": "8370613b240c6526b217457b239420a79efbdaad26b15203f4ec59b96e044971",
"sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -5382,10 +5868,20 @@
"version": 1
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Unusual Process For a Windows Host",
"sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203",
"type": "machine_learning",
"version": 111
}
},
"rule_name": "Unusual Process For a Windows Host",
"sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da",
"type": "machine_learning",
"version": 110
"version": 211
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
@@ -5395,27 +5891,57 @@
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
"sha256": "1181d28604ebf265444f65fb2e0e91ed779f6557ac57a9aaa2425f073f9dbee8",
"sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2",
"type": "eql",
"version": 1
"version": 2
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 107,
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6",
"type": "new_terms",
"version": 8
}
},
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "9d96edb2b383e25178813ce435566c0bfddaa9456a84a0dc55e26cdd61ce408e",
"sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9",
"type": "new_terms",
"version": 7
"version": 108
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 207,
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9",
"type": "machine_learning",
"version": 107
"version": 208
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "AdminSDHolder Backdoor",
"sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe",
"type": "query",
"version": 110
}
},
"rule_name": "AdminSDHolder Backdoor",
"sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360",
"type": "query",
"version": 109
"version": 210
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
@@ -5440,10 +5966,20 @@
"version": 209
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 213,
"rule_name": "Security Software Discovery using WMIC",
"sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31",
"type": "eql",
"version": 114
}
},
"rule_name": "Security Software Discovery using WMIC",
"sha256": "e367014765972ea19c75ae672a6fed0a0c7915901fbf3ae50868a9faf7e0f9dd",
"sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288",
"type": "eql",
"version": 113
"version": 214
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
@@ -5510,10 +6046,20 @@
"version": 209
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846",
"sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4",
"type": "eql",
"version": 2
"version": 103
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
@@ -5696,9 +6242,9 @@
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"rule_name": "Suspicious Sysctl File Event",
"sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8",
"sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1",
"type": "new_terms",
"version": 107
"version": 108
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"rule_name": "Service Disabled via Registry Modification",
@@ -5774,29 +6320,29 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"sha256": "b7ab17057206897d65dcad5a62262f342860ce34ca6624af13a3e70326b99e47",
"type": "eql",
"version": 110
"version": 111
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435",
"sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a",
"type": "eql",
"version": 212
"version": 213
},
"8.13": {
"max_allowable_version": 413,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "3d646c36cc0e84e7c619ac72a7eb01e5b77ea36e35acec05e07f5aa24755bd79",
"sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8",
"type": "eql",
"version": 314
"version": 315
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "a1f2778c3089a6666380ca97ed61892329ff328b9f9518586d3a79497eadf9c1",
"sha256": "1a434a85ff5b56a152e0d0113a98ed1da564de86086c64c2935069b35d97a87d",
"type": "eql",
"version": 414
"version": 415
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.14",
@@ -5829,9 +6375,9 @@
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "cba8664ad751541036313bc6f39bf662a14e3ee4440c028dac9c4b089dd71780",
"sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30",
"type": "new_terms",
"version": 3
"version": 4
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
@@ -5875,29 +6421,29 @@
"8.10": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"sha256": "416dce868f1a4876765a41cddaba8d8860afac5cca30502daf254f8f45cb337a",
"type": "eql",
"version": 1
"version": 2
},
"8.11": {
"max_allowable_version": 202,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c",
"sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446",
"type": "eql",
"version": 103
"version": 104
},
"8.13": {
"max_allowable_version": 304,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "2cdef7164dd5efff7785fe8dd624222490599f9496bf2c1ae2652d0dab81dc9f",
"sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996",
"type": "eql",
"version": 205
"version": 206
}
},
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "54b0e619cd3f80d0144a009e63970baaa6f7b13db1e8853ed78bcd6dfd2a3d63",
"sha256": "1eaf3424c72feb184b48c48ad3da78cb7d02d08e49f2b3be6d1772122c378de4",
"type": "eql",
"version": 305
"version": 306
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
@@ -5959,10 +6505,20 @@
"version": 209
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 211,
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e",
"type": "query",
"version": 112
}
},
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1",
"type": "query",
"version": 111
"version": 212
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
@@ -5984,9 +6540,9 @@
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "e0c591aeba61158c00765037cf3782c59e6577da6a93fca8720d47fe1b602867",
"sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564",
"type": "eql",
"version": 3
"version": 4
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
@@ -6001,10 +6557,20 @@
"version": 206
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 213,
"rule_name": "Windows Network Enumeration",
"sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486",
"type": "eql",
"version": 114
}
},
"rule_name": "Windows Network Enumeration",
"sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f",
"type": "eql",
"version": 113
"version": 214
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"rule_name": "SELinux Configuration Creation or Renaming",
@@ -6036,9 +6602,9 @@
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "55bc076a0afc6e5d4aeeb675d5ceac237bd0b6f1be950eda19669219fb3bdf6b",
"sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a",
"type": "eql",
"version": 3
"version": 4
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
@@ -6088,29 +6654,29 @@
"8.10": {
"max_allowable_version": 102,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
"sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
"type": "eql",
"version": 3
"version": 4
},
"8.12": {
"max_allowable_version": 203,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
"sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
"type": "eql",
"version": 104
"version": 105
},
"8.13": {
"max_allowable_version": 304,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "9f07ddc78490993b58486df4fc3d44fffd01697488bdc9523a3ee71b197662d4",
"sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043",
"type": "eql",
"version": 205
"version": 206
}
},
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "b696ce99dbc3d3c4e3d25ea1ed05a27f867ee9358bae8fa0145cc89a006ffd7f",
"sha256": "09aa0b96928a0da988c7c455ed658d28a685def31b11dd104cab212d9ba3a979",
"type": "eql",
"version": 305
"version": 306
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.14",
@@ -6136,9 +6702,9 @@
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "22106370ef245153e940ad0c5577fa5492b2c1799353840dcf28c8ef4a7c564a",
"sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5",
"type": "eql",
"version": 14
"version": 15
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"min_stack_version": "8.13",
@@ -6149,9 +6715,9 @@
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587",
"sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a",
"type": "new_terms",
"version": 106
"version": 107
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"rule_name": "Unusual Process Extension",
@@ -6160,10 +6726,20 @@
"version": 4
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 102,
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5",
"type": "query",
"version": 3
}
},
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "6e71b4ea552314b263198211bc6bc680d060453ac942fe0fe59499562f8ed834",
"type": "query",
"version": 2
"version": 103
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"rule_name": "SSM Session Started to EC2 Instance",
@@ -6172,10 +6748,20 @@
"version": 1
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "2f33fc4f7caa141d7d123cb9f3db0800102989bf888469014c091590af360155",
"sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608",
"type": "eql",
"version": 3
"version": 104
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
@@ -6225,7 +6811,7 @@
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 210,
@@ -6233,12 +6819,19 @@
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
"type": "query",
"version": 111
},
"8.12": {
"max_allowable_version": 313,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5",
"type": "query",
"version": 214
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561",
"type": "query",
"version": 213
"version": 314
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.14",
@@ -6274,9 +6867,9 @@
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f",
"sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b",
"type": "eql",
"version": 6
"version": 7
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
@@ -6326,10 +6919,20 @@
"version": 3
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
"type": "query",
"version": 7
}
},
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb",
"type": "query",
"version": 6
"version": 107
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
@@ -6397,9 +7000,9 @@
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76",
"sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78",
"type": "eql",
"version": 109
"version": 110
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.14",
@@ -6436,10 +7039,10 @@
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Potential Suspicious Clipboard Activity Detected",
"sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839",
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3",
"type": "new_terms",
"version": 4
"version": 5
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
@@ -6582,10 +7185,10 @@
"version": 207
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75",
"rule_name": "Deprecated - Suspicious JAVA Child Process",
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
"type": "new_terms",
"version": 208
"version": 209
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
@@ -6622,9 +7225,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "071d89c4572134471756b34b80307bbb03d025c6ce054517a1789245187d0db8",
"sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -6657,22 +7260,22 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "413cab0e2b9bc4a6210ad80d9dda7117b2bc1fbe8a5ed8fbc922dfea700529e8",
"sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "918d4f6d345efaf52d079c3cb52fa771790a7777a86a818fdaa72a11aca5ffe0",
"sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8",
"type": "eql",
"version": 211
"version": 212
}
},
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "a339cd594e22f12930a187d07e676424f0c517d1782e02099541845fd5de7029",
"sha256": "b150ed721a6ec1116190ad1dcfb3db4e6c695a418fcd51fca09e3ab018d7ef3b",
"type": "eql",
"version": 311
"version": 312
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
@@ -6753,10 +7356,20 @@
"version": 4
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "Bitsadmin Activity",
"sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e",
"type": "eql",
"version": 5
}
},
"rule_name": "Bitsadmin Activity",
"sha256": "c8759e5d38ff5b6b5ccbd5f3bbb2dfdc6e5c2496f6838fb16ad79eff6df49fb9",
"sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86",
"type": "eql",
"version": 4
"version": 105
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.14",
@@ -6827,10 +7440,20 @@
"version": 108
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "InstallUtil Activity",
"sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f",
"type": "eql",
"version": 4
}
},
"rule_name": "InstallUtil Activity",
"sha256": "b92f346d7d4452e75805ef5947e138d215676542d84f62585faca2bbbdc5985e",
"sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7",
"type": "eql",
"version": 3
"version": 104
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
@@ -6875,7 +7498,7 @@
"version": 1
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 107,
@@ -6883,12 +7506,19 @@
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
"type": "query",
"version": 8
},
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4",
"type": "query",
"version": 109
"version": 210
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.14",
@@ -6962,9 +7592,9 @@
"8.10": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"sha256": "e20bede2cf9f7765ae6d20ca1cf0c101e18b2cce36bd1404306fcfbdfc346d4c",
"type": "eql",
"version": 107
"version": 108
},
"8.11": {
"max_allowable_version": 308,
@@ -7016,9 +7646,9 @@
"8.10": {
"max_allowable_version": 108,
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "1f336cac30c00c0a9d22ee5887d3b3fe79ca45615ac7a56079ac0fe826c75e30",
"sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1",
"type": "eql",
"version": 9
"version": 10
},
"8.13": {
"max_allowable_version": 208,
@@ -7047,10 +7677,20 @@
"version": 107
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897",
"type": "query",
"version": 4
}
},
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746",
"type": "query",
"version": 3
"version": 104
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.14",
@@ -7069,10 +7709,20 @@
"version": 210
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753",
"type": "query",
"version": 109
"version": 210
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.13",
@@ -7089,9 +7739,9 @@
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"rule_name": "File made Immutable by Chattr",
"sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e",
"sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c",
"type": "eql",
"version": 111
"version": 112
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
@@ -7163,29 +7813,29 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"sha256": "caeba78c336bb935017ea2fa0a4a71a5d66c521649882281fff349ee6094c4da",
"type": "eql",
"version": 110
"version": 111
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6",
"sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea",
"type": "eql",
"version": 212
"version": 213
},
"8.13": {
"max_allowable_version": 413,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "f7df58636dd0f5db7c616886cb0351669060903ff09f78b0e42e5bea9ef0c820",
"sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee",
"type": "eql",
"version": 314
"version": 315
}
},
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5405ae15a7c4c66cec53971ecfd6d17ba8647f25cced95b1c82df4fe7e5e660d",
"sha256": "9762b71fbc0bb8d0886f4b4c796d490d1e216a9cb3081ba46310edaa272fdf75",
"type": "eql",
"version": 414
"version": 415
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -7225,15 +7875,25 @@
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "5712effbbe1f56916c81aa8c2fa4c30fe56da84d391d94c8f1fabfcc499a273f",
"sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7",
"type": "eql",
"version": 1
"version": 2
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc",
"type": "eql",
"version": 4
}
},
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "e660e1d232fba1ebc63af5c0809de741e16b48a216fc1e04333e400920a8a56f",
"sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa",
"type": "eql",
"version": 3
"version": 104
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
@@ -7266,10 +7926,20 @@
"version": 107
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 109,
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3",
"type": "eql",
"version": 10
}
},
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5",
"type": "eql",
"version": 9
"version": 110
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.14",
@@ -7289,9 +7959,9 @@
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"rule_name": "Access Control List Modification via setfacl",
"sha256": "2bdb21ef00ffe93f4747808c826b6427d6a409233ef39a8eb86825ceac929077",
"sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f",
"type": "eql",
"version": 1
"version": 2
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"rule_name": "Spike in Failed Logon Events",
@@ -7313,9 +7983,9 @@
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780",
"sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5",
"type": "new_terms",
"version": 208
"version": 209
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.14",
@@ -7402,15 +8072,25 @@
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "869205c107b75f01fc84a1a4d7906b841d447e59fa886d66162a42cadd64c68e",
"sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59",
"type": "eql",
"version": 3
"version": 4
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "Hosts File Modified",
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
"type": "eql",
"version": 110
}
},
"rule_name": "Hosts File Modified",
"sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b",
"type": "eql",
"version": 109
"version": 210
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.14",
@@ -7470,10 +8150,20 @@
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 310,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
"type": "new_terms",
"version": 211
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360",
"type": "new_terms",
"version": 210
"version": 311
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.14",
@@ -7481,9 +8171,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "136ae03e8398626300b67d66ea323ef995153b5d73e05a4d97615fb9ccc4667f",
"sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -7531,10 +8221,20 @@
"version": 210
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 313,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e",
"type": "new_terms",
"version": 214
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772",
"type": "new_terms",
"version": 213
"version": 314
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.14",
@@ -7594,9 +8294,9 @@
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46",
"sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b",
"type": "new_terms",
"version": 210
"version": 211
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
@@ -7660,15 +8360,15 @@
"8.10": {
"max_allowable_version": 206,
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "5e85d0964ffb23e46464866537bf77a32631a6719b54a4a2b2145594bc426af1",
"sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2",
"type": "eql",
"version": 107
"version": 108
}
},
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "c27402a2b97ef38d57e1ca971362297737b43fc11bfbeba559dbb459a49a79de",
"sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc",
"type": "eql",
"version": 207
"version": 208
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.14",
@@ -7747,10 +8447,20 @@
"version": 108
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 108,
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087",
"type": "query",
"version": 8
"version": 109
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.14",
@@ -8037,10 +8747,20 @@
"version": 2
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676",
"type": "machine_learning",
"version": 106
}
},
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c",
"type": "machine_learning",
"version": 105
"version": 206
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
@@ -8080,9 +8800,9 @@
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "1a2154c53e400d0a4a40954d8b3bb8a81e9c72e8ea5339616287431599bbd96a",
"sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64",
"type": "eql",
"version": 2
"version": 3
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"min_stack_version": "8.14",
@@ -8136,10 +8856,20 @@
"version": 6
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
"type": "query",
"version": 110
}
},
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0",
"type": "query",
"version": 109
"version": 210
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
@@ -8219,15 +8949,25 @@
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"rule_name": "Openssl Client or Server Activity",
"sha256": "eb60ed38bd81425874c7f966c9730433440964d537828399605c87d3e47a6ace",
"sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce",
"type": "eql",
"version": 1
"version": 2
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 211,
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
"type": "query",
"version": 112
}
},
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b",
"type": "query",
"version": 111
"version": 212
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
@@ -8284,9 +9024,9 @@
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "2ea424f3dd8247a4393a0720f27cf711e88eeb3053ef0a9d566a12ccdbff9d2f",
"sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a",
"type": "new_terms",
"version": 8
"version": 9
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
@@ -8371,10 +9111,20 @@
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Potential Network Share Discovery",
"sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Network Share Discovery",
"sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e",
"type": "eql",
"version": 5
"version": 106
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
@@ -8438,9 +9188,9 @@
"8.10": {
"max_allowable_version": 212,
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "7b41c9b34eb7756cea5d9ea21200350a5e85bf48b70549efb6bb1a05a8f336d9",
"sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817",
"type": "eql",
"version": 113
"version": 114
},
"8.13": {
"max_allowable_version": 312,
@@ -8491,10 +9241,20 @@
"version": 206
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "At.exe Command Lateral Movement",
"sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402",
"type": "eql",
"version": 5
}
},
"rule_name": "At.exe Command Lateral Movement",
"sha256": "596bc9757fd1b14354c88844abe003ea6c44c81e47e0c0e3eb676d0e18a37aa2",
"sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0",
"type": "eql",
"version": 4
"version": 105
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"rule_name": "Attempt to Delete an Okta Policy",
@@ -8562,9 +9322,9 @@
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671",
"sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d",
"type": "eql",
"version": 106
"version": 107
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.14",
@@ -8652,10 +9412,20 @@
"version": 3
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 107,
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552",
"type": "query",
"version": 7
"version": 108
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.14",
@@ -8709,9 +9479,9 @@
"8.10": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"sha256": "dac2e2c25e7dd1a182070fd822b152f0095457a92cc288cdb320b70210ac5506",
"type": "eql",
"version": 5
"version": 6
},
"8.11": {
"max_allowable_version": 206,
@@ -8758,9 +9528,9 @@
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"rule_name": "Chkconfig Service Add",
"sha256": "49a38a189b45b8742927c27e0f3bc16b1f3b9ea5805a11c8eb6cb1abff49eeb8",
"sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985",
"type": "eql",
"version": 112
"version": 113
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
@@ -8792,9 +9562,9 @@
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d",
"sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf",
"type": "eql",
"version": 110
"version": 111
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.14",
@@ -8826,10 +9596,20 @@
"version": 1
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Network Activity",
"sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57",
"type": "machine_learning",
"version": 106
}
},
"rule_name": "Unusual Windows Network Activity",
"sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4",
"type": "machine_learning",
"version": 105
"version": 206
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
@@ -8916,9 +9696,9 @@
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26",
"sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42",
"type": "eql",
"version": 5
"version": 6
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"rule_name": "File and Directory Permissions Modification",
@@ -8939,16 +9719,36 @@
"version": 5
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 214,
"rule_name": "PowerShell Keylogging Script",
"sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
"type": "query",
"version": 115
}
},
"rule_name": "PowerShell Keylogging Script",
"sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b",
"type": "query",
"version": 114
"version": 215
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "cf28ed994aa47d40b0d77d68da9785c3c07ff15ccd3ad79e7aec4b99bc0b90e2",
"sha256": "1b379c5cbede7bf2589191a432c64ff0cec22ff6311e672094cd7adfdb312095",
"type": "eql",
"version": 4
"version": 105
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.14",
@@ -8956,21 +9756,21 @@
"8.10": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "724eec536f66fe8a03fe8cdef9a9cc126999a17e21ca4b456271a6dac6ac1e9a",
"sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c",
"type": "eql",
"version": 107
"version": 108
}
},
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "724eec536f66fe8a03fe8cdef9a9cc126999a17e21ca4b456271a6dac6ac1e9a",
"sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f",
"type": "eql",
"version": 207
"version": 208
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe",
"sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5",
"type": "eql",
"version": 7
"version": 8
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.14",
@@ -9005,10 +9805,20 @@
"version": 101
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470",
"type": "machine_learning",
"version": 6
"version": 107
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"rule_name": "Unusual Remote File Directory",
@@ -9022,22 +9832,22 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "d94f813f3adad813ecd430aca4ca81b77662ad2e1bf90576aded2e84b4e12f66",
"sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "9aa835a42ccfb3fc6fd49f646d5cf9b6a9571de15990d420846c8337e15d4660",
"sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267",
"type": "eql",
"version": 210
"version": 211
}
},
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "871d6e23b0e77d32ac7d8e92be4a9861f61135565f0297109c30dbde7fa36a2f",
"sha256": "aa92d61a20988fcff096acb8bdefc175bc6a9106afea40c6075279a20c88a82c",
"type": "eql",
"version": 310
"version": 311
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
@@ -9115,10 +9925,20 @@
"version": 103
},
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2",
"type": "query",
"version": 3
}
},
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "e35fdfd50d3dc2bb04494da7e86463de8df7262df4dc0e66fda0ce85c0784cb4",
"type": "query",
"version": 2
"version": 103
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"rule_name": "Suspicious Renaming of ESXI index.html File",
@@ -9216,9 +10036,9 @@
},
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
"sha256": "48e762ddbceaf6256b8b4c9f5a0d0236f8b0a26eb64f33a8366908c1e39ecf03",
"sha256": "c056bd0c7ba6094f8c2e3dab39e877cd912116a95831c04b4dcd657055f001cb",
"type": "new_terms",
"version": 1
"version": 2
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.14",
@@ -9262,9 +10082,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "ea6c245fc31ad66d45cb335f153b5b6cc1962313e4fc87ee3ad4890e4df9d4fc",
"sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -9309,16 +10129,36 @@
"version": 4
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Attempted Private Key Access",
"sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa",
"type": "eql",
"version": 6
}
},
"rule_name": "Attempted Private Key Access",
"sha256": "3f4bc3609acb832849bf3dfb8d0011e9101a62ddbb200980ef4c9c1c18105c16",
"sha256": "a4672a225e05abdfbd91924298f689eb56da9ff55c0db55ca1f87d7ca8bdd3d9",
"type": "eql",
"version": 5
"version": 106
},
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Service Path Modification via sc.exe",
"sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32",
"type": "eql",
"version": 6
}
},
"rule_name": "Service Path Modification via sc.exe",
"sha256": "19481cd5f0061d0e9abb287e0056d90364099357f75b6d510e5daf24b03f7344",
"sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa",
"type": "eql",
"version": 5
"version": 106
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.14",
@@ -9394,9 +10234,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "71713128fb40f765aa19577ca4c5ee2641efa56f6b05b76896c18d048f27a904",
"sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -9553,9 +10393,9 @@
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "370e2287e26fd37cab018216a50a46bdac348146f3ab718ff3a9d20dd6380f0e",
"sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9",
"type": "eql",
"version": 9
"version": 10
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.14",
@@ -9563,9 +10403,9 @@
"8.10": {
"max_allowable_version": 212,
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "fdeb8bd3bd36da8482aec51fe088238a05b01313fe6a03b6a96be73499e64c95",
"sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78",
"type": "eql",
"version": 113
"version": 114
},
"8.13": {
"max_allowable_version": 312,
@@ -9586,9 +10426,9 @@
"8.10": {
"max_allowable_version": 211,
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "b6c3999e3b7038dd6d84f41e410f3f357f47f247ca63dab5d626eba35c8f1403",
"sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
"type": "eql",
"version": 112
"version": 113
},
"8.13": {
"max_allowable_version": 311,
@@ -9635,9 +10475,9 @@
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a",
"sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9",
"type": "new_terms",
"version": 213
"version": 214
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
@@ -9729,9 +10569,9 @@
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f",
"sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7",
"type": "eql",
"version": 109
"version": 110
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"rule_name": "Downloaded URL Files",
@@ -9741,9 +10581,9 @@
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "fb512e2a04b7bf3b8549b73433d2f7f16c1fc0028ad3a8730030fc324bd23ee6",
"sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
"type": "eql",
"version": 208
"version": 209
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"rule_name": "Okta User Session Impersonation",
@@ -9752,7 +10592,7 @@
"version": 208
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 110,
@@ -9760,12 +10600,19 @@
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
"type": "query",
"version": 11
},
"8.12": {
"max_allowable_version": 212,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
"type": "query",
"version": 113
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c",
"type": "query",
"version": 112
"version": 213
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification",
@@ -9785,9 +10632,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "d5a932b4cde4b72560bcd708508421d4e1157cbdf147429ffc893e6f28d0ec3a",
"sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -9896,9 +10743,9 @@
"8.10": {
"max_allowable_version": 211,
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "3732dc9625b63920eb195603fc132b4be43a8c17c19933f8e2f9ca1c08ed3606",
"sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
"type": "eql",
"version": 112
"version": 113
},
"8.13": {
"max_allowable_version": 311,
@@ -10006,10 +10853,20 @@
"version": 107
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
"type": "eql",
"version": 4
}
},
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "2ec39c980e8e040f091141e4bba068c7e2d9421b07a8d3a80a12f3410c234ad5",
"sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50",
"type": "eql",
"version": 3
"version": 104
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
@@ -10072,9 +10929,9 @@
"8.10": {
"max_allowable_version": 207,
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "3811648f476d3fc838556af8d262a1088cd53f6ee50ae76a0e23637bb58c0ead",
"sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625",
"type": "eql",
"version": 108
"version": 109
},
"8.13": {
"max_allowable_version": 307,
@@ -10113,9 +10970,9 @@
},
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
"rule_name": "Unusual DPKG Execution",
"sha256": "69340d5a5035b5a7afddb451f23b3a5ff02a53ac0e1d8d93bc331e92cccfde1b",
"sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891",
"type": "eql",
"version": 1
"version": 2
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
@@ -10136,10 +10993,20 @@
"version": 100
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 113,
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
"type": "eql",
"version": 14
}
},
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "d2b8477d5765b0980fbdb9f344b4ff035ec0cb0578b284a317b889b5e58ff032",
"sha256": "a509788cd40ec1f0f0af9c860a4dbb6f77a05421428008e91c1619cf410ee20e",
"type": "eql",
"version": 13
"version": 114
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
@@ -10194,9 +11061,9 @@
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"rule_name": "Suspicious Memory grep Activity",
"sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165",
"sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a",
"type": "eql",
"version": 2
"version": 3
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
@@ -10361,10 +11228,20 @@
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d",
"type": "new_terms",
"version": 6
}
},
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e",
"type": "new_terms",
"version": 5
"version": 106
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
@@ -10444,9 +11321,9 @@
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7",
"sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c",
"type": "eql",
"version": 8
"version": 9
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.14",
@@ -10454,22 +11331,22 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "6913e8fd7b9203ace2ef366cb24c06ff59a5c1908905f32042768f3590809916",
"sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "cb144e1664eae2022a168bf937188f2f8f0498ea2c8f35164327b7ed8a553f03",
"sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db",
"type": "eql",
"version": 211
"version": 212
}
},
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "49d710901913160d828cd0fe69071b96efd4e943a03e70a95f1e579e09fb5bae",
"sha256": "fd5c86759b6948c95d8e08768f9293bd265a8dc55d2351badc0205d0b356c28a",
"type": "eql",
"version": 311
"version": 312
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
@@ -10541,9 +11418,9 @@
"8.10": {
"max_allowable_version": 209,
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "35578d34109317c67ca01f095e9d891323b630a65d9c3b4bb9fa61bb4ae51074",
"sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2",
"type": "eql",
"version": 110
"version": 111
},
"8.13": {
"max_allowable_version": 309,
@@ -10571,22 +11448,22 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "1ea85895c1e9692b2144abd83a39f906efacd1dd15a7e0ea709d74bd772a29f1",
"sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "08289b38793c4f025901e9d6568a91f4a5cadeb60603041c278622343e9ca486",
"sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608",
"type": "eql",
"version": 211
"version": 212
}
},
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "c764cc98731b767bd1daf51c93e2b175ceacda33748ac361e2a2faea9b5f8efc",
"sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a",
"type": "eql",
"version": 311
"version": 312
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
@@ -10607,10 +11484,20 @@
"version": 8
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e",
"type": "machine_learning",
"version": 106
}
},
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3",
"type": "machine_learning",
"version": 105
"version": 206
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
@@ -10695,10 +11582,20 @@
"version": 208
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 108,
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
"type": "eql",
"version": 9
}
},
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "722dc606baba2b7a20f5fa648810db4aff9da0019aa616b58dacbdcc0d003765",
"sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275",
"type": "eql",
"version": 8
"version": 109
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"rule_name": "Attempts to Brute Force an Okta User Account",
@@ -10708,9 +11605,9 @@
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a",
"sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119",
"type": "eql",
"version": 4
"version": 5
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
@@ -10761,7 +11658,7 @@
"version": 105
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.12",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 211,
@@ -10769,19 +11666,26 @@
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
"type": "query",
"version": 112
},
"8.12": {
"max_allowable_version": 315,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
"type": "query",
"version": 216
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8",
"type": "query",
"version": 215
"version": 316
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"min_stack_version": "8.11",
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "0d493d54d6a9e9eb8b1f527d5c6ebdffc45744a26431e74cad009bc649787cd4",
"sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45",
"type": "new_terms",
"version": 3
"version": 4
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"min_stack_version": "8.12",
@@ -10853,9 +11757,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "e854ef45e0b15bde6c824b68e085a4fa5f63ae2e6c35b648a7756ba04b22f351",
"sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -10900,15 +11804,25 @@
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "a12fc5ac4681febd200e96fa86740a7e2de167ef46d88241bac338e2664351a8",
"sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa",
"type": "eql",
"version": 113
"version": 114
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f",
"type": "new_terms",
"version": 5
}
},
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639",
"type": "new_terms",
"version": 4
"version": 105
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify an Okta Network Zone",
@@ -10933,10 +11847,20 @@
"version": 206
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 212,
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
"type": "query",
"version": 113
}
},
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb",
"type": "query",
"version": 112
"version": 213
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
@@ -11134,9 +12058,9 @@
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "8357787656e3daed9dc3bd059a5ddbfe3135b2c8f5f60e19c0e6f21f35c60199",
"sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753",
"type": "new_terms",
"version": 106
"version": 107
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -11210,10 +12134,20 @@
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336",
"type": "machine_learning",
"version": 6
"version": 107
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
@@ -11240,16 +12174,36 @@
"version": 103
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a",
"type": "query",
"version": 5
"version": 106
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 212,
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8",
"type": "query",
"version": 112
"version": 213
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
@@ -11322,22 +12276,22 @@
"8.10": {
"max_allowable_version": 211,
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "7997ce4c4ea3c3ef0d1adec59cb16f13f15a066fbf0ce32911c176a9d52c6efe",
"sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
"type": "eql",
"version": 112
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "3f2bd412d6cfb3cf1e423a19361cd64ce9df8fa5cbcf9b6137aa6844c7ab4773",
"sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4",
"type": "eql",
"version": 212
"version": 213
}
},
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "bbb273361c04bf542c7aef6dd6996e80dc4d87b34edf41bdbea421b7eea98136",
"sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2",
"type": "eql",
"version": 312
"version": 313
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"rule_name": "File Made Executable via Chmod Inside A Container",
@@ -11353,9 +12307,9 @@
},
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
"sha256": "4403a1b8cc3b6cf55887b3e1bb2c55edebd5d4110ed98095a7e4d74823fe5f11",
"sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1",
"type": "eql",
"version": 1
"version": 2
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"rule_name": "Executable File with Unusual Extension",
@@ -11584,10 +12538,20 @@
"version": 2
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "Service Path Modification",
"sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
"type": "eql",
"version": 5
}
},
"rule_name": "Service Path Modification",
"sha256": "af6644977dc35574f5942430a311b670b041e7fce34a70a57fed46135b94c210",
"sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091",
"type": "eql",
"version": 4
"version": 105
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
@@ -11607,22 +12571,22 @@
"8.10": {
"max_allowable_version": 208,
"rule_name": "SIP Provider Modification",
"sha256": "4f2fa4f7ba18189f4ee2482c093526e503df9e2402510c43f392b820c072387e",
"sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e",
"type": "eql",
"version": 109
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "SIP Provider Modification",
"sha256": "410120de8d4d9f8849234a383e2f8a0c99e6986e2c88487b30e9966af201d8d5",
"sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832",
"type": "eql",
"version": 209
"version": 210
}
},
"rule_name": "SIP Provider Modification",
"sha256": "410120de8d4d9f8849234a383e2f8a0c99e6986e2c88487b30e9966af201d8d5",
"sha256": "ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72",
"type": "eql",
"version": 309
"version": 310
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.14",
@@ -11689,9 +12653,9 @@
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c",
"sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598",
"type": "eql",
"version": 2
"version": 3
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"rule_name": "Threat Intel URL Indicator Match",
@@ -11701,9 +12665,9 @@
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808",
"sha256": "a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4",
"type": "eql",
"version": 5
"version": 6
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.14",
@@ -11735,10 +12699,20 @@
"version": 2
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 212,
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
"type": "query",
"version": 113
}
},
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b",
"type": "query",
"version": 112
"version": 213
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"min_stack_version": "8.13",
@@ -11796,40 +12770,80 @@
"version": 2
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 107,
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d",
"type": "new_terms",
"version": 8
}
},
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289",
"type": "new_terms",
"version": 6
"version": 108
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
"type": "query",
"version": 7
}
},
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da",
"type": "query",
"version": 6
"version": 107
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "WMIC Remote Command",
"sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
"type": "eql",
"version": 7
}
},
"rule_name": "WMIC Remote Command",
"sha256": "bde579fd6042b8f056a3c84c411c1b0a020840f712a7b40248674978d6d629aa",
"sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189",
"type": "eql",
"version": 6
"version": 107
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6",
"sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd",
"type": "eql",
"version": 5
"version": 6
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3",
"type": "machine_learning",
"version": 6
"version": 107
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
"sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37",
"sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373",
"type": "eql",
"version": 6
"version": 7
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
@@ -11945,9 +12959,9 @@
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"min_stack_version": "8.11",
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "39e51bf1355bc9d55908c45292191667d343c6e7e55bd924acc646c39149c813",
"sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255",
"type": "new_terms",
"version": 2
"version": 3
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.14",
@@ -11980,9 +12994,9 @@
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "8c82f7ae81e70899a3291b174c982e42800a293504f4224e5b966446845357bb",
"sha256": "6507c4745da0b0264ac93849eb4783ca11447050920d70c87be1c446f2206d74",
"type": "eql",
"version": 1
"version": 2
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.14",
@@ -12008,11 +13022,20 @@
"version": 312
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"min_stack_version": "8.10",
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 103,
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03",
"type": "query",
"version": 4
}
},
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5",
"type": "query",
"version": 3
"version": 104
},
"f909075d-afc7-42d7-b399-600b94352fd9": {
"min_stack_version": "8.14",
@@ -12099,9 +13122,9 @@
"8.10": {
"max_allowable_version": 210,
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "047b8cd1964481be440c7186d72ce524d343cb9aef77ae92e9f48b47f18b27f0",
"sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
"type": "eql",
"version": 111
"version": 112
},
"8.13": {
"max_allowable_version": 310,
@@ -12304,10 +13327,20 @@
"version": 310
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 317,
"rule_name": "Svchost spawning Cmd",
"sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a",
"type": "new_terms",
"version": 218
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83",
"type": "new_terms",
"version": 216
"version": 318
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
@@ -12317,21 +13350,41 @@
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "c86b28f11fe883a792c1f4a99ca24524597264470b2dc6d302b02795551ec614",
"sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39",
"type": "eql",
"version": 12
"version": 13
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1",
"type": "query",
"version": 6
"version": 107
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.14",
"previous": {
"8.10": {
"max_allowable_version": 106,
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b",
"type": "query",
"version": 6
"version": 107
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.14",
@@ -12405,9 +13458,9 @@
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "ed309e5ccb19be6d0cd66d8b65d8c4d28a0fd81f4d5dd3a10bb6a321632bf511",
"sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90",
"type": "eql",
"version": 13
"version": 14
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",