diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 88392f610..64e084555 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -2,23 +2,23 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.3", "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "9a422bdc389d943822cf96b871a7a21b0bf1f5d4bfec7fc13afd5bf95d6d27a1", + "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", "type": "query", - "version": 104 + "version": 105 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "7ceb2877a0370d94be392bbe6c33df71f2affb01502593a074424860a5bd0b7d", + "sha256": "d30c57775c5b17bd01a68c5752337e391ce2d7db5cb8aa6eccbc9a54c200c86c", "type": "eql", - "version": 107 + "version": 108 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.3", "rule_name": "System Shells via Services", - "sha256": "4286639db44046de50005bd7097512f21e39f2a52cdb8345be584c9ad02e4adc", + "sha256": "8f7269ea080f0c8f9d2257a9ed2e32139f4c2c1cd0dbc9ebf61ee83987b10d83", "type": "eql", - "version": 106 + "version": 107 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -51,16 +51,16 @@ "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "1f6016205bdd04508b0d8671b2b30a4eb1b8f0fe62aa4024a1d4baf913a02b93", + "sha256": "1fcc8d07520fa392cbd941dbaaac5fef1dc5dee48d5ab029ca64cc5409f7089a", "type": "eql", - "version": 102 + "version": 103 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "min_stack_version": "8.4", "rule_name": "Process Created with an Elevated Token", - "sha256": "67b7525831b20322988d48f3e1ee927a32369070f69e1b6c0e4e8239c0c15d6d", + "sha256": "6c3c1a1a62be741fbfd99c0d2a69725f05c69adb7d911d8241132facbd72dbe8", "type": "eql", - "version": 4 + "version": 5 }, "02a4576a-7480-4284-9327-548a806b5e48": { "min_stack_version": "8.8", @@ -81,9 +81,9 @@ "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "d2c3a678a60fd16ce4fb4f298b85f64f7c780ee43c088155a54aa3b240a2b62d", + "sha256": "7a5170b3aaae9d499bfda31675011334d8bc6f2ce992414981042ce2563e0efe", "type": "query", - "version": 103 + "version": 104 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "min_stack_version": "8.3", @@ -95,9 +95,9 @@ "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.3", "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "dd6c1bb700d4b7243352b74d107b1a80d833e0e7803adb9011472cbe673314eb", + "sha256": "71c36a582a1af6f143c5b2316611eceae40fef43328be88831c24b2317e7ccae", "type": "threshold", - "version": 105 + "version": 106 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "min_stack_version": "8.8", 
@@ -109,16 +109,16 @@ "0415f22a-2336-45fa-ba07-618a5942e22c": { "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", - "sha256": "5bed0c50445b232e92f1f2e5cb84dcf93e8599342d6337c785948a0eade70419", + "sha256": "4cb2b6b77c91784f961b4347413643db618e2f27805ae42c5d6087ba7e5a9794", "type": "query", - "version": 104 + "version": 105 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "min_stack_version": "8.3", - "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "915fd8f02f70d4534fadab29964fe138e115e4032d324f80eeea65e8364adc18", + "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", + "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", "type": "query", - "version": 104 + "version": 105 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "min_stack_version": "8.3", 
@@ -130,79 +130,79 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "542e052f17b733bece1890910265a68070e619b61b65fee4863941d0049a877f", + "sha256": "242d70865b8ccc44b23dc4c85ec781e9f6de7966acae6376216fe6157df81b72", "type": "eql", - "version": 105 + "version": 106 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "6c2659629ecf23b93bba53227738008cca52ee9a54d0d0a71181b02a0f189bb5", + "sha256": "dc6dc5d5b9bb5d8022327de5bbdc2e934503ba0e31ae2336672439cbcc22bf74", "type": "eql", - "version": 105 + "version": 106 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "46cdc58f49c8ec428ea58ef3fc1f0c2e0d0513e26061021a7d78fb015cf8682f", + "sha256": "7f1bba1cf96766fe9d2d0d21e7e7d03114483ebf1d91a52bdc7a370c5751699b", "type": "eql", - "version": 105 + "version": 106 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "24ed5d192e4dfa765cd52b240eb2e3b0db1984cf8fc53acbf42de66858916b46", + "sha256": "f31c9a7ea34568a5374ff1710793245daeb9aeb25b3a9a24e97f06a5888a0ca2", "type": "query", - "version": 104 + "version": 105 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", - "sha256": "563fe9eaca1e1e48398b91a676ecfd27746f513a3d504507be7e3fc94327dcdd", + "sha256": "21369e608f88a1ea5dcd90d5365bba2e9a909fabf973ed66e37e9136f5f0699a", "type": "eql", - "version": 107 + "version": 108 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", "rule_name": "System Time Discovery", - "sha256": "ceef78e29bb12783c4e7bd67ead843022c541b162f4101bf1df4c38009feebbf", + "sha256": 
"8534280f701e221bc1312804c5bf3de446a2ef36dd62d6e9bc6e3bb765c9cf76", "type": "eql", - "version": 3 + "version": 4 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "f2e1d9f9e673fffd0fd4af8e63f9e6100d98ed20237ce52345d80853447d0287", + "sha256": "15afab23b7e9efd31d6586f78173366c7895bb1610bd6431cfc8cf2daf8dc063", "type": "eql", - "version": 4 + "version": 5 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.3", "rule_name": "Potential Evasion via Filter Manager", - "sha256": "f33a2c60b52132afa19f7d1b04f28a51527e239f2be3d1e0af94cf4dbe0a508b", + "sha256": "ff88a573a0a319738afbfe4b609f25b741830e26d67d348a9b995e5a9d489dcb", "type": "eql", - "version": 106 + "version": 107 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "22f0eca0e14ff81ca6968be97b9be1ac76795d7c7cfcb77c669b486f3feb0490", + "sha256": "f00b9c39c021a4f1b4bbb9b99497ddbe906de70e57582440fa6dc315977892e7", "type": "eql", - "version": 105 + "version": 106 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "c0e22bb1ec65c7fa009ef3abdf7d1a92ee28cc5bb7aeddb0c344a3b14793d6b3", + "sha256": "5839a3666d7e0133ba8b7e42ac89b59b39e750d0b97a3b3583b69c13de90129a", "type": "threshold", - "version": 2 + "version": 3 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "8f5be7d3bda530597080b538417d320e771038574ab9532bf334820643da2012", + "sha256": "a31f827db85593474e5766adaf71c535a3a5d7ce628347b6b7e606bdb261bd04", "type": "eql", - "version": 4 + "version": 5 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -223,37 +223,37 @@ "080bc66a-5d56-4d1f-8071-817671716db9": { "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "9f89e10a43049fdd1c7d8cd36c35993b58cfafbbd8d75a91dbad6c55ed9abcac", + "sha256": "9170960c7d48e8e84833ee33402dc9fc313e3f5fc219be8eebf6c3fef43b13d6", "type": "eql", - "version": 103 + "version": 104 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "e1e1fb20c0848c46dbc60d975a90bbafe0f2fa9c3004b103bc67da463de80761", + "sha256": "c0576e652d149dba1c8803419d6a632c9e994ab1037dbd4d33c61e67e376b878", "type": "eql", - "version": 103 + "version": 104 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "0d33a7b572a0b2f6a9fac660cbe0f5023d907c895cdf39f0a6d79f6dc32cec0f", + "sha256": "24161e1b97e4d175337171d4edb04ae53af62b618e97bfadae325175a6a804b9", "type": "query", - "version": 103 + "version": 104 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.4", "rule_name": "First Time Seen Removable Device", - "sha256": "6fe9605f5969f9fdbeebe376c053f8522fde40eecb05605ffc286f728c904a51", + "sha256": "8f68357de02e845b6234f38e1867817fe26ebc0f260faded9b8c6d2be88b2ae0", "type": "new_terms", - "version": 1 + "version": 2 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", - "sha256": "32164f862f35dbf82a5a27223a8fda5cc270bacb541870c57665e9d24c0d096d", + "sha256": "9c4c3dc22f5ae081c7fce7c1cb6523dabdd5affb3e5b4ffce5fe00ec5dd65815", "type": "eql", - "version": 1 + "version": 2 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", 
@@ -264,16 +264,16 @@ "092b068f-84ac-485d-8a55-7dd9e006715f": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "f935fba02086f8be758f3b9489c61f15d8ad949e6d960266f34c6ac2afdc85b6", + "sha256": "f6144e95dc8aa7800b86c6582df0d1251a9c27f1585675fa011b5ac9ebe844c2", "type": "eql", - "version": 103 + "version": 104 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", - "sha256": "a713fe5236004a4069d67f041ed7a272473f219db72fa48c09260d64239dbea1", + "sha256": "b47a3759b8145c73009358643478d070d44505235b1c16c6282bf2925986ffaa", "type": "eql", - "version": 105 + "version": 106 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -281,6 +281,13 @@ "type": "eql", "version": 100 }, + "09bc6c90-7501-494d-b015-5d988dc3f233": { + "min_stack_version": "8.3", + "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", + "sha256": "094055b11724accc14288884bea8d069e3e5c1c1d32159a9b78fc9d7808cdc3a", + "type": "eql", + "version": 1 + }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "min_stack_version": "8.3", "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", 
@@ -295,12 +302,19 @@ "type": "query", "version": 101 }, + "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { + "min_stack_version": "8.3", + "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", + "sha256": "6292561dbd089951c5f89ea4611e1d54d55397b493aa93f8cdba5c3e5f7e09fa", + "type": "query", + "version": 1 + }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", "rule_name": "Anomalous Windows Process Creation", - "sha256": "9595ea9abe7f131ce8ef756327adc42d3e3f68fc866ddb22edd6327ffe22ec32", + "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", "type": "machine_learning", - "version": 104 + "version": 105 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.3", @@ -312,7 +326,14 @@ "0b803267-74c5-444d-ae29-32b5db2d562a": { "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "b1357614dcd30402aba8ea62f30facd7b7d9ea27dd5f096002841eca233f64a8", + "sha256": "cd1a313ebc7c4d9e532bb43100c4d5c06d27676750ffde616f9aec4fcb71d086", + "type": "eql", + "version": 2 + }, + "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { + "min_stack_version": "8.3", + "rule_name": "Processes with Trailing Spaces", + "sha256": "e4ad46e5487eedd9a600516e6aaaef43bfdd74f9bab9254376a7ab03846dbdf1", "type": "eql", "version": 1 }, @@ -326,9 +347,9 @@ "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", - "sha256": "f484d3e00e0c096828790f0301bd66fc0e746ee839f95f372ec694c5057f8d8f", + "sha256": "5b50fcf0eaef2f2da52e18a413845a9342f1271d669f06c117524bd4afb7db27", "type": "eql", - "version": 105 + "version": 106 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.5", 
@@ -363,16 +384,16 @@ "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", "rule_name": "Nping Process Activity", - "sha256": "ee85a3f7c234d44927852d506fca33cfc75eec28452fc15f59a686314d90a7ba", - "type": "query", - "version": 104 + "sha256": "b526d1555e13cf130c9d0129928555065e1f976d20616cd8863f9e2f7c8720e6", + "type": "eql", + "version": 105 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "957cbc7582e9aa63ba824f1e9d089ba9e08d0811c60b56eaed48becacaa404aa", + "sha256": "b2d0f5656de26bb1163ed5edbb9bf90bde8a599b310b94c0eb3e629ddc0b93a3", "type": "eql", - "version": 105 + "version": 106 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "min_stack_version": "8.3", @@ -391,9 +412,9 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", - "sha256": "7559300757f955a76e69fde5ed3d0d581ed0b6765514f5edd1dbfd1b4c9ad43d", + "sha256": "704d15579a6028b995cfd93bc3a2d782e75c41c656cdcc7c5673f782b70396b5", "type": "eql", - "version": 104 + "version": 105 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "min_stack_version": "8.6", @@ -401,15 +422,15 @@ "8.3": { "max_allowable_version": 102, "rule_name": "RC Script Creation", - "sha256": "8ff8bb29b78a06c2423fd81d4e1ee96b96a55b848136791f25b4415a0ada11f3", + "sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "5775d029f6a1d764e77e8eeaf6ec342b87708404184191c14ff48fb3b1b56dc8", + "sha256": "cd15e73bb94658d23cc9c074c1ace32b319514089fac6deb29e145d0179bb131", "type": "new_terms", - "version": 105 + "version": 106 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -436,9 +457,9 @@ "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "dcdb5f1a6a492166c0bba63394f40eb43a4f0fb57319848dfbbc3a3578c32443", + "sha256": "e840e03f40e5ac088e2f850f08c2b1286f607a659a430a7051e44d31213c7a22", "type": "query", - "version": 103 + "version": 104 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", @@ -449,9 +470,9 @@ "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "min_stack_version": "8.3", "rule_name": "WebProxy Settings Modification", - "sha256": "438530899895194781ddc4006fff420bf7523b45906f957871e7dee42abc8543", + "sha256": "264c4b78490cec9fae3de080bd655b5a1c53ff31c54b5704c76834b583f0516b", "type": "query", - "version": 103 + "version": 104 }, "11013227-0301-4a8c-b150-4db924484475": { "min_stack_version": "8.3", @@ -463,16 +484,16 @@ "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "e396766823e2a5405b9b406ce2880740eafe1dad906817dad76eab68c55f6ce1", + "sha256": "6ed2244e093a1870d45df1482662e4f762ce4734090878e0a1d1a06e9675b775", "type": "eql", - "version": 104 + "version": 105 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "63bc38efcfec562edc1061756b0342376516b05fa2fb863012a58c668a580f6c", + "sha256": "faeaccab4b1a4766cc93a7b427cb7250df74ac218438d547281678e44d7a3cd9", "type": "eql", - "version": 106 + "version": 107 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "min_stack_version": "8.3", 
@@ -497,9 +518,9 @@ "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "d3059cd402c14f14002ea7323b4fc71ea5c1a815b5531b9b5299b3bf0e3e8e45", + "sha256": "8614adabfa74ea56500abff063edfd0fab24a93e560df2fdfd68d3a60b78fa10", "type": "eql", - "version": 106 + "version": 107 }, "12051077-0124-4394-9522-8f4f4db1d674": { "min_stack_version": "8.3", @@ -571,30 +592,30 @@ "12de29d4-bbb0-4eef-b687-857e8a163870": { "min_stack_version": "8.3", "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "70a17b1089407540ef0a22d247da2b9797fb65a044a7068ee47c963e3edcac74", + "sha256": "6a69ca21111665ced0b0cc269c53ac00d37ac29fccb5d3e5d04abe8e0de046d6", "type": "eql", - "version": 1 + "version": 2 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "8492aea09a8f74fb916c4b43d9f9496d4961b84eacddada8e41edc2bab53cf13", + "sha256": "fcf12be61708b748f14f6ae118e930f2c5ebf65992bc3df225f66c5dad6ed0b6", "type": "eql", - "version": 105 + "version": 106 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "165d90954e8258658e25a73c27e904aebdfb5c3f0746edae89432e0b251f3559", + "sha256": "d49a0d61c82206a76e5ea5062c272c71b644034b559db7579c8be76bb8dc36d6", "type": "eql", - "version": 103 + "version": 104 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "8.3", "rule_name": "Rare User Logon", - "sha256": "d79f5a924028ce11cb5341db06c539127620d7e597136fb655293a574cf8fb81", + "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", "type": "machine_learning", - "version": 103 + "version": 104 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", 
@@ -612,9 +633,9 @@ "143cb236-0956-4f42-a706-814bcaa0cf5a": { "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "ccfab492c8adbc45331067fb58cb3959c360d967505ff0d7ffeaa1323868d37d", + "sha256": "54422260766b12b7477aec8acb27085b1eae0a36285553d26e5730bce422e7a9", "type": "query", - "version": 101 + "version": 102 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", @@ -635,9 +656,9 @@ "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "9ab2deeaf3638f10af0ec2ca4a3c89ea6ad2ec7db4d2ff2a51279145b5a60995", + "sha256": "afca97139ffb2af012ea212958cd4118f14e183943e7c030e5ac45d06a430450", "type": "eql", - "version": 103 + "version": 104 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", @@ -649,16 +670,16 @@ "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "2ba2deb5cd5e080ab5084bcd5a91402553f04f43ce0dc8e89e9b0ea0723b58e7", + "sha256": "65f575f302777f8e9f896d45ad7e2b53416d03fc3d711a6058f740c933b3e1c4", "type": "eql", - "version": 106 + "version": 107 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "44f9d9a8dd21e71fd622520c48dee8e34a6385a00233d02159d3b6ea627c995c", + "sha256": "d963ef7eb139996297e8b66dc040b9ed8dd898130265bc0f428c48f57690155d", "type": "eql", - "version": 103 + "version": 104 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "min_stack_version": "8.3", 
@@ -677,9 +698,9 @@ "16904215-2c95-4ac8-bf5c-12354e047192": { "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "0892038cb6c2617c76c01133337736a9dc13f00858043d1d47a26093d59fd670", + "sha256": "0c96bfd65d7b122ff4af72519d72f2fc9837dcb1d9189a96e7c51301cf0ebcc5", "type": "query", - "version": 103 + "version": 104 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "min_stack_version": "8.3", @@ -691,9 +712,9 @@ "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", - "sha256": "e3946cad4be97cacd6eae1721271b99d75c06e1af3701bbb7aacb41fe100a1d2", + "sha256": "436bc1aff82273c9504f7df46a2ce3c1653d4dd9864c1580f5ecb99a74c6e3cf", "type": "eql", - "version": 106 + "version": 107 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.3", 
@@ -705,58 +726,58 @@ "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.3", "rule_name": "Unusual Windows Username", - "sha256": "fff16af718cd9ffae3845fb7daad7562efcd57c71784ae10ed3b7b458a9107c1", + "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", "type": "machine_learning", - "version": 103 + "version": 104 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "8.3", "rule_name": "Unusual Windows Service", - "sha256": "ff1fa0b30a31a711cdc799b98e3e33a6941b35265488642c8aa915e3c21f0154", + "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", "type": "machine_learning", - "version": 102 + "version": 103 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "8.3", "rule_name": "Suspicious Powershell Script", - "sha256": "3895aa490f18fe5c408b47123198b36f74c34e00ff47968814da0ff89e19a4a6", + "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", "type": "machine_learning", - "version": 103 + "version": 104 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "8.3", "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "8c8018eb635fd964b7430b8124f9a03577ac17f143c87d56a9222e575a052e4c", + "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", "type": "machine_learning", - "version": 102 + "version": 103 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "8.3", "rule_name": "Unusual Windows Remote User", - "sha256": "8266a1b8aa08d10d5a6152680285c505e74d47f6eb0b5130ccfb482b597be1b5", + "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", "type": "machine_learning", - "version": 102 + "version": 103 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "b58a3e067846aa68d0aaec50f2b50e30db0431f78fda376ed81fff2472bd0e33", + "sha256": 
"bd8754496ad2a53571780aab55b02d8dbe4aa20329da96a586b6f81cb7fecdf8", "type": "new_terms", - "version": 3 + "version": 4 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "8624a0d129507bc882e310e06def62dceeedac119b86d488dedda1dad2fbe1e9", + "sha256": "333e76901898def53aa58c45b53af5fa36c5089a44572e8677b626c99d9e9864", "type": "eql", - "version": 106 + "version": 107 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "8.3", "rule_name": "Unusual Network Destination Domain Name", - "sha256": "d11d221471750536a9a97aee505829b9e7901d9b98e601a6e934d045991a364c", + "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", "type": "machine_learning", - "version": 102 + "version": 103 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "min_stack_version": "8.3", @@ -771,12 +792,19 @@ "type": "eql", "version": 100 }, + "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { + "min_stack_version": "8.3", + "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", + "sha256": "1169776f997d618e40607bc71cdd85c338f7c14f158c845f3ab3ab48922d23f4", + "type": "eql", + "version": 1 + }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "min_stack_version": "8.3", "rule_name": "Rare AWS Error Code", - "sha256": "0b677c45dc16ebe1b9892935012d7b471f6ba00dd9ca2a5f6762e7fc9f6b9db0", + "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", "type": "machine_learning", - "version": 105 + "version": 106 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "8.8", 
@@ -795,9 +823,9 @@ "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", - "sha256": "bb578f3e1d24bdb4b2416fa51a933ce19fe9ccf405b52123fb1cb4bb511610b1", + "sha256": "c9a9234db42533396f1a25a5036711a9363213918faa1187a99e65ae616c78b4", "type": "eql", - "version": 105 + "version": 106 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "min_stack_version": "8.3", @@ -809,16 +837,16 @@ "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", "rule_name": "User Account Creation", - "sha256": "e544e513edc167ed6b2f43ccdec0ecb083ad0e80d51ede5803386ca3651e9eb6", + "sha256": "bd9e8d97604e499b249740f537c152e6e886cd82a2d77ceda0bbd4ef99ac37b4", "type": "eql", - "version": 105 + "version": 106 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", - "sha256": "ebe2157d2be3dec7bdb644d51a8e5563886c3037dce4f3ba3b44802e8a515f80", + "sha256": "68f0d73167458fd1589c365cfb07d8bdf9d49e3368435dd8ad08d5eda2d180a4", "type": "eql", - "version": 103 + "version": 104 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "min_stack_version": "8.3", @@ -844,9 +872,9 @@ "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "9c653b226714edd66db9bcd63a5b61afe9f915a3d04b61c4e9641b0132981891", + "sha256": "3113571e7885f573582d119f9e0905d33369509446e7a2729497380f27d3d077", "type": "eql", - "version": 107 + "version": 108 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", 
@@ -858,23 +886,23 @@ "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "fad07b733ad42f63807d05c81d55df36306a6c09c9e59bbf960f30ffd4f3d047", + "sha256": "38ff22d9612874236bb0fdc1ac65f9f649734272e2484b7058245985ecadd621", "type": "eql", - "version": 105 + "version": 106 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", - "sha256": "94b1f780ffc9a1e13fabd97046085a02068f9f236c4655443b571fedaf8b3c40", + "sha256": "6e10cd53c6b8fef5635f3e97892648c45c1ef8219958c3ad9af076a08f6788b7", "type": "eql", - "version": 106 + "version": 107 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "88344077479fe7a92e02d7ed80dd61d1733d35872c4b32300f7c75ce99e0e74e", + "sha256": "b1a5f097c5ad6885bbd55d4375fd72cfc09507c502321b80aec6edfe33bc3a75", "type": "eql", - "version": 105 + "version": 106 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "min_stack_version": "8.3", 
@@ -886,30 +914,30 @@ "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "399683cb8a7541296d941d6618de6a1d2337c04d2e684ad1dc1972353e1de5c2", + "sha256": "cbdda8fa4a7ee1ebd5708a3bcc4aaf50947d560339f8f8c45effe6f0e8309a64", "type": "eql", - "version": 103 + "version": 104 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "min_stack_version": "8.4", "rule_name": "Suspicious Inter-Process Communication via Outlook", - "sha256": "b29c7d6e24c565eee5866f5af3a82ec494cc73979d164aa505e18b899295dc13", + "sha256": "7ac0061e940b4f3f683e9552b00466fbce21ca52e1c3a8b5e155fffed0764c4d", "type": "eql", - "version": 3 + "version": 4 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "6cd196b7a97a8f6c1d768209ed9210b64b27f19aa8d565661ab20aa0f41d779c", + "sha256": "2a864a262ee617027d2731c9da168a2d0d477cb915904829e10eb863ad881d85", "type": "eql", - "version": 105 + "version": 106 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "57853a843f49a01248a1eb2764b92716297ac333f002ff15620558a9e63a50aa", + "sha256": "3dccbfd612147d0714339a1a2d6ad16efe695f6d5d9ea764a595cec716beff1b", "type": "query", - "version": 1 + "version": 2 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", 
@@ -918,12 +946,19 @@ "type": "query", "version": 102 }, + "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { + "min_stack_version": "8.3", + "rule_name": "Creation of SettingContent-ms Files", + "sha256": "a57fdc00e51caf3e5c8c515a75a6b8e8bc79b4e2dbb0f9fb97bc36859dd60525", + "type": "eql", + "version": 1 + }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "min_stack_version": "8.3", "rule_name": "Unusual Sudo Activity", - "sha256": "bca7fecf19183cd732a99c75e2ad7e1c24b4b68d6b0c9d139c52cb90c3883707", + "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", "type": "machine_learning", - "version": 102 + "version": 103 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "min_stack_version": "8.3", @@ -935,16 +970,16 @@ "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "cd7269a5ce602d12ff69bfe2289d0777a0e9fda7421a49fdd26876b6cee74963", + "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", "type": "machine_learning", - "version": 102 + "version": 103 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "f510867b1dd612ee31f4ed99ee090e6cc0806950251ecf15121b5456971ed514", + "sha256": "f14eab4a7143c53fcd49fb00bb945fe9f86c0db1e63ad3b4fd1ceced47e484f1", "type": "eql", - "version": 106 + "version": 107 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", 
@@ -956,16 +991,16 @@ "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", - "sha256": "9a42d53d5a21a54a4ab03b5e096f23a5c2f253ee8cfa8eb8582b68d0cecd3010", + "sha256": "838a9d840a2c93100aa9faf4b4291f9c968db9e541f1cf59807bd041b0d88a94", "type": "eql", - "version": 105 + "version": 106 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", - "sha256": "670dd0c9b2c28c3401cdd4c2b4f0f6e5a071084a45af151cff15482da623680e", + "sha256": "f38629eb459ab9343b9f3748109d6c691baf729de86d85d83d10c0740baa869a", "type": "eql", - "version": 105 + "version": 106 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "min_stack_version": "8.3", @@ -977,9 +1012,16 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", "rule_name": "Access of Stored Browser Credentials", - "sha256": "35234173d5b9d4718749b086304cb9d676b2ece095386c7e288c7f5b229ef241", + "sha256": "f8275d90cfe0ef660c6505002f3eb7a22afc1b4c189c9ba4e9f9dd4184dc1161", "type": "eql", - "version": 103 + "version": 104 + }, + "205b52c4-9c28-4af4-8979-935f3278d61a": { + "min_stack_version": "8.3", + "rule_name": "Werfault ReflectDebugger Persistence", + "sha256": "6178ac16e7a1b92253a4eae0123a253627554a9bb2d28ac941328fb97f5250dc", + "type": "eql", + "version": 1 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.3", 
@@ -1004,23 +1046,23 @@ "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.3", "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "19ec6a6a0896ae50d8ef759a3f9583c21b1365d0018106a5e0e0d688c0654f86", + "sha256": "c54e0fcc5ec27640dfa0db638f45805ad4749c78972fa33cc061cab3f04f13d8", "type": "eql", - "version": 4 + "version": 5 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "min_stack_version": "8.3", "rule_name": "SSH Authorized Keys File Modification", - "sha256": "50288c67d08a85066d487dc1bfa5f383349b562b3320be4b185d22d4ef2cc876", + "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", "type": "query", - "version": 103 + "version": 104 }, "22599847-5d13-48cb-8872-5796fee8692b": { "min_stack_version": "8.3", "rule_name": "SUNBURST Command and Control Activity", - "sha256": "ab7404ca7d6b35763ff36170fef47dcca626b1485be92ad0740e5510531bef00", + "sha256": "ba55f907ef22d742e948ef03ed381c51077959c108f1166ec3e32bca889d77f0", "type": "eql", - "version": 106 + "version": 107 }, "227dc608-e558-43d9-b521-150772250bae": { "min_stack_version": "8.3", 
@@ -1046,23 +1088,23 @@ "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.3", "rule_name": "Kernel module load via insmod", - "sha256": "3230f6862ca7942199fb112659d899430fc1f392287340947964a157ab375492", + "sha256": "716b6003b6a1bbcec145bd5ccdfc5283a40c843dc12fc82ff75fd26cc67b5b7c", "type": "eql", - "version": 104 + "version": 105 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", - "sha256": "0b15540e1cf3135d70aaebeb44cd8b9611082ce65c7ceb3da995764c1da3f64f", + "sha256": "9567e972186b39d9f4d1a378dfb482b40eae9cc129ee8c83562223fb8f1a9a3a", "type": "eql", - "version": 103 + "version": 104 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "739ca4ff251f7d15397c5713f3e3a01880762163b87f43465f74fb4a63fadfed", + "sha256": "8bd9e051e381430287850aac140060e1c4eb55636e83ae0d010d241069f208cb", "type": "eql", - "version": 1 + "version": 2 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", @@ -1074,16 +1116,16 @@ "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "00a292de5d79ed61455a5054641d763aa07e5dfa9bd3b4ce12a8771ac4349411", + "sha256": "158c5a76f4a4ff8441aa5189db7ca3f8677a210f01a9023decd1732862ef8f46", "type": "eql", - "version": 106 + "version": 107 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "min_stack_version": "8.3", "rule_name": "Privileges Elevation via Parent Process PID Spoofing", - "sha256": "f45fdc170e91f37235ae1357d1612e1372586f8b503693d00740193525ed36df", + "sha256": "3beffde62280896b2aa6df7e414ebeb74f72233abfefcc99493b20c3c02d6aed", "type": "eql", - "version": 4 + "version": 5 }, "26edba02-6979-4bce-920a-70b080a7be81": { "min_stack_version": "8.3", 
@@ -1102,9 +1144,9 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "fb67b4c2ff34097c5ba5a94a26fce1978ce27992581f3539b1fbf38bd372f134", + "sha256": "2173b0cc2bec6028b91c5b9a051908ca9d6ea87cae8c881a23622b6239e85eee", "type": "query", - "version": 1 + "version": 2 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", @@ -1116,9 +1158,9 @@ "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "181d04840190629ceac8ddaecd5d5cbd16eec9b17b497b70284b04070ad8f3a1", + "sha256": "ed68bcf2e292ec89f9e8f578e9e4847812fd4177fa242725286c16db53ff03e0", "type": "eql", - "version": 105 + "version": 106 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", @@ -1144,9 +1186,9 @@ "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "421b6d4b08c0d4f3bbe75d35977673e821d543f468f6a2a7d847bd2eca7c5a33", + "sha256": "8ba669048ae42b7afd8f153bbae5a1b181f3d070db1241c38c847c1fe4dae0e1", "type": "eql", - "version": 105 + "version": 106 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "min_stack_version": "8.3", @@ -1158,9 +1200,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "4bd6246dc55fb0159c82faf0067c0e67b3915706692e70de0bcf8a3504c76afd", + "sha256": "6d8b1a876a2e1ce2967be858e2e4cfecd82d84c47b08d8e33c72e22725073eb2", "type": "eql", - "version": 4 + "version": 5 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", 
@@ -1171,9 +1213,9 @@ "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", - "sha256": "f4e6de1f9d2e53ff482497bfa4e3c0063a657aa1b6d18f646644810a785b9c69", + "sha256": "ea5c6d696a82dd4d7d63fb04dd726e8b1fb33ac4622151663d19d31ef7a99a67", "type": "eql", - "version": 1 + "version": 2 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "min_stack_version": "8.3", @@ -1185,16 +1227,16 @@ "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "181901c752e8e7635e1500c27e50132811a64005156e75d5e599f3fc3e1aa33d", + "sha256": "47309853f13ad591cfcbb60814b5c1a7c731abfc3f5349fbb5e9acb25b347134", "type": "eql", - "version": 106 + "version": 107 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "c491a97447ad88905464a5b08d67ea3d21cdcc34301ff855f7bb8be2a30b8c8c", + "sha256": "e1d3e0942816bd8564b7abde73127790f145ce3332346d041fbc1e0421600524", "type": "eql", - "version": 105 + "version": 106 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.3", @@ -1203,12 +1245,19 @@ "type": "eql", "version": 108 }, + "29f0cf93-d17c-4b12-b4f3-a433800539fa": { + "min_stack_version": "8.3", + "rule_name": "Potential Linux SSH X11 Forwarding", + "sha256": "8e67f5c7d845b4018e1be6a13d83ea84ba3cf8d5aa448dec49e7e3672158a0fc", + "type": "eql", + "version": 1 + }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", - "sha256": "90033dd971d1cf6b980023ac5ff9e523d374d3557e57c56b07f56371a39fe66a", + "sha256": "2f246e33c5b5318512de95d017377941e955a43a607619340a1ee900353ca612", "type": "eql", - "version": 2 + "version": 3 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", 
@@ -1229,30 +1278,30 @@ "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", - "sha256": "d1ab09bbfe775bdbf5f46ddfa00ee77ebaeb9c8e95e41007c1d584ef9e9d91fb", + "sha256": "8193724c74f8c3bda981c1ea69c1775177c530e3a5d30e2387577bd4abaa66f2", "type": "eql", - "version": 2 + "version": 3 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", - "sha256": "7ca0b1c215fd41e090bfe76124918f2469edb27a5b908f850479646379268a1f", + "sha256": "9aeae912e062be1da7e7f26a9a5cb726d945ce4bba3c5b040a131c5636920a59", "type": "eql", - "version": 106 + "version": 107 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "fe321f5fa2f5c624874ecd66cd88b4a28ae51c98a4c853fa56df88a076db045d", + "sha256": "5d23ecdc51a103c5863a93a34aea633e2691b91c8dbeb2a3551c652bfc691f8f", "type": "eql", - "version": 105 + "version": 106 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "a13260284beaf73ffd9e03b97a7dbc44b47b6698d9c0e7fab41b60751c153e17", + "sha256": "86de8c98200d07e566af71b1fa99113d43b1493e4faf47609359a69d1f0138b4", "type": "eql", - "version": 105 + "version": 106 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "min_stack_version": "8.6", 
@@ -1260,15 +1309,15 @@ "8.3": { "max_allowable_version": 203, "rule_name": "Enumeration of Kernel Modules", - "sha256": "4b0264a513359d05b99ad58d22080e4a27d8a180acd51c3a29b5a0762338548b", + "sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08", "type": "eql", - "version": 104 + "version": 105 } }, "rule_name": "Enumeration of Kernel Modules", - "sha256": "466b9b770f662323636376704d15a6f60f676574f2ed2fc6bc32e5704e01a92e", + "sha256": "e66fa90d3d617373ae52b10b1487f5d53b35fea7e11bf4371ccaf37fe0782482", "type": "new_terms", - "version": 204 + "version": 205 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.8", @@ -1296,16 +1345,16 @@ "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "min_stack_version": "8.3", "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "c66ac99c527d9ce3a571674a8427fc145e236e7704adb15cb5ba3a9746db5957", + "sha256": "7c1c93dc3cbb29566f0cea895464bfbda60a453682f8184de11de21ca49597b1", "type": "eql", - "version": 5 + "version": 6 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "b3d25fdf38184ccbc533bdd668d051180f53b7d0c949a2ce67bb64116298e817", + "sha256": "00fd95465bfe881a5dfb2b30e171b6d3addca0be3abcb66e67427c52a8e540fe", "type": "eql", - "version": 106 + "version": 107 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.3", @@ -1314,6 +1363,13 @@ "type": "query", "version": 107 }, + "2e311539-cd88-4a85-a301-04f38795007c": { + "min_stack_version": "8.3", + "rule_name": "Accessing Outlook Data Files", + "sha256": "143b6346fd2ca02b863de7457499fe60da116e99bc385dce6d07aa870d1e2054", + "type": "eql", + "version": 1 + }, "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", 
@@ -1324,9 +1380,9 @@ "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", - "sha256": "6e26beebe37e253940cae2bdff3afe8ee83ba7b02233dd15836064bf39c628df", + "sha256": "c682c5d7a2d90176791ea60cfc2d52a941a2c145e96c42c88a6802013e6d594e", "type": "eql", - "version": 105 + "version": 106 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "min_stack_version": "8.3", @@ -1345,23 +1401,23 @@ "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", - "sha256": "d53d2bac0f592f365342ebf32de4f22f12321dff80b3982f1dff5848f91a5994", + "sha256": "2a77643c47329e2c910e5c86d8c3b2f0cf2b93527ad5bc129d7e614c07ba6369", "type": "eql", - "version": 105 + "version": 106 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "98c901ae5e94affee20ba28310355c2fe120f82d9f2b15408ee034c7f1c48656", + "sha256": "2164ee6d1c3cd39e214f6c965e6cbd0a1dd158e51dd0d883fe83d6915d5f4621", "type": "eql", - "version": 106 + "version": 107 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "2922c5af881ac324c921bac57370a6c0fe4a370f396f73294ece99e681f6624b", + "sha256": "414eb4b19b8f79b0c86119bc090d5a342e45837af770df8d3365d3ab81bf5036", "type": "eql", - "version": 105 + "version": 106 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "min_stack_version": "8.3", @@ -1373,9 +1429,9 @@ "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "ff7198e3ae00ec17b015d5caef7bf6f51b3b3307706d52a2c796961917e3f4a7", + "sha256": "9375d07c27d373fae95ace527be0d4a8117abd263b43adfb31536459bda562a9", "type": "eql", - "version": 2 + "version": 3 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "min_stack_version": "8.3", 
@@ -1394,9 +1450,9 @@ "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", - "sha256": "e139026fbd34c9525711ed72b88a81109c225feb7a1a0a41785dfe0ad88a5929", + "sha256": "c52ce2472b85ca6486fe8ffef36ba98c35db8cd02a58a3e00cbdfbe6448fa7e7", "type": "eql", - "version": 106 + "version": 107 }, "3202e172-01b1-4738-a932-d024c514ba72": { "min_stack_version": "8.3", @@ -1415,23 +1471,23 @@ "32923416-763a-4531-bb35-f33b9232ecdb": { "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "227dd024cb116e5788d4d57bb5a4470e236eb0c932548930d13a6a5ead304cf0", + "sha256": "f989ae55a6fdc1e9c9a11c92fd231aa626b1bb662b0a119d8f5cae8d3c0f3577", "type": "query", - "version": 101 + "version": 102 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", - "sha256": "898a7167c8dfc155008b0e6d6ffab05c9635c1a5dc338425e37a8394c8aafd29", + "sha256": "f389c3e2a3f8696ba905bbf5f2e7cd9d651bba9bc241a8a4d1b2b38ae984e5a7", "type": "eql", - "version": 104 + "version": 105 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "1659091d6dbe28ced2ef8913bc04782e4d1d8d625937e952813963be6f20788b", + "sha256": "bfcb1a92ded4fab88e6d4e463b78405b82e80e00b2b0e1260ba1ff8164ac01dd", "type": "eql", - "version": 105 + "version": 106 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "min_stack_version": "8.3", 
@@ -1443,16 +1499,16 @@ "33a6752b-da5e-45f8-b13a-5f094c09522f": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", - "sha256": "bca338c4bb301ac4191c10df0d7d041b6f9c0ab26d5dba224b2b9994cd5df038", + "sha256": "9d95402d5a02b1571ef1d3e5ad966c19fd3cbeff7b5fa58198ac9151e1923ba0", "type": "eql", - "version": 2 + "version": 3 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", - "sha256": "4f0261a509340ce697cae18ff363cd65e6ae445d0e14205b621692ca69c11821", + "sha256": "9a87c68d2c67e9d7c764bd3e0b48bc4c59f6ef3559661cf0ac814f61ec9bbab6", "type": "eql", - "version": 106 + "version": 107 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "8.8", 
@@ -1471,30 +1527,30 @@ "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "4e4f1ca5dbc0514454d1a3115a8b68dd8714436f18a31c634c4a789cc553c02f", + "sha256": "190febf9658cb01dd1a472ea2d24563052fffcf60417fbc65be5593e38ad92f5", "type": "query", - "version": 103 + "version": 104 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", - "sha256": "eb18cc9f3ce0afd24d48731362479b2f44e2f2cf86318748a3d7e3a05b6796a5", + "sha256": "83831c2c3a4be02d59440da6f570b9d7e7064ecf5fa6df5565f36e68b68cd2ce", "type": "eql", - "version": 105 + "version": 106 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.3", "rule_name": "Unusual Parent-Child Relationship", - "sha256": "5d218c23d7890651426cbf9d2bf0c45a9f1035b9c7e58cbebf940d056a646cc0", + "sha256": "eb0fbd449489cc0545518f8343446262c27a6955ff5c0843713e629582eb112d", "type": "eql", - "version": 106 + "version": 107 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "min_stack_version": "8.3", "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "5ef2c3108854bbd6066179b046631ae86b850a69f8d2a3758c16720357c06740", + "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", "type": "machine_learning", - "version": 102 + "version": 103 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", 
@@ -1505,23 +1561,23 @@ "3688577a-d196-11ec-90b0-f661ea17fbce": { "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", - "sha256": "aaa90bcbfc34f0d20adea2737bc7e8d8381dda457a88edec1d14211844c480e9", + "sha256": "b4e738c5be1bba9711b183dd54a22a8c10aec54e4a5310352cc7ac4ad24b9af1", "type": "eql", - "version": 105 + "version": 106 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "37453c357380c78e1e35d3ef7cd1ff4b43d6f243dbb71efe30a8986f1f0e57db", + "sha256": "2684dc4258fdff2568772c371afcba2729e543adeac05d5e8fbad36f45417fec", "type": "eql", - "version": 103 + "version": 104 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", - "sha256": "e7695dfc313dacacbe8789e9b1cd5ce06b6dadf76cf4e3fb21656d07e71249ff", + "sha256": "46076a578186ec461ee06fdb94def49ec0f94300cea3bd8364ebfc75895b65ae", "type": "eql", - "version": 1 + "version": 2 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "min_stack_version": "8.3", 
@@ -1553,30 +1609,30 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "31590edf65e0763ba73b2ebdc09e3272e3badc15ce32c829d4f4a53e218121a6", + "sha256": "e43423649f4196e3471200c4baac5b465e0a667b3d1dbe95b7870b76ecd1410b", "type": "eql", - "version": 103 + "version": 104 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.3", "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "d50498a4880159c0596fa5807b378f3a581896078839e7ef812792df982ba127", + "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", "type": "query", - "version": 104 + "version": 105 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", - "sha256": "2f7363e01086d9f4d428dc64bde673731ae3d446bad5b94bec779ce3a11af01e", + "sha256": "c532585e329cfc2a78418e835c1c40593c75045ae9725cbc39486ac6a9236bde", "type": "eql", - "version": 106 + "version": 107 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "f4ebaabdcfd8a2ce59c681dbb38e19a4f3030e555275b36870f1703bd1580f23", + "sha256": "04689f3ff304d7f32e7686e38a520a66df28fb8ee9d2e13149768a9667183188", "type": "eql", - "version": 103 + "version": 104 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "min_stack_version": "8.3", 
@@ -1602,23 +1658,23 @@ "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "d83d1ac6277a6eaacc4f866a0eac0673353c65dcf22f8d35d152a967a40f742a", + "sha256": "6f54ba0ae7f973881e6d519845715c8888960f217bdaffbbbcabf2ccd305c49f", "type": "eql", - "version": 103 + "version": 104 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "min_stack_version": "8.3", "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "8801895ac0c1b68b260b0d8422f6724ea00f543e7aa39a1a69780f664f6831fd", + "sha256": "fd0213ea9905c71a65f94da36a92164a378cd8232856a0ac441ae9f7d49fb108", "type": "threshold", - "version": 105 + "version": 106 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "min_stack_version": "8.3", "rule_name": "Suspicious Module Loaded by LSASS", - "sha256": "e16c76578c008d7a696df092cfe1776eb2f3df55ff2a35184d5298eb5ce4bff3", + "sha256": "5daa50c7701a3bf0e4c82229b8fb7696df740f0bf74dd874a9283b541715f970", "type": "eql", - "version": 3 + "version": 4 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -1629,9 +1685,9 @@ "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "8f53e51eb2a5c859ac8b9ef07768ea5f88dffcedf562c1d7af115e6069362b0b", + "sha256": "f452215a79041dee079474e59d224d2fb4c3c03ed44830b5e5d36e4d1ab89007", "type": "query", - "version": 102 + "version": 103 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "min_stack_version": "8.3", 
@@ -1650,23 +1706,23 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "be0b2cae97d0fd4aca13ecba80068c7e27a64fae66f1e379e4f2bb52d204a001", + "sha256": "a9acccb7d18adc13099ab88eb003c037bf57f2defa18fc91c8945299c38cba92", "type": "eql", - "version": 105 + "version": 106 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.3", "rule_name": "NTDS or SAM Database File Copied", - "sha256": "fa2a1bbbfe839717cabfe81b4b36724ec1b661978cffd4ebbf1ccc22e8e3bdc9", + "sha256": "cd3c9afd05e54eb93da83e2d90065582aaad08ee77a94fae48f952f89c46e626", "type": "eql", - "version": 105 + "version": 106 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Port Activity", - "sha256": "662687e1f7d20fac26fc72478041a257548c1358dde6abd89f1644bd3beb6db4", + "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", "type": "machine_learning", - "version": 102 + "version": 103 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.3", 
@@ -1685,23 +1741,23 @@ "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "d5653b06aa153de878d68e0d4877114f1db044699f6efc662c28c2edf00e05c1", + "sha256": "4d57fbe0eec06316d1ee5f24cf1f0a48bff5ed1d8f8bf4c944d57a25fc9c875e", "type": "eql", - "version": 3 + "version": 4 }, "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", - "sha256": "cb785e78ef17bb9fecba8feaa1452d0e360ffe43df2a42b01f8bfdf10a07bdeb", + "sha256": "1a46d0e2338b7c09dad075c99009e807ddc32b686924dbd5102dde8cc4736bde", "type": "eql", - "version": 103 + "version": 104 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "1d38fe3a6b6728235b1976aae635ea5a8c3be4a190dec4816b3e72876b47ef20", + "sha256": "34be040a61351672e5b29280ad568cf664732a1ab9ae5ac0b32bdb72b49f10f1", "type": "eql", - "version": 105 + "version": 106 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.8", 
@@ -1733,54 +1789,61 @@ "type": "query", "version": 102 }, + "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { + "min_stack_version": "8.3", + "rule_name": "Potential Protocol Tunneling via Chisel Client", + "sha256": "337011e93c02efa090b9a19745d82c3d58fd18bee555ff69edaff5e9ff1466b7", + "type": "eql", + "version": 1 + }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "min_stack_version": "8.3", "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "6e342c34082378117af6062c21081f4890c9f474b9bf2535f076146b36eba238", + "sha256": "b3aad2bca92e5e1acd788cfd14d9606aa4b803a48bf303ad37e210739fec9d24", "type": "eql", - "version": 105 + "version": 106 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "min_stack_version": "8.3", "rule_name": "Process Discovery via Built-In Applications", - "sha256": "46147c62f5e79a8d94b983154b0f842739676745d7891b2e1f43cf1898f2fb6b", + "sha256": "f0fbc9841d89528d4653aecdb898606cdec1a669cbf73110c4cc05ec417c4ad2", "type": "eql", - "version": 1 + "version": 2 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", - "sha256": "11848877fcd9b9ef07ebeac7ede4a77295a421fd6f43e1a8430de2c4548779da", + "sha256": "5bb822cc67b9581124c21c5f4abb213946ce935b1c3f3ca248d1c2fcd9ce54e6", "type": "eql", - "version": 103 + "version": 104 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "min_stack_version": "8.3", "rule_name": "Suspicious Modprobe File Event", - "sha256": "a68ec783655e160ea9c0e727fa3aab19c685bc94530fc45ffd899978f6fe427e", + "sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c", "type": "eql", - "version": 2 + "version": 3 }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "7794555c370acf5d08defaba53b918d5f62e76ea2fa3a6dfb11200a6bbec54c8", + "sha256": "adeea0cfa04ee8759f832217f19f0ce3d6952e72c717c271909ab099034c8659", "type": "eql", - "version": 105 + "version": 
106 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "min_stack_version": "8.3", "rule_name": "EggShell Backdoor Execution", - "sha256": "b50833e1d316bfb4a9c66c4a5f221aa2fc388faee9c8c1deda871265667bb892", + "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", "type": "query", - "version": 102 + "version": 103 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "76cca014bd08c8c800723f0f5ca9a7aab9b28188e98276e8ea79f35bbdc25810", + "sha256": "8ddd47175f4b4ad6fa50a8ffba06037d5e67ddc829c8b6b6c09ec633b9aa2690", "type": "query", - "version": 103 + "version": 104 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { "min_stack_version": "8.8", @@ -1792,9 +1855,9 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.3", "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "00deec16498d08e117340634ef0843caf5d738d01384050dd88923a1f1530f55", + "sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e", "type": "threshold", - "version": 104 + "version": 105 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.3", @@ -1806,9 +1869,9 @@ "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "8.3", "rule_name": "Unusual Login Activity", - "sha256": "1683c7052a6db82a42f09fdf1a32ec1aeb6bd1143def14c2721ce2b8677ffe60", + "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", "type": "machine_learning", - "version": 102 + "version": 103 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "min_stack_version": "8.3", 
@@ -1820,23 +1883,30 @@ "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { "min_stack_version": "8.3", "rule_name": "Linux User Added to Privileged Group", - "sha256": "d623a6444244cfa441b6beb57b7b108c1dbfa49e8a0a9c289437bfaee0765237", + "sha256": "a48dc7ec63791f8c62b58bfbca37d6765b39621454d2720ac839e13758d02adb", "type": "eql", - "version": 2 + "version": 3 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "min_stack_version": "8.3", "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "b3b42571b54fe50ab271727f9ffd766fb6b88c7412f860c8b7e9cb26d061b6c1", + "sha256": "c1524c8e450507403654a2f7bbdc7609ef590afe3fb8de408270d3c012559b54", "type": "eql", - "version": 106 + "version": 107 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.3", "rule_name": "Unusual Windows Path Activity", - "sha256": "39abe1c071ae890bba8df275d7f3f3d3b9ca47ef7bb5ff24f498494f444f6c36", + "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", "type": "machine_learning", - "version": 103 + "version": 104 + }, + "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { + "min_stack_version": "8.3", + "rule_name": "Potential Masquerading as VLC DLL", + "sha256": "d3d1985a8512a777f4738794f03380c077f3c84594acd1aefdf22211a59bfba8", + "type": "eql", + "version": 1 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "min_stack_version": "8.3", 
@@ -1862,37 +1932,37 @@ "45d273fb-1dca-457d-9855-bcb302180c21": { "min_stack_version": "8.3", "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "545b3881a188e56e732bb7ed1030f96a36bf679fcf522a9dc2929c70e20d5373", + "sha256": "a8e0ecc0284175dcd1f57756fc03477d87d4fecfee80397c01f1490f52ed9b66", "type": "eql", - "version": 106 + "version": 107 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.3", "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "6bce8cfd9391dfe017c48b44fa48aba5421f35cf7926d45d3edc8e93b38302ee", + "sha256": "99fb4c9799becbcb9eaf99a6b9a8c21d74415d2a27790c5e52798590df285c07", "type": "eql", - "version": 107 + "version": 108 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.3", "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "2804d2927348f3270cce9e15fc6ab7010b895fb9f705eba1075bc91171cc2442", + "sha256": "3df00646c1daf36bfe94ebc4e75150121576981877aeb3d5d6c17fc11bb6fb2b", "type": "eql", - "version": 105 + "version": 106 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "8.3", "rule_name": "Unusual Process For a Linux Host", - "sha256": "462756099c1d370d02e60bee6f94057e278eb551f5321b6c2a186a8dc0fb5c74", + "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", "type": "machine_learning", - "version": 103 + "version": 104 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through init.d Detected", - "sha256": "5e2d925fcea0ca293823207dfe02870ff91b21eb26845e86b5bc6466fb1122b1", + "sha256": "ec686d5f69b96d1fefa61938439b2be36a7d62b6ec9a5277294454b9d21f090c", "type": "new_terms", - "version": 4 + "version": 5 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "min_stack_version": "8.8", 
@@ -1917,16 +1987,16 @@ "47f76567-d58a-4fed-b32b-21f571e28910": { "min_stack_version": "8.3", "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "2e616e5d39c50f2148b85f637589887079741f9ce262dea5c070365f8f70e757", + "sha256": "a59f49a0c0dd5d025e9c45e099c22c750b446326578357bac6d938f54780c991", "type": "eql", - "version": 103 + "version": 104 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "30564156b340fc2226149906e94b475aacd80973cbed89d019ccd4738da6eca4", + "sha256": "bbe5ae3b8a285ccb4c26e9a210d268966a5996803f54073b159507458f48ee7b", "type": "eql", - "version": 103 + "version": 104 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "min_stack_version": "8.6", @@ -1938,9 +2008,9 @@ "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell", - "sha256": "41621e6d7d8394535f33f86ce87b265bffc3b46341f0d41b5a3f0357a6e4f092", + "sha256": "f29f06799ee7b6289d2ba8ffcd4908551efa144016a33e8eaa47b94f2370da97", "type": "eql", - "version": 3 + "version": 4 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.3", @@ -1952,16 +2022,16 @@ "48d7f54d-c29e-4430-93a9-9db6b5892270": { "min_stack_version": "8.3", "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "a7335279197f678eb603fc664437bf326124d49494bbc192a6a2e5863f978e64", + "sha256": "31b89667c022bf5310c60d364fc7c26136c4e66d8287d9bd7923dc18b558b647", "type": "eql", - "version": 103 + "version": 104 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "9072b7f6b45eaf539a2c6db0f473a172c3084f2e9d16c724c77a9c74fa9217ed", + "sha256": "124568f19d6974b48f94c4143a09f425889761f827bdf17b97618850fbf315ae", "type": "query", - "version": 103 + "version": 104 }, "493834ca-f861-414c-8602-150d5505b777": { "min_stack_version": "8.3", 
@@ -1973,9 +2043,9 @@ "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "min_stack_version": "8.3", "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "2c03c2c8f40f780733d370afb24fddec3264db04edd5cf6fac32f46be6780ce4", + "sha256": "eb9cf2a2df73743755d82c3d776ba2ffd7f17ef1773d32e3def0fb2fd6c50988", "type": "eql", - "version": 2 + "version": 3 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "min_stack_version": "8.4", @@ -1995,17 +2065,17 @@ }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { "min_stack_version": "8.6", - "rule_name": "Potential Process Injection via LD_PRELOAD Environment Variable", - "sha256": "c98c09aa04335312a0ff21b0af0e49c0218d303221038df2aab1398fb821ba5a", + "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", + "sha256": "b29c0c0615f8cdfe01647648349a42a142712d082bff8d986549ed7b4956c0d7", "type": "eql", - "version": 1 + "version": 2 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "7b1070dba66c471be3c355bd8f43f66acc998ead9506a66d119c57fdfdd31cd6", + "sha256": "0f03ec3cf254ddaf2fb897452085888fda783e6d3394923b04505ac968500d17", "type": "eql", - "version": 1 + "version": 2 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", @@ -2017,9 +2087,9 @@ "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "min_stack_version": "8.3", "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "25c1fc8f3f3cca5abd90f51407ee6536b09f5cc094959427100ff8bb43061d1e", + "sha256": "8a3258a1db6d86b53f94205b24cc30b455508da7981acdcec7d44df34131b612", "type": "eql", - "version": 1 + "version": 2 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "min_stack_version": "8.3", 
@@ -2031,16 +2101,16 @@ "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Parent Process", - "sha256": "ac72fcaf522c3071580ab0a89bf5819d2048d75227f322493c72329288bfb551", + "sha256": "92665fcb5d7f54bd4531c913e33b9cd692aa92cf5ee65941d69c6c2a0aa5c260", "type": "eql", - "version": 3 + "version": 4 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "8f8c69d22ef29bea0f4a731d3ca618ee943b897c187906816547f31062a31834", + "sha256": "d7c419a09a28e530daed1534d397eb968d8b4695f1798649928228865fe7f1bd", "type": "eql", - "version": 105 + "version": 106 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "min_stack_version": "8.8", @@ -2049,12 +2119,19 @@ "type": "query", "version": 3 }, + "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { + "min_stack_version": "8.3", + "rule_name": "ProxyChains Activity", + "sha256": "afdf629d5be941e88364f49c8fdd9ad2f02b342950996749d59123c3e24ba71e", + "type": "eql", + "version": 1 + }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.3", "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "6046c386a3d23ef89f0dc7f9ed396faf2d2ee6539194b4b9cbcbe8103e5be87b", + "sha256": "dccb06c47c184196bb7064a9ac9d5eaf589159eb7776ac44300650a960c9445c", "type": "eql", - "version": 104 + "version": 105 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.3", @@ -2066,9 +2143,9 @@ "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "min_stack_version": "8.3", "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "7445969cb5c322e8c467c61ee4ce21952f59c4781a3f141b739a0ae03dd6f849", + "sha256": "06f6564ca643c6532abb1cdaa5f7b63ff7967e301d6d4c7fb188471da4c03140", "type": "eql", - "version": 2 + "version": 3 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", 
@@ -2080,16 +2157,16 @@
   "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
     "min_stack_version": "8.3",
     "rule_name": "Attempt to Disable Gatekeeper",
-    "sha256": "255e34c99602083f8e6f8d1f5d6b8695f05ff159ed157fef12aed4d10227140f",
+    "sha256": "2150ef27f2f7aa9e92efd14249439bdf38da42604f587b12651f9360dbe5512e",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
     "min_stack_version": "8.3",
     "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
-    "sha256": "6d9dfac6827d13a4a4e4b130bc8cc6df711d0edee0b129f8faad566fd804c980",
+    "sha256": "2f90c20e27fe53e8d19581d66c3700d0e607aeca622f713dffbee083470bdbf7",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
     "min_stack_version": "8.3",
@@ -2101,51 +2178,58 @@
   "4ec47004-b34a-42e6-8003-376a123ea447": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious Process Spawned from MOTD Detected",
-    "sha256": "742936018bd86bd0d2eb9c8e3cbc7e8942f260b71df03057a49f68aced7f08fd",
+    "sha256": "d6507cd42eb759b19bc5d612350f5fee646f38be4fe487ebc7121f70ac057de9",
     "type": "eql",
-    "version": 4
+    "version": 5
   },
   "4ed493fc-d637-4a36-80ff-ac84937e5461": {
     "min_stack_version": "8.3",
     "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
-    "sha256": "3e467545fdbd87088d7f1ec06580ea425fd63592c2c087fa3fedb85f55cae7c2",
+    "sha256": "93581d9de1f2ecba9d10b0b90fc4802c633fdc525cef6b539c20da833098dbfc",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious Script Object Execution",
-    "sha256": "0218289069fce2ea346bf5903576459aee3ecd7272296bcda6a50d1ea36bfc0f",
+    "sha256": "3b2f5bb731e55d25192b6e44e2f8e2453784591f0b9be178867e26489f73a694",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
     "min_stack_version": "8.3",
     "rule_name": "Unauthorized Access to an Okta Application",
-    "sha256": "24b7130060c37c665c0d974647f1600fed134da5ef1856a958048b1de7a7094d",
+    "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "4fe9d835-40e1-452d-8230-17c147cafad8": {
     "min_stack_version": "8.3",
     "rule_name": "Execution via TSClient Mountpoint",
-    "sha256": "1433ced29676c5dba9e9684b963040f135c2b99b2dec232da565e0bd54f7def7",
+    "sha256": "d133f690998687a3f65041994c005ecd901bab7ac5c3504f34a8f2ca04cadbf5",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "51176ed2-2d90-49f2-9f3d-17196428b169": {
     "min_stack_version": "8.3",
     "rule_name": "Windows System Information Discovery",
-    "sha256": "bd8dc11079d05b2e454c67d510d20d0c3075603582bac6f155b9a1b98cf460ea",
+    "sha256": "97b96679737e68fddbc04eaf2cdb22e954524acf822f15557c9d8e5de258496c",
+    "type": "eql",
+    "version": 2
+  },
+  "5124e65f-df97-4471-8dcb-8e3953b3ea97": {
+    "min_stack_version": "8.3",
+    "rule_name": "Hidden Files and Directories via Hidden Flag",
+    "sha256": "77af208d8070c7123775d9c7708d351a1d4ae579a13d0190e489642b5810f639",
     "type": "eql",
     "version": 1
   },
   "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
     "min_stack_version": "8.3",
     "rule_name": "Registry Persistence via AppCert DLL",
-    "sha256": "462120945eb319e16807d91e4c93127aa9b45f4125145216908cf4278046cf9e",
+    "sha256": "b62558c73fd30587a1edeb6e1a36b61cf60b19070b994e570a3f4bd023f546cd",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "514121ce-c7b6-474a-8237-68ff71672379": {
     "min_stack_version": "8.3",
@@ -2164,9 +2248,9 @@
   "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
     "min_stack_version": "8.3",
     "rule_name": "Incoming DCOM Lateral Movement with MMC",
-    "sha256": "bc228e3719e4df077aafd4ccc33183d2f80ca6cc4d17e0ffdc6c600c9c2d89c7",
+    "sha256": "f944e30753df250f1d624c4c46ee0f5a60767d7d8ebc3d60af90ca77daab281d",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
     "min_stack_version": "8.3",
@@ -2185,23 +2269,23 @@
   "52376a86-ee86-4967-97ae-1a05f55816f0": {
     "min_stack_version": "8.3",
     "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
-    "sha256": "e8d3570c3c3e5a9f33eb69cec7d5b6b851442af3ed9086d002b181885dd60663",
+    "sha256": "6290c2857ed36cf95047595761ef26fcbd7d025b31e56eb92016113c70d70c5a",
     "type": "eql",
-    "version": 107
+    "version": 108
   },
   "52aaab7b-b51c-441a-89ce-4387b3aea886": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Network Connection via RunDLL32",
-    "sha256": "610ae6296cd7bac101db0fcc7d13d90d6f6b46544fea9b2076e8cf77e3b8c3d8",
+    "sha256": "ed4bedce5bbc1788f21c4a7cf33af783dbfc0a12fcc6a88df03c97257eed9e7a",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "52afbdc5-db15-485e-bc24-f5707f820c4b": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Linux Network Activity",
-    "sha256": "5b89fb01810c6db3b8a1147047375335c81e24edac29f14fc21f7ea87d951bd5",
+    "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7",
     "type": "machine_learning",
-    "version": 102
+    "version": 103
   },
   "52afbdc5-db15-485e-bc35-f5707f820c4c": {
     "rule_name": "Unusual Linux Web Activity",
@@ -2218,16 +2302,16 @@
   "530178da-92ea-43ce-94c2-8877a826783d": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious CronTab Creation or Modification",
-    "sha256": "e0907427a1a638c778263d67e892b60dcfe3015c0bcde606e680e1ba32d3eb56",
+    "sha256": "378735996cb788f18b470bb893059276f28497684fbee14dc8952ad9914f76da",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
     "min_stack_version": "8.6",
     "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
-    "sha256": "4fd4e498803b69a046d3bc3c1a4b93610e961b6f34f057cd8de12a67c6d69833",
+    "sha256": "7602af82bdc7fc4962b73c42451d8500e779a3338601f49ea49ea9398fa49613",
     "type": "new_terms",
-    "version": 2
+    "version": 3
   },
   "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
     "min_stack_version": "8.3",
@@ -2246,16 +2330,16 @@
   "53a26770-9cbd-40c5-8b57-61d01a325e14": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious PDF Reader Child Process",
-    "sha256": "bf69537bffa3f7ebf40aa6fc63c17ccb2621dbea75cdfa4b5cb969e9f2019bf4",
+    "sha256": "0b1c1a7d64bb481a68482e3f0954ce0e55df7b26264d3e358b230b5670c80094",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "54902e45-3467-49a4-8abc-529f2c8cfb80": {
     "min_stack_version": "8.3",
     "rule_name": "Uncommon Registry Persistence Change",
-    "sha256": "b19ffc31d50674b624f05eb378e38a7244c641ec4aba6da331eb8dc385f40137",
+    "sha256": "950bfce6a55758ef6c60b1fd13ef84531915c61992e405c7217f3bcb40df0f3f",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "54a81f68-5f2a-421e-8eed-f888278bb712": {
     "min_stack_version": "8.3",
@@ -2267,9 +2351,9 @@
   "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
     "min_stack_version": "8.3",
     "rule_name": "Network Logon Provider Registry Modification",
-    "sha256": "12594aa99dbeb7d4711290476226bd673a53fc550d41dea6ceaaa9c81ebdbeb7",
+    "sha256": "ad743cadda3e3dee154c726922e4f4e1ff0a7b26c8c350d7084d477e65e4a1ef",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
     "min_stack_version": "8.3",
@@ -2281,9 +2365,9 @@
   "55d551c6-333b-4665-ab7e-5d14a59715ce": {
     "min_stack_version": "8.3",
     "rule_name": "PsExec Network Connection",
-    "sha256": "b7d0c5a85ebe47a9169c95e326c88682024006e74412c6b22098fb8ef46f0269",
+    "sha256": "9dac69f62fd68c1763945debf1417db0fdb9384fc3200ddb80fad443bd7ed6fa",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
     "min_stack_version": "8.3",
@@ -2295,16 +2379,16 @@
   "565c2b44-7a21-4818-955f-8d4737967d2e": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Admin Group Account Addition",
-    "sha256": "b504ffef97b6f91e0b46273f785ab363e3a06e6d008ad129e82a95d2beb77525",
+    "sha256": "5c52523f38fbd7d58ecbaae23c282b59df7964d107d8378355c7232d2c20abbd",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "565d6ca5-75ba-4c82-9b13-add25353471c": {
     "min_stack_version": "8.3",
     "rule_name": "Dumping of Keychain Content via Security Command",
-    "sha256": "e2fc55eb8ba6bb42bb983a9ea007da12e49980b858ffcee6ddcf971a63bb824f",
+    "sha256": "b9bee3578c8c5581f2c86ddb1bcb84c7929ed4d44a302adae4ec5a7ff74ed6a0",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
     "min_stack_version": "8.3",
@@ -2323,16 +2407,16 @@
   "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
     "min_stack_version": "8.3",
     "rule_name": "Execution of an Unsigned Service",
-    "sha256": "65bb23e65dde88d087e78630c3279cd9ca2c0457df6184a366b96c151d93bb21",
+    "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "5700cb81-df44-46aa-a5d7-337798f53eb8": {
     "min_stack_version": "8.3",
     "rule_name": "VNC (Virtual Network Computing) from the Internet",
-    "sha256": "fc21ee6cbf503c5e838516bdf20bde527a4de6a5d7b855d0af74f506caebf4d7",
+    "sha256": "57330331ceebc76d136b11b9a4aad37660028ce464cffd529f0023ad0a5399b2",
     "type": "query",
-    "version": 102
+    "version": 103
   },
   "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
     "min_stack_version": "8.3",
@@ -2355,19 +2439,26 @@
     "type": "query",
     "version": 106
   },
+  "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
+    "min_stack_version": "8.3",
+    "rule_name": "File Staged in Root Folder of Recycle Bin",
+    "sha256": "a7e0bdbc40a12b3b58f7280e709f99363b6d9362d4c0c91bcd926dddeeb4f466",
+    "type": "eql",
+    "version": 1
+  },
   "581add16-df76-42bb-af8e-c979bfb39a59": {
     "min_stack_version": "8.3",
     "rule_name": "Deleting Backup Catalogs with Wbadmin",
-    "sha256": "b61566457439230d2e647b027e9c3b1921003527490e3fc50091e16faa895490",
+    "sha256": "2d5a85f9eb6c5a5b43149530f52a4cdbf41fb37009ec5f4ea1d572b4a127ba99",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
     "min_stack_version": "8.3",
     "rule_name": "RDP Enabled via Registry",
-    "sha256": "f5c878461dc75c880cecb2f8430512a7a3b35a7636ba5436fb47b4b24e67dfb7",
+    "sha256": "52fb0f6d5a15c031eb4ebdbb0bf86a16bd94e0aa3d3d4b9c9adb3a7019c79cc8",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
     "min_stack_version": "8.3",
@@ -2379,23 +2470,23 @@
   "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Lateral Tool Transfer via SMB Share",
-    "sha256": "881f07e561874d1056d20463f9b92b77aa2c29296314493e05a09bbe3ea158b7",
+    "sha256": "f0754341d4737d98a3c079a807fdf62a876b2b9e37eddce760a538f8e135a3fb",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
-    "sha256": "b5eef6f5f7e0633f51cedc194fe8da44dbcbff73ebcd5b7710afdd3fb05c92db",
+    "sha256": "1bba6c4e3e7130c507b6c959c9bf912171eb7a1f1cdcb69a6cf8bfd62e4ebdae",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "5919988c-29e1-4908-83aa-1f087a838f63": {
     "min_stack_version": "8.3",
     "rule_name": "File or Directory Deletion Command",
-    "sha256": "c70d1092504b136a5d0c3784be70d95775c027c5caeb78d2ffc4fc95cb2a5859",
+    "sha256": "f9ebc148c3faecff5518d839295aa1dbefa51d7ba038dc12a382d2c27dff3458",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "5930658c-2107-4afc-91af-e0e55b7f7184": {
     "min_stack_version": "8.3",
@@ -2414,58 +2505,72 @@
   "59756272-1998-4b8c-be14-e287035c4d10": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Linux User Discovery Activity",
-    "sha256": "2603532db2ec7f4eb19bf3e56af6de11bd18e886e06bbbda558564297ff1a3b9",
+    "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225",
     "type": "machine_learning",
-    "version": 103
+    "version": 104
   },
   "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
     "min_stack_version": "8.3",
     "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
-    "sha256": "7dbc7a06b1b2db26b7a189680f02c00f57788ad7e4bc04e5a9fbf29bd04f72a3",
+    "sha256": "8438243430e0b6983e01c039dfab3f7c01111a8f9939c207ef853108907a977a",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "5a3d5447-31c9-409a-aed1-72f9921594fd": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Reverse Shell via Java",
-    "sha256": "a50e170d25304f4bae2fe5c2fe6858ca40fcbabbd5b5dcb9ad79d2a2d13064a0",
+    "sha256": "64625792213f211d0d8a873101fb7b1569da37e5179bd5f201b2c1f3101de821",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
     "min_stack_version": "8.3",
     "rule_name": "Remote SSH Login Enabled via systemsetup Command",
-    "sha256": "d6e7f1842bfbbd2cbf6f3ad6696715458b5ccf7890973a846baf5b037efce1b8",
+    "sha256": "0f1d99638bad179a4fc6aa5eded3dd7c702cca3bb64d3391795079f2ec31258f",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Secure File Deletion via SDelete Utility",
-    "sha256": "f4dda37c569b0fb434088269f295a6c5ca6b243448e06a3dd609b796f89b41f0",
+    "sha256": "b13fb00b87c825ce3f05d65295a6b1a47fec6d46d5fe22058d8b8b164a678d0b",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
     "min_stack_version": "8.3",
     "rule_name": "Virtual Machine Fingerprinting",
-    "sha256": "c0f597645e46e5adf3b6ba6589d0e2eac85f4257fd4bc2d92ef9c25e0f8138ab",
+    "sha256": "2b30d95ee6d6e8bd0ff888cc6609d826560591c7ef3681b5ff74f49f7cc3c888",
     "type": "query",
-    "version": 104
+    "version": 105
   },
   "5b06a27f-ad72-4499-91db-0c69667bffa5": {
     "min_stack_version": "8.3",
     "rule_name": "SUID/SGUID Enumeration Detected",
-    "sha256": "1d29dbe53e81b188976bc7d37092e85352e9bfc9aae131f8bb0f82e4fba6be85",
+    "sha256": "1e8068d0ce5b93ac8598cc1cc3ce47385a0c99bb43ce15b27a514542fe4adb39",
+    "type": "eql",
+    "version": 2
+  },
+  "5b18eef4-842c-4b47-970f-f08d24004bde": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious which Enumeration",
+    "sha256": "918d3ee72f0aba9e0a382045c846e04f7dc5e1f942954c077aa639794e809917",
+    "type": "eql",
+    "version": 1
+  },
+  "5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
+    "min_stack_version": "8.3",
+    "rule_name": "Potential Masquerading as Browser Process",
+    "sha256": "2869df554ce679e32f42029716b74524aa21ea7af2872e5a42c55de5ceb7835c",
     "type": "eql",
     "version": 1
   },
   "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
-    "sha256": "d221b1a29c592330cced6fc124666e5eafb909db075ae2fe4f376b0b70303277",
+    "sha256": "6a00941904d85936d537193bcc28a4a4550b2df62bebd6ec46deb6e7479b87da",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
     "min_stack_version": "8.3",
@@ -2477,30 +2582,30 @@
   "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
     "min_stack_version": "8.4",
     "rule_name": "FirstTime Seen Account Performing DCSync",
-    "sha256": "ead2a9408ca8a618080d37f3b0afd01046f57d9ebbb32cd658b29f4a132c3d42",
+    "sha256": "3a1daa97831ddf8f5bfcf84698ec8b3deff467d7f1b8770467a760ef355c1a5b",
     "type": "new_terms",
-    "version": 5
+    "version": 6
   },
   "5c983105-4681-46c3-9890-0c66d05e776b": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Linux Process Discovery Activity",
-    "sha256": "ff995198579b5bf65e6e45dca890068241b412c9b485ed2195047faa8e49b2a2",
+    "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380",
     "type": "machine_learning",
-    "version": 102
+    "version": 103
   },
   "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Defense Evasion via PRoot",
-    "sha256": "bc6703e631f2bf3b6b6463f3c5db2078097ee52a576dabc76d5b8d27af7b2666",
+    "sha256": "361a074bbb3fe56ec08c1430d5b5afc021f8502cb133c1066dd514bdacb37f06",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
     "min_stack_version": "8.3",
     "rule_name": "Outbound Scheduled Task Activity via PowerShell",
-    "sha256": "9093ad075028d5d084f5a7dd40d75ac92d0cd8bb904b285b1e7a63384a8adbef",
+    "sha256": "e4796e4f5ba9178180960e592aae8dc79ef969e7b951f2c2fd73dae57d29406f",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
     "min_stack_version": "8.3",
@@ -2512,30 +2617,30 @@
   "5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
     "min_stack_version": "8.3",
     "rule_name": "Persistence via PowerShell profile",
-    "sha256": "4837861731a429112d4f65eda3208a3dab65384aab3ad3e2431077db1a073938",
+    "sha256": "5ce8477d708b49d1d38136f4638bc5596e3190949b3e561ff84d56566ca96f61",
     "type": "eql",
-    "version": 4
+    "version": 5
   },
   "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
     "min_stack_version": "8.3",
     "rule_name": "Persistence via Login or Logout Hook",
-    "sha256": "34df46303c9e7997ef62d9d9dad16c537e0382074012a9897609b4d7b7dc79d0",
+    "sha256": "336c261b171bb4cfc280ac1c4170fc07388cd5b96c4674694bdc7108ccaf7b18",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious Execution via Scheduled Task",
-    "sha256": "658d4849d64b0be609077e96af29161032abf882fede376f4e34b581dc466e89",
+    "sha256": "865a5c61d5bdf21e24120d3b8eb35f82a23286c618fc795dce353491987d04fa",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious Automator Workflows Execution",
-    "sha256": "1cdf6f9b6e7e844755f615e62f4371b305fbd015896ef21231f2082eee15d7a1",
+    "sha256": "7c02503c215c5f50cc47a690a3caf0da786994efdfcfd87afa318aacea1154b2",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "5e161522-2545-11ed-ac47-f661ea17fbce": {
     "min_stack_version": "8.4",
@@ -2590,9 +2695,9 @@
   "610949a1-312f-4e04-bb55-3a79b8c95267": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Process Network Connection",
-    "sha256": "cf2dddf2a16c9ae7bf4a58ad60d72fbcf0c42c485c4d15dd84b29738f57fe846",
+    "sha256": "fd5996be6b2f46fc713908920b4d06537ad841086cb3b09c6c3e163cab734e9a",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "61ac3638-40a3-44b2-855a-985636ca985e": {
     "min_stack_version": "8.3",
@@ -2617,9 +2722,9 @@
   "622ecb68-fa81-4601-90b5-f8cd661e4520": {
     "min_stack_version": "8.3",
     "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
-    "sha256": "0591fc24c5321e8518676992fcf13ffff7c42eec2c2f268a4a4fb9f69cd3548d",
+    "sha256": "c34b60cbe2278701b99e658f035d05af7f68558251b332622334022f982c367c",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "62a70f6f-3c37-43df-a556-f64fa475fba2": {
     "min_stack_version": "8.3",
@@ -2631,9 +2736,9 @@
   "62b68eb2-1e47-4da7-85b6-8f478db5b272": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
-    "sha256": "2729379ac0fa9f555fb5fd5b58e1340218946f2925a4cc0584a34b6ce47e92d5",
+    "sha256": "77726aab9988d9e9be93a479e9eddf63e8d156e072e00526fc0df153555e4d58",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "63c05204-339a-11ed-a261-0242ac120002": {
     "min_stack_version": "8.4",
@@ -2659,23 +2764,30 @@
   "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
     "min_stack_version": "8.3",
     "rule_name": "Network Connection via Signed Binary",
-    "sha256": "808861119a9ee8f4cbf046407cc88cce8871bb136a3c5530f247947bb822a8b5",
+    "sha256": "f383ad8f33cab31ab158968663de5ed3d540de9a4d8d0fa4a578e19a35ed061c",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "647fc812-7996-4795-8869-9c4ea595fe88": {
     "min_stack_version": "8.3",
     "rule_name": "Anomalous Process For a Linux Population",
-    "sha256": "b8d88bdfed4546ac4b1afc3b6e9064317723865869497016351555ee65fc4d30",
+    "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096",
     "type": "machine_learning",
-    "version": 103
+    "version": 104
   },
   "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
     "min_stack_version": "8.3",
     "rule_name": "Modification of Safari Settings via Defaults Command",
-    "sha256": "58759da1398f2ed9cdac6205374371b42f04208ef47f7a0bbe4ac2c72a1cfabd",
+    "sha256": "9f94576d0bdd988636ba37fb9ff9911924d47880457e60f8a281664394a503bd",
     "type": "query",
-    "version": 103
+    "version": 104
+  },
+  "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
+    "min_stack_version": "8.3",
+    "rule_name": "Network Connection via Recently Compiled Executable",
+    "sha256": "60780f0b220f4de4cccb01815d9585964f3d68bd515b23972bc9b881a36a70ea",
+    "type": "eql",
+    "version": 1
   },
   "6506c9fd-229e-4722-8f0f-69be759afd2a": {
     "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -2702,23 +2814,23 @@
   "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
     "min_stack_version": "8.3",
     "rule_name": "Attempt to Mount SMB Share via Command Line",
-    "sha256": "5093be776a67dab45f4c4a0706097b9791adf1d83baf0ad769eb4ade82ff2ce6",
+    "sha256": "40c37dec53eaaed25df091561d4f9e4a2c8417d1dc82cf070db4fe72793510d1",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "6641a5af-fb7e-487a-adc4-9e6503365318": {
     "min_stack_version": "8.5",
     "rule_name": "Suspicious Termination of ESXI Process",
-    "sha256": "eba9ff289eeaccf5c48be51e4277e164148f4cc363403c23c8a944105c5aaf75",
+    "sha256": "0711743a3e6d25d5ac8089b3f5e996420a92bc7890f358cb4e23c6d88ba9a615",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
     "min_stack_version": "8.3",
     "rule_name": "WebServer Access Logs Deleted",
-    "sha256": "865169a089484f51565d466f20d7f4b3ddffb231482b928744491443df76f14f",
+    "sha256": "b3eaab822d17ebdb4ba051295077d3b54352fe5c633183047aaa1169ff1732d5",
     "type": "eql",
-    "version": 102
+    "version": 103
   },
   "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
     "min_stack_version": "8.3",
@@ -2730,16 +2842,23 @@
   "66883649-f908-4a5b-a1e0-54090a1d3a32": {
     "min_stack_version": "8.3",
     "rule_name": "Connection to Commonly Abused Web Services",
-    "sha256": "ec37df4c6f03fe29ed01e7a16033cfb75e5001cd753dc1cd5736f4852c5cd383",
+    "sha256": "5c79e5fd80163228473cfe5b3b9f61d769a063b5c1372c30928ab2ac59cf0525",
     "type": "eql",
-    "version": 106
+    "version": 107
+  },
+  "66c058f3-99f4-4d18-952b-43348f2577a0": {
+    "min_stack_version": "8.3",
+    "rule_name": "Linux Secret Dumping via GDB",
+    "sha256": "69b91af7c13fbc10668c950da9d070e9350d6f40ae5115d828703884de988e06",
+    "type": "eql",
+    "version": 1
   },
   "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious macOS MS Office Child Process",
-    "sha256": "1a07690edbfaa9211bdc2ac3529fb6b105432896aa9ec206d890ede13296808a",
+    "sha256": "f1cea9ea6da3199934e1644e4efa06da30f02a8e11d48724001e6152a64ad6ce",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
     "min_stack_version": "8.3",
@@ -2778,9 +2897,9 @@
   "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
     "min_stack_version": "8.3",
     "rule_name": "High Number of Process Terminations",
-    "sha256": "ce2fa2e1187bf642ec55d7d148eec060fa325ac951f2be420c402e1ad51270f5",
+    "sha256": "9654e394fb859d2bbad76596b99237d6f8d15e70526ea0e27711c4c3a680ae77",
     "type": "threshold",
-    "version": 107
+    "version": 108
   },
   "68113fdc-3105-4cdd-85bb-e643c416ef0b": {
     "rule_name": "Query Registry via reg.exe",
@@ -2791,9 +2910,9 @@
   "6839c821-011d-43bd-bd5b-acff00257226": {
     "min_stack_version": "8.3",
     "rule_name": "Image File Execution Options Injection",
-    "sha256": "b0942dece4470a3a4214710744a3644d6cd9c2cba5dffc7c127a4ec0afa410e5",
+    "sha256": "97b4abe585f163bcdacc300075bf109cb501bbb7d1de90a2cdbbbdfbbd9aef97",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "684554fc-0777-47ce-8c9b-3d01f198d7f8": {
     "min_stack_version": "8.3",
@@ -2812,9 +2931,9 @@
   "68921d85-d0dc-48b3-865f-43291ca2c4f2": {
     "min_stack_version": "8.3",
     "rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
-    "sha256": "9fda9c755ae15eed8281324dc8a228df993846b9c81ad1abb78f73a49fc3a4ba",
+    "sha256": "e56e2b209388ed0f70bed3114edcf6d49e83959d733faa801e3d40209152e327",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "68994a6c-c7ba-4e82-b476-26a26877adf6": {
     "min_stack_version": "8.4",
@@ -2835,9 +2954,9 @@
   "689b9d57-e4d5-4357-ad17-9c334609d79a": {
     "min_stack_version": "8.3",
     "rule_name": "Scheduled Task Created by a Windows Script",
-    "sha256": "11571b02dbf13391f8338064acec92510a657c042b35320fafaadb58530580e2",
+    "sha256": "46775980c978cd2264682497c62b9788b6645243da6b72ddaea5bbff0388df3e",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
     "min_stack_version": "8.3",
@@ -2849,9 +2968,9 @@
   "68d56fdc-7ffa-4419-8e95-81641bd6f845": {
     "min_stack_version": "8.3",
     "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
-    "sha256": "954b6ed90ec4f7af289e6f435b8dd6a49b37610ee7b3e5f3a6cf03577d36ce32",
+    "sha256": "53f09e4c88d11c0ee66a186321981f9eb31165d73f02b874ca0edbed0844c6da",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "6951f15e-533c-4a60-8014-a3c3ab851a1b": {
     "min_stack_version": "8.3",
@@ -2879,9 +2998,9 @@
   "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
     "min_stack_version": "8.3",
     "rule_name": "Modification of Boot Configuration",
-    "sha256": "f70f107119f141d8886f8a58ff6926687b51d66bc69ace2184cea66cb35a4505",
+    "sha256": "8d25051f7633a37c4b90403be6fcde6352db2dc292a62a2098620fafb843e26c",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
     "min_stack_version": "8.3",
@@ -2893,30 +3012,37 @@
   "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Service Host Child Process - Childless Service",
-    "sha256": "69744da394abbc6a420858ceef7709e3ccdcf93bb437785b882d1cd603d183bf",
+    "sha256": "f3cb8da67a3f69a296b53078b37707f55d6852f4c55b7bc074af6e3ab2a01d20",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "6aace640-e631-4870-ba8e-5fdda09325db": {
     "min_stack_version": "8.3",
     "rule_name": "Exporting Exchange Mailbox via PowerShell",
-    "sha256": "c186ae5be53627a390060dc7dd2a22a18069877ca0c0bc0248829fa440255d16",
+    "sha256": "a9f9aa8f746871dce91e94cba6697e908e9901be0135860b93572a5904b48b04",
     "type": "eql",
-    "version": 106
+    "version": 107
+  },
+  "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious Utility Launched via ProxyChains",
+    "sha256": "7541e1a6c4200e3961759f0cdadba8eaf793f6e3e9e28dbb34af84aeac5f6fce",
+    "type": "eql",
+    "version": 1
   },
   "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
     "min_stack_version": "8.3",
     "rule_name": "Sensitive Files Compression",
-    "sha256": "a860595ed44bc686650e020e8d1057d9f6ddc0d630c93e00ea6e46d1be39ecc6",
+    "sha256": "24dee3257162b876da6487b55368acb5b38040fd13ce5d0bc7511b0644e2ae48",
     "type": "query",
-    "version": 104
+    "version": 105
   },
   "6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
     "min_stack_version": "8.3",
     "rule_name": "Remote Computer Account DnsHostName Update",
-    "sha256": "9c708ef814d11a565cabbe622c71aae461be77b7d77f10a3c610e006d77f45e1",
+    "sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "6c6bb7ea-0636-44ca-b541-201478ef6b50": {
     "min_stack_version": "8.8",
@@ -2928,30 +3054,30 @@
   "6cd1779c-560f-4b68-a8f1-11009b27fe63": {
     "min_stack_version": "8.3",
     "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
-    "sha256": "56916bd068b8dcbadec79d7490e229298f77373768b4e5e51e15238e2ee4b1e2",
+    "sha256": "dfc2fbc0fab4f84b16f206bb71d59399a3450f5cec21c03daa1fd20d529ccdc9",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Process For a Windows Host",
-    "sha256": "d44ed1811f078ea61839ba39bf1a8ce428be8c5c1d788c67ad4f206bbffa35a7",
+    "sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78",
     "type": "machine_learning",
-    "version": 106
+    "version": 107
   },
   "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
     "min_stack_version": "8.4",
     "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
-    "sha256": "64debc2b27eeb00caeb57803d2db7ec69105065610284b17fc7d1238d2e8c7a6",
+    "sha256": "ef918ece14946f78978846c902ca1e8891e295cc7065c895ba6e7e5b0d9f59b9",
     "type": "new_terms",
-    "version": 3
+    "version": 4
   },
   "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
     "min_stack_version": "8.3",
     "rule_name": "Anomalous Process For a Windows Population",
-    "sha256": "1484f20db62296695ce5b6744204ac294e46fd18766e5ffa5f78a965d3e5c4b1",
+    "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd",
     "type": "machine_learning",
-    "version": 104
+    "version": 105
   },
   "6e9130a5-9be6-48e5-943a-9628bfc74b18": {
     "min_stack_version": "8.3",
@@ -2963,23 +3089,23 @@
   "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
     "min_stack_version": "8.3",
     "rule_name": "Enumeration of Users or Groups via Built-in Commands",
-    "sha256": "9b725c04649063372e0ac70bb4088c61988f3e2cb138afd2c021149e86cf14ab",
+    "sha256": "5049be04a29a5554df2ccf242d0b225a72316ad6e31acf19295f898d1ed96774",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Windows Error Manager Masquerading",
-    "sha256": "5bbe98c1d1b136bf1b82b43f6359cbcbb0efbcfa7070b99c6c4b20995dc43b5c",
+    "sha256": "b93d5773dd0b96dd6d8e331197414f59005cceea42ac2b114e9ace428ca9f578",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "6ea55c81-e2ba-42f2-a134-bccf857ba922": {
     "min_stack_version": "8.3",
     "rule_name": "Security Software Discovery using WMIC",
-    "sha256": "bb303be8adafd9d55d77ca503b8d38da926f936efaf9e270e931cf32d7a00563",
+    "sha256": "a1ae41d886802078065a49f39d3cccfc069db47d2052a9950cf0421e0187f9c5",
     "type": "eql",
-    "version": 105
+    "version": 106
   },
   "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
     "rule_name": "DNS Activity to the Internet",
@@ -2987,6 +3113,13 @@
     "type": "query",
     "version": 100
   },
+  "6ee947e9-de7e-4281-a55d-09289bdf947e": {
+    "min_stack_version": "8.3",
+    "rule_name": "Potential Linux Tunneling and/or Port Forwarding",
+    "sha256": "9b7a1e7596fff4b6d70a4064cf79f606a74f214ef8aeb4234c08842d2c1b910f",
+    "type": "eql",
+    "version": 1
+  },
   "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
     "rule_name": "SSH (Secure Shell) to the Internet",
     "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
@@ -3032,16 +3165,16 @@
   "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
     "min_stack_version": "8.3",
     "rule_name": "Persistence via WMI Standard Registry Provider",
-    "sha256": "717f008f47d29da3f5b1b63ba46687d10990276feb6c268c9dfa2023ea521904",
+    "sha256": "df0ebfd519ecbb1f865b556e10ebd19af3fedf23da2afa856e1eed3b78f786eb",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
     "min_stack_version": "8.3",
     "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
-    "sha256": "8ad6ea6c95511bfda4e9acb0d6aba65b2b806a6b61705ad2074ca3d5c1a6a066",
+    "sha256": "ae6e77c0abc663eb2873c37d6321d6ae8da6355d89e5ebb728b742b16d2d14fb",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "7164081a-3930-11ed-a261-0242ac120002": {
     "min_stack_version": "8.4",
@@ -3053,23 +3186,23 @@
   "717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
     "min_stack_version": "8.3",
     "rule_name": "Modification of Dynamic Linker Preload Shared Object",
-    "sha256": "db42ea3e5c51dbabb3613e87b500b004d6b2f22db0587ca0bd388a8e546c6093",
+    "sha256": "565a3a934715161cb1c0bd792b9694d865ccf9df21072f0e5bd381c947ec3b65",
     "type": "query",
-    "version": 105
+    "version": 106
   },
   "71bccb61-e19b-452f-b104-79a60e546a95": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual File Creation - Alternate Data Stream",
-    "sha256": "7b7161a306354a85487bb1983dc6741e6e5f3496c81436ea411be3df3db9bc16",
+    "sha256": "9f0f49705389e6d3d70937bb6c9f6947b3a18dfcae7e1cc504c66380348e68ad",
     "type": "eql",
-    "version": 110
+    "version": 111
   },
   "71c5cb27-eca5-4151-bb47-64bc3f883270": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious RDP ActiveX Client Loaded",
-    "sha256": "ed42c0fb2d21cc54e22a7d89aa2d288c8f65e5838f53f8d4f70610fed30dfd4f",
+    "sha256": "44d4d66dea85165137a0d3f86d314a56a2d3de07baedee209e53118864691402",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "721999d0-7ab2-44bf-b328-6e63367b9b29": {
     "min_stack_version": "8.3",
@@ -3081,9 +3214,9 @@
   "729aa18d-06a6-41c7-b175-b65b739b1181": {
     "min_stack_version": "8.3",
     "rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
-    "sha256": "589ed370382005f679784080b48032cb270e5ec62367be040705713df506d42b",
+    "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "72d33577-f155-457d-aad3-379f9b750c97": {
     "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
@@ -3094,37 +3227,44 @@ "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "f0075154901353040f0326fe7ce86389aa8eec62b61bea6a4ed774ef5e7aa6d1", + "sha256": "6936c736181dd010bee7cff6349ca6fd1495ff2e37f3c814d03edcec4f025dcd", "type": "eql", - "version": 106 + "version": 107 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.3", "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "b03d27db98d1c22fc0e332c42a4547f7fff8937be12ad0060c54d80b1a69b6e2", + "sha256": "face2669be6ce58d7dc8b07bc4b200577cdf0bd21facb3d5266facb5df28a6dc", "type": "query", - "version": 103 + "version": 104 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "8.3", "rule_name": "Unusual Hour for a User to Logon", - "sha256": "ab13305ff4ac6941cefb428e1de108a8c5c97f0d11cf5074464593477c59fdf3", + "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", "type": "machine_learning", - "version": 103 + "version": 104 }, "746edc4c-c54c-49c6-97a1-651223819448": { "min_stack_version": "8.3", "rule_name": "Unusual DNS Activity", - "sha256": "82fc5b2b1b1c75dda5d968ac3522eeea25437fc6095b9a28e893febe014978a7", + "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", "type": "machine_learning", - "version": 102 + "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "min_stack_version": "8.3", "rule_name": "Suspicious Sysctl File Event", - "sha256": "66246357a6e2baf18f6692bf5ec006c4c8b46cccb03f13a768a516a0a44e7bab", + "sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc", "type": "eql", - "version": 2 + "version": 3 + }, + "75dcb176-a575-4e33-a020-4a52aaa1b593": { + "min_stack_version": "8.3", + "rule_name": "Service Disabled via Registry Modification", + "sha256": "372c468ec6a0ebd2259d3b111dd8e4431353594ad85c0e66a0b97284f21d84f1", + "type": "eql", + "version": 1 }, 
"75ee75d8-c180-481c-ba88-ee50129a6aef": { "min_stack_version": "8.3", @@ -3136,9 +3276,9 @@ "76152ca1-71d0-4003-9e37-0983e12832da": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "45be8d8fcc5440e8400f3b3736a93cdfaac250ae4b777dd232d908a245e74058", + "sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902", "type": "query", - "version": 102 + "version": 103 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "min_stack_version": "8.4", @@ -3159,16 +3299,16 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "1d6d7f0f4498f6d1b8c8289faf2ee642bb37d201d14ca66b9143b351f12f136a", + "sha256": "d9c6faf2209cb103e1548a470602851ee01bf04f32853d0ed66169fff27e6847", "type": "eql", - "version": 6 + "version": 7 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", - "sha256": "6f7d21d296794e815a629299d0e7bc2c4287ff94a2a07e0c94f22e6660fd00e5", + "sha256": "1d6f35d59421b7701973891ca9762db50f5dd087b3feb9e9e384ee927cdf1d36", "type": "eql", - "version": 104 + "version": 105 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", 
@@ -3180,23 +3320,23 @@ "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "90ba412e5f74a327e2a562946201aeb6cd21309a6f0a6bab7976fad99953c6d2", + "sha256": "22a26a54eac8e02ec72df44fdc261481315acec5885269f591cb5fd1c46d1825", "type": "eql", - "version": 3 + "version": 4 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "c42d3d5e793948cf2619446bd13d2f526e54d1e6cbf9d36889e28c829b865cd1", + "sha256": "9f85a8053c83ad71c8540a2261dbbc4708549c0de62c0edd99395ef16629cc9f", "type": "eql", - "version": 105 + "version": 106 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "50e1096e383732d4bfbbc05cb6ebc3c141541607bc81c2fcf6165e864af53e50", + "sha256": "3efbbd83a3795ef381af8172fedb8209e077505df6097622483b3275060f8be7", "type": "eql", - "version": 105 + "version": 106 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", @@ -3245,16 +3385,16 @@ "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "min_stack_version": "8.3", "rule_name": "Spike in AWS Error Messages", - "sha256": "8cd2d319c3195887156eb5af83cacb38617e98e24fa81bfa46ad105177757464", + "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", "type": "machine_learning", - "version": 105 + "version": 106 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "31e050673ec47baf5a08c2e334565177b404ce43c1f9ff82d5776a62d20ec295", + "sha256": "7b5df51876d17dc0c0978937514b88e32fbb68a471fdbfb5063af60dff04d178", "type": "eql", - "version": 3 + "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "min_stack_version": "8.3", 
@@ -3263,12 +3403,19 @@ "type": "query", "version": 103 }, + "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { + "min_stack_version": "8.3", + "rule_name": "Potential Masquerading as System32 Executable", + "sha256": "3b177629deb6dd64f254d75b8a4f6b71879b7ff33a70d98c184560b82d67277a", + "type": "eql", + "version": 1 + }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.3", "rule_name": "Potential Exfiltration via Certreq", - "sha256": "e10b6b4454dd1b73e63fa0c9dc9a1928b6914f51f7b570e674bfc5f40050d590", + "sha256": "4ef6fb0e47ac848843d2ae9b37eacc7369390ef5ff45ecf6b0a374512ad4b979", "type": "eql", - "version": 3 + "version": 4 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", @@ -3286,9 +3433,9 @@ "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "a6e7e37ed215456f0c70335badbce32de1457fc96e9523f2bfe470d5ed197db6", + "sha256": "1dd7950a241f5882d741236f88f61e5ed12437aa16756ce984ee04379e2dcdf9", "type": "eql", - "version": 1 + "version": 2 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", @@ -3306,9 +3453,9 @@ "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", - "sha256": "4a75185148b0f025912e9ecc19ed722f7a025f359e7b93fd8b65afbe41365a1e", + "sha256": "ef35c00c8f160878d607315e984c5aecf6fdca5f36d9db988c29e88f76d00270", "type": "eql", - "version": 105 + "version": 106 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.8", 
@@ -3329,9 +3476,9 @@ "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "min_stack_version": "8.3", "rule_name": "Tampering of Bash Command-Line History", - "sha256": "df93fe3408b4a9c843b5522860505e6ec82f96abb08fa0881ad1e46e027b0c38", + "sha256": "87fe7e562ce227a8493a541cc86e41d99ea61aaf827cce77b997f82c7a94c935", "type": "eql", - "version": 102 + "version": 103 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -3365,30 +3512,37 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "5657cd8ac5f0c4e6ae8f8bfd17d420d2fc7893a478c3cf4c06c28941e2106614", + "sha256": "0d2e9303095644cff713d6cc47bcea144b0fb7d1c8c7026f50ac5fe60e57228b", "type": "eql", - "version": 104 + "version": 105 + }, + "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { + "min_stack_version": "8.3", + "rule_name": "Discovery of Internet Capabilities via Built-in Tools", + "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", + "type": "eql", + "version": 1 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", - "sha256": "a5a770edc33a8e7e8eebd70dcddd0bb6c09432602b530e9813de3ade870ae6b1", + "sha256": "27bee4413c109d7597639a0a60acd77d395ddd1b5f6f4fb09c88c026a699a4fa", "type": "new_terms", - "version": 4 + "version": 5 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "min_stack_version": "8.3", "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "907f1a257b0bc6e60a9f9ebb695ef97418f1e573e4e9bb00842961b0b9d15343", + "sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0", "type": "eql", - "version": 2 + "version": 3 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.3", "rule_name": "Unusual City For an AWS Command", - "sha256": "6e9418d6a76d5b3bd4aae888d33160f13b9b71a18647ab577689746982587651", + "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", "type": "machine_learning", - "version": 105 + "version": 106 }, "80c52164-c82a-402c-9964-852533d58be1": { "min_stack_version": "8.3", 
@@ -3400,9 +3554,9 @@ "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "0e79e3691650f83b5f187e3bd292dcdbd41e4473d31f3ed524309ef749c1da08", + "sha256": "9c2f8341e807bf0b4ffeb0c40e797f72dbdd69d65b6db7a2a6c7f8ee10708d7a", "type": "eql", - "version": 105 + "version": 106 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -3427,16 +3581,16 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.3", "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "eaa33048144c193d9ab95f5e9773af65d5f9eabcfe8188abe417c7d6d38009cc", + "sha256": "761723a38f1f9d88a679524aa3ccd687c0cfc74e3b66a8bd2e62807a050d44ea", "type": "eql", - "version": 103 + "version": 104 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "6ea34019b9ba679eea32cbb495b10f6749a8a22e6d08f59fe7b16cd42d7ebf83", + "sha256": "fe6cc04fb2e612cab72a6d221db5f03f75c1706355d5c212987ec5de3a2bd3a6", "type": "eql", - "version": 1 + "version": 2 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "min_stack_version": "8.3", @@ -3454,9 +3608,9 @@ "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "3416e2bf5ca7daf2a45db0247015f02bf59791f7b972b4fdc8acf9dbe9ea6719", + "sha256": "7bd7ca6309b09a6218ebe05322f1477ad28327ac05cab27ae9eb18267b43563c", "type": "eql", - "version": 2 + "version": 3 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.3", 
@@ -3468,23 +3622,23 @@ "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "3609a3aecbc42521c1cc0249c04b263aec76ee2699b036eb36748213f1f24dc2", + "sha256": "5a3c03a8465e2bd10bcaa699af57945cf361af5ca71be2662c20a6746a5b4960", "type": "eql", - "version": 106 + "version": 107 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "39e4e96b86604efb80925d0bfa1da0279899664119aaa5b392a2cc165a2a20c7", + "sha256": "7e3d4366d0e82917ab82b493fb7f89d6c89013e0e9483692037c1e3264ebefff", "type": "eql", - "version": 107 + "version": 108 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "8.3", "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "6d16ec9af048dc6cb0ae829032dc7f010510fc01e39097bf9deb4d6476af80fd", + "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", "type": "eql", - "version": 107 + "version": 108 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "min_stack_version": "8.3", @@ -3510,16 +3664,16 @@ "870aecc0-cea4-4110-af3f-e02e9b373655": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", - "sha256": "3ab8e36e47dd61b440cd8084f355afbb348f444f9f3ca559609ea4fbfad4f968", + "sha256": "d5d6fbfe8a86e827bb1f10589d9e8427ba7b59bea1a9707d4359dce6fee0929f", "type": "eql", - "version": 104 + "version": 105 }, "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", "rule_name": "Enumeration of Administrator Accounts", - "sha256": "8a3f98f76ff448f3696197c61f3d7473e0997ec6c9f145b7f140e1040ac7589d", + "sha256": "70ad3fa6e2da2dbfbb0211d6835e6657b3c156417e77b4b8bc33b86c2b69167d", "type": "eql", - "version": 106 + "version": 107 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "min_stack_version": "8.3", 
@@ -3537,9 +3691,9 @@ "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { "min_stack_version": "8.6", "rule_name": "Potential Suspicious Clipboard Activity Detected", - "sha256": "81b067ba7ca440551c5427488fd426f9df51ca8b72ff6e3db6e1a99f324eb05e", + "sha256": "a845a994f21837d7225484856beb19514cb92efaadf804f6caf1748812efd2e6", "type": "new_terms", - "version": 1 + "version": 2 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "min_stack_version": "8.3", @@ -3551,23 +3705,23 @@ "88817a33-60d3-411f-ba79-7c905d865b2a": { "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "9513ee2f3181086efc60d05ee0bf42d67f78fe20ecf2d92352b2f3765ff58bd3", + "sha256": "de3dc029c5f1bbfc9c187b002dd15ae68bcf1310360b2f17694e84ce55051314", "type": "eql", - "version": 103 + "version": 104 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "ebc6754248c6b7a7634e86d08ec0161e3f109569c788248ac2889d1e047c7973", + "sha256": "a4206f33521819d8d7d53c211f4469b0f4d29f90aa303e728ed6c22f0acd0ec3", "type": "eql", - "version": 1 + "version": 2 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "deac5774bed6bfdc77e63f9f2e6b5688261dd238664bc00cebb4d22a72c4d4cf", + "sha256": "81f56a2b806be5fd445f656c540705be59af15be47b97fc7289e0b70ab357fca", "type": "eql", - "version": 104 + "version": 105 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -3578,44 +3732,44 @@ "897dc6b5-b39f-432a-8d75-d3730d50c782": { "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "7012f85734fadef531a81f65a790a31a85fe7dd6c4ef6bec17a7a9ea1ede1283", + "sha256": "90b8b19f30fb314195c63df104ccdd6013d5b93cb7f2d2672bc0e0fdce6e53fc", "type": "eql", - "version": 106 + "version": 107 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.3", "rule_name": "Command Prompt Network Connection", - "sha256": "a96de0fddbb5b4535329405dcc102eca10762785ad1cc6d6d2bafc48185d5df8", + "sha256": "a7b53613b02ded1945e51652cf8c0a4b2548ec599948a7ac9a5a75287f819c3c", "type": "eql", - "version": 104 + "version": 105 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "min_stack_version": "8.3", "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "aa33ded72a34a56408c07f9dbdabdc13acfe4c609c4fec7f48f093a82fb5a249", + "sha256": "456c1af4f588c9d3fc039ba183fe378b0d32a8920c785254b0550fdd4329374b", "type": "query", - "version": 103 + "version": 104 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", - "sha256": "cf1e2262983765f27b55ba8f50491c865dfcdfa5215405a7e223cf7a3262b3d9", + "sha256": "ffb3cada9e61abf88edfa4d4994b68df4a1c86040ef6344d2d5d2f2fb67e0bb2", "type": "eql", - "version": 1 + "version": 2 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "89de3007f94235a74251ec78230a1612aa41751a62318782c36137e848ab2227", + "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5", "type": "query", - "version": 102 + "version": 103 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "3e21ffcd1f9b36bb1daee50d26cf91acd10b7f1c10b9c8f1f27279bf32b572e1", + "sha256": "a577ac9fcb46e067f2d9a3dfa1c37db43cf2b744e0701387877da0d9321a209f", 
"type": "eql", - "version": 103 + "version": 104 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.3", @@ -3627,23 +3781,30 @@ "8acb7614-1d92-4359-bfcf-478b6d9de150": { "min_stack_version": "8.3", "rule_name": "Suspicious JAVA Child Process", - "sha256": "35097b6f0b3c4dc111e03896083a67d44d75afde8cef52b695fcfc833c2d8bf1", + "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", "type": "eql", - "version": 104 + "version": 105 + }, + "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { + "min_stack_version": "8.3", + "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", + "sha256": "577175231e8722658399f535dfe19fa278f3082f7848da4f3c65e77ee2a4118c", + "type": "eql", + "version": 1 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "aafb76a9f8863d5a85c14adaf0ec53cb6bba634b39475f407befad5b94eca10e", + "sha256": "cf5d70e346d64085f11501ee4ee6aae18cc9a72891310160318db69144acd12f", "type": "eql", - "version": 104 + "version": 105 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "b3147152ceab5d19b1a308b040c5a3ae31cfb7ffcde3d9564621da5102d49685", + "sha256": "b5ba453579b913af45987a4158da3836e9f6d5c089b322ed9b4feb5d3def09a6", "type": "eql", - "version": 105 + "version": 106 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "min_stack_version": "8.3", 
@@ -3655,23 +3816,23 @@ "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "f01d3cc4a46b406a142212026fbac6666713fd7a0cfb377025089371471c7721", + "sha256": "02d2aa1ce970af5dbef685da0cfc51fc7c9d7c82932b13d1b19d8f212a1ba2de", "type": "query", - "version": 101 + "version": 102 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", - "sha256": "a07d9dd17ccc1fb4611d130132783f98500b2210fa94d6d6687f26ccc7a8a3e5", + "sha256": "ab6f219326b46640112b041c6a7ccdf841ac3d4aa2e364b34b83a7869e301b70", "type": "eql", - "version": 105 + "version": 106 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", "rule_name": "Potential SharpRDP Behavior", - "sha256": "a086a430a5246d5504575c3ead307579d1361febfb0f60c35f89ee47736cbafc", + "sha256": "b6a8ffcc1a8ee2a11059084442b0318bebe5bc120cfafa14f65b4e1d7b321062", "type": "eql", - "version": 104 + "version": 105 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "min_stack_version": "8.3", @@ -3682,10 +3843,10 @@ }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { "min_stack_version": "8.3", - "rule_name": "Potential SSH Password Guessing", - "sha256": "26894fa5e08e82c7990e3ae5d6fb094214df7da670d2eb5fb9d2001e7772265c", + "rule_name": "Potential Successful SSH Brute Force Attack", + "sha256": "930f4fe60fcf470067a75a7d6d9b93d3c80d639fcc0cf248c30c9f41cb98f70d", "type": "eql", - "version": 6 + "version": 7 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "8.8", 
@@ -3697,9 +3858,9 @@ "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "f0bc49fb3356877692242e841428e75c2a7f3e6a4b19b016e0bfea992325700d", + "sha256": "9037dac927b76a260a11026c3e893f9f85b2d876004b652c74c012bb7fd93f5f", "type": "eql", - "version": 104 + "version": 105 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "min_stack_version": "8.3", @@ -3708,19 +3869,33 @@ "type": "query", "version": 102 }, + "8e39f54e-910b-4adb-a87e-494fbba5fb65": { + "min_stack_version": "8.3", + "rule_name": "Potential Outgoing RDP Connection by Unusual Process", + "sha256": "dd3d04e43bbd83b16a0414f323260473ea086aa839efad492a35c4a2cd203829", + "type": "eql", + "version": 1 + }, + "8eec4df1-4b4b-4502-b6c3-c788714604c9": { + "min_stack_version": "8.3", + "rule_name": "Bitsadmin Activity", + "sha256": "c07d18b1bad6186dd2af856dbf2362d78f773b50369e7044b1e1329cc0f23cce", + "type": "eql", + "version": 1 + }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "da330e831040cfb41f8e1dbe7ca597ff279047526226be556531a0ff6c01d85a", + "sha256": "818146f18a2aefd065739007ec4aecb61ec4257169528b7a6605b7ff0cc0758c", "type": "eql", - "version": 103 + "version": 104 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "79fa833139dcdd970fcf966aa53642bf075e8c237c083f593e9a8ba31d8f962e", + "sha256": "9c3c0848659cf6ee23a2450fed6a0492e2de6ef5758060587ab61c498f7a2a26", "type": "eql", - "version": 104 + "version": 105 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "min_stack_version": "8.3", 
@@ -3738,9 +3913,9 @@ "90169566-2260-4824-b8e4-8615c3b4ed52": { "min_stack_version": "8.3", "rule_name": "Hping Process Activity", - "sha256": "9bd9bfcf3e5386259b1e87dc76e6d13c7d7c76272356e20cb69d1791e27d305f", - "type": "query", - "version": 104 + "sha256": "63e23dabfb3a8535a41b473614245b4df52a35760e0485a6e9f51e55d61615f5", + "type": "eql", + "version": 105 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "min_stack_version": "8.3", @@ -3752,9 +3927,16 @@ "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "9fd4f43335c4e1709100ea8eb8fe828ce5c5cc643b4332701f68e420384d8169", + "sha256": "41382d29e3c6849b93e948bd226cdb0679034847a9d11893198c735da08564ea", "type": "eql", - "version": 103 + "version": 104 + }, + "90babaa8-5216-4568-992d-d4a01a105d98": { + "min_stack_version": "8.3", + "rule_name": "InstallUtil Activity", + "sha256": "c1312553a07dda6fa6995c57f31922c18dbb00fe5becd831c6d1bb4246bad8c0", + "type": "eql", + "version": 1 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", 
@@ -3779,23 +3961,23 @@ "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "8.3", "rule_name": "Unusual Web User Agent", - "sha256": "932ee05757e47a1ccc2512e263ef3851b3df6cf9f1f905fd7f6c14ff868e27eb", + "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", "type": "machine_learning", - "version": 102 + "version": 103 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "min_stack_version": "8.3", "rule_name": "Unusual Web Request", - "sha256": "5eeeca2519f2eb668a90c9eb7eb2bcbeb751c83979d5a30d841b6a949c4824fd", + "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", "type": "machine_learning", - "version": 102 + "version": 103 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "min_stack_version": "8.3", "rule_name": "DNS Tunneling", - "sha256": "95c5521a8804043c2ce46dbb6bda769b2546afedd0aaaf60fb19629e49d92b4c", + "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", "type": "machine_learning", - "version": 102 + "version": 103 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.3", @@ -3821,9 +4003,9 @@ "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "min_stack_version": "8.3", "rule_name": "Sudoers File Modification", - "sha256": "be8fc85ed808400b6e478b16df3cc482bf866a26d0d137005c3a09891f266595", + "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", "type": "query", - "version": 102 + "version": 103 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "min_stack_version": "8.3", 
@@ -3835,16 +4017,16 @@ "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "be0ae0930b577db016a138130ede4ffee2e566ef18732c03f19e42c7b8f02182", + "sha256": "7ee6e483fa2c41549ec9d26ae3a319f27efcef92d7ebfc4c9e232c80f50c28d0", "type": "eql", - "version": 105 + "version": 106 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.3", "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "5915a9af341960e1ca6dfa9e21e82cf8e4195f36b9a086b3aaa4455fc7501404", + "sha256": "3ab5284a9f2ffdcbb1cc8acb795f4da54e219abbd241a58dd7a0797097d55f66", "type": "eql", - "version": 104 + "version": 105 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "min_stack_version": "8.4", @@ -3865,16 +4047,23 @@ "93f47b6f-5728-4004-ba00-625083b3dcb0": { "min_stack_version": "8.3", "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "db6b76e9a6c301a4f03c90e797b1cd301c48fd21c9690db929cacaf7f44bfbdc", + "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", "type": "query", - "version": 103 + "version": 104 + }, + "947827c6-9ed6-4dec-903e-c856c86e72f3": { + "min_stack_version": "8.3", + "rule_name": "Creation of Kernel Module", + "sha256": "bc11b02e437e764264346f0fbf206b73fc696e806b497b4465f6df6841315099", + "type": "eql", + "version": 1 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "abac1d11e7f877d853154961ee8ec3fde31af1d1f9901a3a5e5d22a9242daa22", + "sha256": "547b20764fecd9340dbe641b6df4e4839c47770cd894673ee65364b20061959a", "type": "eql", - "version": 3 + "version": 4 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -3895,9 +4084,9 @@ "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", - "sha256": "7a073636a8c2986dc7aff0fe54e8dbb20a5b5e5c5db19c2607aa5d1c73f00a72", + "sha256": "1df41e4a31085a0992f0810059addf6a2ad7525c1b132d8c8e5396bff9167837", "type": "eql", - "version": 105 + "version": 106 }, "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.3", @@ -3916,9 +4105,9 @@ "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", - "sha256": "70da697a2d795b80c7a619e9095e3ff375589369d8dda1c3ccadfc5223074306", + "sha256": "8de6fbce3edd5e6599051a15eae6429056bb4fae367b3cd3572ece577dc22e1b", "type": "eql", - "version": 105 + "version": 106 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.3", @@ -3930,16 +4119,16 @@ "96d11d31-9a79-480f-8401-da28b194608f": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", - "sha256": "91d5e62be561b9ba2b9288ad52f5e43bdf1fedcaadcc2790f9cbb44b0a98cff9", + "sha256": "ac2aae146b439c128acf93b6d08c60c1297ef5ce278baed0d2463fed3d109553", "type": "new_terms", - "version": 4 + "version": 5 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", "rule_name": "Access to Keychain Credentials Directories", - "sha256": "f5a924e4073b4f7debe163a2dcbec38d0270cebdbb6385e6e71552ea0be7cf92", + "sha256": "3a52620ed72c8ba4b60a75bb884dab068504e8759c80fb2a40d44961074ab786", "type": "eql", - "version": 103 + "version": 104 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.3", 
@@ -3972,16 +4161,16 @@ "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.3", "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "f48fc478b11251048439f96492bd2aad2b2c3b84a99ff42e01c5857de457df83", + "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", "type": "eql", - "version": 104 + "version": 105 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", - "sha256": "f101a75f5cea0ffdb2e43d41b3ddfbf082a6efd43ebe13f525180aff387b809f", + "sha256": "b15108fed1be29ce5b03c10684a269ab6930c9843c4bae00bf62059a1151250f", "type": "eql", - "version": 106 + "version": 107 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -3992,9 +4181,9 @@ "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "5c9f9ccf50a5f760e5abbc35b0c30a8fccd38fb8ccf2a92b104fc4555265fe4c", + "sha256": "23394ff5cf8c8530a51e90c2408d609e7000dfbc5dff8724cb29cb88e63a6d09", "type": "eql", - "version": 2 + "version": 3 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", @@ -4005,9 +4194,9 @@ "97fc44d3-8dae-4019-ae83-298c3015600f": { "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", - "sha256": "13109617be252430a0af0c782ba9695a2e18e9c1256827904312ede390a858eb", + "sha256": "e35230136b3e8717e95ef5022b13c355c44d14666a14d564449b2982dfc27e9d", "type": "eql", - "version": 108 + "version": 109 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -4016,6 +4205,13 @@ "type": "eql", "version": 2 }, + "98843d35-645e-4e66-9d6a-5049acd96ce1": { + "min_stack_version": "8.3", + "rule_name": "Indirect Command Execution via Forfiles/Pcalua", + "sha256": "c01ebbcea37de715c7c123e6eac64a6049906339a0d60bf1f146d677061bbea5", + "type": "eql", + "version": 1 + }, "9890ee61-d061-403d-9bf6-64934c51f638": { "min_stack_version": "8.3", "rule_name": "GCP IAM Service Account Key Deletion", @@ -4047,9 +4243,9 @@ "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "min_stack_version": "8.3", "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "e91c5d0c1e37dc56aa9b7359f8d0aaa2b3622d6ce958024fb4e23b73af5a5b98", + "sha256": "40258127ac6373780bfd25be362342b142324a166319243b55a747b477db70b0", "type": "eql", - "version": 103 + "version": 104 }, "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.8", @@ -4070,9 +4266,9 @@ "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", "rule_name": "Spike in Failed Logon Events", - "sha256": "319a1b5798912ce1e22d4274ab5e8a263444ca31289a600b07ecb0039fdbcd21", + "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", "type": "machine_learning", - "version": 103 + "version": 104 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "min_stack_version": "8.3", 
@@ -4087,43 +4283,43 @@ "8.3": { "max_allowable_version": 104, "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "96dd345dd9049c6da3264d6610314a092cfb79e65182d8d163815c1889ba3314", + "sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "ebd07f4f1c4c808413c8280170d1a229c9ff5ea9c42f0a11e064e4861965f364", + "sha256": "3d1c09ba378537737bdaa3bc2bbd9e9934d0e9cb7d50f63d33192377614d85f2", "type": "new_terms", - "version": 105 + "version": 106 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", - "sha256": "a8bd97244305d66f46e2f2c18820be193c34162cb7ce82b4dd05fa0d4c333ac1", + "sha256": "e8cc9a60bbe510d51bd3ad134669feb9e5cb0fa08160bf27530801138c60e882", "type": "eql", - "version": 104 + "version": 105 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "83dbb7279a23df54d29943b065241fb5b9c8ca10008fc9fd22591c9c6c7d5dfa", + "sha256": "b2540b2ad922ec95cfd386da0ca9a614f308ef3262066028d23296d5db87509f", "type": "eql", - "version": 104 + "version": 105 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", - "sha256": "efa5d04eb0de4d766926df7a31de77239d0fe74d8d059685ed95d91d6580e5c6", + "sha256": "9a25dad4f89fd07ae509d365c90397c70feb22604338c0b57ed2c43b1498c278", "type": "eql", - "version": 105 + "version": 106 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.3", "rule_name": "Hosts File Modified", - "sha256": "848ca4b6973aab7d825fc19df47d9fad8b6b5a0b049c78536b852c6fa97975d2", + "sha256": "acfc1d0db0cb1de8a27ec3ec15a3eea599e9644d56ab8bdd06c8678cf1bcee3f", "type": "eql", - "version": 104 + "version": 105 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { 
"min_stack_version": "8.3", @@ -4135,9 +4331,9 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "ed935a77f2c6a9c2c7e39d20df0e6d7b6af77d296ae7e7749807ca3bef0cf8bf", + "sha256": "33745d6764626a4ad4ef565c71d285cde7a74a318e9622b428483457e45f612a", "type": "eql", - "version": 105 + "version": 106 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -4164,37 +4360,37 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "2bfd31d99b630ca0c9c984f354c3ab5a7fea76166df7fa55940732ac50d49cd8", + "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", "type": "eql", - "version": 104 + "version": 105 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "9f81fca217e8a1b0e0423550fcd903530b9f3345da2788c603d0268784a9a883", + "sha256": "69d5523e4e8bd2c582f84b522bfeae185f56d87fb6f698ba3afd72a1722cfc9b", "type": "eql", - "version": 105 + "version": 106 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "92ccb98a5670a616a2ba3f1466609fe634d27e2d76acab79f2f6871a7b9e17e7", + "sha256": "b2885bccbc5942ef0b109aafd8cc5f741f11e702109bfce0e316e37c66a45f02", "type": "eql", - "version": 106 + "version": 107 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "766827804d77a517bc30bfb691d5726197e710212516dfd4fb2f0e24f6282b6e", + "sha256": "0cc7ec48190d68c5dc8c36a1df944b214f34c599d8425caea77fbf4875d98ff1", "type": "eql", - "version": 106 + "version": 107 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "160c6f76131fbeb8894494c0e1d9275d28b6f0eac2353ff8b83c4f7b53e49f99", + "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", "type": "eql", - "version": 105 + "version": 106 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", 
@@ -4206,37 +4402,37 @@ "9d19ece6-c20e-481a-90c5-ccca596537de": { "min_stack_version": "8.3", "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "327e19dd65541bc98279099df7ba1960cf71e33c80526dc8e9663198074f242e", + "sha256": "362420c35e0dec946d828d9efe8a1dd0e2313dec67f9a9b0f2c27f8361fffe58", "type": "eql", - "version": 103 + "version": 104 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "9bc99177ea23ad302bd0e299315a14e71b201307e7927a048b06f6c18a51b574", + "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", "type": "machine_learning", - "version": 102 + "version": 103 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "923544db5daaad9039515107320de465fca70491130f15c05447e19a7a2a3c71", + "sha256": "18494ff65fcc575a4fe46296da4e82fca3ba729b57b21a1c55c64d81a92924ed", "type": "eql", - "version": 104 + "version": 105 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", - "sha256": "0cba78f6898d9ec67ceeaf18a9898193a5df782a64372ae57ee3b2f272deff84", + "sha256": "183d1fd02dc0fd574742ae54310b3f93b10da3165738e77fcdf8b460f5f7cdac", "type": "eql", - "version": 108 + "version": 109 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "min_stack_version": "8.3", "rule_name": "File Permission Modification in Writable Directory", - "sha256": "3bd810bff17e93578b6880465171c3ed11a1b0f53a9a34a488a434a683111440", + "sha256": "479f3fc53ac311718ff6affc4889eeca57ac3a34bf6f10026bf60b6b8e915eb8", "type": "eql", - "version": 104 + "version": 105 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "min_stack_version": "8.6", 
@@ -4271,16 +4467,16 @@ "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.3", "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "7a0b86662b957d2a96a20c87d3e2708153362972784186032e5c5ea8de6cabea", + "sha256": "5b2271e8146d2aa236084a96b10d1b5a449f721404a7262dc44bde744bac37ec", "type": "eql", - "version": 104 + "version": 105 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", - "sha256": "6b036be970d1ee6d68567c6160d421fdedda2d8ed4998a63ad6d0d720e619b15", + "sha256": "9bb73e05248278c13545b111daf70f5b5b00005f472f1ad9a8ad6dc03a7e4bb8", "type": "query", - "version": 104 + "version": 105 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", @@ -4292,9 +4488,9 @@ "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "091b228e76fee62a401548b353eaad1d1a10af237031b251a54f08efdb6ffd51", + "sha256": "6c6d99f8d895a01d02dd4c824f549d027faf0fcd9e4164f5f15841495f797400", "type": "eql", - "version": 3 + "version": 4 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "min_stack_version": "8.3", @@ -4313,9 +4509,9 @@ "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "178b7fe58e8100b46195999990aa071229425ffde84c24120c53538a5fb12d38", + "sha256": "189260746002bccbe31e9ddb6ba7e60d701a6e651c5d2c19efe56cd242c954af", "type": "eql", - "version": 104 + "version": 105 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "min_stack_version": "8.3", 
@@ -4327,9 +4523,9 @@ "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "acd13f78b6d2f6ba2349c203bd47d2d9af049fe0335f55b805cd28c453cfa6d5", + "sha256": "7e9cfb7b511344e897eac5189a53654f476437241ee0c37b7600d2e033787ca7", "type": "eql", - "version": 104 + "version": 105 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "min_stack_version": "8.4", @@ -4357,16 +4553,16 @@ "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", - "sha256": "70ecd7b06628c17497b766b9473fcf76cba8a737cf13c6c34624431a8a90ecfb", + "sha256": "45df842bf3fc84a101466bbe60825f7c421c1bb2a632e810a097e320eb227154", "type": "eql", - "version": 104 + "version": 105 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "33fccd60667ae352a14cfcffba24c3c8dde8f3ea9005e6dc2d57b6b869b8680f", + "sha256": "47565477aafa65e36a393078e2728881f6776c4ab363e183c347d8b0e72f349f", "type": "eql", - "version": 105 + "version": 106 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", 
@@ -4412,30 +4608,30 @@ "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", - "sha256": "a61ba5ac15a7a34d76f0694e62edf5ec726aeaf9d41152bc4f58b76a6c025cc9", + "sha256": "e666ba885bd91e597b94e0359330e1a02c9c59b43b48de599aeb78a26c32aaa9", "type": "eql", - "version": 106 + "version": 107 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", - "sha256": "1befbc897e0e93dd4cd2b4572b70e016aed45e4d2353722baa628e4f5551e729", + "sha256": "eaba66ce5e3e1670940bb55f81b29ea66ffea88a4e63f1c2485ba55bbb0b0487", "type": "eql", - "version": 103 + "version": 104 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "d4511204fcde1b9c77011f1d39c04998944256838e038bbc9aa1918f237c06e9", + "sha256": "d2ecc2ccb29c2a4acf6790274133e976ad48787ab37bfdd12667ae6b58bfbc45", "type": "eql", - "version": 106 + "version": 107 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "62a1f8bacf99e84bc1435ac4f9d97d78d87fe524c2df378ff15289ca9674abdc", + "sha256": "913d17dd423ad4f09f41eb01380f802d3c2c209812a27e963fd5198d566bdb8d", "type": "eql", - "version": 105 + "version": 106 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "min_stack_version": "8.3", 
@@ -4483,16 +4679,16 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "8d7c7f98ba23485e3a0686eddf2c1bd9788712bdecf05662d48f021ce0c290cf", + "sha256": "a73b1eb6b898a6e001202a04fdd4d7fb4c5b701bd88b68a6840f1260506c2e68", "type": "eql", - "version": 103 + "version": 104 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "c3e5eae52e4a73dfc2fcf875535ac962d131df93db2a0cb84aac70db93a44523", + "sha256": "c71a73ed18eadca2c2c082ca0d511745ce0960e56167e3ed59116b93c8b2720c", "type": "query", - "version": 102 + "version": 103 }, "aa8007f0-d1df-49ef-8520-407857594827": { "min_stack_version": "8.3", 
@@ -4504,58 +4700,65 @@ "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", "rule_name": "System Log File Deletion", - "sha256": "2b982735ac747391a87582e7358450ae3c8a166cf6839c8f031527bb665ff38a", + "sha256": "6fee4b495f1438946191a9f0a5d18e790c19b3546166fa5dc0126a090844c515", "type": "eql", - "version": 105 + "version": 106 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", - "sha256": "02da666124b0d072a5ce43d2b0eb1c1f0687435a6b1ec47726d9e42905b9d60f", + "sha256": "57036ece2d16588ff5db14cfef90686fb253e824740a435cd77099efb522ead8", "type": "eql", - "version": 107 + "version": 108 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "e8a5d91b0c967a375343e2d4f9bd7c98986d52b06b9aeeff450d98a00deff566", + "sha256": "b84f93be7b12d9e7b6dc37e4b6f6f68f717bbb33d181321aaa4a2f77ed66a60d", "type": "threat_match", - "version": 2 + "version": 3 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", - "sha256": "cf5af76991154894d922ba6ffa39d785602235b54fef9525b0bc0add45e02a14", + "sha256": "9a5ead5bb94a1738ef4a8c11bf9f462123e5bd0feb2519f360526765f6f33939", "type": "eql", - "version": 106 + "version": 107 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "d461726231316e18ca3ebe2e565bbe81bfa74b8f2842bfa37baa5bfd88956019", + "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", "type": "machine_learning", - "version": 102 + "version": 103 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Login Hook", - "sha256": "59fe81064044ce31c2329e951ec2aa956d31b78811ad74796cc9ef72fcea765a", + "sha256": "742e178d21a4f38dbde0ceff9f3c75a33a79e70080f971e3fc63e644283c1f24", 
"type": "query", - "version": 104 + "version": 105 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", - "sha256": "06e4f5a8ec8cb7a2b8858d6cb70c0e9cb5731e014040a21021bdfcbb0b4d8554", + "sha256": "afa61dc2050d9a7e20f967d9211dda8036fdb4e3a725c969403a31ceb567ba33", "type": "eql", - "version": 106 + "version": 107 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.3", "rule_name": "Unusual AWS Command for a User", - "sha256": "8048726368b5e9a135e78b0b8bbb88536d5eae51ba31356d5c37d38043a7caf9", + "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", "type": "machine_learning", - "version": 105 + "version": 106 + }, + "ac8805f6-1e08-406c-962e-3937057fa86f": { + "min_stack_version": "8.3", + "rule_name": "Potential Protocol Tunneling via Chisel Server", + "sha256": "85b49fc5764428ee7a05cbde9d031b14b82f8f03824c859dd58ec45f25c8a091", + "type": "eql", + "version": 1 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", 
@@ -4583,23 +4786,23 @@ "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "min_stack_version": "8.3", "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "9404ed32a3b7bbaabd344fa0b74d2d1e6099802fa51fb9775f5553160e7e9413", + "sha256": "abc48431a5b42f5096e7d24ebd4ce9ce57b8f5f4f0edfbfb43583d71546b3e44", "type": "eql", - "version": 103 + "version": 104 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "min_stack_version": "8.3", "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "518182f871882fe226678248754e37e05df15b9a5168c5308be76e589e25137b", + "sha256": "6d6c36df74a3227db9ddfe242e6d7e4598aa4536c80338756b9774499deb5d46", "type": "threshold", - "version": 104 + "version": 105 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "5d2572a424295a08c2ab52f62a82a19fad5895f6e570e2d58822b96aed9d5ef8", + "sha256": "bedefb3843c8bab1185b36e6c8ced6d50cf2e073be5c0270dbbb3b1b27cb89f9", "type": "eql", - "version": 103 + "version": 104 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.3", 
@@ -4640,58 +4843,79 @@ "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "f69eb78448545394ec26a0632ed3291352df485a97d45763c2eb69d210c89b59", + "sha256": "1784ba8b2bf2310de8bfc0fb1eb058a96c9ef25ba4a1e78a8e271a61f856f675", "type": "query", - "version": 103 + "version": 104 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "f016897ba2db321cef7d3dd7a04703e0ecfa7dd6845b70484504dc29cf4cfac0", + "sha256": "bb502a72d7b3be033796d389420de72438dbe7d44096a7b8203caa4e7676c5aa", "type": "eql", - "version": 106 + "version": 107 + }, + "adbfa3ee-777e-4747-b6b0-7bd645f30880": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Communication App Child Process", + "sha256": "d195fb652753fee06135cdc5beb9fb65b68e7895f9d0fc199416d9269c88cfd6", + "type": "eql", + "version": 1 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "f2a82884f798189f2b7b13da01d487add27ee226475c02e62848b604ce71fc58", + "sha256": "a332e02143efbab6ecaf181c31cf786213bf5fa96f20b0248162df6cd92552ab", "type": "eql", - "version": 2 + "version": 3 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "c5e37ab11a7a0973e1393da0d06ecdfd39fe601bda795ce4e5311844da29ece3", + "sha256": "26c12224f8502e7fc4d3293edee86f433e5a9232a94ff1ed704587a9c019e640", "type": "new_terms", - "version": 2 + "version": 3 + }, + "afa135c0-a365-43ab-aa35-fd86df314a47": { + "min_stack_version": "8.3", + "rule_name": "Unusual User Privilege Enumeration via id", + "sha256": "e5a5fa72494c859d18b55169da07fe4402091b7b621b55c497592cfe489f3912", + "type": "eql", + "version": 1 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", "rule_name": 
"Local Scheduled Task Creation", - "sha256": "be5c9bb6ce37cc7d979aca87b55d0cf6a55462ec42338c92ac79c5fd3cbdb682", + "sha256": "4affb2391184f7f15ecce386a97e00cbad45ccfc2b853a118c89fdbe6fc192b0", "type": "eql", - "version": 104 + "version": 105 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "f30c5c2d2f9049cb02b7024588b254a4c42ec91b0ac7ac9139ff3a4594de5cdd", + "sha256": "c8effdbedbafb2183ae0ebbed62b0c5290d8157f7c6cf64bd0f9df02ee6c44d7", "type": "eql", - "version": 1 + "version": 2 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", - "sha256": "7757914030ef50d43c7b015eacb89ebffe2d36360668ecd571358e6fdf0cc7b0", + "sha256": "ed8ed608b91ec1f89f10e2b4ef5ba1ca04884dc57c910b94f5f0b4cbb73021c2", "type": "eql", - "version": 102 + "version": 103 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "min_stack_version": "8.3", "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "61165ead091bce84cf4585396d856b4d9c0d33f6ba69887084aade1a8123dd3f", + "sha256": "fe6380b09c3b3d38b09818076fb3ef3d0693c968fe9ce5547c4a82196782f931", "type": "query", - "version": 103 + "version": 104 + }, + "b0638186-4f12-48ac-83d2-47e686d08e82": { + "min_stack_version": "8.3", + "rule_name": "Netsh Helper DLL", + "sha256": "a6bceece7403f9bb47478cdb04702271892ebffa4ae4251220da5abbdae44f2b", + "type": "eql", + "version": 1 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", 
@@ -4709,16 +4933,16 @@ "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic", - "sha256": "e6bccc4707cecd93cbea5fa7a1d76c45b5757e6c2284487d3948d0a9e6b67ef2", + "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", "type": "machine_learning", - "version": 102 + "version": 103 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", - "sha256": "8052f1ae7b554af8785295238ac7e83f6d491cf16ae9b4c506588f0159cb2950", + "sha256": "078de5b8caba30df61a3bc9e859848f359bf7a766344430b00b2c2046ed17aa7", "type": "eql", - "version": 106 + "version": 107 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "min_stack_version": "8.3", 
@@ -4730,37 +4954,37 @@ "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.3", "rule_name": "Network Connection via Compiled HTML File", - "sha256": "d74daedaf980a6db5c128f235052eaa9315e0fc5de599d36d3941f8f41f8b44a", + "sha256": "dae5acefb06a64476ec330f3a9e199d0829f858f37e1a80b9f611ae9ecf0a42f", "type": "eql", - "version": 104 + "version": 105 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Username", - "sha256": "b728e744228a9807d89df4db5273d33d72adc8b92bb60d0f39ed92959c45bc11", + "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", "type": "machine_learning", - "version": 102 + "version": 103 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "743cf5c8d5e18e85119a328a3b41621ac9e4574a645c549a14ce2e8644b5ee02", + "sha256": "850a993dfb6eda757d5c928ddadb446f3ff907e01cc16c715a8274d56c405fa0", "type": "eql", - "version": 105 + "version": 106 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "2c51670dc0fc893d4705fd16ade5d720011b67e8acf121355e8c0b2c79757139", + "sha256": "cf799c7c2e95e99b29012536ac50ca736dbaaa029b937b73985d8f4b31b30e9c", "type": "eql", - "version": 4 + "version": 5 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "92fc231149fc7d4ce3d720c8397135d8327569c535622925a4de903196eb99aa", + "sha256": "46fcd9e76f08b0cd3308e57b64244a9bec5ce01b30e491015a20e1fd53e3de2a", "type": "query", - "version": 103 + "version": 104 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "min_stack_version": "8.3", 
@@ -4769,6 +4993,13 @@ "type": "query", "version": 103 }, + "b483365c-98a8-40c0-92d8-0458ca25058a": { + "min_stack_version": "8.3", + "rule_name": "At.exe Command Lateral Movement", + "sha256": "893d370046656c516a3d5b747ce8da0049fd49f11a14f685446dca5ada7bcbcf", + "type": "eql", + "version": 1 + }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.3", "rule_name": "Attempt to Delete an Okta Policy", 
@@ -4779,37 +5010,37 @@ "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "186f374d85dadb538793ddf95b2d9cdb9abccfbf819df252ef7f18d0a4e0ab50", + "sha256": "933503a94667894209a5220b062fe18f2b075d5c0c0608171a3843cb264a4429", "type": "eql", - "version": 1 + "version": 2 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", - "sha256": "653a400835b17f11ba20865c79826db118091ff04a9ef8f9b494de4079286c1e", + "sha256": "7cf6587d86fbdfeb3c6513bb3c44adaeeff97831c1afb84ac5aa64fb8ed82298", "type": "eql", - "version": 105 + "version": 106 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "25235a9736b4ecdf954cc17487470170ea687aaa1d661b64ab18a48d1502c838", + "sha256": "2a1696db25e3e2cd7578545491d669f6f258b52993267c6da8d5b2de3409c9b7", "type": "eql", - "version": 106 + "version": 107 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", - "sha256": "1a60d9adba57832adff8082d1c2b375560d5b1f7eb2111020afb019fff3fd6ef", + "sha256": "201dd81fbc35d779e3102c505a0546583887b43b606d36a68232641653d1ca02", "type": "eql", - "version": 103 + "version": 104 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "5be6829e0ae6bd00d4229a15529583178ed916cf163f50369dad48b549593adf", + "sha256": "e83adb7abd38295e3992be00556c51a2381e38d400259af3c0d3ba9e3abe6d2d", "type": "eql", - "version": 105 + "version": 106 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "min_stack_version": "8.3", 
@@ -4835,9 +5066,9 @@ "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "min_stack_version": "8.3", "rule_name": "Linux System Information Discovery", - "sha256": "041f0f842bfaf98f5a5dfd0c4d1a4a02da4f9a99f7c28ce715152dd694a744ff", + "sha256": "0d6d405de797c6c80d2fbc4e4771ff74da4fcec8ef4672510e7906fd491f0185", "type": "eql", - "version": 1 + "version": 2 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "min_stack_version": "8.3", 
@@ -4849,30 +5080,37 @@ "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "3ad5b888f364f3db5865ba11e56e472f2239817a4873da91d0def5e40be3dca5", + "sha256": "9514a809ca145d976ad76c91de53390221ffa8bde79020b93c643058eaccd223", "type": "eql", - "version": 104 + "version": 105 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.3", "rule_name": "Network Connection via MsXsl", - "sha256": "ec002abd39c4afba7981ebb6048851084801aa94958cf9989f45cc7098c3c7a0", + "sha256": "674552a858e0c108bede8311d70e4461a8f06e600ceccbe2ca598e97a67d2d8d", "type": "eql", - "version": 103 + "version": 104 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "e6bf0d2f429fbd0e4222a52cc4c09a5959dec36b21344bc1420057e201499246", + "sha256": "26cd2a27b9188a119adafb00b69b4b1d5bbcbc60cfd384696c76c50e54bcff5d", "type": "eql", - "version": 104 + "version": 105 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "883163582e8b2af740c8ae7d6dc898796d4d0bdefec3f0faced835054500fe87", + "sha256": "ed8d32c408ebce2c38e498744b7f617e2d9a2b9a38139ad447c1c100b5844299", "type": "eql", - "version": 105 + "version": 106 + }, + "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { + "min_stack_version": "8.3", + "rule_name": "Discovery of Domain Groups", + "sha256": "da6f8b65c43fe10336ad0774d7a19fd888def6e0dea1c94eceab12afc0e3fde4", + "type": "eql", + "version": 1 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "min_stack_version": "8.3", 
@@ -4891,30 +5129,30 @@ "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "a5f0186af2fd0c04b6ceabeb55795c5808e76a430f40c1c79bf44cc09f418584", + "sha256": "e1cb2516563dc7520157b944c165c5b231a99942cdfcd049f1ef1d3213bf29d1", "type": "eql", - "version": 103 + "version": 104 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "9f041e9b17fbf8021d1a8e0cc63fe6718e953ea7a52731666bed3cafde74f75c", + "sha256": "6babe233910e674621a9caa5ef06d385da6c55f240c6169e50263b3ee15edba5", "type": "eql", - "version": 104 + "version": 105 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", "rule_name": "Unusual Windows Network Activity", - "sha256": "334c93c0d659846c309268d01cf4ddc81f7163dd30a7595918b64233bb9d346c", + "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", "type": "machine_learning", - "version": 102 + "version": 103 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "3d6fb6e4995004177715c69ff85197f747babea28f1e6317c2bf675eccce872b", + "sha256": "2a8f252310526865a66c043e6fce6a09a1f3bb3a23422aefd2e8782f9f25e414", "type": "eql", - "version": 103 + "version": 104 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", @@ -4968,9 +5206,9 @@ "bc1eeacf-2972-434f-b782-3a532b100d67": { "min_stack_version": "8.3", "rule_name": "Attempt to Install Root Certificate", - "sha256": "209e98af2a66034562503985dd9af54a15e088e40160fd27010d3afb22557436", + "sha256": "2ec38edc30ee4c822372bf3a9e2f00ebdead1b16f135cbf5fbb1c657fbf41c9d", "type": "query", - "version": 103 + "version": 104 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "min_stack_version": "8.3", 
@@ -4982,9 +5220,16 @@ "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", - "sha256": "cc0969499f426070cb5671979fcc404bac364c8861bdf2d623a13807b0339413", + "sha256": "92fe0317a5bf0deb57dbfeb4dcf96a13fa08ceb7e7a1e13f9f597eb9c94cda33", "type": "eql", - "version": 3 + "version": 4 + }, + "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { + "min_stack_version": "8.3", + "rule_name": "File and Directory Permissions Modification", + "sha256": "cd8d1d1e784ddc62a5db564994d9192996555133c9273a6f1b4384a76249ec0e", + "type": "eql", + "version": 1 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "min_stack_version": "8.3", @@ -4996,16 +5241,23 @@ "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", - "sha256": "fe5aea0a84594839a80659094f9d244dd264fe6596aa7761fa689b0c15e39741", + "sha256": "3d79fb63abbf974eea35cef0856ce1d799ebbf00d6ca813fc02212c88846a9b9", "type": "query", - "version": 108 + "version": 109 + }, + "bd3d058d-5405-4cee-b890-337f09366ba2": { + "min_stack_version": "8.3", + "rule_name": "Potential Defense Evasion via CMSTP.exe", + "sha256": "b31ac8c754822d3baf70384a75f0a66fc861ddb3ce0a3f8c40474fb161ea8306", + "type": "eql", + "version": 1 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "70ca7b29a3e5476f544c054cb6be552330e1d973ebbd77d674507ebc0dedcea5", + "sha256": "4c15aa93333df41d25b1da7384c925b4d5277eb5694fbb8f7d8f7c794143ef0d", "type": "eql", - "version": 103 + "version": 104 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", 
@@ -5024,9 +5276,9 @@ "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "729d0326dfdddf0823b549fb9dbf8c5a472322ca0145881c75f6ea3eb9f6d061", + "sha256": "836e67e32ec8fe118f5d1934b55e659b1dbcfce76125cce36bdb3c0e1f8ab9bb", "type": "eql", - "version": 105 + "version": 106 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.3", @@ -5038,30 +5290,30 @@ "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "min_stack_version": "8.3", "rule_name": "System Owner/User Discovery Linux", - "sha256": "dd5c6e765278681f84124fede3cbf1c5b03a01d987156867a7f41c754042cc87", + "sha256": "51ab813449dbe6bf71c403d5dffdb662db965a2d42c8049eaac20ba8bf5a9132", "type": "eql", - "version": 1 + "version": 2 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "aabc80f5592be42389ac49d447b4cf6c02f92531bfcb96e9b3e8d42ab0d221d0", + "sha256": "7571708ba81c1f4c57ec35169932645127841b408009313e8f8135ce0047e56f", "type": "eql", - "version": 106 + "version": 107 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "6760ae2009b5b1af65ce91cc34109def0642787b6bab3fba82ecc9b61aa6e367", + "sha256": "9f7b054508c77d58f7d726725411dc517eef84d474347b3a8557ab84761eb842", "type": "eql", - "version": 103 + "version": 104 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "15bf015d0c430618cf1bae974049f5b7490200fb951e99546779e4e088b08364", + "sha256": "1d3f46774fa553848617bda8c90e9702f60b946e32a622488929bf506f40dae3", "type": "eql", - "version": 104 + "version": 105 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "min_stack_version": "8.3", 
@@ -5073,9 +5325,9 @@ "c125e48f-6783-41f0-b100-c3bf1b114d16": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "054b3d081485e8392d43eeb49d43a0059e44f6443fd62f6023827ad5016dd02d", + "sha256": "2195aa627b79e9257bce750418e362ba1b3e8afcb6b58e9fb9d1e7cb145e171d", "type": "eql", - "version": 2 + "version": 3 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "min_stack_version": "8.3", 
@@ -5084,33 +5336,40 @@ "type": "query", "version": 103 }, + "c20cd758-07b1-46a1-b03f-fa66158258b8": { + "min_stack_version": "8.3", + "rule_name": "Unsigned DLL Loaded by a Trusted Process", + "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", + "type": "eql", + "version": 1 + }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "a46adfcb88a1feefa1fa01282ad651ad63a482285fab18a2c9088577ec24f8ee", + "sha256": "10b03b0d2a557fd9f1db04ceba979e83c8291a46dd1430959c27531b5e55a74b", "type": "eql", - "version": 105 + "version": 106 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "1db90461bca9b6a4bb48ed3dc9a1c804c93dd6e51ed2b5d295527786bd6f70f1", + "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", "type": "machine_learning", - "version": 102 + "version": 103 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "min_stack_version": "8.3", "rule_name": "Persistence via Folder Action Script", - "sha256": "de2cec5d636841a8be769737f786b08014a2483dc2ee1084b28500e5a582bba1", + "sha256": "07321ea58e3520857e64122ab09803a1fc574e94988a20508aea507982b84a06", "type": "eql", - "version": 103 + "version": 104 }, "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.3", "rule_name": "Mshta Making Network Connections", - "sha256": "b950e475df69f1b30d37185ff33eb65d837cf4e7bd8c820d79dc27762d2ce272", + "sha256": "12590f132922a1117fb9cf1c66fb7db25fd6aa692e594ab5e353b1ba010c6298", "type": "eql", - "version": 104 + "version": 105 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "min_stack_version": "8.3", 
@@ -5122,44 +5381,58 @@
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via BITS Job Notify Cmdline",
- "sha256": "3ecf6fde8f1dd54675b805124d6c5a3482354d2124bb9084a27f626b7996ec82",
+ "sha256": "a694c2c72d254cbfd29fbeb4d0893e558337476a755af6c851563a1014065d26",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
 "min_stack_version": "8.3",
 "rule_name": "Potential JAVA/JNDI Exploitation Attempt",
- "sha256": "30fd771c4c3580a3638be0c6aabdc48e61038f9e9144161b24170fcc813b4b74",
+ "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "min_stack_version": "8.3",
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
- "sha256": "48d850254f533120a7df9091a296001d794d5154d4749a4a65cf4565ee727ec9",
+ "sha256": "d375bc56966923722625e5df9e79b926dbeee902679aa6cb57b02a7dae9b0923",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c4818812-d44f-47be-aaef-4cfb2f9cc799": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Print Spooler File Deletion",
- "sha256": "d94b333f13b883478ac6a57c3a3fed46a6a46559fd39a7d4c88672c7839ffc3a",
+ "sha256": "fe7c45ba7ffa9b0a75ac69678e899b81b70778bc9e472fa57463c14bb425caf5",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
 "min_stack_version": "8.3",
 "rule_name": "Windows System Network Connections Discovery",
- "sha256": "39ffe0fa59bff863d1c705ccf75716a9307552c4f8a1dd37deb2ad113d1a5975",
+ "sha256": "56bf9828457985099728e90f9046ec5d50ba668e7b911712abec96eaa3d6d665",
+ "type": "eql",
+ "version": 2
+ },
+ "c55badd3-3e61-4292-836f-56209dc8a601": {
+ "min_stack_version": "8.3",
+ "rule_name": "Attempted Private Key Access",
+ "sha256": "878964185cf6bcfd3d1cee459b0664977de42cce6b31af0fb2ad35413e764dc5",
+ "type": "eql",
+ "version": 1
+ },
+ "c5677997-f75b-4cda-b830-a75920514096": {
+ "min_stack_version": "8.3",
+ "rule_name": "Service Path Modification via sc.exe",
+ "sha256": "471c10523b0876136cb7b2ebcf2df348a37efbe907b5bb0bd57c7650ce7c4fea",
 "type": "eql",
 "version": 1
 },
 "c57f8579-e2a5-4804-847f-f2732edc5156": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Remote Desktop Shadowing Activity",
- "sha256": "9e9ec1d553f13b604d6b3caa7ad2b4dd18af1222d2cb33c9c8f72d4ef244052a",
+ "sha256": "0754db6d4f87bf3dbed35d286a6313e4dd925ac4336f36dfb27b7f5fdb03719d",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
 "min_stack_version": "8.3",
@@ -5178,16 +5451,16 @@
 "c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
 "min_stack_version": "8.3",
 "rule_name": "Installation of Custom Shim Databases",
- "sha256": "228b038a26e5acfe96bd90831e77ab27f69fe8e605213a668eda442a0987c94d",
+ "sha256": "180f35496a5277ea5829782e66057c78d10f5cf1a375c0de5b836548f2236bed",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "edca8741f4c883f144567d28c03ca527c89064a0e3bc0c519fb55dc8cb3499b8",
+ "sha256": "8cf1d0abaed488b33ec708608f9a5ba1ec08a67e664df9145ebf1800d2701adb",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
 "min_stack_version": "8.3",
@@ -5199,9 +5472,9 @@
 "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
 "min_stack_version": "8.3",
 "rule_name": "Remote File Download via MpCmdRun",
- "sha256": "e1b09ce9bb8bcef73ecb91ac0b323ad1047ee6a9355870f725b80c477546e542",
+ "sha256": "cddefa7d53013d704fc6ae7740caee316c50acd79b1fc321a6f2f0b9120d905f",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c6474c34-4953-447a-903e-9fcb7b6661aa": {
 "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -5226,9 +5499,9 @@
 "c7894234-7814-44c2-92a9-f7d851ea246a": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Network Connection via DllHost",
- "sha256": "4c28438479a0b5730f87834e3dfad68cba8dcf4b62b4d7c383034bc8196c8941",
+ "sha256": "66f9611335e40f84586a2c89a68668f5ad3a0f4f2fded39524a649132ad4360a",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "c7908cac-337a-4f38-b50d-5eeb78bdb531": {
 "min_stack_version": "8.4",
@@ -5249,44 +5522,44 @@
 "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual File Modification by dns.exe",
- "sha256": "f71be07fb14c369b38ffddfe6aa62a28e2142723cf4e64c0376c915405c48d8a",
+ "sha256": "26595f8f9541a3d4b1ce33b50669bb5f8e620a68f9063c6c07ef0eef97271b42",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
 "min_stack_version": "8.3",
 "rule_name": "Spike in Network Traffic To a Country",
- "sha256": "5cf42078ef7da2f8b0fcf78ba7aa6e240834dfdd20b8ca8c26de2e6eb355c28d",
+ "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "c81cefcb-82b9-4408-a533-3c3df549e62d": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Docker Shortcut Modification",
- "sha256": "fc9f92e3062643cfe2d6a12aefa7cad36930e548cffc6186fac29a72e06d84df",
+ "sha256": "aa52a0c9a38018a7a9d08eff12060ae5763f3672ab6f68acbc3a41dc323c4720",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "c82b2bd8-d701-420c-ba43-f11a155b681a": {
 "min_stack_version": "8.3",
 "rule_name": "SMB (Windows File Sharing) Activity to the Internet",
- "sha256": "9313c69af7bdf578830bda07157d8323ff6cc4b6897b3e7b97ccf72b0a077a2b",
+ "sha256": "128d5682da221aeffcdc38868dcaa75f484b8b2411f3c7a2eae8881f6e41e861",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
 "min_stack_version": "8.3",
 "rule_name": "Direct Outbound SMB Connection",
- "sha256": "bc60751bab9a15008f8b8c235c2db2812ee6669c00f06fe6ed51dff1fdb2808c",
+ "sha256": "276fda09a4647e0a3d729f05859857312616bc6c9355cbe2717d2c32fd0cc4fc",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c85eb82c-d2c8-485c-a36f-534f914b7663": {
 "min_stack_version": "8.3",
 "rule_name": "Virtual Machine Fingerprinting via Grep",
- "sha256": "e1bbc8967fc4f7d52fe7b0c634dd21c2dae5a7862c0451f4f5e8b4235ec64568",
+ "sha256": "c9158b1c2fd25aec7b65a7112e5bd5234e1f16fe85d6cea011a2c447f8845de0",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "c87fca17-b3a9-4e83-b545-f30746c53920": {
 "rule_name": "Nmap Process Activity",
@@ -5297,37 +5570,37 @@
 "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
 "min_stack_version": "8.3",
 "rule_name": "Parent Process PID Spoofing",
- "sha256": "77b22c4f50e00826c280cf0208fbaf663c53a5e94fdc0109752b095f31f9e2a7",
+ "sha256": "c3dac03f556b89e88f147aed56f297767b5d0a9110cdf317ef621032e9aae739",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Ransomware Note Creation Detected",
- "sha256": "04cafeaaf4f851803bb0fe3eeaf313e600c55078140ffc472b47faa850bbf3b0",
+ "sha256": "6c899bbc998ab3b8926434c8838a0567b3e9daab6ac42337689be77fa96f4c6b",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "f4980fbd2578fb7fcdee45b3b4c56a8bd7b938745b00046d8a0a17e80ef19714",
+ "sha256": "d820917b8b190283034007d7db8ba4ac8ef6bd82e9d9d8a9f256976c0fa2623d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "min_stack_version": "8.3",
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "36627195b2bc65f2df0890f67f38997361341df0bcfec1e72aa09017ea6335b9",
+ "sha256": "dfa996d0665851351caf73bca44bb19208342678d818aff4cc77005b0092ca67",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c9482bfa-a553-4226-8ea2-4959bd4f7923": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Masquerading as Communication Apps",
- "sha256": "407f97d6402f538a62f3547c4036a01df2a4cf493bf5845da4235b85dcb890fd",
+ "sha256": "1d87bf52f955049b3e1220e65c69464b5d6c21362b8762df0b397d412b1537ee",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "min_stack_version": "8.3",
@@ -5346,9 +5619,9 @@
 "ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
 "min_stack_version": "8.4",
 "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
- "sha256": "cffbc8323cf7fd93783321a77063d154d2379e643d530da75c6301560fb9a61f",
+ "sha256": "94fbed29b0713d997d61575509179ec8a3aaf3580b4c2661a2a42ef4e7e50aef",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
 "rule_name": "Auditd Login from Forbidden Location",
@@ -5362,15 +5635,15 @@
 "8.3": {
 "max_allowable_version": 206,
 "rule_name": "Abnormal Process ID or Lock File Created",
- "sha256": "773477fde04d636ba32e12c52480ac912e81cc69b6e5fe6612f0a40e65434750",
+ "sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Abnormal Process ID or Lock File Created",
- "sha256": "cb7ecdd09505eeb2f0952f5a029fae4a911a4a4c7f92fde6d6e49924b3a5b9a3",
+ "sha256": "16d0a37c5a0c0c7de7d31afcbfae78cadf1e1c87ed0eb87f347d3c6a44b1ae00",
 "type": "new_terms",
- "version": 208
+ "version": 209
 },
 "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
 "min_stack_version": "8.4",
@@ -5391,9 +5664,9 @@
 "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Calendar File Modification",
- "sha256": "c0e0bb36805ab2fd34f19a688a345b3cb202af63f0963d23cc46b22ac6206b34",
+ "sha256": "0efc16177bd032307d27579913e6c57c8d1d44ed1f5df38407ead5bbbe045dd8",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "cc16f774-59f9-462d-8b98-d27ccd4519ec": {
 "rule_name": "Process Discovery via Tasklist",
@@ -5404,9 +5677,9 @@
 "cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Enable the Root Account",
- "sha256": "ba29107ead9c675376dd24fda3ec04aa0020c69c50cac63aa2be60a2a989d25b",
+ "sha256": "08bf09dc443eb0fb41c941a0a47f67b866253111c50d852fec72b81e5cdea100",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -5434,23 +5707,23 @@
 "cc92c835-da92-45c9-9f29-b4992ad621a0": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Deactivate an Okta Policy Rule",
- "sha256": "74d6b5d8ff4d59fdbd42178295cd4da23b7a5e4a5220107547836cb7d06e6f6f",
+ "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "ccc55af4-9882-4c67-87b4-449a7ae8079c": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Process Herpaderping Attempt",
- "sha256": "b5dec6539208e71c295cf3802759f165f88bac7e0dd47171d7a9e62bb02bd4bc",
+ "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "cd16fb10-0261-46e8-9932-a0336278cdbe": {
 "min_stack_version": "8.3",
 "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
- "sha256": "d7fa92ed1490f1e309e84b4fee4dd02e81cd94c8642059107de67e385062259f",
+ "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
 "rule_name": "Socat Process Activity",
@@ -5461,30 +5734,30 @@
 "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
 "min_stack_version": "8.3",
 "rule_name": "Anomalous Linux Compiler Activity",
- "sha256": "90cd770be4644fc1db139e5c9e4770411c526cd8d75df30f0b929d3c4ed64d67",
+ "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793",
 "type": "machine_learning",
- "version": 102
+ "version": 103
 },
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Module Removal",
- "sha256": "88335df728513fb16235530315da5117d27f7ee647992c00a32aa06fce26e44a",
+ "sha256": "06acdf4e4f36bf4d2e6e3f0d424b81264fc5262e89ef2db45dae483404ffce09",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Deactivate MFA for an Okta User Account",
- "sha256": "e68a5114b65ec2013c3c9b05c99442525ee4713c09c95453602b704b18dad8c6",
+ "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
 "min_stack_version": "8.3",
 "rule_name": "Okta User Session Impersonation",
- "sha256": "806e838b07e3deb56dfa18e409bcf0a0e01709d485c38d8249370ed159caacd9",
+ "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.3",
@@ -5496,9 +5769,9 @@
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "min_stack_version": "8.3",
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "a3027453de4708b119195af787958c30200915ff15e3ed696ea72928a7cf20b4",
+ "sha256": "e749e4d6a22d62d8564e36ff162cddb0342351273f7ae3f914f1781e4a6757e0",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "min_stack_version": "8.3",
@@ -5523,19 +5796,26 @@
 "type": "query",
 "version": 205
 },
+ "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
+ "min_stack_version": "8.3",
+ "rule_name": "Trap Signals Execution",
+ "sha256": "0ba6ec2eec63d471e368b93ff67990a66c3d7e08e08719c6e2ee4eff8f216c81",
+ "type": "eql",
+ "version": 1
+ },
 "cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
 "min_stack_version": "8.3",
 "rule_name": "Execution from Unusual Directory - Command Line",
- "sha256": "be67c431eddcd379012a52fdceb8e29c7ca50bb81924207dcc0167b059a67853",
+ "sha256": "33d3c47a50a64210f5b2ffc25ccdff6d5d37d16fc71e6dbbc5c13a18b6780cde",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "d00f33e7-b57d-4023-9952-2db91b1767c4": {
 "min_stack_version": "8.3",
 "rule_name": "Namespace Manipulation Using Unshare",
- "sha256": "95ff6f5a5a451c7c3167286fa0e43531b665f97fbd19eae2caa0612b2c269846",
+ "sha256": "62f6fba73304cb10595e4f538a276512b741e0029111d72087049753411361eb",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
 "min_stack_version": "8.8",
@@ -5547,30 +5827,30 @@
 "d0e159cf-73e9-40d1-a9ed-077e3158a855": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppInit DLL",
- "sha256": "2498bd80569bb50038c401a3b9048d441bd5d8a9fcf2b839b8f035538712b52f",
+ "sha256": "ec194a453dd3acbf1dffd2e109f77cbbc7051fdfa80409701304809ce5654c43",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
 "min_stack_version": "8.3",
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "36e4d81f7eb4ef42ecb6e885bf4253cdce3aaebc0f153f2b28a41f82cb2a93ea",
+ "sha256": "da76314ab374a374b6612165cb783f7d25612235f241744919149cb6d00af975",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
 "min_stack_version": "8.3",
 "rule_name": "Expired or Revoked Driver Loaded",
- "sha256": "18d48a09ed5465682a8259a943d3acfc358e34d2bed4e4ec5fdab3e43d3b0324",
+ "sha256": "58dd943fa10c8dc106e4f561c6a5755a555d7dd1116a6e82a02678f77be051f4",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "d197478e-39f0-4347-a22f-ba654718b148": {
 "min_stack_version": "8.3",
 "rule_name": "Compression DLL Loaded by Unusual Process",
- "sha256": "e5a34659fd97863a554ca3ea2a0920b5d0c7c1aed2aa43ccb0e6bde07b229292",
+ "sha256": "8ec13c2f3c6784d7cfe3f314135c8c4c8afe0087deb18c62bcdf5b41db55f5f2",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "d2053495-8fe7-4168-b3df-dad844046be3": {
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
@@ -5581,23 +5861,23 @@
 "d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Microsoft Office Sandbox Evasion",
- "sha256": "0c0fc09e95400eff1b0ca2557064d77771d8cc107865be5cd3e0e11f29d8c71f",
+ "sha256": "688898fbfb57e6d44d1f755be87e439516aa1a084dd4adbaa97b65bf8eb86995",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "d31f183a-e5b1-451b-8534-ba62bca0b404": {
 "min_stack_version": "8.3",
 "rule_name": "Disabling User Account Control via Registry Modification",
- "sha256": "c783dca9506ab705c9f88a3c2729370fd10ac1f6bfc74d8497074b67d9226fa3",
+ "sha256": "73e5e14af530fc3c0ff1a000b5b32bc30097045766025d6a7240dc31794faa7e",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "min_stack_version": "8.3",
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "3aea037601a2e4966bbbe2f6724689bfb697a5226cc79a3e951e2ca75cbaf24f",
+ "sha256": "14a1097b7ee5b1d73b9dd86e6c7326ea224be99416f6f947d03c968723badf8c",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
 "min_stack_version": "8.3",
@@ -5609,9 +5889,9 @@
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "min_stack_version": "8.3",
 "rule_name": "Shell Execution via Apple Scripting",
- "sha256": "9fff9fc73e4f027401f117f31054bc09b40a43e209bcaec1aaf2e527e8d29a9c",
+ "sha256": "6f6e3def0588b1a03d12a0293b5bbd9c1d0090fe90097786f9d7a4b13c95f02e",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
 "min_stack_version": "8.3",
@@ -5630,30 +5910,37 @@
 "d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Linux System Information Discovery Activity",
- "sha256": "bf9dea3c8f6a9ea2d3b552de604fec21d81125afd5dbdf804d9e7d4cd4311257",
+ "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f",
 "type": "machine_learning",
- "version": 102
+ "version": 103
 },
 "d4b73fa0-9d43-465e-b8bf-50230da6718b": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Source IP for a User to Logon from",
- "sha256": "e8fca5acc4f3a877f0671e7492375042c332c91e9cd6129d2a20c3add084bdde",
+ "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041",
 "type": "machine_learning",
- "version": 102
+ "version": 103
+ },
+ "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
+ "min_stack_version": "8.3",
+ "rule_name": "Linux init (PID 1) Secret Dump via GDB",
+ "sha256": "a386bc0314dc614dce09c10f76f04e239c85cffb8e305a1a37dc816fe8d0e466",
+ "type": "eql",
+ "version": 1
 },
 "d55436a8-719c-445f-92c4-c113ff2f9ba5": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
- "sha256": "a838854fa6bc595bb96ed3c2a78e96949041fac6d4f0a4cd707798843927f84b",
+ "sha256": "351666156e6d77e8c9c195311cd45ba8c31b9e97ea0fd1503c48c15a776c1918",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Windir Environment Variable",
- "sha256": "9df5726c33e5f211943877e9e0e8b14808da3dbbad2ffdaa342cd2e3b434bb82",
+ "sha256": "7b25d0582e256fb4ce7c470b52e131cce26a826b62117c6ef9ff6f1769b4f003",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
 "min_stack_version": "8.3",
@@ -5665,9 +5952,9 @@
 "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
 "min_stack_version": "8.3",
 "rule_name": "Service Command Lateral Movement",
- "sha256": "6fb7e7e332ba7754f07850c5006b8edf7823b8babdbc83c60305faf47f7e7b62",
+ "sha256": "d560df7cdf03af3bf9cb7e30466dd2430565baa3ead05a508a50979884b3b607",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
 "min_stack_version": "8.3",
@@ -5692,9 +5979,9 @@
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
 "min_stack_version": "8.3",
 "rule_name": "System Information Discovery via Windows Command Shell",
- "sha256": "9f12bbc1cb7c137572e45d35b8ae7a8a32c0e891f3666f717598cf5e9bb1b2f6",
+ "sha256": "123d0512c4355047e5fc67352b4ba9a65b7bd2515f7513409a0276a2414ce054",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
 "min_stack_version": "8.3",
@@ -5706,16 +5993,16 @@
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of WDigest Security Provider",
- "sha256": "56fc2ab7f022815de735189fb87503086faec3468f297f74be60d2d3ccf610ce",
+ "sha256": "80570780af03c2efcf7f4a9003e2c21b34eb66a062aaad55d9676514ffea140d",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "min_stack_version": "8.3",
 "rule_name": "Command Execution via SolarWinds Process",
- "sha256": "03b191ecef329ec861a3f747cf9d0046f70c3c91000bff6e22ad0d190f8bbdad",
+ "sha256": "e5a39260fe132207d539ea518652001adadec98c3bbe9ddaff7d7e7b0e673a57",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
 "min_stack_version": "8.3",
@@ -5727,44 +6014,44 @@
 "d75991f2-b989-419d-b797-ac1e54ec2d61": {
 "min_stack_version": "8.3",
 "rule_name": "SystemKey Access via Command Line",
- "sha256": "22f4855a8b0e109886773b0ab60f676b06b9f85f8b3942fd62b79fa998f7471e",
+ "sha256": "9d6616ef8767f89e243b80ec3f320bdd3c8e6a46acc445fd040ae92aaf3e9c12",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "d76b02ef-fc95-4001-9297-01cb7412232f": {
 "min_stack_version": "8.3",
 "rule_name": "Interactive Terminal Spawned via Python",
- "sha256": "e6b3ef23ab08030ed69f89c0ff395b3e4735d6f053e32e2f5a39b4c522c192e7",
+ "sha256": "23765713e12113ddb20663a6b929ed119d23f9106635fe4998ce6990dd394d97",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "d79c4b2a-6134-4edd-86e6-564a92a933f9": {
 "min_stack_version": "8.3",
 "rule_name": "Azure Blob Permissions Modification",
- "sha256": "346cc434526ad0dc7188a5077b3493b8499b644cfa218fe758d584d9f9e9074a",
+ "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
 "min_stack_version": "8.3",
 "rule_name": "Spike in Logon Events",
- "sha256": "1192928fed5b71e578f0f6e83d8dc596b2e03974cd8586966d77e4147ee2bf9e",
+ "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203",
 "type": "machine_learning",
- "version": 102
+ "version": 103
 },
 "d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
 "min_stack_version": "8.3",
 "rule_name": "SMTP on Port 26/TCP",
- "sha256": "f6a24375bbef4ce0535113d9f6bc5ab056ac443b611d94c64ade69e1ba423377",
+ "sha256": "a83fb857076a042c492fa2affcd6539e499ab52f67b336d1e47854a3e23a13d3",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
 "min_stack_version": "8.3",
 "rule_name": "Untrusted Driver Loaded",
- "sha256": "2fa3b976293e6f4e304535804fc5ad5a9b3b3db9ca62143d76d412d4cd48bde8",
+ "sha256": "c5ce1faffd687af5423c4bad755a8d5d182a6c74fde100b49092067a43111e70",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
 "min_stack_version": "8.3",
@@ -5776,16 +6063,16 @@
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "min_stack_version": "8.3",
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
- "sha256": "c59d439bf80fbd62af18af25b01eada281c51443bce2351b2f45afa0f219f797",
+ "sha256": "638b38528aaa1d362737de0ee6c2c010913f44c8179a2ac928dbedc9473049f6",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
 "min_stack_version": "8.3",
 "rule_name": "Code Signing Policy Modification Through Registry",
- "sha256": "b85fcdb3f79216537bf1458e5cd1d7f69614f0f71dd14d6bf685689fb3387445",
+ "sha256": "8376f30e9c1abd833e2b39242f04ba3f296fe0f2c153e3feda039d77b73ffd6f",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "da87eee1-129c-4661-a7aa-57d0b9645fad": {
 "min_stack_version": "8.3",
@@ -5814,12 +6101,19 @@
 "type": "query",
 "version": 105
 },
+ "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
+ "min_stack_version": "8.3",
+ "rule_name": "Network-Level Authentication (NLA) Disabled",
+ "sha256": "b778970c6f8ec04e3dbcf851f3553e72e19420cdbf1181efb2a8d360ec4f49a2",
+ "type": "eql",
+ "version": 1
+ },
 "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via Windows Subsystem for Linux",
- "sha256": "7d80f28d96cb19ac5d711ff3821272b449cadc05125b80fed15e1810e7a5fd18",
+ "sha256": "17af58de4b6c1966f11b602f2971c9d50764e0dd5a201bdaacbca05fb50d7f66",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "min_stack_version": "8.3",
@@ -5831,9 +6125,9 @@
 "dc0b7782-0df0-47ff-8337-db0d678bdb66": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
- "sha256": "e4ae2073950e301288dd33fc960e36f0d7873b7529fc979ac34d8ffa4af1c11c",
+ "sha256": "f64d050e90fd179771887f3ae5d3ecdd6d9c638572d6ecb8cb513fddcd5496df",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
 "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -5844,30 +6138,30 @@
 "dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Hidden Process via Mount Hidepid",
- "sha256": "32e5d329833aeceda4a28086f63db19a8cbd4bf12e6c8f58170c336adba27f47",
+ "sha256": "df8a6dcbb0d179f109c810c8d819c0e48c62c8280a2c6196d00ba951b1486594",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "min_stack_version": "8.3",
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "61a56e3f002c13b691eb8a4d3e676025740392dac5b6394f1e32c55d82504d12",
+ "sha256": "2ec7ebca77b749a6e4385185ffcbdbc71c0c3a9600b7599bb7b6462c6d84a28a",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Country For an AWS Command",
- "sha256": "dfc13fdb33fda8b62b49e2cabd5b92c3095bd47c29d19053c7d65cd76fe0492c",
+ "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946",
 "type": "machine_learning",
- "version": 105
+ "version": 106
 },
 "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Install Kali Linux via WSL",
- "sha256": "617c4e42fa029b78c075d833ff78838c4b19cc87c3849c78b90631dcf5bc7a6b",
+ "sha256": "e530308b262a81ac2d4d51105ec00c5574674221ede76c621d967f3bafa48e67",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
 "min_stack_version": "8.3",
@@ -5879,44 +6173,44 @@
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "min_stack_version": "8.3",
 "rule_name": "NullSessionPipe Registry Modification",
- "sha256": "6d7dbb30f64226e1c477bbef3dfa86df372f931f16c7c3cf4177fbfffa1cd342",
+ "sha256": "cdf948e2a073cb6319fa302acc7b0fc8a11477746659be69cff0c9b7860403b8",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "d9cd1d4940d6751e4a2e258286c9817f862911d60ce5c4bd9aa3ff7b4c0b05fb",
+ "sha256": "573c9ca2dbe19f1a028b5b5819057f1cd784de1be52279fb1eb1b99bf3aa91a4",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "min_stack_version": "8.3",
 "rule_name": "Base16 or Base32 Encoding/Decoding Activity",
- "sha256": "2fa58beb5aa0c93ed53ea2a3fbedf9cd7a2d28cf0ef44434be59fa4cd00b3f60",
+ "sha256": "0ec40a6ffaf45b8d92ca2b163b9aabf5bde1a0fbb801e77ab931a36571295fb1",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "ded09d02-0137-4ccc-8005-c45e617e8d4c": {
 "min_stack_version": "8.3",
 "rule_name": "Query Registry using Built-in Tools",
- "sha256": "21a406b10761433bae9e27a5c5dda3171c27c1032f67b010ca4b5cf7d86b75d2",
+ "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
 "min_stack_version": "8.6",
 "rule_name": "First Time Seen Driver Loaded",
- "sha256": "e1850f1de35fc0bf01a64f6369de0ac88966fb7de5cf8d76cc40ee74e3b233a3",
+ "sha256": "e35873c4c836a040e5f558474966d7bd8b224776bcebab71cd3db0279a1068d2",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "df197323-72a8-46a9-a08e-3f5b04a4a97a": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Windows User Calling the Metadata Service",
- "sha256": "83a4ad876ab5b1216af0286368f342b23e37d16b4e500845f822998e45653ebe",
+ "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce",
 "type": "machine_learning",
- "version": 102
+ "version": 103
 },
 "df26fd74-1baa-4479-b42e-48da84642330": {
 "min_stack_version": "8.3",
@@ -5928,9 +6222,9 @@
 "df6f62d9-caab-4b88-affa-044f4395a1e0": {
 "min_stack_version": "8.3",
 "rule_name": "Dynamic Linker Copy",
- "sha256": "1c8917157c0a12371a8fac9b240b8a8d4de389f6e24cbe1c5f441bfd295c0f80",
+ "sha256": "3e2bd8f151616982adae6eeff5311584831c41100d151b5327e9a39e41354ef4",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "df7fda76-c92b-4943-bc68-04460a5ea5ba": {
 "min_stack_version": "8.4",
@@ -5971,16 +6265,16 @@
 "e0881d20-54ac-457f-8733-fe0bc5d44c55": {
 "min_stack_version": "8.3",
 "rule_name": "System Service Discovery through built-in Windows Utilities",
- "sha256": "30b43ce003bcfe00acfa83c3554527e306887d6b8829730f4711078d0ca9eb15",
+ "sha256": "ff2526e88d22d00ba16eca2c07ec3bec5e06c7785739a7ab842edd79c975943f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
 "min_stack_version": "8.3",
 "rule_name": "Attempts to Brute Force an Okta User Account",
- "sha256": "5f991fe9052a567fe6fef6f5df7e59c80d00aad3fc4bb29db60426085571816e",
+ "sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02",
 "type": "threshold",
- "version": 104
+ "version": 105
 },
 "e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
 "min_stack_version": "7.16",
@@ -6013,23 +6307,23 @@
 "e19e64ee-130e-4c07-961f-8a339f0b8362": {
 "min_stack_version": "8.3",
 "rule_name": "Connection to External Network via Telnet",
- "sha256": "2a28b8894af580d2033d6f92cfccc8ee87166ca4f62111bb9530a383a2d139b4",
+ "sha256": "812d614780faf4725c6f1f5361fd6e47e40c2ea93429a55d3e577c3517074577",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "e2258f48-ba75-4248-951b-7c885edf18c2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Mining Process Creation Event",
- "sha256": "bef6f6bf7ed759ac36e3310b8b9514e8a51fa870287d780da54d57e603d6c626",
+ "sha256": "d5d199aba7de4375e54e1a420264755c1e6c6e2326dabf9ca76f2cd5285ebe46",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
 "min_stack_version": "8.3",
 "rule_name": "Spike in Successful Logon Events from a Source IP",
- "sha256": "25564ff00ef70efbfb00200f066dc8aa3de97ef74f1577a17bae32a388e8ace3",
+ "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "min_stack_version": "8.3",
@@ -6048,23 +6342,23 @@
 "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
 "min_stack_version": "8.3",
 "rule_name": "System Network Connections Discovery",
- "sha256": "f1e02a3590b661178ff4a6c7bee48858ad88a4e4195356a9009caa22023fe576",
+ "sha256": "656484abbd7ea6b41057e6c9b6b267bf1bcf9a7144ec6e07f6fe26948404ab9f",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "e2e0537d-7d8f-4910-a11d-559bcf61295a": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
- "sha256": "0cad46f14f7e04919fb567f72588b2333aaddbd906c2b26b2efc231469f516bf",
+ "sha256": "0897fefd02654839585af75de63a6c8ed5041e6659933458ff58f29327d6c410",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
- "sha256": "d4b32c1aa1a7cdd50177f852352b6147c0bb3cc6ee0ea3d5d4367fa923f32f5b",
+ "sha256": "b8ef093aa90790193389f0a3b2eb27568f9516fec3932bce89da7213cabf2393",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
 "min_stack_version": "8.3",
@@ -6076,9 +6370,9 @@
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "min_stack_version": "8.3",
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "a3eeba9808f132664a72bb9e332547a6b8dbc90e518f5d639978062ce074653f",
+ "sha256": "71b3674d3f5ae08be304fa711dd538194ebb2c5624de5518b705a973ce44764b",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "e3c27562-709a-42bd-82f2-3ed926cced19": {
 "min_stack_version": "8.3",
@@ -6097,16 +6391,16 @@ "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "1d8fbea05cf9bfdfc4b87a7f952139314e16086435879cf7915208a0c2f2ecef", + "sha256": "db6c8cc00bdbaf0ddb428a155db94ed7c9f288d60b6f199fab061f577a7bd7f4", "type": "eql", - "version": 103 + "version": 104 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "5f49e89f504715fe1cba731e8ae1d6f883b041e3e58b5baf6a46ad13c911835b", + "sha256": "1b8c0a0d497da1a7aa237cea422221680d66e067bd3cb56754342e2426b8456e", "type": "eql", - "version": 104 + "version": 105 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.3", @@ -6154,16 +6448,16 @@ "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", - "sha256": "7f6ff70bb01620c9324c6ce0743e205ea091501a7016e8bb65790760e3def99d", + "sha256": "89a6e5c6d2b9b24839bad3982fe4350838838f91a099081af2d9e17bbd48eb02", "type": "query", - "version": 102 + "version": 103 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", - "sha256": "aac4b1275744c5a1fe3d0445c9f3b4ae84e05de109b4efdb9d345686552e83fe", + "sha256": "588ebf1bdd990fd6153d745e01de7aa329e4b9ad1cf727e6c6ae340a7691e07f", "type": "query", - "version": 103 + "version": 104 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.3", 
@@ -6175,9 +6469,9 @@ "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "7d1e6bcb45ff23e9e8cd012485a31ac59e652ebf7047896172ac71beb689f78a", + "sha256": "077f0a7711bbf837f2e67231c713061aab1388e7194845c2724884baba2fcba8", "type": "eql", - "version": 103 + "version": 104 }, "e7075e8d-a966-458e-a183-85cd331af255": { "min_stack_version": "8.3", @@ -6189,16 +6483,30 @@ "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "2d819160686b4dfc1941accb589fd0938e37c0ef216edadc9d94c351b612010a", + "sha256": "e6030f17314972964810faa00556377b009451a1f81181856e9cd6099eecbfbc", "type": "eql", - "version": 104 + "version": 105 + }, + "e72f87d0-a70e-4f8d-8443-a6407bc34643": { + "min_stack_version": "8.3", + "rule_name": "Suspicious WMI Event Subscription Created", + "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", + "type": "eql", + "version": 2 + }, + "e74d645b-fec6-431e-bf93-ca64a538e0de": { + "min_stack_version": "8.3", + "rule_name": "Unusual Process For MSSQL Service Accounts", + "sha256": "3b88ce7678e0afd9133e4614123484e05b3c652f2ee1b555271860a540e9e01a", + "type": "eql", + "version": 1 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "0097165a0376ec51018928535107bd47c625c71f6d811e7798d6454e630959e6", + "sha256": "6b4158b68c196337a5ca798c23c4e99e1f5b63dcc09404ce703310ffa3115658", "type": "eql", - "version": 3 + "version": 4 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "min_stack_version": "8.3", 
@@ -6210,37 +6518,37 @@ "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "b9ae74fc807ffc8fce266a1f8c095a0887e594a44c0e61dc8839c448a0a6a17b", + "sha256": "9d7d295720f93607b0c637e791d1135a828f9a60edfd04a13aea1c2f444cddfb", "type": "eql", - "version": 105 + "version": 106 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", - "sha256": "1bf151116d4b2bc3ccc7951936a59d68d4b8669432206c00e14304c8e1415150", + "sha256": "07f742804dcc4362c3a6df0146ffd869e3e92a5e39ed19fbc676e1a205762fca", "type": "eql", - "version": 103 + "version": 104 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "30ecd8e373787ea5c52b236e4ed93a887c090fe39055bf6bc728cfbc4df05cba", + "sha256": "dc2992b1a27eba7999a488081a344e7546a35fed9138ada9a18fcca55cead2d4", "type": "eql", - "version": 3 + "version": 4 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "min_stack_version": "8.4", "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "137b5aa97aad2f77517958f46e0bce9edb04a546f1eb2dbb6a8f63fba22b69f8", + "sha256": "386862fe4e944388b9eada8008e45520c98413131236b3c1dbdffd72bd7b2db3", "type": "new_terms", - "version": 1 + "version": 2 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.3", "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "9afdeb2599a551c5eb8f3ff261198014bd7c2693d30069a77ac4777813b78754", + "sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08", "type": "threshold", - "version": 104 + "version": 105 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "min_stack_version": "8.3", 
@@ -6252,16 +6560,16 @@ "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "c04a3b177fa635e5073e1777229cf87cc812c0aca116dc0fb5278fe9b4103c5c", + "sha256": "2691fb427b7fddacc7927bc417d5dab77367c0f14203e072f86d3aefe7a62802", "type": "eql", - "version": 106 + "version": 107 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "min_stack_version": "8.3", "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "0e8169011982ee7609a677aafc69532dc6d9a4330676dfe37707d6f051f77c94", + "sha256": "a0ba2b3c599f12c32b5a0939253f61624c5aaef4f8bec7e3c2a58427a1421f1c", "type": "eql", - "version": 103 + "version": 104 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -6292,9 +6600,9 @@ "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", "rule_name": "Spike in Firewall Denies", - "sha256": "083a8ad280b799c399d7821f2f4e606ac4a020dbe66a2d90b03779ddda9e0ac4", + "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", "type": "machine_learning", - "version": 102 + "version": 103 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "min_stack_version": "8.3", 
@@ -6327,30 +6635,30 @@ "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", - "sha256": "5b24a50476c732ec6b371dad3170cad81c5aa1c731a55c68760d81b86a61b9e9", + "sha256": "b8f1ac64b7c560cb7647ffb41b0bcbedc7b257a7f316fcbeb491b84b7b09c94c", "type": "query", - "version": 104 + "version": 105 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "ee443de66e8ce5e18a5a6ffd0fe8f851b831366de4650d6d871c43f5f8a6d338", + "sha256": "cc34ad5743714d022bd3d06b3eef95da4715d5b72e531c4235b17576ba88d2d5", "type": "eql", - "version": 105 + "version": 106 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "min_stack_version": "8.3", "rule_name": "IIS HTTP Logging Disabled", - "sha256": "5e7cb98d3206bb2c2de6b1e2342323f2872bce4e3fb01683c81648cb365b45b1", + "sha256": "160ed3a375dcc3e55e6117241ad6a6bc1ef32411c7d4a0d406c968aeeb017680", "type": "eql", - "version": 105 + "version": 106 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", - "sha256": "4f5246aada46e95bdd9fed86ca0d16acd2974d578418af67875271c309deec2a", + "sha256": "7ef91946b0330f608783b4afaf455fe3bb69d40331bd9be9573e1e1b3b9429d2", "type": "eql", - "version": 105 + "version": 106 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "8.8", @@ -6383,9 +6691,9 @@ "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", - "sha256": "f4e71dc526006da4bac3c997b139ec814a7ee28bd2f9a180dcdf72accc5e7b85", + "sha256": "84fe4ed20d10995793ab80c3edcadea3a2e6590b1c71d8b0f7ae5f3400276e36", "type": "eql", - "version": 105 + "version": 106 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.3", 
@@ -6397,9 +6705,9 @@ "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "22a83d83075e8a7c7d03073abac96e611e683a27e786b7302d85b963bd60eca3", + "sha256": "3482abb380dae16ed856b1c92ebf753d98d655730383b3e1e6329221b64d7f96", "type": "eql", - "version": 105 + "version": 106 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "min_stack_version": "8.3", @@ -6411,9 +6719,16 @@ "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", - "sha256": "2354a55212329efb9a516c9174288f3e0b64ad13792b723bb28d57651cbd5d0c", + "sha256": "2bd1115d1a41b7a4ddd1ec2a4b7dac55b76173ff8ff1e3df92775705269ba0c6", "type": "eql", - "version": 103 + "version": 104 + }, + "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { + "min_stack_version": "8.3", + "rule_name": "Shortcut File Written or Modified on Startup Folder", + "sha256": "0d2db57efc137fb2c937163b2d094d9504f0f8ef15c3c7805ad1b83d14ed8ee0", + "type": "eql", + "version": 1 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", 
@@ -6424,44 +6739,44 @@ "eea82229-b002-470e-a9e1-00be38b14d32": { "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "99dac24a22a39ea3be5c736dcc12cc76b1c987fdae7e573526777dcad95277f4", + "sha256": "05d0abb50bae439b769843646d3b7295eef4a0bc5c024cf9798ecf355acd3575", "type": "eql", - "version": 103 + "version": 104 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", - "sha256": "e324fbce926ee2c09462c343fc2dfac12ea68d40006d9f7a6691abcaf792dcf8", + "sha256": "dfcaee87ab5815bd4120fc20f1cfd41d481913aa1b077dd7e28539febe9bd5d9", "type": "eql", - "version": 104 + "version": 105 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "b7a016a12f5e3c2e210d36424564a200cae8b1effa73daf7fabf056d9f4fe732", + "sha256": "421ac0a4b80d62b16f199e6f04b38b5b8c1c8dbed801722495c596321864b0fb", "type": "eql", - "version": 2 + "version": 3 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.3", "rule_name": "Whoami Process Activity", - "sha256": "07c4a16cbb0ffc5b61004a6277d767c457afcc3013ba98d0b8d490439350cc98", + "sha256": "a5131bae94678610d7c365c497f62c084b0c6c3c2954fada880c3531d5e342e9", "type": "eql", - "version": 106 + "version": 107 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "6c802906ba9f964ce774dfa67a8c3d6010d1006704d7fc403537bdf9f0dd6297", + "sha256": "2e8062644461fe200b2c0e86e1ea8526c11447b53e129b6096fffef03a70986d", "type": "eql", - "version": 104 + "version": 105 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", - "sha256": "1e5bef65027af0a05f3de482643acc583716953c5c99bf4896ce11051852964d", + "sha256": "7ab8c378ff7083c1a6c05954e86861bc3ea942fa39a3e3ae31cdc225509315d7", "type": "eql", 
- "version": 103 + "version": 104 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.3", @@ -6473,9 +6788,9 @@ "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "fcf72e0783c3adf9aafc478284e0eba0dab0551c0715760478495a33c7dfecfc", + "sha256": "6433cb81a632852cd17a4e72400aca36cfc55a5f7dcd8826f139d7a029c91097", "type": "eql", - "version": 103 + "version": 104 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "min_stack_version": "8.3", @@ -6487,16 +6802,16 @@ "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "069592795fe832ea7f6dfe549a1fa247bd908178024ee419b20fcb7c1f7f6968", + "sha256": "1757d1031c5a71bf9d138675ce1ff87d27789dbda0f8da8764846ec8e42433f4", "type": "query", - "version": 103 + "version": 104 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "78d1d50157f527f4732480eade1158fc622b33f2dca7d3fc2c2a2f4de62a494b", + "sha256": "acc6575e3fa6df0eabd86bf1fa2a16fdcf95a33f0b3c99ef35f473bee3cbea26", "type": "eql", - "version": 3 + "version": 4 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -6505,33 +6820,40 @@ "type": "query", "version": 2 }, + "f243fe39-83a4-46f3-a3b6-707557a102df": { + "min_stack_version": "8.3", + "rule_name": "Service Path Modification", + "sha256": "790cb59192049129174ca88a5027bbc545f0d19ab6d4278e4bd826f2aaedcfc4", + "type": "eql", + "version": 1 + }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "3336e870dbf93421b43a64f9b8c49cadad5f601538631b20e82f9049e196fc73", + "sha256": "f296c42702e111663ae6795fba27be54503e7ec2e1c6a433a0f3cf3ff1c376b6", "type": "eql", - "version": 104 + "version": 105 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "84cb2e4e1720959039508304ff67cfdee0c1a51db94272d7d25d0db239a4b426", + "sha256": "181e254a121f95897919759791f5af14565c11aa4ed7bab144e1e9c27400ac8b", "type": "eql", - "version": 104 + "version": 105 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", "rule_name": "SIP Provider Modification", - "sha256": "b6d059b41ec3c351e24a6792aad79cbc08783ae813d7805711b61488eac3fa3d", + "sha256": "66bb086ae806373755f3c312b7a40a726c84622d160a5d644fe31f651e50d2b3", "type": "eql", - "version": 104 + "version": 105 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Creation", - "sha256": "f7fcb2f0df25ddd194a087a817b5a6e48d66536798ceb70722f5136cf4ba1e45", + "sha256": "ddf5498423537a85ccdbb7552f2986e755918e505b195b2aa3e6c58ab2825bc0", "type": "eql", - "version": 105 + "version": 106 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "min_stack_version": "8.3", 
@@ -6550,16 +6872,16 @@ "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", - "sha256": "5f0a33718711359e7a2af2f2e56e9f79233e0193ae37a5b8b39e5095584c8993", + "sha256": "881b9fd8fe67814ac0e2fd46633b3d14bec837de65f947f3196690da517ec326", "type": "eql", - "version": 106 + "version": 107 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "79fde8d4adcaaaa7ac191b37765c599413cd54d37497553e7e8e735f18aac24d", + "sha256": "115660e13a810016b291f195725e24a486fef4f4a29c1b6ea99e35462af86691", "type": "threshold", - "version": 102 + "version": 103 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "min_stack_version": "8.5", @@ -6571,9 +6893,9 @@ "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "9025912a22ca77063fc7dd8f0843ac667190f2191588cf9bbce1909e2d83a248", + "sha256": "6529bb3e9f2e7ba6334ccf83e73cb084a6d4a6b4754c82131a2b29b573db94fc", "type": "eql", - "version": 103 + "version": 104 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.3", @@ -6591,16 +6913,16 @@ "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "188ba26251c3df6a20ccd67b2ae9b96139fb4d5c1c68e891399e9d99feba842f", + "sha256": "4a1c0d919c79748efefe5321d5e6652f4806a90a6748a5fbb97472ba5c7b6479", "type": "eql", - "version": 1 + "version": 2 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", - "sha256": "e7dc6fb96282c96c61bb1290e6e68d0cfd0e5cd0fd30eeeaec670b79c3041ee5", + "sha256": "9c28b36b93bb14bdf7618dda4125499529113bf5a991135211322b859581d528", "type": "eql", - "version": 105 + "version": 106 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "min_stack_version": "8.8", 
@@ -6609,47 +6931,54 @@ "type": "eql", "version": 2 }, + "f5861570-e39a-4b8a-9259-abd39f84cb97": { + "min_stack_version": "8.3", + "rule_name": "WRITEDAC Access on Active Directory Object", + "sha256": "1985348b300faecebbaac140fff23f888d5eac725cc209b01811dc5cc860b8b1", + "type": "query", + "version": 1 + }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", - "sha256": "e59551f8663381e3baeba7dd42447256e5d15c271552d6f3c15755eda537742a", + "sha256": "b8733fd0fd4e27a60869420a23f949e588a94ab43ebbc2bacdcb58250c6a82bb", "type": "eql", - "version": 3 + "version": 4 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "min_stack_version": "8.3", "rule_name": "Account or Group Discovery via Built-In Tools", - "sha256": "d0b5b7421a20b250d3fc91360a5273690910cd714db99731e1e12e03a08a6e7a", + "sha256": "402cdc6a8b9fbe4bbda7174be70efe396596bdbc7c8e4adb6b4edffeb52d8334", "type": "eql", - "version": 1 + "version": 2 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "133e8e211c98abb7775d5ef2a264fcda19a436423e9ae8c878966f5ba362de62", + "sha256": "0e7d1a785743f7bd0167dacf31665648afe6cc0921d859d611decdcf3ca2bf89", "type": "eql", - "version": 105 + "version": 106 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.3", "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "a3dfc02fcce81d2343d3560d8caea2b824651441f863cce2ef98a6c0d5a905e4", + "sha256": "cee57a655fce6db9f5c07b5bed43fda69027de2fad8e578801e6811bab06077f", "type": "eql", - "version": 106 + "version": 107 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "a3deb286c584007ec6431c3226831128f8c2a3809fb331bb2b178cdb9ef1b569", + "sha256": "244211398fba0bab7dda8256bd3c850b4d50809a75b98d4a729d349b94fee478", "type": "query", - "version": 103 + "version": 104 }, 
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "min_stack_version": "8.3", "rule_name": "System Hosts File Access", - "sha256": "d372a1c866d541ac25b2e33d7cfc8da8d4e031a17257fd1c4c45d6efba714b18", + "sha256": "f1c8e65d5f5b64c4daf0001b6c893d1cb6b75923a7d71c1986c7a6366a5fee9b", "type": "eql", - "version": 1 + "version": 2 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "min_stack_version": "8.3", 
@@ -6675,44 +7004,51 @@ "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "aedf01dfa1bf8d224d1fccc905243a26c241bbd0e968852f69ca044285fb493c", + "sha256": "b1b304251797d95d12cc192562063ef62b6569b453974d77fb9f017320ae1731", "type": "eql", - "version": 106 + "version": 107 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "96fcb69c27262eca1aa8dd6c790be15b464ce6c19ce2942806f0f301716e1bc8", + "sha256": "84af71d36b636e2785c85ee6e6b0dcfc90b6df18c844ba0627a5605b8aa892d5", "type": "eql", - "version": 103 + "version": 104 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "b39735f9a618bae0e9c20d03324affbfe31fb8687966a1c6f6f08f44c29faf73", + "sha256": "a2f610710f7b33470a65808c34fbd182dcd0512ec2a9678a18b05f5f24343378", "type": "query", - "version": 103 + "version": 104 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "0ef5e5688380318d8e5b973d62177b1068dd91236911b6404bf671185933e979", + "sha256": "9c50c505cf44d6eec05e8c2cc96a6569c7c14b193943425c21de51abbea9e5ca", "type": "eql", - "version": 105 + "version": 106 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "496578f1b84ea8549729bfd25e63a4eecb1e9dff49aafcdc6443c19942459476", + "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042", "type": "machine_learning", - "version": 103 + "version": 104 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "min_stack_version": "8.3", "rule_name": "Ingress Transfer via Windows BITS", - "sha256": "5442a56054357a1ed242e64c168bb93cdaef2d7dab17907b877542e244eb2c4c", + "sha256": 
"f58b2bc6df6119dd19b628c293c7dff6ea595e65b39223cf2d0dde59b882b15f", "type": "eql", - "version": 3 + "version": 4 + }, + "f97504ac-1053-498f-aeaa-c6d01e76b379": { + "min_stack_version": "8.3", + "rule_name": "Browser Extension Install", + "sha256": "6079caeac5bb8aaf376eca68eabd0a6470f809ea118a564a2bff36d9612b7e65", + "type": "eql", + "version": 1 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.3", @@ -6731,9 +7067,9 @@ "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.3", "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "bc06b516f75d028926285aa293b7bf12cdc34c0f4192a04f7a9e258403034b29", + "sha256": "56bfc5a88cfcdbba392ce9e25d0e7838831cac7440f8ef2a35107b6257261115", "type": "eql", - "version": 104 + "version": 105 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "min_stack_version": "8.3", 
@@ -6745,23 +7081,37 @@ "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "79fc6be5da75fc9eaeafbb39e968ff4bc2967ffc934dddb84427c0a39050e79c", + "sha256": "df52af5aacf36ea1a7ad6a44b6238bfd08e8feb288d0bb5d1b604d6f8cd513b2", "type": "eql", - "version": 3 + "version": 4 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "bc08d2c4be90293d885bf62c71e887f88c297e8f8366a937fb61e30784ee0a8f", + "sha256": "49d714fa5c7450eb4f2ae0d249c48cc4200969fed6ea2b87d14a560608ca32ce", "type": "eql", - "version": 5 + "version": 6 + }, + "fac52c69-2646-4e79-89c0-fd7653461010": { + "min_stack_version": "8.3", + "rule_name": "Potential Disabling of AppArmor", + "sha256": "84c459fa919be715728e6f1c0a8c4ec19b8480510bb411c3b81bb72ced32586f", + "type": "eql", + "version": 1 + }, + "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { + "min_stack_version": "8.3", + "rule_name": "Potential Masquerading as System32 DLL", + "sha256": "6dabae4a91d13a982c01d893b7091d39599ab9bbc1e7e88117adcf8ae0a70a40", + "type": "eql", + "version": 1 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", - "sha256": "bb44b33fa5d5d15163b5cdc51d5f5c127d3022c651aa17333b36cdd0abb0f9d3", + "sha256": "cca4c8c4fe974be12e9a9717eb82caa9cbb509858bba01b5872ad90988772dce", "type": "eql", - "version": 104 + "version": 105 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", 
@@ -6779,9 +7129,9 @@ "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "96fe25fb76a0337fa7f7f585fde5bfe86d03528f33382dab0ec8766b4bc2b762", + "sha256": "8975d3c8774ec9437e4cd11148a51508e2c6d7f7d78d7201c4be6cfbaf0004ab", "type": "eql", - "version": 104 + "version": 105 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -6792,30 +7142,58 @@ "fd4a992d-6130-4802-9ff8-829b89ae801f": { "min_stack_version": "8.3", "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "73fc12430790298f2f05319524499777d0c7c2cc255e57e8471446f9af663395", + "sha256": "4b954791de8751f010850822c06e03453a0570b6d49480dce1b58cd1a05b269d", "type": "eql", - "version": 105 + "version": 106 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "min_stack_version": "8.3", "rule_name": "Suspicious CertUtil Commands", - "sha256": "e947ee6e113ad0a659652a84faabb40ba343c6bee1fa11acf179c9e4f5c2a4c8", + "sha256": "fd88b16bea9e60d003cfb12c298738c8c7c185dcbe2daa2b7efe66e7bc09b023", "type": "eql", - "version": 105 + "version": 106 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "min_stack_version": "8.3", "rule_name": "Svchost spawning Cmd", - "sha256": "4a6376d24e1e14905d1096728ea63c281a55893a2cf2573b3ebf4a71a4aab05d", + "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", "type": "eql", - "version": 106 + "version": 107 + }, + "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { + "min_stack_version": "8.3", + "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", + "sha256": "62b9374ecd5f2c092b1940f6dd1481f37a42f04bdda1015b7cb512ba22db08ca", + "type": "eql", + "version": 1 + }, + "fddff193-48a3-484d-8d35-90bb3d323a56": { + "min_stack_version": "8.3", + "rule_name": "PowerShell Kerberos Ticket Dump", + "sha256": "5c50aaa0928ecab2b1476d973bb4bfb90d78dd9e2448e1aaa8c61daa32ddedce", + "type": "query", + "version": 1 + }, + "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { + "min_stack_version": "8.3", + "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", + "sha256": "a8ea104f14627b5bef865394a5a80d56b351edaa5b4beea10407d3950c42f419", + "type": "query", + "version": 1 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "53e0af24327a2cbab6fcacb09e3f95174eff8fdbbb805d7e44607b32dfa5113e", + 
"sha256": "da773bcc4a79e9c08e47654c4abaef1190bd351feb40255c17932f918361f591", "type": "eql", - "version": 105 + "version": 106 + }, + "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { + "min_stack_version": "8.3", + "rule_name": "Potential Masquerading as Business App Installer", + "sha256": "60ec14b09417f0cb76b839ac47aa592120fc5692e363f35cb28840dcb84414be", + "type": "eql", + "version": 1 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "min_stack_version": "8.3", @@ -6834,16 +7212,16 @@ "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", - "sha256": "3050a1275d1edfd0cb61b4d07a4b3d7bd48a60653e19fa96aceda436a2380fed", + "sha256": "3f05ca34ca031232a58c6bdd28c52d7ebc9751646383323594d0514a33322443", "type": "new_terms", - "version": 3 + "version": 4 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "min_stack_version": "8.7", "rule_name": "LSASS Process Access via Windows API", - "sha256": "dae356594ee36f82491c4f915e8b4530b0f5d8825f3ef41980ac82e0e9a3b9b3", + "sha256": "89aab4dd5ac4c53bd4096c632d79151c726d6991f64ad42938fde25eed6a3c8b", "type": "eql", - "version": 2 + "version": 3 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "min_stack_version": "8.3", @@ -6862,8 +7240,8 @@ "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "f843662389115d2d135ceb3967be8b8614e5967be904f046447eeb9ebdc65100", + "sha256": "16c98c01aec6efd485063babc9daf4aef11f4c6de3c2834b877688f6326a8cb6", "type": "eql", - "version": 1 + "version": 2 } } \ No newline at end of file