Lock versions for releases: 7.13,7.14,7.15 (#1545)

* Locked versions for releases: 7.13,7.14,7.15

(cherry picked from commit c6ddb44445)
github-actions[bot]
2021-10-13 14:23:26 -08:00
parent 76a60c5ca8
commit 847b08a1bd
+268 -178
@@ -7,19 +7,29 @@
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "7.13.0",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "819b97e921f748a95d389f35f4e7e485b52ee736654131c03752b127d7e0743a",
"version": 4
"sha256": "cbbb5fe38e0d37cf8fed4293739ecbf327d81a48aeb8aa6d2cb69d0aa362731d",
"version": 5
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "606d4f374fc98e99bd86c9ef062bb48f416b10951ed6138c0ff817fabd8c9ed6",
"version": 9
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "014249347355e7f94d184ef92a149ccdaac362ebec04f4f51e80d9368eb0782c",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "1c44db89d3410a06dc61f99dda258376dd4863095c7c858ad1da33d8c582fc2c",
"version": 1
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "4da266f820dc2dba8ed78416db2ea4cad6a8260dacad0552bcfa4f25601a61f8",
"version": 1
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40",
@@ -32,8 +42,8 @@
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "5ccb45d0d495678162da46f277ecfca7343604daaea4564d9fe0884451c7dcf6",
"version": 2
"sha256": "a5417071894f6d1e07147cb4c4ba4712768327afda352ca1bfbc6237b1834431",
"version": 3
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Modification of OpenSSH Binaries",
@@ -47,8 +57,8 @@
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "0f184faf7f0c7af2ea9955885ea9d4a4258cc9d025ed50d265079c466c4ad2cb",
"version": 1
"sha256": "bae7f8ff4ba6ea634982a368fedf0384ba3e9912ae10a1c22dab21a49056cb74",
"version": 2
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -72,13 +82,13 @@
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "ff00a03f7ba5b02d01b5f7890ea3d3039465801d5c3ff943e57cdbc3f9d0bf41",
"version": 7
"sha256": "c481db545277820f57ac0efe04364be82a44271e65b05635d59c07fb0932a535",
"version": 8
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"rule_name": "Remote Desktop Enabled in Windows Firewall",
"sha256": "45c1c0dee9af84917c91545f9845f57dc37d7695a21a743d5c1f73b8ea9fb0d2",
"version": 3
"sha256": "29afef30be0c86eeb8c731c39dbf62b777ed72a65f168c0469f907ed9fd5b801",
"version": 4
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
@@ -107,8 +117,13 @@
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Process Termination followed by Deletion",
"sha256": "1889f7fd920e6989fcbcf7a13004b0cd0b3952f2e9e769f90f808e6385256793",
"version": 2
"sha256": "94e72ce4ad6b954cf01ab7f7a175c472e6936b75e330dec5da7847381fce4224",
"version": 3
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "b8219972b17dded095e28cdfd69085a06332bb11be4b4124d29a76a054750ccb",
"version": 1
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
@@ -125,6 +140,11 @@
"sha256": "499dcd1aa2d62a15f68fa52d95b87511f7f4e14f24ffe83babb3e72e990ff81d",
"version": 3
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "88ba94c428250342f829c23c844e0d491354bb5b845c5a8caf1bdc92ab3faeca",
"version": 1
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "4e12ac0fb84fd0825957284198b6a6419d7164c0a4bf84a19836ffe7a3839c86",
@@ -142,8 +162,8 @@
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "833b8ac407769d2ff54b29c503522466b5ea212d0aff6d04f30865dce0e4b597",
"version": 7
"sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15",
"version": 8
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
@@ -162,8 +182,8 @@
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "bad712c7e3bf95a043fc2871cebcdd450fea6a3b005d3146372539993ba11f21",
"version": 4
"sha256": "c42302d38db5185ee51e15b0f8e51a0876b04ac1faf813bf4cc194331622f2e9",
"version": 5
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
@@ -177,7 +197,12 @@
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "68f44e7c9ac63e164010178bf95b4e93cc0dabf879694165d36cc8a9b83dcd8a",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"version": 2
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "637411a6c598e26e6158b7f367b37e4ef4c20c2f833cb4adaa2d9866c2662e3b",
"version": 1
},
"12051077-0124-4394-9522-8f4f4db1d674": {
@@ -202,14 +227,14 @@
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "efd7d2aa298941d3d4d452f08ace97c0c6a5bd2a26f9da698d06bae893f899e8",
"version": 1
"sha256": "7b02935da719949670e9b9601000c344b1f818124e52ac762cf52c3df244806a",
"version": 2
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "7.14.0",
"rule_name": "Rare User Logon",
"sha256": "aa7f9d68b2cd1e0dd862fac1ad96a879a79a4f3bd3a41e67100663fb05f401b5",
"version": 2
"sha256": "f9e949d45ac4dc51bd454d12b2bd60ec23f8fe3d5ee9a15595a4663248317d73",
"version": 3
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
@@ -248,8 +273,8 @@
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "135b9a750efbc4e8e894e01c44e1a7780e7a59c222a3a94310c3eaaa3c11263a",
"version": 1
"sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7",
"version": 2
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
@@ -303,8 +328,8 @@
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "8373f49ffa149c3c99aefc2ec629c84424c168c0a8fb68de6f28c0e12fbe376b",
"version": 6
"sha256": "59b061c54de834d4f8b093978bf45f2114bed02645ac3a05df8c21d94d0e692a",
"version": 7
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Azure Application Credential Modification",
@@ -323,14 +348,19 @@
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
"sha256": "204cfc566c8562c3b0ab2cd9fb57da1ac55bf68b3ebae6eb23b3af72f735c458",
"version": 8
"sha256": "2e6aba11ce3349c0f1b9d4e73146c40479f371af1fc28f299eadcfbcc8673748",
"version": 9
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4",
"version": 6
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "6217f37d9bac2de2323c05583eaf202ca7d48c5f450f270fc66d675631a9575f",
"version": 1
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce",
@@ -388,8 +418,8 @@
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "6369d78ac26e4f7b3174ef0923cf4ee45dea20c14723637aecfcc0b8f7c0dac3",
"version": 4
"sha256": "5e7be99268fbc7605ca567d2dc6d1cb1fd554771d9f92fb62f0d4e00f780a896",
"version": 5
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"rule_name": "Creation or Modification of Root Certificate",
@@ -478,8 +508,8 @@
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Net command via SYSTEM account",
"sha256": "b46d627ebfd274fa9aae22cca0c0f99f53ac08424f9269e2c7e2085e77554727",
"version": 7
"sha256": "9edf6f050f8563bcf0dbd301c61100d160969829b5cbdbd7c90872555d44ea25",
"version": 8
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
@@ -493,8 +523,8 @@
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "47dab9051ff8692b4edba5796669029cb0dbfa892d6ce22fde32ca65da7add9b",
"version": 1
"sha256": "19504cdc2f2149a7cf1d68afad3fff11132b00621e39c9cb25d8a193ca4737f3",
"version": 2
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
@@ -503,8 +533,8 @@
},
"2917d495-59bd-4250-b395-c29409b76086": {
"rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
"sha256": "d014b0b7c98f1ced15d0d44f3fedf8b71e45eb600f843b25b0bc9dd4e697e68a",
"version": 1
"sha256": "c1adfb252308887a5bdac88b3edc8eae5c11fe737a019a177fe777aa1197348d",
"version": 2
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
@@ -513,8 +543,8 @@
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "0c667291acc3d5fea4fee20c2309beec71f63046a4cfdd2f9d855f9c7e40db6b",
"version": 2
"sha256": "ef62ccfe4455d54403f9578bd22ca980ef2a88b8d715172adbb52ae4437c23af",
"version": 3
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
@@ -528,8 +558,8 @@
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "5250ee0f4d13cd87faecfbf97ba1cae636c2c99325f8cb287f4d322c5142f6c8",
"version": 4
"sha256": "2fe8c86abbc5b90c04c50b2d75bc279a82b4ca5b5b9075830ede2cb576e81d8a",
"version": 5
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
@@ -538,8 +568,8 @@
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "9f4084ad28a9a4e1378334c8832a4c05e04155476ead195ca7fee9397702109b",
"version": 1
"sha256": "73d4fb8598a974e4c18b6e713228bdddad082fccbb5b41ead57a9a8a31c0d429",
"version": 2
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
@@ -594,8 +624,8 @@
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
"sha256": "3d6f296f6aa09dfcd1f7303be722bf62bacbd951fe957e4d26e0ef5b844f6a6c",
"version": 4
"sha256": "ebbaac4af6d54565731b8500a4056718a4388b992d023176c9014cc30728b46f",
"version": 5
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"rule_name": "Suspicious MS Outlook Child Process",
@@ -624,13 +654,13 @@
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"rule_name": "Port Forwarding Rule Addition",
"sha256": "c9f0359efcb3e1b185aabeca1992928a55fd97098d2033d53a522e495da506c4",
"version": 3
"sha256": "0cee3eae7a950faf73452b2022d6ec9980dcce503a5247c6d9b74a28f2a862f9",
"version": 4
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "5058e921ddd9149ceaa4a85c8126eb032fbdd52db90f5a5f6de9981dbf16ef73",
"version": 9
"sha256": "426406e1faa8b58d4d556183c34bdb0f14ecce1c81feafbea403b0802d962ef1",
"version": 10
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
@@ -699,8 +729,8 @@
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "e700245e5adf9b5950b075793d0b19fad2a623d52918a733ace3116e1abd3a64",
"version": 2
"sha256": "2b74884e710d2b488775647f1a79e3b28390532e537fcabdf72e1595e4b55621",
"version": 3
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
@@ -724,8 +754,8 @@
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "bf55c9ac0f6fa3fe5373749c8130affc8fb2cf5299be9bfd0ef21db48d038f0b",
"version": 4
"sha256": "6190fcbe0b951625445d3995b34ac7d0eb24f491791797d34fdcc52965947e6c",
"version": 5
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
@@ -763,6 +793,11 @@
"sha256": "0ec360815683ac95dccca9d337385dfc1389dd03b5d923f929ab310a2a3c8ad0",
"version": 4
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "1a31a209ac2dc61fc7c8c6ece800b34a05c2a7ca6b9332ec6d5313d7e3a65f01",
"version": 1
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
"sha256": "49fca84019de306b693f25ee758a76113137f7f37277ac183c412540bf7dab04",
@@ -805,13 +840,13 @@
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
"sha256": "530536e43b2e7c308f3578a3bd010061cc3c281373fe5536e0dd2b7bd1395ddd",
"version": 1
"sha256": "f65e89b35c2d09bcf13dc109cfe5c2385c3ef652d65c38a84e4d275ed932866f",
"version": 2
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "23f9191786f04df01ac4076310352f81c20bec7f33495f5d7cbfd41c560e5330",
"version": 3
"sha256": "afd848d3e14acf0cda06b0eb92b86f3bf86fc362d754c4fa574ee0099f5e779f",
"version": 4
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
@@ -838,6 +873,11 @@
"sha256": "8c07df1d0c0f730e3e3126804f0934ba930fe3aaf3514718b5d17e3873665f4b",
"version": 1
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "a76e2afa15de19ec33e17a27311c9b44df498fbae6d2b30ac9ff94705f314dcf",
"version": 1
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089",
@@ -856,13 +896,13 @@
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "c4e92b6369d96f03afcf8abe54580bb558b94689632aabc9b96b9e18ffbe4ea9",
"version": 9
"sha256": "90064df775272d8e2f696fb665bb8e5df6ed2e82abb3a9f450d42b3d0caa61e5",
"version": 10
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "a95fdb458a6423309410cb46d41bda785e2690ffb9c4e06f7ca92cd28b2ad647",
"version": 4
"sha256": "ced0a019b63e9d421f8e75a6d2dd6a581cfd87b9bf4388349f4070700225813d",
"version": 5
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
@@ -876,8 +916,8 @@
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "aa01a46fab350db3345bf79795effecf5b1ae98e59739a796682c4c066b7bf52",
"version": 1
"sha256": "c5df84be421d64d3a1261a065649b24397c4d41d7344dd8828b0b1beb84a7d76",
"version": 2
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
@@ -889,6 +929,11 @@
"sha256": "86fbac365ea6f05358840e21847cdac1ba5feaeb3571e7edfdcec13820f6e50a",
"version": 4
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "95ae1bb42d6cb5c5eb8d3e43dc25d1a2110d1f9636e6c018baa87826f7373762",
"version": 1
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "fd6aa0fb6621012cb8e02b57f75725de1c2d778441edb0a01096a2b76f972d53",
@@ -911,8 +956,8 @@
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "56798ab9bdf8cb5392c135b08741c952206a72d42388d404c2e89aa693d02938",
"version": 2
"sha256": "fb6874177f1e3a261c4b67085479793e4423e4be78be5169af97ea5299426828",
"version": 3
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
@@ -951,8 +996,8 @@
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "32c64b8fa0f6c50c2253632facb556b54d2013478619f79cc60cb6f6519ce918",
"version": 3
"sha256": "e7c699725084ca5652b0fa7e6fb0e9ed2d8d82dff4ffba0ef2ab3bffb24c8e09",
"version": 4
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
@@ -996,13 +1041,13 @@
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "b6c38ee8d6644df3f58b6d542f3078384354af705656469a372d983cae9fb0e2",
"version": 9
"sha256": "868ffb9b45e3d8236b93e72b26814071dc1f1d6f1594fc54b97abc6be9f3d242",
"version": 10
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
"sha256": "319db6b0ff0a8cf89ddad11cb2f65328fc71e7483f5ef7e0064285dd8aee58a5",
"version": 3
"sha256": "205f152264f976a03a9a96a5fadff7e2e6e2e6c62aaece1df3205b7fcc644305",
"version": 4
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
@@ -1061,13 +1106,13 @@
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "24d5ea3ff2d410f537c9b96af25167ce0c2c11fa2c647d18ff6bd0b90437962f",
"version": 2
"sha256": "842d45e42d2842a379682b8f9f17bd6a6a77b11af24ff95081b42a10300da7e5",
"version": 3
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group in Active Directory",
"sha256": "4897f09298c4d423ccecd6048078eb42c74a9fa91c4f9ca81cde2f774bffce10",
"version": 2
"sha256": "1c916f85abeafa2fb73df818ab49266806c69dc729e1e2f68e5982972448cd9a",
"version": 3
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
@@ -1076,8 +1121,8 @@
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "4369b44ff1e27e0a5323f7f1ea2e08d8855bc451d944ffa053cf0309b2b56d4a",
"version": 3
"sha256": "39b048716937ceb662422d8e35d3e65524d15b2122f65419c6ee49fff049a570",
"version": 4
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
@@ -1121,8 +1166,8 @@
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "622971b557f9455358e7a8aabf246eb45113c34526df86049404d2cecf957872",
"version": 2
"sha256": "77491c98fb172a33ef724d96f7b9d6d9ef5991aa0e86270846cbc5691167ddec",
"version": 3
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
@@ -1156,8 +1201,8 @@
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "c69ed40fb2e7829b02aeeca20498c23afc04e5731d46c52717cf4a7b13cf50b5",
"version": 4
"sha256": "4e71078c218cc670c114032d04b1a3631cdf38e7c5225829a6268c569fce9bf6",
"version": 5
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
@@ -1190,6 +1235,11 @@
"sha256": "cb9f8ab520ca0272536e6f61744c52bd7dae188a52f40d4587e9c233786de795",
"version": 4
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
"sha256": "b61f976f927391636b1c2e4f41fdf84dae2d3c93a06d314511f715d67e0591fd",
"version": 1
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"rule_name": "Threat Detected by Okta ThreatInsight",
"sha256": "0f9bfed2053b99795b40e69a51bfdca388143a9a3a4ac6ecccff16c81657acc0",
@@ -1197,8 +1247,8 @@
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "a6dfc7259442d2824f1f911c11a11988a076b0da4e8f23558a73ad3edc789676",
"version": 5
"sha256": "5195503f06d8b358e209d9caebe4d1cfbc94be351590cb60646160fbab60f0a9",
"version": 6
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
@@ -1207,8 +1257,8 @@
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "6f6e12923610a9a51d2eab7dfbb921da7be8506c71b0f61b259251f473cd6343",
"version": 3
"sha256": "b9385a20316c74f2f19353aa236f9c1afb3313df732395e9136cc020f037ef7f",
"version": 4
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
@@ -1222,8 +1272,8 @@
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "79afa252f7863c4f972d34afac42983788cd12eb97358a12d668057fe6eda091",
"version": 8
"sha256": "22d2bd68a5cc0620132227498ac239156162cfc2774f84b41d0ed7c5733f71fe",
"version": 9
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS IAM Password Recovery Requested",
@@ -1237,8 +1287,8 @@
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "93abb8a737c39cd9cc468f030e525b2bdcdf5bd8651dcc07c9df2e0b4b986408",
"version": 4
"sha256": "d714ce0962a7c7e2f1dae1aec682f7b98138ca47d060f0b89d06599a5821b4d2",
"version": 5
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
@@ -1252,8 +1302,8 @@
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host",
"sha256": "178620681ef147bec01c29302da4d30937587ad6408ada0093e327770d44de86",
"version": 7
"sha256": "783573ab02fc9196d1609a2542041f7126beb62c1a5576457827848982e3d1b7",
"version": 8
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"rule_name": "Anomalous Process For a Windows Population",
@@ -1272,13 +1322,13 @@
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
"sha256": "b94cdf578c5aa4cdaf45b7a08a41047bce69f28c54303d86d72cc822e66aec8e",
"version": 3
"sha256": "b36abb97dfae934d532a0ad8bae5eb1ad848b7862a3fd0e9a35f108c528b905b",
"version": 4
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "0d5c7f9512602335a576a40a13d448d792cef3798b11db696040ef6d4a542447",
"version": 11
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"version": 12
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
@@ -1325,6 +1375,11 @@
"sha256": "d6f547243894063d94c8152b6485b57855368f0f9288e9d97e4f9e622f1b7e44",
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "4a2b21872c0267aedbc3dbf6d88a10753da1aa493cd5448e9750533eb910965a",
"version": 1
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "39f2ea0432ed3122a7a0d35999c6c5e031af504f3cb039cce854a4dbbf267128",
@@ -1363,13 +1418,13 @@
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "51e2b3082e7350103b6ccafe28053932e602837e855ca1284269bc7974f1241c",
"version": 3
"sha256": "fcd8c3219898d5276945fcee501c6a589d1e17e99b96a7360a30c6d982f3c614",
"version": 4
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "1b2d4be4a6bec79d6bbc28d6fa1e664f19d7da816c2439cf357bacf48f034928",
"version": 1
"sha256": "05939d1b48b1975cfbe6e80623d1c4d942fffa7f68577f3e05f541d61a5eba9b",
"version": 2
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
@@ -1393,8 +1448,8 @@
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "97153b857f7fa8c6c22b3fb15e43ebd6d191e9209e5ae2a7509a15b7bc57b5cd",
"version": 6
"sha256": "f9740325f3e0b5993028fde7431dc516168cf619d5040542ef56a57a385a5c89",
"version": 7
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
@@ -1411,6 +1466,11 @@
"sha256": "565d9e046bb625807c9d552344c5097df14d3f17d12b8c23cc8ef382da27c557",
"version": 3
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "cc08cb27e005034b14c5c0157a08b6bc92d0ef1ca0842363510a89f1ba1a70d2",
"version": 1
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"rule_name": "Windows Network Enumeration",
"sha256": "62962d4c50e13c6c3795372fdfa8275aa60f1cba7019c1083b172295130dba0e",
@@ -1438,8 +1498,8 @@
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "3a78d230f4c3b9bf42f496bd1393eaf08433761036e886f911d180838f143e18",
"version": 6
"sha256": "48ba1263524fb870cd81eaaf17abbab057a5f04d9737f5fb881fcce07d133df7",
"version": 7
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
@@ -1484,8 +1544,8 @@
},
"871ea072-1b71-4def-b016-6278b505138d": {
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "53248ec0debf86a1acb0802d5e09db4eee88174caa617c0056bd33de9132b75f",
"version": 3
"sha256": "2f6700f791dd256057e4282a89b038cb5296e4c8c37b48776db059141f394a7b",
"version": 4
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -1540,13 +1600,13 @@
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "7.13.0",
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "78b068f32b6f2ea26024a9e07219d32464cee7ed641339bc7aa5bede56086f35",
"version": 2
"sha256": "49f3873e68cd7416b2933be1ae193783473434d7ed6329f8d313f0a409453d21",
"version": 3
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "f7abeca09d05a47415e4ae1c6befa323c4f11bf2027921e674e266c6d0e309bb",
"version": 1
"sha256": "ebcb01477dc704bdeee0d1db6985b13879e9151e5552f29028517978eda2b2f0",
"version": 2
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -1560,8 +1620,8 @@
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "e03a2207ef0ce5d054391b1d1e16eb746b9f84752e7208fb3af36b66ec18a314",
"version": 2
"sha256": "8881269746a6601e50ebc55a0e0dc108792345a2a7dbcce70e37edbe01a18a97",
"version": 3
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -1580,8 +1640,8 @@
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "3c7a0eec5e46e14bab90be6ed4bd2f446e1d6db10b78a0fafbf2e14ba50b160c",
"version": 2
"sha256": "f15afff68492c854090384c5c1e745704d316f3ef9b8687ba2b9e19a1731addb",
"version": 3
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
@@ -1650,8 +1710,8 @@
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "b58febfdf9c4805096ba315f8cc7a67171708522bd086ceb5175b3e75884d062",
"version": 3
"sha256": "57f3b1d080ff467de12e14aa6f5aa59d3def291a8da36c8fdc485084e200889a",
"version": 4
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
@@ -1665,8 +1725,8 @@
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "2ace8198458c53b15c7adf10cc0de02c82e48e41985a44d13c87e907368f3022",
"version": 3
"sha256": "bdf58af9de2ec55b8d3374f97e3777ebf9b7188990501623ebe9928d176f1b7f",
"version": 4
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
@@ -1751,8 +1811,8 @@
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "f01e503ef6b63f2a8c35c344ee2b8e403170d55b57da27f20fa7e204eebdf462",
"version": 3
"sha256": "60f3f4ec605f4c52a7cfc278b265651dd12b5b9177a26143a797395fc327d22b",
"version": 4
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"rule_name": "Hosts File Modified",
@@ -1771,18 +1831,18 @@
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "c11031d7a313ef26148a98e8acbcb7a30c1de205ff403a81f9ef0c5803f5e696",
"version": 8
"sha256": "57f0f8cb76a41fe58206cf95a8341b2e94f9d9c211e39811cac0f95721b09fa1",
"version": 9
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "5955ca92044b4e13f2b8e8b4a0e0356b42a88150a35d8d55b24a5cadbdc2cefc",
"version": 8
"sha256": "f04344278f08e013710f49865b7c6a98732bbe932665e30e5ea30696e19a1057",
"version": 9
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "1c02c7ab44f7a594bbd41f54d44643a7cce752492cd0dfc5f6359d2ceb865c66",
"version": 8
"sha256": "6aa2f902a6c209e4698dff7263b27b1592311dd713e902640ce9f9a2300efeda",
"version": 9
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
@@ -1871,8 +1931,8 @@
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"rule_name": "Suspicious MS Office Child Process",
"sha256": "26f0a12b3dc7a8d4d306fe66945b29413c40506622ed906adc4e102e1fd467f7",
"version": 8
"sha256": "e07a208a63f777c6b78eb3e2d91fc678372672774e5c42448f1cc5dddd54d893",
"version": 9
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
@@ -1886,8 +1946,8 @@
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "474cf205bd36fa0fae3a9a14da72c36ccb1c2ca49a61fc100bbc1900369a28d1",
"version": 3
"sha256": "44e523ff34b1fc8bc57e3691d0d7688ee9adabcb86d83dca1175a98f5352746f",
"version": 4
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
@@ -1956,8 +2016,8 @@
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "70cf0c86f238b8edf1a6df6d8cc173b99d2eb01cfcfe7452e7af8871d199fd28",
"version": 6
"sha256": "70a62aa5cade20e81839deb1cef446ae52ca3a21725d7bfc00c7fe0adb539d55",
"version": 7
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
@@ -1966,8 +2026,8 @@
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "a5a4d4e22517c9c256ff22db014e7d01eb48986c27b2efa495761fbf3c430a8b",
"version": 3
"sha256": "6607ad18f48b672374029386caeccf0434b055d0ad1b6d035704d773bf06c169",
"version": 4
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential SSH Brute Force Detected",
@@ -1991,8 +2051,8 @@
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "4818e94c1c67173f475242f9d94f941902a8457697ee622ba20f9daffd897bbf",
"version": 3
"sha256": "ae34300bc6a31dec04ee9e3edfda886d660fef5b4b5b11ac17e87b1c12629a2b",
"version": 4
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "Netcat Network Activity",
@@ -2026,13 +2086,18 @@
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "ecd0137032c4c2466aadefa7b02e3e577736b37087d25529efc58f34c28a71c8",
"version": 4
"sha256": "da3c30b2325fde833e7f51119907e7fe036c63d2c519ebc209219678adcaf401",
"version": 5
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "4a15c4e54783c9e2e4ff522b2cf99daaee98b480161b1b0be8230d659383cb58",
"version": 1
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "5bd892d8ebcb429a2b8a9396f2cefbe7a02a3472326fa95b774f4c4b1a53ab2a",
"version": 8
"sha256": "178f41173d20d636480f9ed3b789bb0815b9f38a327bab209b3a98e29e5ff6ed",
"version": 9
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
@@ -2049,15 +2114,20 @@
"sha256": "9f2b91695b4312bdd195b4b435baca4915e550c4d1d524e7d2fd81ad7f56f9a1",
"version": 1
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "dafc0655d05eda9f4d7aa25bc681f944dfbb3406af1af35b75c17f0361e07c05",
"version": 1
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac",
"version": 6
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deletion via VssAdmin",
"sha256": "54f267e7bd737926f39f468d39a596a292325d0c0df660749a18f33b46955066",
"version": 9
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "a009ff3ab4c85e8aed1731545a96eb1a380cf0927bdbc9a6838aae79a83803e0",
"version": 10
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
@@ -2081,8 +2151,8 @@
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "6c7e16490d9df6da2fe93c0c2bdebb5cb6135c50dd4f5d2ac3aa76cd30e97617",
"version": 5
"sha256": "f2337e3bf6ede7fe3d56f1b71e0c49055ccbacb5d1e3490fca8e6d0ad3b803a7",
"version": 6
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
@@ -2162,8 +2232,8 @@
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "6e4bba28f2d2a39b6eea697189e933adb39e73e24a9949d485285db5be65bc7b",
"version": 1
"sha256": "992fc3eb2005070d0a2eb094b89e093b57426cbe863e2c35c946265fb8f0d23c",
"version": 2
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
@@ -2177,8 +2247,8 @@
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "4ce6036775350e31b5f760f1fa899ee7be508d50e17e38b822a2ff9fa0ba172d",
"version": 5
"sha256": "b252b1b0ae3130cc2aa2af9cd752d49af6d14fd275f6252fa6171a2c9a3ae506",
"version": 6
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
@@ -2247,8 +2317,8 @@
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "ee3ab5606f836c98a65ede43ac5c1d0c7fbdb968b0054830dfd47af55de52f62",
"version": 8
"sha256": "1998ec75b5eb81ab21dc332a0101d5fb3564ec7fd4023c45d8bc0707c1a9b36b",
"version": 9
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "7.14.0",
@@ -2303,8 +2373,13 @@
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "Direct Outbound SMB Connection",
"sha256": "437317e02b02da214489bbab1c65f2f875cb48eaf5121c27a63ef3e9b2642344",
"version": 6
"sha256": "211e2a7134d501f32017fb32b025c99a139a2eeabb60830d0df4ca74a56b43c8",
"version": 7
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "bf300101c83a76a56196a6d061a1495f30d48c3bab5d7eccc5a121967d04c754",
"version": 1
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
@@ -2318,8 +2393,8 @@
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "73592f3bf7a304f413433934022d07f75af6301df302ff33e8d876396c3cf782",
"version": 1
"sha256": "18d0de4ff6f850a79fbaa5298d906a404a9ea579a8fd19df694f6e5c5b0b6120",
"version": 2
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
@@ -2403,8 +2478,8 @@
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "ffa9b4ae839b5008ca69ce7dcd7e3ba23e78d8c52c94c211d8d69b543178062a",
"version": 4
"sha256": "823c4ff1be037943b66d709e61e0133600e0c2e6b13b4c3a62a446c5122f298e",
"version": 5
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
@@ -2443,8 +2518,8 @@
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "9bf1c8265176919a62c9cc82b85c1373bca39e43838a5dd64f282d64b45de863",
"version": 9
"sha256": "6045641eb94c7fd8b0837e3aee0d9d4f2c876cf7ef5caab2d04c079dc11dd562",
"version": 10
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
@@ -2548,6 +2623,11 @@
"sha256": "a96204e734aad61228f51845056ce0f072c2740658b3d7b8af4eff8706a9ba9d",
"version": 5
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "c166e8d3145309bbf8fb2f0a8940d6e32de698c63c1e0da088b8451223cda272",
"version": 1
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "11c865273e884bc2fc14a65de9455d9d999fec216a350a79742055ea2689a328",
@@ -2560,18 +2640,18 @@
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module Indicator Match",
"sha256": "22044ac757cd8ff685631dcc80bb0a463fe35ea0cdb50402bad9c202d902e381",
"version": 1
"sha256": "4aee4e7612e01f652dd5bc52ec84e6202f180ab4525080a71e3da0201e4a67d1",
"version": 2
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "51ca2215f79efce05cf6065687607be7812ee829dbe9de2c46e31a24baeb63c7",
"version": 9
"sha256": "c7114e3a146e9a6f433e98cf3f746fd92dc8fec7c778c85f81593faa766a1295",
"version": 10
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "08b2b4cb35a69751eedfe76a8d1ac4d07fa57a340939560a7e3b2287187c4cf4",
"version": 6
"sha256": "01ac7e2483d04374dbe5454e88e83ccd2dc9f6fc5309f072147b6da99f6c6bad",
"version": 7
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"rule_name": "NullSessionPipe Registry Modification",
@@ -2615,8 +2695,8 @@
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "63ea346828f878f6fb72dd00e88433d75fa6839baf882c5e5ba5cfcaceab0c2a",
"version": 1
"sha256": "f182f841954adaa9009a1b62d0b98506f864adc4d7ab93e8467f26ada0f518d0",
"version": 2
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deletion",
@@ -2636,8 +2716,8 @@
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "7.14.0",
"rule_name": "Spike in Logon Events from a Source IP",
"sha256": "fb4afa427f0347f94517a7191fb7a7f880941fbd2bd47289ce54bcbf5bfc67c9",
"version": 1
"sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
@@ -2656,8 +2736,8 @@
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "81c0684aa15cce486e20b18305135c90b2e696990f9f9928b916a604ec1607d7",
"version": 8
"sha256": "bc0cdfb0670f89d77aae9839c681a4e26499830163210bbe8ce929b5c426c68f",
"version": 9
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
@@ -2704,6 +2784,11 @@
"sha256": "be780601c9e4a7e1aca8845facddfea5d71bf738376e9880f61beae46ddc51a4",
"version": 6
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "246d03e49a68169a248914b3d7010e3707f42a27ef57fc08b24727a3b5f06773",
"version": 1
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7",
@@ -2714,6 +2799,11 @@
"sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929",
"version": 2
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "dfc3d05667713b082859c690e61f72dbf5e3c650c4b8d1abe77544657c34ac5c",
"version": 1
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "06690c0658d2dd465f3f42e62ce6289924edceaa79f26b4aca756c585acfaa13",
@@ -2781,8 +2871,8 @@
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "c5dc6b1040c2435cfe6ae76ca3334add285aa323acbf57de8d290fcb1df713e6",
"version": 5
"sha256": "09683401b4fff4e70db85bd1e692716a304d674c78fa75013cb09ab1e0236835",
"version": 6
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"rule_name": "Process Execution from an Unusual Directory",
@@ -2806,8 +2896,8 @@
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"rule_name": "AdFind Command Activity",
"sha256": "6ddd06f0d57dfe3c9f2a0bec8b2f39773e8b40e1213a52ebbae19d90c9d43b85",
"version": 4
"sha256": "e00f8844f4cd9dae87d650fcf2c3ea31b66cdbe8d9a951cef452f49d469e78f5",
"version": 5
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"rule_name": "Attempt to Deactivate an Okta Application",
@@ -2871,13 +2961,13 @@
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"rule_name": "LSASS Memory Dump Creation",
"sha256": "79631e38ec873ab7281bd533d4827e487ce9da67c8af72a09ee12bc1cef3b04a",
"version": 4
"sha256": "1bb7f26beff47b579126c16832e72166cee2812ed3b488223fd921bcfc96f456",
"version": 5
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "AWS RDS Instance Creation",
"sha256": "8510cdcc19e7d92882fbb86ed39ae27d39dc16f4bdbe64d58d1e45a3fcc2ed3d",
"version": 1
"sha256": "f359082c81ed687bb0fd222764315f15f6249a1690fa7fbc692035c882ce576b",
"version": 2
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
@@ -2991,8 +3081,8 @@
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "44684e57ec77578500f17e973b1f334764c71964566770833d22956e25e6be1b",
"version": 7
"sha256": "b52c0b3b61c361bd48462ab2432ba1e1689286e1e3022c5580108b09dacfe55e",
"version": 8
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",