From 76f3ff10744b1af81f96793c2ea7bba56ea2072a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 16 Feb 2022 08:25:31 -0900
Subject: [PATCH] Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781)

* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1

(cherry picked from commit 5e073af69d062c9fd996283196e5d695734217d8)
---
 etc/version.lock.json | 276 ++++++++++++++++++++++--------------------
 1 file changed, 143 insertions(+), 133 deletions(-)

diff --git a/etc/version.lock.json b/etc/version.lock.json
index 233e57384..90a510098 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -148,8 +148,8 @@
 "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
 "min_stack_version": "8.0",
 "rule_name": "Threat Intel Indicator Match",
- "sha256": "644597db423c57ceb689e808957d7850f1838b69d883630234f110141c63606f",
- "version": 2
+ "sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718",
+ "version": 3
 },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
 "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
@@ -189,8 +189,8 @@
 "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
 "min_stack_version": "7.14.0",
 "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
- "sha256": "ff67dcfa3dda984af29cc41ece885de00bd48128fed28a3a8ef4e298d83e43b8",
- "version": 1
+ "sha256": "549215ea3a624085dcc50282089306cd1d82418bedb7612fff262a1adde0d33c",
+ "version": 2
 },
 "0ff84c42-873d-41a2-a4ed-08d74d352d01": {
 "rule_name": "Privilege Escalation via Root Crontab File Modification",
@@ -280,13 +280,13 @@
 },
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "rule_name": "Potential Persistence via Time Provider Modification",
- "sha256": "8817ddfdb38379b4031a751743514e46c8a4e608c68ea79adf13a6aa11a09b2d",
- "version": 1
+ "sha256": "16e54b31547c5f1dc1b16ad82368432904753d296f9df8aa69d20c61d4d9b3e1",
+ "version": 2
 },
 "15a8ba77-1c13-4274-88fe-6bd14133861e": {
 "rule_name": "Scheduled Task Execution at Scale via GPO",
- "sha256": "e1d80d9e27fd401af4a1b5d71ca3c873fb759d8583008989b4a228c6df687655",
- "version": 1
+ "sha256": "33fa48cfd6c384e6dcf0a5af2d62090fd89307e136c5ef798efbe745e8324466",
+ "version": 2
 },
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
@@ -315,13 +315,13 @@
 },
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "rule_name": "Component Object Model Hijacking",
- "sha256": "8ca91c7053d3f30c2c76188da11648bbc94aa5c68e2288ceaee0e6d942535fcf",
- "version": 5
+ "sha256": "975fcc9572e8117b283322c180c833044bcd17bf6caf3fb3758f1b06c6c48351",
+ "version": 6
 },
 "16fac1a1-21ee-4ca6-b720-458e3855d046": {
 "rule_name": "Startup/Logon Script added to Group Policy Object",
- "sha256": "d4ae959f9ad85bcd8081e151eaf495d1b1e6297723b6b7cfecee70697ae4d9ad",
- "version": 1
+ "sha256": "2efc5fbfcc942c4b9524b11fc28cd6e721a37c7c5c1936c95b9361a2d0a15622",
+ "version": 2
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "rule_name": "Unusual Windows Username",
@@ -420,8 +420,8 @@
 },
 "1d72d014-e2ab-4707-b056-9b96abe7b511": {
 "rule_name": "External IP Lookup from Non-Browser Process",
- "sha256": "1751fff36bc2849d6ead1fa2d8574e3ee837344e605318329e54ae45f989b25e",
- "version": 6
+ "sha256": "713f215dd72eac1c0676cf847d9f30d87ba3c2ff376db9f225c99d4433c1eb02",
+ "version": 7
 },
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
@@ -560,8 +560,8 @@
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Net command via SYSTEM account",
- "sha256": "9edf6f050f8563bcf0dbd301c61100d160969829b5cbdbd7c90872555d44ea25",
- "version": 8
+ "sha256": "5e35b7ace9af65eee277e440fbb6659768d0caf5ab49a5179222cde8b4410fa1",
+ "version": 9
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Elastic Endgame",
@@ -590,8 +590,8 @@
 },
 "291a0de9-937a-4189-94c0-3e847c8b13e4": {
 "rule_name": "Enumeration of Privileged Local Groups Membership",
- "sha256": "b94f034710f0bd4a1c9a3ba74dec7f2dcd74ac6997dd532f8a2fc96eb2589faa",
- "version": 1
+ "sha256": "10a0ac7664c24449518000fd745408481a284e5530621bcb46bd09274cb30517",
+ "version": 2
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Adobe Hijack Persistence",
@@ -625,8 +625,8 @@
 },
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "rule_name": "Potential Process Injection via PowerShell",
- "sha256": "5ca7f98d19a4d9431200fdb6eba8a591bb202717b60a130137f203d98c24cf21",
- "version": 2
+ "sha256": "9a94bd09a73f383701fd95cad27beec422c1ffddbfe186463b5fa61733bb2d16",
+ "version": 3
 },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "rule_name": "Halfbaked Command and Control Beacon",
@@ -645,8 +645,8 @@
 },
 "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
- "sha256": "877044d765d5091e0cefc0b0db367a269916db834ea839d61af7965d888d5611",
- "version": 3
+ "sha256": "d7898ac8939e5614c533f409847a25d00fa7b6de74838a8d8c8c62f4825b7e18",
+ "version": 4
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
@@ -660,8 +660,8 @@
 },
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "rule_name": "Windows Defender Disabled via Registry Modification",
- "sha256": "01d70504b5d20ab8b24b2e860abb3d61cc09c6bcab622240c677ae3f5733f5b1",
- "version": 3
+ "sha256": "96d60aedac6a331445e99ddf32dc6532401ff7ce7eeeaa45b07121449be5e805",
+ "version": 4
 },
 "30562697-9859-4ae0-a8c5-dab45d664170": {
 "rule_name": "GCP Firewall Rule Creation",
@@ -671,8 +671,8 @@
 "3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
 "min_stack_version": "7.15.0",
 "rule_name": "Agent Spoofing - Mismatched Agent ID",
- "sha256": "64619f9caffb2d5207658b5ddb16c86462b4c19c8567280b74c5191166c42a25",
- "version": 1
+ "sha256": "cb10ec3e256bf22234266e706b1f392088ccf60b2e48ea27893d6b4eb27a2e8b",
+ "version": 2
 },
 "31295df3-277b-4c56-a1fb-84e31b4222a9": {
 "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
@@ -731,8 +731,8 @@
 },
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "rule_name": "Port Forwarding Rule Addition",
- "sha256": "0cee3eae7a950faf73452b2022d6ec9980dcce503a5247c6d9b74a28f2a862f9",
- "version": 4
+ "sha256": "9686d00619c4eda20f8030f22542ba81410c031fa79e8a87712bd72e22b5d96b",
+ "version": 5
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
@@ -746,8 +746,8 @@
 },
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "rule_name": "Suspicious ImagePath Service Creation",
- "sha256": "922ec3de8ec673c8094683d428592de1ad4d44af9afd45caa9a4cf8b0e7289eb",
- "version": 3
+ "sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee",
+ "version": 4
 },
 "378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
 "rule_name": "AWS RDS Security Group Creation",
@@ -877,8 +877,8 @@
 },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "0ec360815683ac95dccca9d337385dfc1389dd03b5d923f929ab310a2a3c8ad0",
- "version": 4
+ "sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01",
+ "version": 5
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "rule_name": "Control Panel Process with Unusual Arguments",
@@ -973,8 +973,8 @@
 "493834ca-f861-414c-8602-150d5505b777": {
 "min_stack_version": "7.15.0",
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
- "sha256": "f8e4481e5c38326daea5818415a4f06be1da64247686974940283c6b7a31f81f",
- "version": 1
+ "sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0",
+ "version": 2
 },
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -1028,8 +1028,8 @@
 },
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "a18109b668acb88d44b78365be64838b14a3144532e52ed72211806b193cc789",
- "version": 3
+ "sha256": "e573874c887d52298c8c9a8f0ca2e19769f649bd1b4b36f98aed5a4919ec6c6e",
+ "version": 4
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
@@ -1088,12 +1088,17 @@
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "e7c699725084ca5652b0fa7e6fb0e9ed2d8d82dff4ffba0ef2ab3bffb24c8e09",
- "version": 4
+ "sha256": "063beeef24d261da01edbbeeaee92572fb436a31d690472418d40c46a6209d50",
+ "version": 5
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "53f0078220668a3e1693b3799b20e79a69c961485f0981c0fefdcb35a4bbad7b",
+ "sha256": "d7dd9478ea6adaad5568eb2f70c33bc6ce44da0e2a6867f38c5ff48086311669",
+ "version": 2
+ },
+ "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
+ "rule_name": "Windows Service Installed via an Unusual Client",
+ "sha256": "08df11e0b47db88dd1ea0c975775244bb561f4eedb48f626f65b3d8d51eff4e3",
 "version": 1
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
@@ -1123,8 +1128,8 @@
 },
 "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
 "rule_name": "PowerShell PSReflect Script",
- "sha256": "86329a97344d57daff770fd9195eb9f6991826eb7630f321cdc1631692abebca",
- "version": 1
+ "sha256": "9c17e951b973ee2ca613cc870ce1e0276513c1acef9546f7f7264e2c71c48a41",
+ "version": 2
 },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "rule_name": "VNC (Virtual Network Computing) from the Internet",
@@ -1143,8 +1148,8 @@
 },
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "rule_name": "PowerShell MiniDump Script",
- "sha256": "1ce48872d69315c8737dbfaad85cfbfafeb6605864d782c1e3d5ce01a7c6d29f",
- "version": 4
+ "sha256": "105c3f90085d4af397d4adccf7e48445bb28c785e46cd84cefc25720ab8b2b27",
+ "version": 5
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1153,8 +1158,8 @@
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "rule_name": "RDP Enabled via Registry",
- "sha256": "205f152264f976a03a9a96a5fadff7e2e6e2e6c62aaece1df3205b7fcc644305",
- "version": 4
+ "sha256": "671a71d6221cf597294f3a2384e29d5a828ffa9b490776ade78495b7180fa810",
+ "version": 5
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "rule_name": "Zoom Meeting with no Passcode",
@@ -1168,8 +1173,8 @@
 },
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "c4966675fed8b27f672aca65ba0bac58e7c0b6d3f47cfc4805b4d1b9a95e4bba",
- "version": 1
+ "sha256": "c321fa60ddbbe7f3e8b0914a43379c5eacaee6c4c0b9c399fe46481d47c446f2",
+ "version": 2
 },
 "5930658c-2107-4afc-91af-e0e55b7f7184": {
 "rule_name": "O365 Email Reported by User as Malware or Phish",
@@ -1278,8 +1283,8 @@
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "00b90b0ba27de6d77f053e3242f675290c5e1ed3b05fafe8db72007267abd075",
- "version": 3
+ "sha256": "2996a4fab8119ba85417d7826967b9135cbefceaa7cb3c8cfcb0183f0d9f92b8",
+ "version": 4
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -1308,8 +1313,8 @@
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
- "sha256": "9ad6dc163992a21c58bb77d8738169cdbae4dd13bda4ef4afc98c4c21326f5f9",
- "version": 1
+ "sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
+ "version": 2
 },
 "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
 "rule_name": "Attempt to Mount SMB Share via Command Line",
@@ -1323,8 +1328,8 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "75262fa3fdb8bf3a911f98cd5eaaa2ba57b2d538692b1b002372f00a8534219b",
- "version": 6
+ "sha256": "f27800e26f498a07905f3f25d836d4d3234e564f7ff4aacb4e3778b7155475db",
+ "version": 7
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
 "rule_name": "Suspicious macOS MS Office Child Process",
@@ -1338,8 +1343,8 @@
 },
 "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
 "rule_name": "O365 Mailbox Audit Logging Bypass",
- "sha256": "160bfa9db1e328fb3835851bf40e9d43c7f8553adaf8b426db137604d0862649",
- "version": 2
+ "sha256": "9fc4ef03c57ceb4080449f8f6db2e2054bae6343b79b340c3b462697cb756abb",
+ "version": 3
 },
 "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
 "rule_name": "Attempt to Revoke Okta API Token",
@@ -1359,8 +1364,8 @@
 "6839c821-011d-43bd-bd5b-acff00257226": {
 "min_stack_version": "7.13.0",
 "rule_name": "Image File Execution Options Injection",
- "sha256": "cb9f8ab520ca0272536e6f61744c52bd7dae188a52f40d4587e9c233786de795",
- "version": 4
+ "sha256": "6f3da8f7ad3053933ead97d9f24027defb33edf3e295ff028bd18a9028833dda",
+ "version": 5
 },
 "684554fc-0777-47ce-8c9b-3d01f198d7f8": {
 "rule_name": "New or Modified Federation Domain",
@@ -1408,8 +1413,8 @@
 "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
 "min_stack_version": "8.0",
 "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
- "sha256": "15235311ffee1cf2973283364bc89d87f4c5cf3b53bcfc10448c7af106a7f383",
- "version": 2
+ "sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832",
+ "version": 3
 },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
@@ -1506,8 +1511,8 @@
 },
 "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
 "rule_name": "Persistence via WMI Standard Registry Provider",
- "sha256": "b7108f02310adf65cd5788774647644755ebe672e8bb53aa2be115338fa80da3",
- "version": 1
+ "sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e",
+ "version": 2
 },
 "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
 "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
@@ -1690,8 +1695,8 @@
 },
 "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
 "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
- "sha256": "93fb092a27b030f89e8c30342d19c565a157fd830768461905c8aaade93a24ce",
- "version": 1
+ "sha256": "24464f1301483fc0c282bda7bcb95105795ae33fc1f9c27ebad8c2633fe03af6",
+ "version": 2
 },
 "827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
 "rule_name": "Apple Scripting Execution with Administrator Privileges",
@@ -1761,8 +1766,8 @@
 },
 "897dc6b5-b39f-432a-8d75-d3730d50c782": {
 "rule_name": "Kerberos Traffic from Unusual Process",
- "sha256": "57953cee8db2f39ea676b8cb8ebd4419d0e6147dc1c12c4750e5995b0d7794fa",
- "version": 4
+ "sha256": "01a251c96e82a87e563dfaf1263d2a3646c9323638da1fadd54993b0da087d1a",
+ "version": 5
 },
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "rule_name": "Command Prompt Network Connection",
@@ -1822,8 +1827,8 @@
 },
 "8c81e506-6e82-4884-9b9a-75d3d252f967": {
 "rule_name": "Potential SharpRDP Behavior",
- "sha256": "314d9edaa3b6514c606e7542ce9913e3b0dde35897bb2a42cd4dde5e4629188b",
- "version": 5
+ "sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b",
+ "version": 6
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -1842,8 +1847,8 @@
 },
 "8f3e91c7-d791-4704-80a1-42c160d7aa27": {
 "rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
- "sha256": "40ca32414f8638d2f2938e5351e614e11eecc6d500735380d50c5fbbe18c762f",
- "version": 1
+ "sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e",
+ "version": 2
 },
 "8f919d4b-a5af-47ca-a594-6be59cd924a4": {
 "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
@@ -1877,8 +1882,8 @@
 },
 "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
 "rule_name": "GCP Virtual Private Cloud Route Creation",
- "sha256": "a8934713ab65c577a096044395867098064056126c593d47d0d0f441f6d961f1",
- "version": 6
+ "sha256": "0fe0766cef30ef7f13a641148fc5a4d89c691158770233026342921f02e6b0bd",
+ "version": 7
 },
 "91d04cd4-47a9-4334-ab14-084abe274d49": {
 "rule_name": "AWS WAF Access Control List Deletion",
@@ -1922,8 +1927,8 @@
 },
 "93c1ce76-494c-4f01-8167-35edfb52f7b1": {
 "rule_name": "Encoded Executable Stored in the Registry",
- "sha256": "57f3b1d080ff467de12e14aa6f5aa59d3def291a8da36c8fdc485084e200889a",
- "version": 4
+ "sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65",
+ "version": 5
 },
 "93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
 "min_stack_version": "8.0",
@@ -1950,8 +1955,8 @@
 },
 "959a7353-1129-4aa7-9084-30746b256a70": {
 "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
- "sha256": "73d69ad8db402c30d7757ba2ed5bd2a7c3aa182a2bdf601f3a6c968bfb8d0f3a",
- "version": 1
+ "sha256": "a9d0adef2ea58481a1500782645964ae1514d39bec94471128be69c318e49ab4",
+ "version": 2
 },
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "rule_name": "Attempt to Create Okta API Token",
@@ -1995,8 +2000,8 @@
 },
 "97fc44d3-8dae-4019-ae83-298c3015600f": {
 "rule_name": "Startup or Run Key Registry Modification",
- "sha256": "d5521e95aff90c5392494d06246dc1d72ea9bbb4e1f5a1ae37fe29756cc77f29",
- "version": 4
+ "sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef",
+ "version": 5
 },
 "9890ee61-d061-403d-9bf6-64934c51f638": {
 "rule_name": "GCP IAM Service Account Key Deletion",
@@ -2025,8 +2030,8 @@
 },
 "9960432d-9b26-409f-972b-839a959e79e2": {
 "rule_name": "Potential Credential Access via LSASS Memory Dump",
- "sha256": "c51ed24a67a2dee5ef5e778e2fb2960fc5a7a8b03c931ad0942691f1dc37c823",
- "version": 2
+ "sha256": "34e37a8d16f99007d21007aa800c2fc54f0de699490e0b9be262f91735376854",
+ "version": 3
 },
 "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
 "min_stack_version": "7.14.0",
@@ -2046,8 +2051,8 @@
 },
 "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
 "rule_name": "Scheduled Tasks AT Command Enabled",
- "sha256": "56621bdde7460e7002b91b6599ca2b6ea6fe1ceb56d0131d5881bf527e9c8812",
- "version": 3
+ "sha256": "e42d1f11048885170aa1c334ea460e06ecf2fd17585fbf040805fb33714bb0bf",
+ "version": 4
 },
 "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
 "rule_name": "Persistence via WMI Event Subscription",
@@ -2114,6 +2119,11 @@
 "sha256": "03ea09bf741f0864cbfcd01045657c731176e2cb81f0a022f61644e68e543e95",
 "version": 1
 },
+ "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
+ "rule_name": "Potential Credential Access via DCSync",
+ "sha256": "8ca3cc529b90e43084ed7e700fdb9909e21585b9856284780c92bb4d7493c348",
+ "version": 1
+ },
 "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
 "rule_name": "File Permission Modification in Writable Directory",
 "sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b",
@@ -2229,8 +2239,8 @@
 },
 "a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
 "rule_name": "Persistence via Hidden Run Key Detected",
- "sha256": "bee08942fb6982046be076d88c6640400f97eb29a2f2c4f594e16f4fc18793a9",
- "version": 3
+ "sha256": "09f364282ecc1369272d232ea563722f124c9be5636ae2c9bcbfd6821f8721b7",
+ "version": 4
 },
 "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
 "rule_name": "IPSEC NAT Traversal Port Activity",
@@ -2292,8 +2302,8 @@
 },
 "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
 "rule_name": "Potential Command and Control via Internet Explorer",
- "sha256": "6607ad18f48b672374029386caeccf0434b055d0ad1b6d035704d773bf06c169",
- "version": 4
+ "sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1",
+ "version": 5
 },
 "ace1e989-a541-44df-93a8-a8b0591b63c0": {
 "rule_name": "Potential SSH Brute Force Detected",
@@ -2325,8 +2335,8 @@
 },
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
- "sha256": "e02ae67b6c66cfc725340e822acb44653e568a7c1b55eb13818f26c296c0e0c2",
- "version": 3
+ "sha256": "357d02c45f3021968f8a30e2a4a9c4f8756fc98f2a06c67e1b05cad44efe8ec0",
+ "version": 4
 },
 "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
 "rule_name": "Kerberos Cached Credentials Dumping",
@@ -2340,8 +2350,8 @@
 },
 "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
 "rule_name": "Local Scheduled Task Creation",
- "sha256": "1991289eb30b8232cdc4f6c197a93050601db6490831884cb41669e3c91b1f0c",
- "version": 9
+ "sha256": "f0210dc49e358f7039b60f9f0ff7b2339cf65c5cfeda0b549e0dcd4e0071888c",
+ "version": 10
 },
 "b0046934-486e-462f-9487-0d4cf9e429c6": {
 "rule_name": "Timestomping using Touch Command",
@@ -2410,8 +2420,8 @@
 },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
- "sha256": "a009ff3ab4c85e8aed1731545a96eb1a380cf0927bdbc9a6838aae79a83803e0",
- "version": 10
+ "sha256": "1232ea6310a97df413022bbeba916d1067e8d6a7e9e5910df9f95ac3a1631575",
+ "version": 11
 },
 "b64b183e-1a76-422d-9179-7b389513e74d": {
 "rule_name": "Windows Script Interpreter Executing Process via WMI",
@@ -2450,8 +2460,8 @@
 },
 "b9554892-5e0e-424b-83a0-5aef95aa43bf": {
 "rule_name": "Group Policy Abuse for Privilege Addition",
- "sha256": "48033f00317b95d1da86910a9dab3762505133df9f57dbf96a0b2c8655d3a398",
- "version": 1
+ "sha256": "d7cab2144989c107af3b92511c7d537f09bd71feea642b68bf1618580999ca4f",
+ "version": 2
 },
 "b9666521-4742-49ce-9ddc-b8e84c35acae": {
 "min_stack_version": "7.13.0",
@@ -2461,8 +2471,8 @@
 },
 "b9960fef-82c6-4816-befa-44745030e917": {
 "rule_name": "SolarWinds Process Disabling Services via Registry",
- "sha256": "e52aa6f4635077b0b0a9044b61f8d454c17dd5f54748c41ccd6624d79937daf4",
- "version": 3
+ "sha256": "fb5ff8beabd1977f3f402a145b5142fb38ebfc46926df7ef1830d696692d8897",
+ "version": 4
 },
 "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
 "rule_name": "Unusual Windows Network Activity",
@@ -2521,13 +2531,13 @@
 },
 "bd2c86a0-8b61-4457-ab38-96943984e889": {
 "rule_name": "PowerShell Keylogging Script",
- "sha256": "18faa21bc0f6c818f73f17476196b45b9c3f95e45e55141708245a7f21667c2e",
- "version": 2
+ "sha256": "199201b60e09a340510fcf44f7d7e6a585f9994694d4aa9733417311eef15edd",
+ "version": 3
 },
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
- "sha256": "21294393322c72a5945721897592b4efd0dc6745d42a1d6a33492120398d13fb",
- "version": 2
+ "sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9",
+ "version": 3
 },
 "bdcf646b-08d4-492c-870a-6c04e3700034": {
 "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
@@ -2626,8 +2636,8 @@
 },
 "c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
 "rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
- "sha256": "149405dd2024aad261ec86a37585f075c5015e970b659ce9a3c4767e414494b0",
- "version": 1
+ "sha256": "90f5901627a5d6c6563a83d379a323230fbdff1ea541807afe7fea4660970e01",
+ "version": 2
 },
 "c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
 "rule_name": "Installation of Custom Shim Databases",
@@ -2712,8 +2722,8 @@
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "cdfd1a33f452b52a351411d7c67ed22dd4013559dc4b494576b0b28d0345725f",
- "version": 3
+ "sha256": "df47026f246008b97ac1129190ed1ad88a0f5ee9e13f9740f947380078db82a8",
+ "version": 4
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
@@ -2838,8 +2848,8 @@
 },
 "d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "67cfb91d3d8841c32d03177a3739af0c3715b1fd530dcb0ed114e0a0eb326dba",
- "version": 1
+ "sha256": "bf42a9a4a18efc72f87194d38872a565e6a5bf75e6baeef8789293f6854950f0",
+ "version": 2
 },
 "d2053495-8fe7-4168-b3df-dad844046be3": {
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
@@ -2853,8 +2863,8 @@
 },
 "d31f183a-e5b1-451b-8534-ba62bca0b404": {
 "rule_name": "Disabling User Account Control via Registry Modification",
- "sha256": "515c784dacfb480ab4a0a07292d06bfb7063d53a9d59e41d95eccd5d92f388f2",
- "version": 2
+ "sha256": "ee9768020aceeec742747d02c10584b87657ba6490ddcff4553dd8fc8a23a58e",
+ "version": 3
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
@@ -2889,8 +2899,8 @@
 },
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "rule_name": "Privilege Escalation via Windir Environment Variable",
- "sha256": "7e6ec76881a3e6c716f2b9eebc74918276be1c71040dece25601d337b6ce68ed",
- "version": 3
+ "sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9",
+ "version": 4
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
 "rule_name": "Attempt to Delete an Okta Policy Rule",
@@ -3000,8 +3010,8 @@
 },
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "rule_name": "NullSessionPipe Registry Modification",
- "sha256": "a6ad52049db17556bce016b8cdc6ffd9a9cb311bc45bfbcabe972cf30456f3e7",
- "version": 1
+ "sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029",
+ "version": 2
 },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "rule_name": "Unusual Child Process from a System Virtual Process",
@@ -3084,8 +3094,8 @@
 },
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "rule_name": "Suspicious .NET Reflection via PowerShell",
- "sha256": "94f3ca8052551b024507d2e9bb51c49b7efecf2ea678d4bc1978a5b414e586ae",
- "version": 1
+ "sha256": "cac862ac2f6933ac4a3b016aed2ec100b670ab49ab3d148e57a4f2af8f4b10bd",
+ "version": 2
 },
 "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
 "rule_name": "AWS Management Console Root Login",
@@ -3192,13 +3202,13 @@
 },
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "rule_name": "Service Control Spawned via Script Interpreter",
- "sha256": "06690c0658d2dd465f3f42e62ce6289924edceaa79f26b4aca756c585acfaa13",
- "version": 9
+ "sha256": "8151b1deb537fd602fd988f92448e6eef5ff8ecce725851068f3338f4de8a95e",
+ "version": 10
 },
 "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
 "rule_name": "Installation of Security Support Provider",
- "sha256": "1cc2a5b975de38886990ead87582065b5b8c7f032d3034372cf255ffc0fe7329",
- "version": 3
+ "sha256": "12abcbd73be1245f4c4a087b27c82ce94378f2a0372631b3391c8cf696e7cefa",
+ "version": 4
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -3217,8 +3227,8 @@
 },
 "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
 "rule_name": "Potential LSA Authentication Package Abuse",
- "sha256": "e6431faeb13e0c445d52839605d6ccdce90be6b7f2183d040acae6bb5c66b434",
- "version": 1
+ "sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9",
+ "version": 2
 },
 "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
 "rule_name": "Azure Automation Webhook Created",
@@ -3302,8 +3312,8 @@
 },
 "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
 "rule_name": "Unusual Print Spooler Child Process",
- "sha256": "0bd82ae0595d90f291e7c8ad80cb1f93a0d28033c0bb861c4d3b2ca232374bb1",
- "version": 2
+ "sha256": "58881af4b4b5bc650329bddcf9a241e080d105eca0fc158b58ae94fe71c8e753",
+ "version": 3
 },
 "eea82229-b002-470e-a9e1-00be38b14d32": {
 "rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
@@ -3332,8 +3342,8 @@
 },
 "f0bc081a-2346-4744-a6a4-81514817e888": {
 "rule_name": "Azure Alert Suppression Rule Created or Modified",
- "sha256": "f0a670474705007080338bcdc2ff9dec4c682a56928d8d3979de42ce067eb005",
- "version": 1
+ "sha256": "75b2fa37eba863b363c80a411d125c57fe44e72971aec6689befafaf53212bea",
+ "version": 2
 },
 "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
 "rule_name": "Execution with Explicit Credentials via Scripting",
@@ -3352,8 +3362,8 @@
 },
 "f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
 "rule_name": "SIP Provider Modification",
- "sha256": "b761a0e62dcf8f650c42dfe807fb62f206efcaa299a68b1f3fb443e3158840d7",
- "version": 1
+ "sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110",
+ "version": 2
 },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "rule_name": "LSASS Memory Dump Creation",
@@ -3392,8 +3402,8 @@
 },
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "1b97736892e78fbfe77574ada29decaab3531656dda142d994201283b043d5de",
- "version": 2
+ "sha256": "841cadac1dd3470f4549689e834749aef7cee102c1ab901ea1e65ea87af475d6",
+ "version": 3
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
@@ -3432,8 +3442,8 @@
 },
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "rule_name": "Modification of AmsiEnable Registry Key",
- "sha256": "ea7696c0651daa59c6f9be7cac0c892bafc24c18fbeb881eeab4f4d2dd4cc751",
- "version": 2
+ "sha256": "0533f464fc056492b1be7563a334064ed3a94794b0fc726a8f6c58af99f3fc69",
+ "version": 3
 },
 "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
 "rule_name": "Unusual Linux System Network Configuration Discovery",
@@ -3452,8 +3462,8 @@
 },
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "rule_name": "Network Connection via Registration Utility",
- "sha256": "3d038f9ff917769a14a4b725d0b29f1c7cb63e552144f2969e4dff1c77089b75",
- "version": 9
+ "sha256": "cdee88e91070d7a8c85aaec9d595418a9392d5e0a0a561789d4a51234aa790c8",
+ "version": 10
 },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "rule_name": "Auditd Max Failed Login Attempts",
@@ -3487,8 +3497,8 @@
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "bb76fcc217e41bd48148eebf78438baeb8f5052ddfbce1cdd316a589d6b5d4a2",
- "version": 1
+ "sha256": "96e700cedbd912428d2141285aeb62d039ba2b0ef593f70f72c0faaca1896dd4",
+ "version": 2
 },
 "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
 "rule_name": "MS Office Macro Security Registry Modifications",