security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781)

Browse Source 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1

(cherry picked from commit 5e073af69d)
This commit is contained in:
github-actions[bot]
2022-02-16 08:25:31 -09:00
parent 678f7cb93c
commit 76f3ff1074
1 changed files with 143 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files
etc/version.lock.json
+143 -133
View File
@@ -148,8 +148,8 @@
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.0",
"rule_name": "Threat Intel Indicator Match",
"sha256": "644597db423c57ceb689e808957d7850f1838b69d883630234f110141c63606f",
"version": 2
"sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718",
"version": 3
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
@@ -189,8 +189,8 @@
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "7.14.0",
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "ff67dcfa3dda984af29cc41ece885de00bd48128fed28a3a8ef4e298d83e43b8",
"version": 1
"sha256": "549215ea3a624085dcc50282089306cd1d82418bedb7612fff262a1adde0d33c",
"version": 2
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
@@ -280,13 +280,13 @@
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "8817ddfdb38379b4031a751743514e46c8a4e608c68ea79adf13a6aa11a09b2d",
"version": 1
"sha256": "16e54b31547c5f1dc1b16ad82368432904753d296f9df8aa69d20c61d4d9b3e1",
"version": 2
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "e1d80d9e27fd401af4a1b5d71ca3c873fb759d8583008989b4a228c6df687655",
"version": 1
"sha256": "33fa48cfd6c384e6dcf0a5af2d62090fd89307e136c5ef798efbe745e8324466",
"version": 2
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
@@ -315,13 +315,13 @@
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "8ca91c7053d3f30c2c76188da11648bbc94aa5c68e2288ceaee0e6d942535fcf",
"version": 5
"sha256": "975fcc9572e8117b283322c180c833044bcd17bf6caf3fb3758f1b06c6c48351",
"version": 6
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "d4ae959f9ad85bcd8081e151eaf495d1b1e6297723b6b7cfecee70697ae4d9ad",
"version": 1
"sha256": "2efc5fbfcc942c4b9524b11fc28cd6e721a37c7c5c1936c95b9361a2d0a15622",
"version": 2
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
@@ -420,8 +420,8 @@
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "1751fff36bc2849d6ead1fa2d8574e3ee837344e605318329e54ae45f989b25e",
"version": 6
"sha256": "713f215dd72eac1c0676cf847d9f30d87ba3c2ff376db9f225c99d4433c1eb02",
"version": 7
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
@@ -560,8 +560,8 @@
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Net command via SYSTEM account",
"sha256": "9edf6f050f8563bcf0dbd301c61100d160969829b5cbdbd7c90872555d44ea25",
"version": 8
"sha256": "5e35b7ace9af65eee277e440fbb6659768d0caf5ab49a5179222cde8b4410fa1",
"version": 9
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
@@ -590,8 +590,8 @@
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "b94f034710f0bd4a1c9a3ba74dec7f2dcd74ac6997dd532f8a2fc96eb2589faa",
"version": 1
"sha256": "10a0ac7664c24449518000fd745408481a284e5530621bcb46bd09274cb30517",
"version": 2
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
@@ -625,8 +625,8 @@
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "5ca7f98d19a4d9431200fdb6eba8a591bb202717b60a130137f203d98c24cf21",
"version": 2
"sha256": "9a94bd09a73f383701fd95cad27beec422c1ffddbfe186463b5fa61733bb2d16",
"version": 3
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
@@ -645,8 +645,8 @@
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "877044d765d5091e0cefc0b0db367a269916db834ea839d61af7965d888d5611",
"version": 3
"sha256": "d7898ac8939e5614c533f409847a25d00fa7b6de74838a8d8c8c62f4825b7e18",
"version": 4
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
@@ -660,8 +660,8 @@
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "01d70504b5d20ab8b24b2e860abb3d61cc09c6bcab622240c677ae3f5733f5b1",
"version": 3
"sha256": "96d60aedac6a331445e99ddf32dc6532401ff7ce7eeeaa45b07121449be5e805",
"version": 4
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
@@ -671,8 +671,8 @@
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "7.15.0",
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "64619f9caffb2d5207658b5ddb16c86462b4c19c8567280b74c5191166c42a25",
"version": 1
"sha256": "cb10ec3e256bf22234266e706b1f392088ccf60b2e48ea27893d6b4eb27a2e8b",
"version": 2
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
@@ -731,8 +731,8 @@
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"rule_name": "Port Forwarding Rule Addition",
"sha256": "0cee3eae7a950faf73452b2022d6ec9980dcce503a5247c6d9b74a28f2a862f9",
"version": 4
"sha256": "9686d00619c4eda20f8030f22542ba81410c031fa79e8a87712bd72e22b5d96b",
"version": 5
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
@@ -746,8 +746,8 @@
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "922ec3de8ec673c8094683d428592de1ad4d44af9afd45caa9a4cf8b0e7289eb",
"version": 3
"sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee",
"version": 4
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
@@ -877,8 +877,8 @@
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "0ec360815683ac95dccca9d337385dfc1389dd03b5d923f929ab310a2a3c8ad0",
"version": 4
"sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01",
"version": 5
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
@@ -973,8 +973,8 @@
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "7.15.0",
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "f8e4481e5c38326daea5818415a4f06be1da64247686974940283c6b7a31f81f",
"version": 1
"sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0",
"version": 2
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -1028,8 +1028,8 @@
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "a18109b668acb88d44b78365be64838b14a3144532e52ed72211806b193cc789",
"version": 3
"sha256": "e573874c887d52298c8c9a8f0ca2e19769f649bd1b4b36f98aed5a4919ec6c6e",
"version": 4
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
@@ -1088,12 +1088,17 @@
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "e7c699725084ca5652b0fa7e6fb0e9ed2d8d82dff4ffba0ef2ab3bffb24c8e09",
"version": 4
"sha256": "063beeef24d261da01edbbeeaee92572fb436a31d690472418d40c46a6209d50",
"version": 5
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "53f0078220668a3e1693b3799b20e79a69c961485f0981c0fefdcb35a4bbad7b",
"sha256": "d7dd9478ea6adaad5568eb2f70c33bc6ce44da0e2a6867f38c5ff48086311669",
"version": 2
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "08df11e0b47db88dd1ea0c975775244bb561f4eedb48f626f65b3d8d51eff4e3",
"version": 1
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
@@ -1123,8 +1128,8 @@
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"rule_name": "PowerShell PSReflect Script",
"sha256": "86329a97344d57daff770fd9195eb9f6991826eb7630f321cdc1631692abebca",
"version": 1
"sha256": "9c17e951b973ee2ca613cc870ce1e0276513c1acef9546f7f7264e2c71c48a41",
"version": 2
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
@@ -1143,8 +1148,8 @@
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "1ce48872d69315c8737dbfaad85cfbfafeb6605864d782c1e3d5ce01a7c6d29f",
"version": 4
"sha256": "105c3f90085d4af397d4adccf7e48445bb28c785e46cd84cefc25720ab8b2b27",
"version": 5
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1153,8 +1158,8 @@
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
"sha256": "205f152264f976a03a9a96a5fadff7e2e6e2e6c62aaece1df3205b7fcc644305",
"version": 4
"sha256": "671a71d6221cf597294f3a2384e29d5a828ffa9b490776ade78495b7180fa810",
"version": 5
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
@@ -1168,8 +1173,8 @@
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "c4966675fed8b27f672aca65ba0bac58e7c0b6d3f47cfc4805b4d1b9a95e4bba",
"version": 1
"sha256": "c321fa60ddbbe7f3e8b0914a43379c5eacaee6c4c0b9c399fe46481d47c446f2",
"version": 2
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "O365 Email Reported by User as Malware or Phish",
@@ -1278,8 +1283,8 @@
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "00b90b0ba27de6d77f053e3242f675290c5e1ed3b05fafe8db72007267abd075",
"version": 3
"sha256": "2996a4fab8119ba85417d7826967b9135cbefceaa7cb3c8cfcb0183f0d9f92b8",
"version": 4
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -1308,8 +1313,8 @@
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "9ad6dc163992a21c58bb77d8738169cdbae4dd13bda4ef4afc98c4c21326f5f9",
"version": 1
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"version": 2
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
@@ -1323,8 +1328,8 @@
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "75262fa3fdb8bf3a911f98cd5eaaa2ba57b2d538692b1b002372f00a8534219b",
"version": 6
"sha256": "f27800e26f498a07905f3f25d836d4d3234e564f7ff4aacb4e3778b7155475db",
"version": 7
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
@@ -1338,8 +1343,8 @@
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "160bfa9db1e328fb3835851bf40e9d43c7f8553adaf8b426db137604d0862649",
"version": 2
"sha256": "9fc4ef03c57ceb4080449f8f6db2e2054bae6343b79b340c3b462697cb756abb",
"version": 3
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
@@ -1359,8 +1364,8 @@
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "7.13.0",
"rule_name": "Image File Execution Options Injection",
"sha256": "cb9f8ab520ca0272536e6f61744c52bd7dae188a52f40d4587e9c233786de795",
"version": 4
"sha256": "6f3da8f7ad3053933ead97d9f24027defb33edf3e295ff028bd18a9028833dda",
"version": 5
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
@@ -1408,8 +1413,8 @@
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.0",
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "15235311ffee1cf2973283364bc89d87f4c5cf3b53bcfc10448c7af106a7f383",
"version": 2
"sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832",
"version": 3
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
@@ -1506,8 +1511,8 @@
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "b7108f02310adf65cd5788774647644755ebe672e8bb53aa2be115338fa80da3",
"version": 1
"sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e",
"version": 2
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
@@ -1690,8 +1695,8 @@
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "93fb092a27b030f89e8c30342d19c565a157fd830768461905c8aaade93a24ce",
"version": 1
"sha256": "24464f1301483fc0c282bda7bcb95105795ae33fc1f9c27ebad8c2633fe03af6",
"version": 2
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
@@ -1761,8 +1766,8 @@
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "57953cee8db2f39ea676b8cb8ebd4419d0e6147dc1c12c4750e5995b0d7794fa",
"version": 4
"sha256": "01a251c96e82a87e563dfaf1263d2a3646c9323638da1fadd54993b0da087d1a",
"version": 5
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Command Prompt Network Connection",
@@ -1822,8 +1827,8 @@
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "314d9edaa3b6514c606e7542ce9913e3b0dde35897bb2a42cd4dde5e4629188b",
"version": 5
"sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b",
"version": 6
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -1842,8 +1847,8 @@
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "40ca32414f8638d2f2938e5351e614e11eecc6d500735380d50c5fbbe18c762f",
"version": 1
"sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e",
"version": 2
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
@@ -1877,8 +1882,8 @@
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "a8934713ab65c577a096044395867098064056126c593d47d0d0f441f6d961f1",
"version": 6
"sha256": "0fe0766cef30ef7f13a641148fc5a4d89c691158770233026342921f02e6b0bd",
"version": 7
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
@@ -1922,8 +1927,8 @@
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "57f3b1d080ff467de12e14aa6f5aa59d3def291a8da36c8fdc485084e200889a",
"version": 4
"sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65",
"version": 5
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.0",
@@ -1950,8 +1955,8 @@
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "73d69ad8db402c30d7757ba2ed5bd2a7c3aa182a2bdf601f3a6c968bfb8d0f3a",
"version": 1
"sha256": "a9d0adef2ea58481a1500782645964ae1514d39bec94471128be69c318e49ab4",
"version": 2
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
@@ -1995,8 +2000,8 @@
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "d5521e95aff90c5392494d06246dc1d72ea9bbb4e1f5a1ae37fe29756cc77f29",
"version": 4
"sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef",
"version": 5
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
@@ -2025,8 +2030,8 @@
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "c51ed24a67a2dee5ef5e778e2fb2960fc5a7a8b03c931ad0942691f1dc37c823",
"version": 2
"sha256": "34e37a8d16f99007d21007aa800c2fc54f0de699490e0b9be262f91735376854",
"version": 3
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "7.14.0",
@@ -2046,8 +2051,8 @@
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "56621bdde7460e7002b91b6599ca2b6ea6fe1ceb56d0131d5881bf527e9c8812",
"version": 3
"sha256": "e42d1f11048885170aa1c334ea460e06ecf2fd17585fbf040805fb33714bb0bf",
"version": 4
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"rule_name": "Persistence via WMI Event Subscription",
@@ -2114,6 +2119,11 @@
"sha256": "03ea09bf741f0864cbfcd01045657c731176e2cb81f0a022f61644e68e543e95",
"version": 1
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
"sha256": "8ca3cc529b90e43084ed7e700fdb9909e21585b9856284780c92bb4d7493c348",
"version": 1
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b",
@@ -2229,8 +2239,8 @@
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "bee08942fb6982046be076d88c6640400f97eb29a2f2c4f594e16f4fc18793a9",
"version": 3
"sha256": "09f364282ecc1369272d232ea563722f124c9be5636ae2c9bcbfd6821f8721b7",
"version": 4
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
@@ -2292,8 +2302,8 @@
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "6607ad18f48b672374029386caeccf0434b055d0ad1b6d035704d773bf06c169",
"version": 4
"sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1",
"version": 5
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential SSH Brute Force Detected",
@@ -2325,8 +2335,8 @@
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "e02ae67b6c66cfc725340e822acb44653e568a7c1b55eb13818f26c296c0e0c2",
"version": 3
"sha256": "357d02c45f3021968f8a30e2a4a9c4f8756fc98f2a06c67e1b05cad44efe8ec0",
"version": 4
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
@@ -2340,8 +2350,8 @@
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "1991289eb30b8232cdc4f6c197a93050601db6490831884cb41669e3c91b1f0c",
"version": 9
"sha256": "f0210dc49e358f7039b60f9f0ff7b2339cf65c5cfeda0b549e0dcd4e0071888c",
"version": 10
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
@@ -2410,8 +2420,8 @@
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "a009ff3ab4c85e8aed1731545a96eb1a380cf0927bdbc9a6838aae79a83803e0",
"version": 10
"sha256": "1232ea6310a97df413022bbeba916d1067e8d6a7e9e5910df9f95ac3a1631575",
"version": 11
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
@@ -2450,8 +2460,8 @@
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "48033f00317b95d1da86910a9dab3762505133df9f57dbf96a0b2c8655d3a398",
"version": 1
"sha256": "d7cab2144989c107af3b92511c7d537f09bd71feea642b68bf1618580999ca4f",
"version": 2
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "7.13.0",
@@ -2461,8 +2471,8 @@
},
"b9960fef-82c6-4816-befa-44745030e917": {
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "e52aa6f4635077b0b0a9044b61f8d454c17dd5f54748c41ccd6624d79937daf4",
"version": 3
"sha256": "fb5ff8beabd1977f3f402a145b5142fb38ebfc46926df7ef1830d696692d8897",
"version": 4
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
@@ -2521,13 +2531,13 @@
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "18faa21bc0f6c818f73f17476196b45b9c3f95e45e55141708245a7f21667c2e",
"version": 2
"sha256": "199201b60e09a340510fcf44f7d7e6a585f9994694d4aa9733417311eef15edd",
"version": 3
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "21294393322c72a5945721897592b4efd0dc6745d42a1d6a33492120398d13fb",
"version": 2
"sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9",
"version": 3
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
@@ -2626,8 +2636,8 @@
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "149405dd2024aad261ec86a37585f075c5015e970b659ce9a3c4767e414494b0",
"version": 1
"sha256": "90f5901627a5d6c6563a83d379a323230fbdff1ea541807afe7fea4660970e01",
"version": 2
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"rule_name": "Installation of Custom Shim Databases",
@@ -2712,8 +2722,8 @@
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "cdfd1a33f452b52a351411d7c67ed22dd4013559dc4b494576b0b28d0345725f",
"version": 3
"sha256": "df47026f246008b97ac1129190ed1ad88a0f5ee9e13f9740f947380078db82a8",
"version": 4
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
@@ -2838,8 +2848,8 @@
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "67cfb91d3d8841c32d03177a3739af0c3715b1fd530dcb0ed114e0a0eb326dba",
"version": 1
"sha256": "bf42a9a4a18efc72f87194d38872a565e6a5bf75e6baeef8789293f6854950f0",
"version": 2
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
@@ -2853,8 +2863,8 @@
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "515c784dacfb480ab4a0a07292d06bfb7063d53a9d59e41d95eccd5d92f388f2",
"version": 2
"sha256": "ee9768020aceeec742747d02c10584b87657ba6490ddcff4553dd8fc8a23a58e",
"version": 3
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
@@ -2889,8 +2899,8 @@
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "7e6ec76881a3e6c716f2b9eebc74918276be1c71040dece25601d337b6ce68ed",
"version": 3
"sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9",
"version": 4
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
@@ -3000,8 +3010,8 @@
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "a6ad52049db17556bce016b8cdc6ffd9a9cb311bc45bfbcabe972cf30456f3e7",
"version": 1
"sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029",
"version": 2
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
@@ -3084,8 +3094,8 @@
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "94f3ca8052551b024507d2e9bb51c49b7efecf2ea678d4bc1978a5b414e586ae",
"version": 1
"sha256": "cac862ac2f6933ac4a3b016aed2ec100b670ab49ab3d148e57a4f2af8f4b10bd",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
@@ -3192,13 +3202,13 @@
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "06690c0658d2dd465f3f42e62ce6289924edceaa79f26b4aca756c585acfaa13",
"version": 9
"sha256": "8151b1deb537fd602fd988f92448e6eef5ff8ecce725851068f3338f4de8a95e",
"version": 10
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
"sha256": "1cc2a5b975de38886990ead87582065b5b8c7f032d3034372cf255ffc0fe7329",
"version": 3
"sha256": "12abcbd73be1245f4c4a087b27c82ce94378f2a0372631b3391c8cf696e7cefa",
"version": 4
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -3217,8 +3227,8 @@
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "e6431faeb13e0c445d52839605d6ccdce90be6b7f2183d040acae6bb5c66b434",
"version": 1
"sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9",
"version": 2
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
@@ -3302,8 +3312,8 @@
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "0bd82ae0595d90f291e7c8ad80cb1f93a0d28033c0bb861c4d3b2ca232374bb1",
"version": 2
"sha256": "58881af4b4b5bc650329bddcf9a241e080d105eca0fc158b58ae94fe71c8e753",
"version": 3
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
@@ -3332,8 +3342,8 @@
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "f0a670474705007080338bcdc2ff9dec4c682a56928d8d3979de42ce067eb005",
"version": 1
"sha256": "75b2fa37eba863b363c80a411d125c57fe44e72971aec6689befafaf53212bea",
"version": 2
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
@@ -3352,8 +3362,8 @@
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
"sha256": "b761a0e62dcf8f650c42dfe807fb62f206efcaa299a68b1f3fb443e3158840d7",
"version": 1
"sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110",
"version": 2
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"rule_name": "LSASS Memory Dump Creation",
@@ -3392,8 +3402,8 @@
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "1b97736892e78fbfe77574ada29decaab3531656dda142d994201283b043d5de",
"version": 2
"sha256": "841cadac1dd3470f4549689e834749aef7cee102c1ab901ea1e65ea87af475d6",
"version": 3
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
@@ -3432,8 +3442,8 @@
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "ea7696c0651daa59c6f9be7cac0c892bafc24c18fbeb881eeab4f4d2dd4cc751",
"version": 2
"sha256": "0533f464fc056492b1be7563a334064ed3a94794b0fc726a8f6c58af99f3fc69",
"version": 3
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux System Network Configuration Discovery",
@@ -3452,8 +3462,8 @@
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
"sha256": "3d038f9ff917769a14a4b725d0b29f1c7cb63e552144f2969e4dff1c77089b75",
"version": 9
"sha256": "cdee88e91070d7a8c85aaec9d595418a9392d5e0a0a561789d4a51234aa790c8",
"version": 10
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
@@ -3487,8 +3497,8 @@
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "bb76fcc217e41bd48148eebf78438baeb8f5052ddfbce1cdd316a589d6b5d4a2",
"version": 1
"sha256": "96e700cedbd912428d2141285aeb62d039ba2b0ef593f70f72c0faaca1896dd4",
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"rule_name": "MS Office Macro Security Registry Modifications",