From 847b08a1bd80ed509d4648ec6feab3faef68c0f3 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 13 Oct 2021 14:23:26 -0800
Subject: [PATCH] Lock versions for releases: 7.13,7.14,7.15 (#1545)

* Locked versions for releases: 7.13,7.14,7.15

(cherry picked from commit c6ddb44445abdb610af6e42a428b14c9113a4823)
---
 etc/version.lock.json | 446 +++++++++++++++++++++++++-----------------
 1 file changed, 268 insertions(+), 178 deletions(-)

diff --git a/etc/version.lock.json b/etc/version.lock.json
index c2190e755..0e36032a0 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -7,19 +7,29 @@
   "00140285-b827-4aee-aa09-8113f58a08f3": {
     "min_stack_version": "7.13.0",
     "rule_name": "Potential Credential Access via Windows Utilities",
-    "sha256": "819b97e921f748a95d389f35f4e7e485b52ee736654131c03752b127d7e0743a",
-    "version": 4
+    "sha256": "cbbb5fe38e0d37cf8fed4293739ecbf327d81a48aeb8aa6d2cb69d0aa362731d",
+    "version": 5
   },
   "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
     "rule_name": "System Shells via Services",
     "sha256": "606d4f374fc98e99bd86c9ef062bb48f416b10951ed6138c0ff817fabd8c9ed6",
     "version": 9
   },
+  "0136b315-b566-482f-866c-1d8e2477ba16": {
+    "rule_name": "Microsoft 365 User Restricted from Sending Email",
+    "sha256": "014249347355e7f94d184ef92a149ccdaac362ebec04f4f51e80d9368eb0782c",
+    "version": 1
+  },
   "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
     "rule_name": "Potential Cookies Theft via Browser Debugging",
     "sha256": "1c44db89d3410a06dc61f99dda258376dd4863095c7c858ad1da33d8c582fc2c",
     "version": 1
   },
+  "02a4576a-7480-4284-9327-548a806b5e48": {
+    "rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
+    "sha256": "4da266f820dc2dba8ed78416db2ea4cad6a8260dacad0552bcfa4f25601a61f8",
+    "version": 1
+  },
   "02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
     "rule_name": "Dumping Account Hashes via Built-In Commands",
     "sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40",
@@ -32,8 +42,8 @@
   },
   "035889c4-2686-4583-a7df-67f89c292f2c": {
     "rule_name": "High Number of Process and/or Service Terminations",
-    "sha256": "5ccb45d0d495678162da46f277ecfca7343604daaea4564d9fe0884451c7dcf6",
-    "version": 2
+    "sha256": "a5417071894f6d1e07147cb4c4ba4712768327afda352ca1bfbc6237b1834431",
+    "version": 3
   },
   "0415f22a-2336-45fa-ba07-618a5942e22c": {
     "rule_name": "Modification of OpenSSH Binaries",
@@ -47,8 +57,8 @@
   },
   "053a0387-f3b5-4ba5-8245-8002cca2bd08": {
     "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
-    "sha256": "0f184faf7f0c7af2ea9955885ea9d4a4258cc9d025ed50d265079c466c4ad2cb",
-    "version": 1
+    "sha256": "bae7f8ff4ba6ea634982a368fedf0384ba3e9912ae10a1c22dab21a49056cb74",
+    "version": 2
   },
   "0564fb9d-90b9-4234-a411-82a546dc1343": {
     "rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -72,13 +82,13 @@
   },
   "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
     "rule_name": "Potential Evasion via Filter Manager",
-    "sha256": "ff00a03f7ba5b02d01b5f7890ea3d3039465801d5c3ff943e57cdbc3f9d0bf41",
-    "version": 7
+    "sha256": "c481db545277820f57ac0efe04364be82a44271e65b05635d59c07fb0932a535",
+    "version": 8
   },
   "074464f9-f30d-4029-8c03-0ed237fffec7": {
     "rule_name": "Remote Desktop Enabled in Windows Firewall",
-    "sha256": "45c1c0dee9af84917c91545f9845f57dc37d7695a21a743d5c1f73b8ea9fb0d2",
-    "version": 3
+    "sha256": "29afef30be0c86eeb8c731c39dbf62b777ed72a65f168c0469f907ed9fd5b801",
+    "version": 4
   },
   "080bc66a-5d56-4d1f-8071-817671716db9": {
     "rule_name": "Suspicious Browser Child Process",
@@ -107,8 +117,13 @@
   },
   "09443c92-46b3-45a4-8f25-383b028b258d": {
     "rule_name": "Process Termination followed by Deletion",
-    "sha256": "1889f7fd920e6989fcbcf7a13004b0cd0b3952f2e9e769f90f808e6385256793",
-    "version": 2
+    "sha256": "94e72ce4ad6b954cf01ab7f7a175c472e6936b75e330dec5da7847381fce4224",
+    "version": 3
+  },
+  "09d028a5-dcde-409f-8ae0-557cef1b7082": {
+    "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
+    "sha256": "b8219972b17dded095e28cdfd69085a06332bb11be4b4124d29a76a054750ccb",
+    "version": 1
   },
   "0a97b20f-4144-49ea-be32-b540ecc445de": {
     "rule_name": "Malware - Detected - Elastic Endgame",
@@ -125,6 +140,11 @@
     "sha256": "499dcd1aa2d62a15f68fa52d95b87511f7f4e14f24ffe83babb3e72e990ff81d",
     "version": 3
   },
+  "0ce6487d-8069-4888-9ddd-61b52490cebc": {
+    "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
+    "sha256": "88ba94c428250342f829c23c844e0d491354bb5b845c5a8caf1bdc92ab3faeca",
+    "version": 1
+  },
   "0d69150b-96f8-467c-a86d-a67a3378ce77": {
     "rule_name": "Nping Process Activity",
     "sha256": "4e12ac0fb84fd0825957284198b6a6419d7164c0a4bf84a19836ffe7a3839c86",
@@ -142,8 +162,8 @@
   },
   "0e79980b-4250-4a50-a509-69294c14e84b": {
     "rule_name": "MsBuild Making Network Connections",
-    "sha256": "833b8ac407769d2ff54b29c503522466b5ea212d0aff6d04f30865dce0e4b597",
-    "version": 7
+    "sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15",
+    "version": 8
   },
   "0f616aee-8161-4120-857e-742366f5eeb3": {
     "rule_name": "PowerShell spawning Cmd",
@@ -162,8 +182,8 @@
   },
   "11013227-0301-4a8c-b150-4db924484475": {
     "rule_name": "Abnormally Large DNS Response",
-    "sha256": "bad712c7e3bf95a043fc2871cebcdd450fea6a3b005d3146372539993ba11f21",
-    "version": 4
+    "sha256": "c42302d38db5185ee51e15b0f8e51a0876b04ac1faf813bf4cc194331622f2e9",
+    "version": 5
   },
   "1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
     "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
@@ -177,7 +197,12 @@
   },
   "119c8877-8613-416d-a98a-96b6664ee73a5": {
     "rule_name": "AWS RDS Snapshot Export",
-    "sha256": "68f44e7c9ac63e164010178bf95b4e93cc0dabf879694165d36cc8a9b83dcd8a",
+    "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
+    "version": 2
+  },
+  "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
+    "rule_name": "Third-party Backup Files Deleted via Unexpected Process",
+    "sha256": "637411a6c598e26e6158b7f367b37e4ef4c20c2f833cb4adaa2d9866c2662e3b",
     "version": 1
   },
   "12051077-0124-4394-9522-8f4f4db1d674": {
@@ -202,14 +227,14 @@
   },
   "1327384f-00f3-44d5-9a8c-2373ba071e92": {
     "rule_name": "Persistence via Scheduled Job Creation",
-    "sha256": "efd7d2aa298941d3d4d452f08ace97c0c6a5bd2a26f9da698d06bae893f899e8",
-    "version": 1
+    "sha256": "7b02935da719949670e9b9601000c344b1f818124e52ac762cf52c3df244806a",
+    "version": 2
   },
   "138c5dd5-838b-446e-b1ac-c995c7f8108a": {
     "min_stack_version": "7.14.0",
     "rule_name": "Rare User Logon",
-    "sha256": "aa7f9d68b2cd1e0dd862fac1ad96a879a79a4f3bd3a41e67100663fb05f401b5",
-    "version": 2
+    "sha256": "f9e949d45ac4dc51bd454d12b2bd60ec23f8fe3d5ee9a15595a4663248317d73",
+    "version": 3
   },
   "139c7458-566a-410c-a5cd-f80238d6a5cd": {
     "rule_name": "SQL Traffic to the Internet",
@@ -248,8 +273,8 @@
   },
   "16904215-2c95-4ac8-bf5c-12354e047192": {
     "rule_name": "Potential Kerberos Attack via Bifrost",
-    "sha256": "135b9a750efbc4e8e894e01c44e1a7780e7a59c222a3a94310c3eaaa3c11263a",
-    "version": 1
+    "sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7",
+    "version": 2
   },
   "169f3a93-efc7-4df2-94d6-0d9438c310d1": {
     "rule_name": "AWS IAM Group Creation",
@@ -303,8 +328,8 @@
   },
   "19de8096-e2b0-4bd8-80c9-34a820813fff": {
     "rule_name": "Rare AWS Error Code",
-    "sha256": "8373f49ffa149c3c99aefc2ec629c84424c168c0a8fb68de6f28c0e12fbe376b",
-    "version": 6
+    "sha256": "59b061c54de834d4f8b093978bf45f2114bed02645ac3a05df8c21d94d0e692a",
+    "version": 7
   },
   "1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
     "rule_name": "Azure Application Credential Modification",
@@ -323,14 +348,19 @@
   },
   "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
     "rule_name": "User Account Creation",
-    "sha256": "204cfc566c8562c3b0ab2cd9fb57da1ac55bf68b3ebae6eb23b3af72f735c458",
-    "version": 8
+    "sha256": "2e6aba11ce3349c0f1b9d4e73146c40479f371af1fc28f299eadcfbcc8673748",
+    "version": 9
   },
   "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
     "rule_name": "Connection to Internal Network via Telnet",
     "sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4",
     "version": 6
   },
+  "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
+    "rule_name": "AWS ElastiCache Security Group Modified or Deleted",
+    "sha256": "6217f37d9bac2de2323c05583eaf202ca7d48c5f450f270fc66d675631a9575f",
+    "version": 1
+  },
   "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
     "rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
     "sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce",
@@ -388,8 +418,8 @@
   },
   "201200f1-a99b-43fb-88ed-f65a45c4972c": {
     "rule_name": "Suspicious .NET Code Compilation",
-    "sha256": "6369d78ac26e4f7b3174ef0923cf4ee45dea20c14723637aecfcc0b8f7c0dac3",
-    "version": 4
+    "sha256": "5e7be99268fbc7605ca567d2dc6d1cb1fd554771d9f92fb62f0d4e00f780a896",
+    "version": 5
   },
   "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
     "rule_name": "Creation or Modification of Root Certificate",
@@ -478,8 +508,8 @@
   },
   "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
     "rule_name": "Net command via SYSTEM account",
-    "sha256": "b46d627ebfd274fa9aae22cca0c0f99f53ac08424f9269e2c7e2085e77554727",
-    "version": 7
+    "sha256": "9edf6f050f8563bcf0dbd301c61100d160969829b5cbdbd7c90872555d44ea25",
+    "version": 8
   },
   "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
     "rule_name": "Exploit - Prevented - Elastic Endgame",
@@ -493,8 +523,8 @@
   },
   "29052c19-ff3e-42fd-8363-7be14d7c5469": {
     "rule_name": "AWS Security Group Configuration Change Detection",
-    "sha256": "47dab9051ff8692b4edba5796669029cb0dbfa892d6ce22fde32ca65da7add9b",
-    "version": 1
+    "sha256": "19504cdc2f2149a7cf1d68afad3fff11132b00621e39c9cb25d8a193ca4737f3",
+    "version": 2
   },
   "290aca65-e94d-403b-ba0f-62f320e63f51": {
     "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
@@ -503,8 +533,8 @@
   },
   "2917d495-59bd-4250-b395-c29409b76086": {
     "rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
-    "sha256": "d014b0b7c98f1ced15d0d44f3fedf8b71e45eb600f843b25b0bc9dd4e697e68a",
-    "version": 1
+    "sha256": "c1adfb252308887a5bdac88b3edc8eae5c11fe737a019a177fe777aa1197348d",
+    "version": 2
   },
   "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
     "rule_name": "Adobe Hijack Persistence",
@@ -513,8 +543,8 @@
   },
   "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
     "rule_name": "Windows Defender Exclusions Added via PowerShell",
-    "sha256": "0c667291acc3d5fea4fee20c2309beec71f63046a4cfdd2f9d855f9c7e40db6b",
-    "version": 2
+    "sha256": "ef62ccfe4455d54403f9578bd22ca980ef2a88b8d715172adbb52ae4437c23af",
+    "version": 3
   },
   "2d8043ed-5bda-4caf-801c-c1feb7410504": {
     "rule_name": "Enumeration of Kernel Modules",
@@ -528,8 +558,8 @@
   },
   "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
     "rule_name": "Renamed AutoIt Scripts Interpreter",
-    "sha256": "5250ee0f4d13cd87faecfbf97ba1cae636c2c99325f8cb287f4d322c5142f6c8",
-    "version": 4
+    "sha256": "2fe8c86abbc5b90c04c50b2d75bc279a82b4ca5b5b9075830ede2cb576e81d8a",
+    "version": 5
   },
   "2e580225-2a58-48ef-938b-572933be06fe": {
     "rule_name": "Halfbaked Command and Control Beacon",
@@ -538,8 +568,8 @@
   },
   "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
     "rule_name": "Creation of a Hidden Local User Account",
-    "sha256": "9f4084ad28a9a4e1378334c8832a4c05e04155476ead195ca7fee9397702109b",
-    "version": 1
+    "sha256": "73d4fb8598a974e4c18b6e713228bdddad082fccbb5b41ead57a9a8a31c0d429",
+    "version": 2
   },
   "2f8a1226-5720-437d-9c20-e0029deb6194": {
     "rule_name": "Attempt to Disable Syslog Service",
@@ -594,8 +624,8 @@
   },
   "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
     "rule_name": "Program Files Directory Masquerading",
-    "sha256": "3d6f296f6aa09dfcd1f7303be722bf62bacbd951fe957e4d26e0ef5b844f6a6c",
-    "version": 4
+    "sha256": "ebbaac4af6d54565731b8500a4056718a4388b992d023176c9014cc30728b46f",
+    "version": 5
   },
   "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
     "rule_name": "Suspicious MS Outlook Child Process",
@@ -624,13 +654,13 @@
   },
   "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
     "rule_name": "Port Forwarding Rule Addition",
-    "sha256": "c9f0359efcb3e1b185aabeca1992928a55fd97098d2033d53a522e495da506c4",
-    "version": 3
+    "sha256": "0cee3eae7a950faf73452b2022d6ec9980dcce503a5247c6d9b74a28f2a862f9",
+    "version": 4
   },
   "35df0dd8-092d-4a83-88c1-5151a804f31b": {
     "rule_name": "Unusual Parent-Child Relationship",
-    "sha256": "5058e921ddd9149ceaa4a85c8126eb032fbdd52db90f5a5f6de9981dbf16ef73",
-    "version": 9
+    "sha256": "426406e1faa8b58d4d556183c34bdb0f14ecce1c81feafbea403b0802d962ef1",
+    "version": 10
   },
   "35f86980-1fb1-4dff-b311-3be941549c8d": {
     "rule_name": "Network Traffic to Rare Destination Country",
@@ -699,8 +729,8 @@
   },
   "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
     "rule_name": "Potential DNS Tunneling via NsLookup",
-    "sha256": "e700245e5adf9b5950b075793d0b19fad2a623d52918a733ace3116e1abd3a64",
-    "version": 2
+    "sha256": "2b74884e710d2b488775647f1a79e3b28390532e537fcabdf72e1595e4b55621",
+    "version": 3
   },
   "3a86e085-094c-412d-97ff-2439731e59cb": {
     "rule_name": "Setgid Bit Set via chmod",
@@ -724,8 +754,8 @@
   },
   "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
     "rule_name": "NTDS or SAM Database File Copied",
-    "sha256": "bf55c9ac0f6fa3fe5373749c8130affc8fb2cf5299be9bfd0ef21db48d038f0b",
-    "version": 4
+    "sha256": "6190fcbe0b951625445d3995b34ac7d0eb24f491791797d34fdcc52965947e6c",
+    "version": 5
   },
   "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
     "rule_name": "Unusual Linux Network Port Activity",
@@ -763,6 +793,11 @@
     "sha256": "0ec360815683ac95dccca9d337385dfc1389dd03b5d923f929ab310a2a3c8ad0",
     "version": 4
   },
+  "416697ae-e468-4093-a93d-59661fa619ec": {
+    "rule_name": "Control Panel Process with Unusual Arguments",
+    "sha256": "1a31a209ac2dc61fc7c8c6ece800b34a05c2a7ca6b9332ec6d5313d7e3a65f01",
+    "version": 1
+  },
   "41824afb-d68c-4d0e-bfee-474dac1fa56e": {
     "rule_name": "EggShell Backdoor Execution",
     "sha256": "49fca84019de306b693f25ee758a76113137f7f37277ac183c412540bf7dab04",
@@ -805,13 +840,13 @@
   },
   "45ac4800-840f-414c-b221-53dd36a5aaf7": {
     "rule_name": "Windows Event Logs Cleared",
-    "sha256": "530536e43b2e7c308f3578a3bd010061cc3c281373fe5536e0dd2b7bd1395ddd",
-    "version": 1
+    "sha256": "f65e89b35c2d09bcf13dc109cfe5c2385c3ef652d65c38a84e4d275ed932866f",
+    "version": 2
   },
   "45d273fb-1dca-457d-9855-bcb302180c21": {
     "rule_name": "Encrypting Files with WinRar or 7z",
-    "sha256": "23f9191786f04df01ac4076310352f81c20bec7f33495f5d7cbfd41c560e5330",
-    "version": 3
+    "sha256": "afd848d3e14acf0cda06b0eb92b86f3bf86fc362d754c4fa574ee0099f5e779f",
+    "version": 4
   },
   "4630d948-40d4-4cef-ac69-4002e29bc3db": {
     "rule_name": "Adding Hidden File Attribute via Attrib",
@@ -838,6 +873,11 @@
     "sha256": "8c07df1d0c0f730e3e3126804f0934ba930fe3aaf3514718b5d17e3873665f4b",
     "version": 1
   },
+  "48d7f54d-c29e-4430-93a9-9db6b5892270": {
+    "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
+    "sha256": "a76e2afa15de19ec33e17a27311c9b44df498fbae6d2b30ac9ff94705f314dcf",
+    "version": 1
+  },
   "48ec9452-e1fd-4513-a376-10a1a26d2c83": {
     "rule_name": "Potential Persistence via Periodic Tasks",
     "sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089",
@@ -856,13 +896,13 @@
   },
   "4b438734-3793-4fda-bd42-ceeada0be8f9": {
     "rule_name": "Disable Windows Firewall Rules via Netsh",
-    "sha256": "c4e92b6369d96f03afcf8abe54580bb558b94689632aabc9b96b9e18ffbe4ea9",
-    "version": 9
+    "sha256": "90064df775272d8e2f696fb665bb8e5df6ed2e82abb3a9f450d42b3d0caa61e5",
+    "version": 10
   },
   "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
     "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
-    "sha256": "a95fdb458a6423309410cb46d41bda785e2690ffb9c4e06f7ca92cd28b2ad647",
-    "version": 4
+    "sha256": "ced0a019b63e9d421f8e75a6d2dd6a581cfd87b9bf4388349f4070700225813d",
+    "version": 5
   },
   "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
     "rule_name": "AWS Management Console Brute Force of Root User Identity",
@@ -876,8 +916,8 @@
   },
   "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
     "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
-    "sha256": "aa01a46fab350db3345bf79795effecf5b1ae98e59739a796682c4c066b7bf52",
-    "version": 1
+    "sha256": "c5df84be421d64d3a1261a065649b24397c4d41d7344dd8828b0b1beb84a7d76",
+    "version": 2
   },
   "4ed493fc-d637-4a36-80ff-ac84937e5461": {
     "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
@@ -889,6 +929,11 @@
     "sha256": "86fbac365ea6f05358840e21847cdac1ba5feaeb3571e7edfdcec13820f6e50a",
     "version": 4
   },
+  "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
+    "rule_name": "Unauthorized Access to an Okta Application",
+    "sha256": "95ae1bb42d6cb5c5eb8d3e43dc25d1a2110d1f9636e6c018baa87826f7373762",
+    "version": 1
+  },
   "4fe9d835-40e1-452d-8230-17c147cafad8": {
     "rule_name": "Execution via TSClient Mountpoint",
     "sha256": "fd6aa0fb6621012cb8e02b57f75725de1c2d778441edb0a01096a2b76f972d53",
@@ -911,8 +956,8 @@
   },
   "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
     "rule_name": "Incoming DCOM Lateral Movement with MMC",
-    "sha256": "56798ab9bdf8cb5392c135b08741c952206a72d42388d404c2e89aa693d02938",
-    "version": 2
+    "sha256": "fb6874177f1e3a261c4b67085479793e4423e4be78be5169af97ea5299426828",
+    "version": 3
   },
   "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
     "rule_name": "AWS GuardDuty Detector Deletion",
@@ -951,8 +996,8 @@
   },
   "54902e45-3467-49a4-8abc-529f2c8cfb80": {
     "rule_name": "Uncommon Registry Persistence Change",
-    "sha256": "32c64b8fa0f6c50c2253632facb556b54d2013478619f79cc60cb6f6519ce918",
-    "version": 3
+    "sha256": "e7c699725084ca5652b0fa7e6fb0e9ed2d8d82dff4ffba0ef2ab3bffb24c8e09",
+    "version": 4
   },
   "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
     "rule_name": "Network Logon Provider Registry Modification",
@@ -996,13 +1041,13 @@
   },
   "581add16-df76-42bb-af8e-c979bfb39a59": {
     "rule_name": "Deleting Backup Catalogs with Wbadmin",
-    "sha256": "b6c38ee8d6644df3f58b6d542f3078384354af705656469a372d983cae9fb0e2",
-    "version": 9
+    "sha256": "868ffb9b45e3d8236b93e72b26814071dc1f1d6f1594fc54b97abc6be9f3d242",
+    "version": 10
   },
   "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
     "rule_name": "RDP Enabled via Registry",
-    "sha256": "319db6b0ff0a8cf89ddad11cb2f65328fc71e7483f5ef7e0064285dd8aee58a5",
-    "version": 3
+    "sha256": "205f152264f976a03a9a96a5fadff7e2e6e2e6c62aaece1df3205b7fcc644305",
+    "version": 4
   },
   "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
     "rule_name": "Zoom Meeting with no Passcode",
@@ -1061,13 +1106,13 @@
   },
   "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
     "rule_name": "Outbound Scheduled Task Activity via PowerShell",
-    "sha256": "24d5ea3ff2d410f537c9b96af25167ce0c2c11fa2c647d18ff6bd0b90437962f",
-    "version": 2
+    "sha256": "842d45e42d2842a379682b8f9f17bd6a6a77b11af24ff95081b42a10300da7e5",
+    "version": 3
   },
   "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
     "rule_name": "User Added to Privileged Group in Active Directory",
-    "sha256": "4897f09298c4d423ccecd6048078eb42c74a9fa91c4f9ca81cde2f774bffce10",
-    "version": 2
+    "sha256": "1c916f85abeafa2fb73df818ab49266806c69dc729e1e2f68e5982972448cd9a",
+    "version": 3
   },
   "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
     "rule_name": "Persistence via Login or Logout Hook",
@@ -1076,8 +1121,8 @@
   },
   "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
     "rule_name": "Suspicious Execution via Scheduled Task",
-    "sha256": "4369b44ff1e27e0a5323f7f1ea2e08d8855bc451d944ffa053cf0309b2b56d4a",
-    "version": 3
+    "sha256": "39b048716937ceb662422d8e35d3e65524d15b2122f65419c6ee49fff049a570",
+    "version": 4
   },
   "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
     "rule_name": "Suspicious Automator Workflows Execution",
@@ -1121,8 +1166,8 @@
   },
   "622ecb68-fa81-4601-90b5-f8cd661e4520": {
     "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
-    "sha256": "622971b557f9455358e7a8aabf246eb45113c34526df86049404d2cecf957872",
-    "version": 2
+    "sha256": "77491c98fb172a33ef724d96f7b9d6d9ef5991aa0e86270846cbc5691167ddec",
+    "version": 3
   },
   "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
     "rule_name": "Network Connection via Signed Binary",
@@ -1156,8 +1201,8 @@
   },
   "66883649-f908-4a5b-a1e0-54090a1d3a32": {
     "rule_name": "Connection to Commonly Abused Web Services",
-    "sha256": "c69ed40fb2e7829b02aeeca20498c23afc04e5731d46c52717cf4a7b13cf50b5",
-    "version": 4
+    "sha256": "4e71078c218cc670c114032d04b1a3631cdf38e7c5225829a6268c569fce9bf6",
+    "version": 5
   },
   "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
     "rule_name": "Suspicious macOS MS Office Child Process",
@@ -1190,6 +1235,11 @@
     "sha256": "cb9f8ab520ca0272536e6f61744c52bd7dae188a52f40d4587e9c233786de795",
     "version": 4
   },
+  "684554fc-0777-47ce-8c9b-3d01f198d7f8": {
+    "rule_name": "New or Modified Federation Domain",
+    "sha256": "b61f976f927391636b1c2e4f41fdf84dae2d3c93a06d314511f715d67e0591fd",
+    "version": 1
+  },
   "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
     "rule_name": "Threat Detected by Okta ThreatInsight",
     "sha256": "0f9bfed2053b99795b40e69a51bfdca388143a9a3a4ac6ecccff16c81657acc0",
@@ -1197,8 +1247,8 @@
   },
   "68921d85-d0dc-48b3-865f-43291ca2c4f2": {
     "rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
-    "sha256": "a6dfc7259442d2824f1f911c11a11988a076b0da4e8f23558a73ad3edc789676",
-    "version": 5
+    "sha256": "5195503f06d8b358e209d9caebe4d1cfbc94be351590cb60646160fbab60f0a9",
+    "version": 6
   },
   "68994a6c-c7ba-4e82-b476-26a26877adf6": {
     "rule_name": "Google Workspace Admin Role Assigned to a User",
@@ -1207,8 +1257,8 @@
   },
   "689b9d57-e4d5-4357-ad17-9c334609d79a": {
     "rule_name": "Scheduled Task Created by a Windows Script",
-    "sha256": "6f6e12923610a9a51d2eab7dfbb921da7be8506c71b0f61b259251f473cd6343",
-    "version": 3
+    "sha256": "b9385a20316c74f2f19353aa236f9c1afb3313df732395e9136cc020f037ef7f",
+    "version": 4
   },
   "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
     "rule_name": "AWS CloudWatch Log Group Deletion",
@@ -1222,8 +1272,8 @@
   },
   "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
     "rule_name": "Modification of Boot Configuration",
-    "sha256": "79afa252f7863c4f972d34afac42983788cd12eb97358a12d668057fe6eda091",
-    "version": 8
+    "sha256": "22d2bd68a5cc0620132227498ac239156162cfc2774f84b41d0ed7c5733f71fe",
+    "version": 9
   },
   "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
     "rule_name": "AWS IAM Password Recovery Requested",
@@ -1237,8 +1287,8 @@
   },
   "6aace640-e631-4870-ba8e-5fdda09325db": {
     "rule_name": "Exporting Exchange Mailbox via PowerShell",
-    "sha256": "93abb8a737c39cd9cc468f030e525b2bdcdf5bd8651dcc07c9df2e0b4b986408",
-    "version": 4
+    "sha256": "d714ce0962a7c7e2f1dae1aec682f7b98138ca47d060f0b89d06599a5821b4d2",
+    "version": 5
   },
   "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
     "rule_name": "Sensitive Files Compression",
@@ -1252,8 +1302,8 @@
   },
   "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
     "rule_name": "Unusual Process For a Windows Host",
-    "sha256": "178620681ef147bec01c29302da4d30937587ad6408ada0093e327770d44de86",
-    "version": 7
+    "sha256": "783573ab02fc9196d1609a2542041f7126beb62c1a5576457827848982e3d1b7",
+    "version": 8
   },
   "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
     "rule_name": "Anomalous Process For a Windows Population",
@@ -1272,13 +1322,13 @@
   },
   "6ea55c81-e2ba-42f2-a134-bccf857ba922": {
     "rule_name": "Security Software Discovery using WMIC",
-    "sha256": "b94cdf578c5aa4cdaf45b7a08a41047bce69f28c54303d86d72cc822e66aec8e",
-    "version": 3
+    "sha256": "b36abb97dfae934d532a0ad8bae5eb1ad848b7862a3fd0e9a35f108c528b905b",
+    "version": 4
   },
   "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
     "rule_name": "DNS Activity to the Internet",
-    "sha256": "0d5c7f9512602335a576a40a13d448d792cef3798b11db696040ef6d4a542447",
-    "version": 11
+    "sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
+    "version": 12
   },
   "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
     "rule_name": "SSH (Secure Shell) to the Internet",
@@ -1325,6 +1375,11 @@
     "sha256": "d6f547243894063d94c8152b6485b57855368f0f9288e9d97e4f9e622f1b7e44",
     "version": 3
   },
+  "721999d0-7ab2-44bf-b328-6e63367b9b29": {
+    "rule_name": "Microsoft 365 Potential ransomware activity",
+    "sha256": "4a2b21872c0267aedbc3dbf6d88a10753da1aa493cd5448e9750533eb910965a",
+    "version": 1
+  },
   "729aa18d-06a6-41c7-b175-b65b739b1181": {
     "rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
     "sha256": "39f2ea0432ed3122a7a0d35999c6c5e031af504f3cb039cce854a4dbbf267128",
@@ -1363,13 +1418,13 @@
   },
   "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
     "rule_name": "Potential Remote Desktop Tunneling Detected",
-    "sha256": "51e2b3082e7350103b6ccafe28053932e602837e855ca1284269bc7974f1241c",
-    "version": 3
+    "sha256": "fcd8c3219898d5276945fcee501c6a589d1e17e99b96a7360a30c6d982f3c614",
+    "version": 4
   },
   "770e0c4d-b998-41e5-a62e-c7901fd7f470": {
     "rule_name": "Enumeration Command Spawned via WMIPrvSE",
-    "sha256": "1b2d4be4a6bec79d6bbc28d6fa1e664f19d7da816c2439cf357bacf48f034928",
-    "version": 1
+    "sha256": "05939d1b48b1975cfbe6e80623d1c4d942fffa7f68577f3e05f541d61a5eba9b",
+    "version": 2
   },
   "774f5e28-7b75-4a58-b94e-41bf060fdd86": {
     "rule_name": "User Added as Owner for Azure Application",
@@ -1393,8 +1448,8 @@
   },
   "78d3d8d9-b476-451d-a9e0-7a5addd70670": {
     "rule_name": "Spike in AWS Error Messages",
-    "sha256": "97153b857f7fa8c6c22b3fb15e43ebd6d191e9209e5ae2a7509a15b7bc57b5cd",
-    "version": 6
+    "sha256": "f9740325f3e0b5993028fde7431dc516168cf619d5040542ef56a57a385a5c89",
+    "version": 7
   },
   "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
     "rule_name": "Azure Key Vault Modified",
@@ -1411,6 +1466,11 @@
     "sha256": "565d9e046bb625807c9d552344c5097df14d3f17d12b8c23cc8ef382da27c557",
     "version": 3
   },
+  "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
+    "rule_name": "AWS ElastiCache Security Group Created",
+    "sha256": "cc08cb27e005034b14c5c0157a08b6bc92d0ef1ca0842363510a89f1ba1a70d2",
+    "version": 1
+  },
   "7b8bfc26-81d2-435e-965c-d722ee397ef1": {
     "rule_name": "Windows Network Enumeration",
     "sha256": "62962d4c50e13c6c3795372fdfa8275aa60f1cba7019c1083b172295130dba0e",
@@ -1438,8 +1498,8 @@
   },
   "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
     "rule_name": "Unusual City For an AWS Command",
-    "sha256": "3a78d230f4c3b9bf42f496bd1393eaf08433761036e886f911d180838f143e18",
-    "version": 6
+    "sha256": "48ba1263524fb870cd81eaaf17abbab057a5f04d9737f5fb881fcce07d133df7",
+    "version": 7
   },
   "80c52164-c82a-402c-9964-852533d58be1": {
     "rule_name": "Process Injection - Detected - Elastic Endgame",
@@ -1484,8 +1544,8 @@
   },
   "871ea072-1b71-4def-b016-6278b505138d": {
     "rule_name": "Enumeration of Administrator Accounts",
-    "sha256": "53248ec0debf86a1acb0802d5e09db4eee88174caa617c0056bd33de9132b75f",
-    "version": 3
+    "sha256": "2f6700f791dd256057e4282a89b038cb5296e4c8c37b48776db059141f394a7b",
+    "version": 4
   },
   "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
     "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -1540,13 +1600,13 @@
   "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
     "min_stack_version": "7.13.0",
     "rule_name": "Executable File Creation with Multiple Extensions",
-    "sha256": "78b068f32b6f2ea26024a9e07219d32464cee7ed641339bc7aa5bede56086f35",
-    "version": 2
+    "sha256": "49f3873e68cd7416b2933be1ae193783473434d7ed6329f8d313f0a409453d21",
+    "version": 3
   },
   "8b4f0816-6a65-4630-86a6-c21c179c0d09": {
     "rule_name": "Enable Host Network Discovery via Netsh",
-    "sha256": "f7abeca09d05a47415e4ae1c6befa323c4f11bf2027921e674e266c6d0e309bb",
-    "version": 1
+    "sha256": "ebcb01477dc704bdeee0d1db6985b13879e9151e5552f29028517978eda2b2f0",
+    "version": 2
   },
   "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
     "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -1560,8 +1620,8 @@
   },
   "8c81e506-6e82-4884-9b9a-75d3d252f967": {
     "rule_name": "Potential SharpRDP Behavior",
-    "sha256": "e03a2207ef0ce5d054391b1d1e16eb746b9f84752e7208fb3af36b66ec18a314",
-    "version": 2
+    "sha256": "8881269746a6601e50ebc55a0e0dc108792345a2a7dbcce70e37edbe01a18a97",
+    "version": 3
   },
   "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
     "rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -1580,8 +1640,8 @@
   },
   "8f919d4b-a5af-47ca-a594-6be59cd924a4": {
     "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
-    "sha256": "3c7a0eec5e46e14bab90be6ed4bd2f446e1d6db10b78a0fafbf2e14ba50b160c",
-    "version": 2
+    "sha256": "f15afff68492c854090384c5c1e745704d316f3ef9b8687ba2b9e19a1731addb",
+    "version": 3
   },
   "8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
     "rule_name": "GCP Service Account Deletion",
@@ -1650,8 +1710,8 @@
   },
   "93c1ce76-494c-4f01-8167-35edfb52f7b1": {
     "rule_name": "Encoded Executable Stored in the Registry",
-    "sha256": "b58febfdf9c4805096ba315f8cc7a67171708522bd086ceb5175b3e75884d062",
-    "version": 3
+    "sha256": "57f3b1d080ff467de12e14aa6f5aa59d3def291a8da36c8fdc485084e200889a",
+    "version": 4
   },
   "93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
     "rule_name": "Google Workspace Admin Role Deletion",
@@ -1665,8 +1725,8 @@
   },
   "954ee7c8-5437-49ae-b2d6-2960883898e9": {
     "rule_name": "Remote Scheduled Task Creation",
-    "sha256": "2ace8198458c53b15c7adf10cc0de02c82e48e41985a44d13c87e907368f3022",
-    "version": 3
+    "sha256": "bdf58af9de2ec55b8d3374f97e3777ebf9b7188990501623ebe9928d176f1b7f",
+    "version": 4
   },
   "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
     "rule_name": "Attempt to Create Okta API Token",
@@ -1751,8 +1811,8 @@
   },
   "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
     "rule_name": "Persistence via WMI Event Subscription",
-    "sha256": "f01e503ef6b63f2a8c35c344ee2b8e403170d55b57da27f20fa7e204eebdf462",
-    "version": 3
+    "sha256": "60f3f4ec605f4c52a7cfc278b265651dd12b5b9177a26143a797395fc327d22b",
+    "version": 4
   },
   "9c260313-c811-4ec8-ab89-8f6530e0246c": {
     "rule_name": "Hosts File Modified",
@@ -1771,18 +1831,18 @@
   },
   "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
     "rule_name": "Microsoft Build Engine Started by a Script Process",
-    "sha256": "c11031d7a313ef26148a98e8acbcb7a30c1de205ff403a81f9ef0c5803f5e696",
-    "version": 8
+    "sha256": "57f0f8cb76a41fe58206cf95a8341b2e94f9d9c211e39811cac0f95721b09fa1",
+    "version": 9
   },
   "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
     "rule_name": "Microsoft Build Engine Started by a System Process",
-    "sha256": "5955ca92044b4e13f2b8e8b4a0e0356b42a88150a35d8d55b24a5cadbdc2cefc",
-    "version": 8
+    "sha256": "f04344278f08e013710f49865b7c6a98732bbe932665e30e5ea30696e19a1057",
+    "version": 9
   },
   "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
     "rule_name": "Microsoft Build Engine Using an Alternate Name",
-    "sha256": "1c02c7ab44f7a594bbd41f54d44643a7cce752492cd0dfc5f6359d2ceb865c66",
-    "version": 8
+    "sha256": "6aa2f902a6c209e4698dff7263b27b1592311dd713e902640ce9f9a2300efeda",
+    "version": 9
   },
   "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
     "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
@@ -1871,8 +1931,8 @@
   },
   "a624863f-a70d-417f-a7d2-7a404638d47f": {
     "rule_name": "Suspicious MS Office Child Process",
-    "sha256": "26f0a12b3dc7a8d4d306fe66945b29413c40506622ed906adc4e102e1fd467f7",
-    "version": 8
+    "sha256": "e07a208a63f777c6b78eb3e2d91fc678372672774e5c42448f1cc5dddd54d893",
+    "version": 9
   },
   "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
     "rule_name": "Emond Rules Creation or Modification",
@@ -1886,8 +1946,8 @@
   },
   "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
     "rule_name": "Credential Acquisition via Registry Hive Dumping",
-    "sha256": "474cf205bd36fa0fae3a9a14da72c36ccb1c2ca49a61fc100bbc1900369a28d1",
-    "version": 3
+    "sha256": "44e523ff34b1fc8bc57e3691d0d7688ee9adabcb86d83dca1175a98f5352746f",
+    "version": 4
   },
   "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
     "rule_name": "Web Application Suspicious Activity: POST Request Declined",
@@ -1956,8 +2016,8 @@
   },
   "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
     "rule_name": "Unusual AWS Command for a User",
-    "sha256": "70cf0c86f238b8edf1a6df6d8cc173b99d2eb01cfcfe7452e7af8871d199fd28",
-    "version": 6
+    "sha256": "70a62aa5cade20e81839deb1cef446ae52ca3a21725d7bfc00c7fe0adb539d55",
+    "version": 7
   },
   "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
     "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
@@ -1966,8 +2026,8 @@
   },
   "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
     "rule_name": "Potential Command and Control via Internet Explorer",
-    "sha256": "a5a4d4e22517c9c256ff22db014e7d01eb48986c27b2efa495761fbf3c430a8b",
-    "version": 3
+    "sha256": "6607ad18f48b672374029386caeccf0434b055d0ad1b6d035704d773bf06c169",
+    "version": 4
   },
   "ace1e989-a541-44df-93a8-a8b0591b63c0": {
     "rule_name": "Potential SSH Brute Force Detected",
@@ -1991,8 +2051,8 @@
   },
   "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
     "rule_name": "Kerberos Cached Credentials Dumping",
-    "sha256": "4818e94c1c67173f475242f9d94f941902a8457697ee622ba20f9daffd897bbf",
-    "version": 3
+    "sha256": "ae34300bc6a31dec04ee9e3edfda886d660fef5b4b5b11ac17e87b1c12629a2b",
+    "version": 4
   },
   "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
     "rule_name": "Netcat Network Activity",
@@ -2026,13 +2086,18 @@
 },
 "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
 "rule_name": "Remote File Copy via TeamViewer",
- "sha256": "ecd0137032c4c2466aadefa7b02e3e577736b37087d25529efc58f34c28a71c8",
- "version": 4
+ "sha256": "da3c30b2325fde833e7f51119907e7fe036c63d2c519ebc209219678adcaf401",
+ "version": 5
+ },
+ "b2951150-658f-4a60-832f-a00d1e6c6745": {
+ "rule_name": "Microsoft 365 Unusual Volume of File Deletion",
+ "sha256": "4a15c4e54783c9e2e4ff522b2cf99daaee98b480161b1b0be8230d659383cb58",
+ "version": 1
 },
 "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
 "rule_name": "Network Connection via Compiled HTML File",
- "sha256": "5bd892d8ebcb429a2b8a9396f2cefbe7a02a3472326fa95b774f4c4b1a53ab2a",
- "version": 8
+ "sha256": "178f41173d20d636480f9ed3b789bb0815b9f38a327bab209b3a98e29e5ff6ed",
+ "version": 9
 },
 "b347b919-665f-4aac-b9e8-68369bf2340c": {
 "rule_name": "Unusual Linux Username",
@@ -2049,15 +2114,20 @@
 "sha256": "9f2b91695b4312bdd195b4b435baca4915e550c4d1d524e7d2fd81ad7f56f9a1",
 "version": 1
 },
+ "b45ab1d2-712f-4f01-a751-df3826969807": {
+ "rule_name": "AWS STS GetSessionToken Abuse",
+ "sha256": "dafc0655d05eda9f4d7aa25bc681f944dfbb3406af1af35b75c17f0361e07c05",
+ "version": 1
+ },
 "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
 "rule_name": "Attempt to Delete an Okta Policy",
 "sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac",
 "version": 6
 },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
- "rule_name": "Volume Shadow Copy Deletion via VssAdmin",
- "sha256": "54f267e7bd737926f39f468d39a596a292325d0c0df660749a18f33b46955066",
- "version": 9
+ "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
+ "sha256": "a009ff3ab4c85e8aed1731545a96eb1a380cf0927bdbc9a6838aae79a83803e0",
+ "version": 10
 },
 "b64b183e-1a76-422d-9179-7b389513e74d": {
 "rule_name": "Windows Script Interpreter Executing Process via WMI",
@@ -2081,8 +2151,8 @@
 },
 "b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
 "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
- "sha256": "6c7e16490d9df6da2fe93c0c2bdebb5cb6135c50dd4f5d2ac3aa76cd30e97617",
- "version": 5
+ "sha256": "f2337e3bf6ede7fe3d56f1b71e0c49055ccbacb5d1e3490fca8e6d0ad3b803a7",
+ "version": 6
 },
 "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
 "rule_name": "Network Connection via MsXsl",
@@ -2162,8 +2232,8 @@
 },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "6e4bba28f2d2a39b6eea697189e933adb39e73e24a9949d485285db5be65bc7b",
- "version": 1
+ "sha256": "992fc3eb2005070d0a2eb094b89e093b57426cbe863e2c35c946265fb8f0d23c",
+ "version": 2
 },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
@@ -2177,8 +2247,8 @@
 },
 "c0429aa8-9974-42da-bfb6-53a0a515a145": {
 "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
- "sha256": "4ce6036775350e31b5f760f1fa899ee7be508d50e17e38b822a2ff9fa0ba172d",
- "version": 5
+ "sha256": "b252b1b0ae3130cc2aa2af9cd752d49af6d14fd275f6252fa6171a2c9a3ae506",
+ "version": 6
 },
 "c0be5f31-e180-48ed-aa08-96b36899d48f": {
 "rule_name": "Credential Manipulation - Detected - Elastic Endgame",
@@ -2247,8 +2317,8 @@
 },
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "ee3ab5606f836c98a65ede43ac5c1d0c7fbdb968b0054830dfd47af55de52f62",
- "version": 8
+ "sha256": "1998ec75b5eb81ab21dc332a0101d5fb3564ec7fd4023c45d8bc0707c1a9b36b",
+ "version": 9
 },
 "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
 "min_stack_version": "7.14.0",
@@ -2303,8 +2373,13 @@
 },
 "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
 "rule_name": "Direct Outbound SMB Connection",
- "sha256": "437317e02b02da214489bbab1c65f2f875cb48eaf5121c27a63ef3e9b2642344",
- "version": 6
+ "sha256": "211e2a7134d501f32017fb32b025c99a139a2eeabb60830d0df4ca74a56b43c8",
+ "version": 7
+ },
+ "c85eb82c-d2c8-485c-a36f-534f914b7663": {
+ "rule_name": "Virtual Machine Fingerprinting via Grep",
+ "sha256": "bf300101c83a76a56196a6d061a1495f30d48c3bab5d7eccc5a121967d04c754",
+ "version": 1
 },
 "c87fca17-b3a9-4e83-b545-f30746c53920": {
 "rule_name": "Nmap Process Activity",
@@ -2318,8 +2393,8 @@
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "73592f3bf7a304f413433934022d07f75af6301df302ff33e8d876396c3cf782",
- "version": 1
+ "sha256": "18d0de4ff6f850a79fbaa5298d906a404a9ea579a8fd19df694f6e5c5b0b6120",
+ "version": 2
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
@@ -2403,8 +2478,8 @@
 },
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "ffa9b4ae839b5008ca69ce7dcd7e3ba23e78d8c52c94c211d8d69b543178062a",
- "version": 4
+ "sha256": "823c4ff1be037943b66d709e61e0133600e0c2e6b13b4c3a62a446c5122f298e",
+ "version": 5
 },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "rule_name": "Cobalt Strike Command and Control Beacon",
@@ -2443,8 +2518,8 @@
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "9bf1c8265176919a62c9cc82b85c1373bca39e43838a5dd64f282d64b45de863",
- "version": 9
+ "sha256": "6045641eb94c7fd8b0837e3aee0d9d4f2c876cf7ef5caab2d04c079dc11dd562",
+ "version": 10
 },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "rule_name": "Shell Execution via Apple Scripting",
@@ -2548,6 +2623,11 @@
 "sha256": "a96204e734aad61228f51845056ce0f072c2740658b3d7b8af4eff8706a9ba9d",
 "version": 5
 },
+ "d99a037b-c8e2-47a5-97b9-170d076827c4": {
+ "rule_name": "Volume Shadow Copy Deletion via PowerShell",
+ "sha256": "c166e8d3145309bbf8fb2f0a8940d6e32de698c63c1e0da088b8451223cda272",
+ "version": 1
+ },
 "dafa3235-76dc-40e2-9f71-1773b96d24cf": {
 "rule_name": "Multi-Factor Authentication Disabled for an Azure User",
 "sha256": "11c865273e884bc2fc14a65de9455d9d999fec216a350a79742055ea2689a328",
@@ -2560,18 +2640,18 @@
 },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
 "rule_name": "Threat Intel Filebeat Module Indicator Match",
- "sha256": "22044ac757cd8ff685631dcc80bb0a463fe35ea0cdb50402bad9c202d902e381",
- "version": 1
+ "sha256": "4aee4e7612e01f652dd5bc52ec84e6202f180ab4525080a71e3da0201e4a67d1",
+ "version": 2
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "51ca2215f79efce05cf6065687607be7812ee829dbe9de2c46e31a24baeb63c7",
- "version": 9
+ "sha256": "c7114e3a146e9a6f433e98cf3f746fd92dc8fec7c778c85f81593faa766a1295",
+ "version": 10
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
- "sha256": "08b2b4cb35a69751eedfe76a8d1ac4d07fa57a340939560a7e3b2287187c4cf4",
- "version": 6
+ "sha256": "01ac7e2483d04374dbe5454e88e83ccd2dc9f6fc5309f072147b6da99f6c6bad",
+ "version": 7
 },
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "rule_name": "NullSessionPipe Registry Modification",
@@ -2615,8 +2695,8 @@
 },
 "e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
 "rule_name": "Whitespace Padding in Process Command Line",
- "sha256": "63ea346828f878f6fb72dd00e88433d75fa6839baf882c5e5ba5cfcaceab0c2a",
- "version": 1
+ "sha256": "f182f841954adaa9009a1b62d0b98506f864adc4d7ab93e8467f26ada0f518d0",
+ "version": 2
 },
 "e0f36de1-0342-453d-95a9-a068b257b053": {
 "rule_name": "Azure Event Hub Deletion",
@@ -2636,8 +2716,8 @@
 "e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
 "min_stack_version": "7.14.0",
 "rule_name": "Spike in Logon Events from a Source IP",
- "sha256": "fb4afa427f0347f94517a7191fb7a7f880941fbd2bd47289ce54bcbf5bfc67c9",
- "version": 1
+ "sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91",
+ "version": 2
 },
 "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
 "rule_name": "AWS Management Console Root Login",
@@ -2656,8 +2736,8 @@
 },
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "81c0684aa15cce486e20b18305135c90b2e696990f9f9928b916a604ec1607d7",
- "version": 8
+ "sha256": "bc0cdfb0670f89d77aae9839c681a4e26499830163210bbe8ce929b5c426c68f",
+ "version": 9
 },
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "rule_name": "Ransomware - Prevented - Elastic Endgame",
@@ -2704,6 +2784,11 @@
 "sha256": "be780601c9e4a7e1aca8845facddfea5d71bf738376e9880f61beae46ddc51a4",
 "version": 6
 },
+ "e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
+ "rule_name": "Screensaver Plist File Modified by Unexpected Process",
+ "sha256": "246d03e49a68169a248914b3d7010e3707f42a27ef57fc08b24727a3b5f06773",
+ "version": 1
+ },
 "e7075e8d-a966-458e-a183-85cd331af255": {
 "rule_name": "Default Cobalt Strike Team Server Certificate",
 "sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7",
@@ -2714,6 +2799,11 @@
 "sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929",
 "version": 2
 },
+ "e7cd5982-17c8-4959-874c-633acde7d426": {
+ "rule_name": "AWS Route Table Modified or Deleted",
+ "sha256": "dfc3d05667713b082859c690e61f72dbf5e3c650c4b8d1abe77544657c34ac5c",
+ "version": 1
+ },
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "rule_name": "Service Control Spawned via Script Interpreter",
 "sha256": "06690c0658d2dd465f3f42e62ce6289924edceaa79f26b4aca756c585acfaa13",
@@ -2781,8 +2871,8 @@
 },
 "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "c5dc6b1040c2435cfe6ae76ca3334add285aa323acbf57de8d290fcb1df713e6",
- "version": 5
+ "sha256": "09683401b4fff4e70db85bd1e692716a304d674c78fa75013cb09ab1e0236835",
+ "version": 6
 },
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "rule_name": "Process Execution from an Unusual Directory",
@@ -2806,8 +2896,8 @@
 },
 "eda499b8-a073-4e35-9733-22ec71f57f3a": {
 "rule_name": "AdFind Command Activity",
- "sha256": "6ddd06f0d57dfe3c9f2a0bec8b2f39773e8b40e1213a52ebbae19d90c9d43b85",
- "version": 4
+ "sha256": "e00f8844f4cd9dae87d650fcf2c3ea31b66cdbe8d9a951cef452f49d469e78f5",
+ "version": 5
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
 "rule_name": "Attempt to Deactivate an Okta Application",
@@ -2871,13 +2961,13 @@
 },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "rule_name": "LSASS Memory Dump Creation",
- "sha256": "79631e38ec873ab7281bd533d4827e487ce9da67c8af72a09ee12bc1cef3b04a",
- "version": 4
+ "sha256": "1bb7f26beff47b579126c16832e72166cee2812ed3b488223fd921bcfc96f456",
+ "version": 5
 },
 "f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
 "rule_name": "AWS RDS Instance Creation",
- "sha256": "8510cdcc19e7d92882fbb86ed39ae27d39dc16f4bdbe64d58d1e45a3fcc2ed3d",
- "version": 1
+ "sha256": "f359082c81ed687bb0fd222764315f15f6249a1690fa7fbc692035c882ce576b",
+ "version": 2
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "rule_name": "WMI Incoming Lateral Movement",
@@ -2991,8 +3081,8 @@
 },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
- "sha256": "44684e57ec77578500f17e973b1f334764c71964566770833d22956e25e6be1b",
- "version": 7
+ "sha256": "b52c0b3b61c361bd48462ab2432ba1e1689286e1e3022c5580108b09dacfe55e",
+ "version": 8
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",