diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 8716873ab..7753c9988 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -64,6 +64,11 @@
 "rule_name": "Potential Shell via Web Server",
 "stack_version": "8.3"
 },
+ "2377946d-0f01-4957-8812-6878985f515d": {
+ "deprecation_date": "2024/04/01",
+ "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
+ "stack_version": "8.9"
+ },
 "28896382-7d4f-4d50-9b72-67091901fd26": {
 "deprecation_date": "2022/08/03",
 "rule_name": "Suspicious Process from Conhost",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index a8b2b2a5d..426d47b61 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -18,16 +18,16 @@
 "00140285-b827-4aee-aa09-8113f58a08f3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "d6e135893b61752bf5e9ade6841683b593b05b98ac25bc8b6e6da7b35c4a2b42",
+ "sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "min_stack_version": "8.3",
 "rule_name": "System Shells via Services",
- "sha256": "d72a2228f26b816836305d763e5f5d9e903ab000038bc927f5d10e28df155280",
+ "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "00678712-b2df-11ed-afe9-f661ea17fbcc": {
 "min_stack_version": "8.4",
@@ -37,11 +37,20 @@
 "version": 2
 },
 "0136b315-b566-482f-866c-1d8e2477ba16": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 User Restricted from Sending Email",
+ "sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 User Restricted from Sending Email",
 "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "015cca13-8832-49ac-a01b-a396114809f6": {
 "min_stack_version": "8.9",
@@ -90,9 +99,9 @@
 "02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
 "min_stack_version": "8.4",
 "rule_name": "Process Created with an Elevated Token",
- "sha256": "6c3c1a1a62be741fbfd99c0d2a69725f05c69adb7d911d8241132facbd72dbe8",
+ "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "02a4576a-7480-4284-9327-548a806b5e48": {
 "min_stack_version": "8.8",
@@ -118,18 +127,27 @@
 "version": 106
 },
 "03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
+ "sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
 "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "035889c4-2686-4583-a7df-67f89c292f2c": {
 "min_stack_version": "8.3",
 "rule_name": "High Number of Process and/or Service Terminations",
- "sha256": "92dfb9997f9e81ca6045204e4c1b3ece1606c26102e22d7ee77e2de74583e5ee",
+ "sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d",
 "type": "threshold",
- "version": 108
+ "version": 109
 },
 "035a6f21-4092-471d-9cda-9e379f459b1e": {
 "min_stack_version": "8.3",
@@ -183,9 +201,9 @@
 "053a0387-f3b5-4ba5-8245-8002cca2bd08": {
 "min_stack_version": "8.3",
 "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
- "sha256": "f30003f79a8a0e9dccbf5624b0938ece537c035677b4ce15bf5f88523a387123",
+ "sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "054db96b-fd34-43b3-9af2-587b3bd33964": {
 "min_stack_version": "8.6",
@@ -197,16 +215,16 @@
 "0564fb9d-90b9-4234-a411-82a546dc1343": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft IIS Service Account Password Dumped",
- "sha256": "eb124d112db3baf26a4dc6bc4e87e095d0e6e734155fd9b36dd78637d465e0e5",
+ "sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "05b358de-aa6d-4f6c-89e6-78f74018b43b": {
 "min_stack_version": "8.3",
 "rule_name": "Conhost Spawned By Suspicious Parent Process",
- "sha256": "23256a2ac31f12c8f6094b66ec8171c0591a4ff3519d174a53c5324467e2ce0d",
+ "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
 "min_stack_version": "8.3",
@@ -246,23 +264,23 @@
 "06a7a03c-c735-47a6-a313-51c354aef6c3": {
 "min_stack_version": "8.3",
 "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
- "sha256": "6496727d4e84e81c75d87d620f9a6662b800036f1ec2ee26b2a4b2435ccda542",
+ "sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "6b91e61058491288a8ad9c3c19c977a9b530d25111ab834806df3e86fd57ae48",
+ "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "074464f9-f30d-4029-8c03-0ed237fffec7": {
 "min_stack_version": "8.3",
 "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
- "sha256": "eeb82061ab01c63344201c4e0400988c1da110014c984e8d9021397e5e66a185",
+ "sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "07639887-da3a-4fbf-9532-8ce748ff8c50": {
 "min_stack_version": "8.3",
@@ -281,9 +299,9 @@
 "07b1ef73-1fde-4a49-a34a-5dd40011b076": {
 "min_stack_version": "8.3",
 "rule_name": "Local Account TokenFilter Policy Disabled",
- "sha256": "ad1cf76b56835697ba2f77f6e4bb1a718528a7b567d45179449defd6cd4d7788",
+ "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -325,9 +343,9 @@
 "0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
 "min_stack_version": "8.4",
 "rule_name": "First Time Seen Removable Device",
- "sha256": "23f0a48d6fa3383a6840a42d5ef0d207b51657c45464929d5b0cff2d720668d8",
+ "sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "089db1af-740d-4d84-9a5b-babd6de143b0": {
 "min_stack_version": "8.3",
@@ -398,11 +416,20 @@
 "version": 4
 },
 "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 105,
+ "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
+ "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
+ "type": "query",
+ "version": 6
+ }
+ },
 "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
- "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
+ "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
 "type": "query",
- "version": 6
+ "version": 106
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "min_stack_version": "8.3",
@@ -442,9 +469,9 @@
 "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
 "min_stack_version": "8.3",
 "rule_name": "Peripheral Device Discovery",
- "sha256": "ddcc25632228b69f04cb0077f4837da1a67e20ba2b4503efd99e94cb254a4203",
+ "sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
 "min_stack_version": "8.5",
@@ -463,11 +490,20 @@
 "version": 204
 },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
+ "sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
 "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
 "min_stack_version": "8.3",
@@ -498,11 +534,20 @@
 "version": 1
 },
 "0e52157a-8e96-4a95-a6e3-5faae5081a74": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "SharePoint Malware File Upload",
+ "sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "SharePoint Malware File Upload",
 "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
 "min_stack_version": "8.3",
@@ -593,16 +638,16 @@
 "1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
- "sha256": "0dc9f4e57a7bc59df2f633d8c4e2610b1d538c37126f67d3090c09ce4b6ba73d",
+ "sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "sha256": "e1a2f2164b858641ec8d28ac37bbc63ab7ecb4a201cb990859818dc99e0bc780",
+ "sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "119c8877-8613-416d-a98a-96b6664ee73a": {
 "min_stack_version": "8.9",
@@ -636,9 +681,9 @@
 "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
 "min_stack_version": "8.3",
 "rule_name": "Third-party Backup Files Deleted via Unexpected Process",
- "sha256": "4502ceb6ad5ec2578d2604033ee78aad4096d0462f454b834f610dfcfc7291a2",
+ "sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "12051077-0124-4394-9522-8f4f4db1d674": {
 "min_stack_version": "8.9",
@@ -665,9 +710,9 @@
 "1224da6c-0326-4b4f-8454-68cdc5ae542b": {
 "min_stack_version": "8.9",
 "rule_name": "Suspicious Windows Process Cluster Spawned by a User",
- "sha256": "ed42dc14705443ce7e86a7f3971eb8dc07c29cbbddcbe3b7f6b38089aff6e457",
+ "sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "125417b8-d3df-479f-8418-12d7e034fee3": {
 "rule_name": "Attempt to Disable IPTables or Firewall",
@@ -733,16 +778,16 @@
 "12f07955-1674-44f7-86b5-c35da0a6f41a": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Cmd Execution via WMI",
- "sha256": "cb9c9bf880cbdb45311b832bfea90ff69ff754cf1dfbfc61c504fa8df6c954b4",
+ "sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "1327384f-00f3-44d5-9a8c-2373ba071e92": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Scheduled Job Creation",
- "sha256": "bed9e8d75e78762c904ad3bcbdd17b1629297363bf702e2afa19036c4c5def6c",
+ "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "138c5dd5-838b-446e-b1ac-c995c7f8108a": {
 "min_stack_version": "8.3",
@@ -760,9 +805,9 @@
 "13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
- "sha256": "7e3a75c384a3aa4c32bba8e583878109e3a0599e3224d8e59163c1d940b3ebdc",
+ "sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
 "min_stack_version": "8.3",
@@ -804,9 +849,9 @@
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Persistence via Time Provider Modification",
- "sha256": "35ce91b43c0e63015d8b8c07ed81c3f0f95c7a0c0efdd0e48a0502ce31093e07",
+ "sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "1542fa53-955e-4330-8e4d-b2d812adeb5f": {
 "min_stack_version": "8.3",
@@ -825,9 +870,9 @@
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "min_stack_version": "8.3",
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
- "sha256": "5874fd05ebf55673785abd8a4e83eac604f30bf58a18b2978747f099a47d8375",
+ "sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "15dacaa0-5b90-466b-acab-63435a59701a": {
 "min_stack_version": "8.3",
@@ -883,9 +928,9 @@
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "min_stack_version": "8.3",
 "rule_name": "Component Object Model Hijacking",
- "sha256": "1d9e06ec8fe7b0d0eec41e2a4d5a9f2c6aa6f685194c5b715d6fb5754fe3c05e",
+ "sha256": "3d8695589654d6d7e54c53f1ff0699ba0c8246a2e2bb9779621fec8d881676d6",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "16fac1a1-21ee-4ca6-b720-458e3855d046": {
 "min_stack_version": "8.3",
@@ -939,9 +984,9 @@
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "min_stack_version": "8.3",
 "rule_name": "Renamed Utility Executed with Short Program Name",
- "sha256": "e90a5a8670e27a8eaa2704728a15f92785a494fa148c12dffcad2a8bd96118f6",
+ "sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "17e68559-b274-4948-ad0b-f8415bb31126": {
 "min_stack_version": "8.3",
@@ -1017,9 +1062,9 @@
 "1a6075b0-7479-450e-8fe7-b8b8438ac570": {
 "min_stack_version": "8.3",
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "274c5d83ba69799b1b71490d04a15e288cefe59ae05c7609c9cda49fcfc4ce0a",
+ "sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
 "min_stack_version": "8.9",
@@ -1040,16 +1085,16 @@
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "min_stack_version": "8.3",
 "rule_name": "User Account Creation",
- "sha256": "6d3d2de6bf958ba713b77e53d33cf74251bba8751f17193256696fbd09939ed3",
+ "sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "1b0b4818-5655-409b-9c73-341cac4bb73f": {
 "min_stack_version": "8.4",
 "rule_name": "Process Created with a Duplicated Token",
- "sha256": "51febd0739715d80d22439ab57ace39d85b46bb853c1af905477341ceb640fb4",
+ "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
 "min_stack_version": "8.3",
@@ -1093,7 +1138,7 @@
 "rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
 "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
 "min_stack_version": "8.3",
@@ -1154,16 +1199,16 @@
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
- "sha256": "d9e48c241bc31b9994d46c3c2a1a0186e25fb744c9da0059f117a7fae8c0030a",
+ "sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
 "min_stack_version": "8.4",
 "rule_name": "Suspicious Inter-Process Communication via Outlook",
- "sha256": "4c8c8473db95992186d566e79adf668d651878042f01dc8c4a1de75f8a44c347",
+ "sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "1defdd62-cd8d-426e-a246-81a37751bb2b": {
 "min_stack_version": "8.3",
@@ -1180,11 +1225,20 @@
 "version": 3
 },
 "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 105,
+ "rule_name": "PowerShell Script with Discovery Capabilities",
+ "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
+ "type": "query",
+ "version": 6
+ }
+ },
 "rule_name": "PowerShell Script with Discovery Capabilities",
- "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
+ "sha256": "e88e967f368a84359155555ed5b6de403b41fba8223ea19c9b7449a06e834192",
 "type": "query",
- "version": 6
+ "version": 106
 },
 "1e0b832e-957e-43ae-b319-db82d228c908": {
 "min_stack_version": "8.3",
@@ -1193,6 +1247,13 @@
 "type": "query",
 "version": 102
 },
+ "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
+ "min_stack_version": "8.3",
+ "rule_name": "Creation of a DNS-Named Record",
+ "sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75",
+ "type": "eql",
+ "version": 1
+ },
 "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
 "min_stack_version": "8.3",
 "rule_name": "Creation of SettingContent-ms Files",
@@ -1252,9 +1313,9 @@
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious .NET Code Compilation",
- "sha256": "62b3243701eaf818aa660cdcf7e9349322ee81f633aa0084e3c524e3d32ba4e4",
+ "sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "202829f6-0271-4e88-b882-11a655c590d4": {
 "min_stack_version": "8.3",
@@ -1266,9 +1327,9 @@
 "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
 "min_stack_version": "8.3",
 "rule_name": "Creation or Modification of Root Certificate",
- "sha256": "d07f6dd2837e924ff6de33cd32baf79e1da77761b30b28a595cc98b0190bcf53",
+ "sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
 "min_stack_version": "8.9",
@@ -1337,9 +1398,9 @@
 "220be143-5c67-4fdb-b6ce-dd6826d024fd": {
 "min_stack_version": "8.3",
 "rule_name": "Full User-Mode Dumps Enabled System-Wide",
- "sha256": "a5cc59d7cf2e2fa059c0b9764eea066885103f00f02d4d447a130f44e15b452a",
+ "sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
 "min_stack_version": "8.6",
@@ -1360,9 +1421,9 @@
 "22599847-5d13-48cb-8872-5796fee8692b": {
 "min_stack_version": "8.3",
 "rule_name": "SUNBURST Command and Control Activity",
- "sha256": "ba55f907ef22d742e948ef03ed381c51077959c108f1166ec3e32bca889d77f0",
+ "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "227dc608-e558-43d9-b521-150772250bae": {
 "min_stack_version": "8.9",
@@ -1425,9 +1486,9 @@
 "25224a80-5a4a-4b8a-991e-6ab390465c4f": {
 "min_stack_version": "8.3",
 "rule_name": "Lateral Movement via Startup Folder",
- "sha256": "3e1f1dcee9be8b47adb401cfd92323f482f7e22611ecb85b8d301af019b18653",
+ "sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
 "min_stack_version": "8.3",
@@ -1467,16 +1528,16 @@
 "265db8f5-fc73-4d0d-b434-6483b56372e2": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
- "sha256": "126645c0dd5cdade08a0e700f459414da0f7ddf0b26b61817e7c6f1171d959fa",
+ "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "26b01043-4f04-4d2f-882a-5a1d2e95751b": {
 "min_stack_version": "8.3",
 "rule_name": "Privileges Elevation via Parent Process PID Spoofing",
- "sha256": "b17d343699156f436fb832585a96af5844d078cf79f5fa34771f1ceb6b0e95b2",
+ "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "26edba02-6979-4bce-920a-70b080a7be81": {
 "min_stack_version": "8.3",
@@ -1486,18 +1547,36 @@
 "version": 105
 },
 "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
+ "sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9",
+ "type": "threshold",
+ "version": 107
+ }
+ },
 "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
 "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633",
 "type": "threshold",
- "version": 106
+ "version": 207
 },
 "27071ea3-e806-4697-8abc-e22c92aa4293": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 104,
+ "rule_name": "PowerShell Script with Archive Compression Capabilities",
+ "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
+ "type": "query",
+ "version": 5
+ }
+ },
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
- "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
+ "sha256": "a3c97823d3b6940c64c3cd69101e314c8bf84a5c63e6f3ac1358259b034546cd",
 "type": "query",
- "version": 5
+ "version": 105
 },
 "2724808c-ba5d-48b2-86d2-0002103df753": {
 "min_stack_version": "8.3",
@@ -1507,11 +1586,20 @@
 "version": 4
 },
 "272a6484-2663-46db-a532-ef734bf9a796": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Exchange Transport Rule Modification",
+ "sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Exchange Transport Rule Modification",
 "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "2772264c-6fb9-4d9d-9014-b416eed21254": {
 "min_stack_version": "8.3",
@@ -1528,25 +1616,34 @@
 "version": 104
 },
 "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Teams External Access Enabled",
+ "sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Teams External Access Enabled",
 "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
 "min_stack_version": "8.3",
 "rule_name": "Account Password Reset Remotely",
 "sha256": "bd56a7406f9eb92ed5ae5f56f3b907b56ac2f13892cb6f81d1fc8810651fbedb",
 "type": "eql",
- "version": 111
+ "version": 113
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.3",
 "rule_name": "Account Discovery Command via SYSTEM Account",
- "sha256": "1fb55bf7b692e5b95ce37d95f3fdaa6ad25e99035e5b7b66e15c874b197e9da7",
+ "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "min_stack_version": "8.3",
@@ -1601,19 +1698,19 @@
 "290aca65-e94d-403b-ba0f-62f320e63f51": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
- "sha256": "40ce924fa3299f63687bf28ba5a09ffe6142e56f64010f766f3350db86522cf6",
+ "sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "2917d495-59bd-4250-b395-c29409b76086": {
 "min_stack_version": "8.3",
 "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
- "sha256": "042c84534e3f2e42aaad622b511e2a606ed267b5ea9d48a1e289c2ced981af4a",
+ "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "291a0de9-937a-4189-94c0-3e847c8b13e4": {
- "min_stack_version": "8.6",
+ "min_stack_version": "8.12",
 "previous": {
 "8.3": {
 "max_allowable_version": 207,
@@ -1621,12 +1718,19 @@
 "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
 "type": "eql",
 "version": 108
+ },
+ "8.6": {
+ "max_allowable_version": 310,
+ "rule_name": "Enumeration of Privileged Local Groups Membership",
+ "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
+ "type": "new_terms",
+ "version": 211
 }
 },
 "rule_name": "Enumeration of Privileged Local Groups Membership",
- "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
+ "sha256": "69aa12515cb5a6a884d8fcd0056daadf549285264513b506832693885dae1db6",
 "type": "new_terms",
- "version": 211
+ "version": 311
 },
 "29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
 "min_stack_version": "8.10",
@@ -1682,23 +1786,23 @@
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "min_stack_version": "8.3",
 "rule_name": "Adobe Hijack Persistence",
- "sha256": "9511519552dcac359dd785ad280b824b18f30b72c8776b5c13589adecd28db7e",
+ "sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
- "sha256": "43fda5bff6b8024187994b386ff239f5b34a3dbc20d13cac44e186e7ad26bb7b",
+ "sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
- "sha256": "7583ab195e69ad5b71c92d119b7e50b25df405d9af54fd263467de71829c7a12",
+ "sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "min_stack_version": "8.6",
@@ -1740,25 +1844,34 @@
 "version": 3
 },
 "2de10e77-c144-4e69-afb7-344e7127abd0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "O365 Excessive Single Sign-On Logon Errors",
+ "sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e",
+ "type": "threshold",
+ "version": 107
+ }
+ },
 "rule_name": "O365 Excessive Single Sign-On Logon Errors",
 "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46",
 "type": "threshold",
- "version": 106
+ "version": 207
 },
 "2de87d72-ee0c-43e2-b975-5f0b029ac600": {
 "min_stack_version": "8.3",
 "rule_name": "Wireless Credential Dumping using Netsh Command",
- "sha256": "b923fa419e9ac1d3e41bd75e45c9c2ef9ddde2134eb32607cb9f601891fe589c",
+ "sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
 "min_stack_version": "8.3",
 "rule_name": "Renamed AutoIt Scripts Interpreter",
- "sha256": "3c1ac65899b1c8a54368d0242926e71b84970c3d3525c102b8fc3212e2fe5a28",
+ "sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "min_stack_version": "8.3",
@@ -1791,9 +1904,9 @@
 "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
 "min_stack_version": "8.3",
 "rule_name": "Creation of a Hidden Local User Account",
- "sha256": "9b9c9894727201ffd4c48acd3806088c597cc81ae8b85f9dd6a9d88587a6c292",
+ "sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "2f0bae2d-bf20-4465-be86-1311addebaa3": {
 "min_stack_version": "8.3",
@@ -1833,9 +1946,9 @@
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Defender Disabled via Registry Modification",
- "sha256": "8e9618108b6191ca96f5028c7ebad3b970904705f93ef91cc05da0a39a35841b",
+ "sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "301571f3-b316-4969-8dd0-7917410030d3": {
 "min_stack_version": "8.9",
@@ -1882,9 +1995,9 @@
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "min_stack_version": "8.3",
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "80d0b61b700c1596bf6c6190a1fc56d04324e5a1f0c3b74c6e06f559810308f7",
+ "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "3202e172-01b1-4738-a932-d024c514ba72": {
 "min_stack_version": "8.3",
@@ -1917,16 +2030,16 @@
 "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
 "min_stack_version": "8.3",
 "rule_name": "Program Files Directory Masquerading",
- "sha256": "c5aa7db35a6cc9e3919372237fa8dffc8e397027df0c591dca62a660c3c826d2",
+ "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "c62185b1fbe63d5cfa6260c4c2a4b70f8de70a803a1847d7d6ef4d320688dbc8",
+ "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
 "min_stack_version": "8.9",
@@ -1989,9 +2102,9 @@
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "min_stack_version": "8.3",
 "rule_name": "Port Forwarding Rule Addition",
- "sha256": "a29be1699ea98079497ab6f9dbcda467f70d809fb84a0d405bd02035d126342a",
+ "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
 "min_stack_version": "8.9",
@@ -2003,9 +2116,9 @@
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "0fe48302bd069b376d0c0125b9b99b6e6bc78713aa8f3ded6f2dc4d5d7c198a7",
+ "sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "35f86980-1fb1-4dff-b311-3be941549c8d": {
 "min_stack_version": "8.3",
@@ -2030,9 +2143,9 @@
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious ImagePath Service Creation",
- "sha256": "105ca4a083fb2c40d09d028b90dc636ffb2ef5d20a4ebc06fa2bfd135a0c2a85",
+ "sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
 "min_stack_version": "8.9",
@@ -2170,23 +2283,23 @@
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "a95a8deb33c605f49071b6760943f92eb999d304ed26cbb4ecff1b05fdd79c5d",
+ "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.3",
 "rule_name": "Potential DNS Tunneling via NsLookup",
- "sha256": "7a96acd466a52a000a95a7a901ce68338cde32312c53ad710e741dba79c4d31f",
+ "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Module Loaded by LSASS",
- "sha256": "fdd555efd8dd322e1a61baac6b914d2c1413a0cd235e63b81bd359e5699bece9",
+ "sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
@@ -2225,16 +2338,16 @@
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "0cc9b4c66d9e04312246894acad762bceae4aecf2c325f9a58d7c3bd3f42a05a",
+ "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.3",
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "3d513821b853d8c2375e5387149c85a0a5ed409ab49bc51e03da3056957874e3",
+ "sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "min_stack_version": "8.3",
@@ -2243,12 +2356,28 @@ "type": "machine_learning", "version": 103 }, - "3d3aa8f9-12af-441f-9344-9f31053e316d": { + "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "min_stack_version": "8.3", + "rule_name": "ScreenConnect Server Spawning Suspicious Processes", + "sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c", + "type": "eql", + "version": 1 + }, + "3d3aa8f9-12af-441f-9344-9f31053e316d": { + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "PowerShell Script with Log Clear Capabilities", + "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", + "type": "query", + "version": 5 + } + }, "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", + "sha256": "afa86911efb5e954ddd5ac66e6ff98a64832328ccdd43ef5c3a5c73ec1172297", "type": "query", - "version": 5 + "version": 105 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "min_stack_version": "8.9", @@ -2276,9 +2405,9 @@ "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "ffebc8558061bb7dea44422008c6d36bf5a9a5bd236b54a4c1c347e3afeaaa7a", + "sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904", "type": "eql", - "version": 5 + "version": 6 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "min_stack_version": "8.3", @@ -2304,9 +2433,9 @@ "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "628d69badc4c7cac5d27f8b5e345a0f678ff14a21da4d553f6415fc9f62d61e5", + "sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8", "type": "eql", - "version": 109 + "version": 110 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.8", 
@@ -2325,11 +2454,20 @@ "version": 208 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", + "sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", - "version": 106 + "version": 207 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "min_stack_version": "8.3", @@ -2369,9 +2507,9 @@ "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a User", - "sha256": "6f137c74ed8f940e891bb2048f8df801d3cc8a5b7adba6e3734f2c9da5394f68", + "sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b", "type": "machine_learning", - "version": 3 + "version": 4 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "min_stack_version": "8.3", @@ -2383,9 +2521,9 @@ "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", - "sha256": "913b7ece64e8615edbf3d142cc711bdb73bd123721616e96628eba23c172a0e9", + "sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6", "type": "eql", - "version": 107 + "version": 108 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "min_stack_version": "8.6", @@ -2413,9 +2551,9 @@ "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "0ffed8b229232fa659665f4b08e7fc2bf4925814c0faea7b4334187b8e75ca10", + "sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71", "type": "eql", - "version": 110 + "version": 111 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "min_stack_version": "8.8", 
@@ -2499,9 +2637,9 @@ "440e2db4-bc7f-4c96-a068-65b78da59bde": { "min_stack_version": "8.3", "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "e912c188a61231bfdcc366e62f89eb1c6885c298e56a48db3d8d955f6307b0ac", + "sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6", "type": "eql", - "version": 109 + "version": 110 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.3", @@ -2541,23 +2679,23 @@ "45d273fb-1dca-457d-9855-bcb302180c21": { "min_stack_version": "8.3", "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "0e8838bdb203c5d2583b224ce04df505c6a540eaf32e201a73e500d67873a354", + "sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41", "type": "eql", - "version": 110 + "version": 111 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.3", "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "52236fcc17f178dc677b43983bcaa370fd8880a981d93b4470f67a60bd98d1eb", + "sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07", "type": "eql", - "version": 110 + "version": 111 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.3", "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "83b8afb55578a79b9e61c0f4dc9589bb9fb7ab8bdac3c35dcca2eee7b4c89aaa", + "sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f", "type": "eql", - "version": 108 + "version": 109 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "8.3", 
@@ -2603,16 +2741,25 @@ "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "de1531fede6b492b18663d799128c21faafc14bd82543c7cb449129e0e9a9b83", + "sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e", "type": "eql", - "version": 108 + "version": 109 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { - "min_stack_version": "8.6", + "min_stack_version": "8.8", + "previous": { + "8.6": { + "max_allowable_version": 104, + "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea", + "type": "new_terms", + "version": 5 + } + }, "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea", "type": "new_terms", - "version": 4 + "version": 105 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "min_stack_version": "8.3", @@ -2724,9 +2871,9 @@ "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "f6ea79ffc24fc77b0b670584c9aa5ca184d1b9c530ad1e7835b22c26877e8123", + "sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22", "type": "eql", - "version": 109 + "version": 110 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "min_stack_version": "8.8", @@ -2752,9 +2899,9 @@ "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.3", "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "4c3132cd12e5b050d008e9dda6a69bb2b2711b0f9596232fc8173985858ddd79", + "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", "type": "eql", - "version": 108 + "version": 109 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.3", 
@@ -2796,9 +2943,9 @@ "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.3", "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "124e5da33a22b0f85d527b9d8d7b6e77344775624ac22f9f7877357295bfcd58", + "sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada", "type": "eql", - "version": 111 + "version": 112 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "min_stack_version": "8.3", @@ -2817,9 +2964,9 @@ "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.3", "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "1f58dea69a64bf4b35c2649ad0d707aa3acebce847cb0690b19d53233f956e5f", + "sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b", "type": "eql", - "version": 110 + "version": 111 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "min_stack_version": "8.3", @@ -2847,9 +2994,9 @@ "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.3", "rule_name": "Execution via TSClient Mountpoint", - "sha256": "4800eb590fd93d7cfee2891f85ca1700e4d1b6151e4525ebbe6d01fb4b7a6737", + "sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef", "type": "eql", - "version": 108 + "version": 109 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.10", 
@@ -2875,16 +3022,25 @@ "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "64fddd9615abe7545e62a0eb47f20a024c23decd8daaea1c670e1e4f518d9789", + "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", "type": "eql", - "version": 107 + "version": 108 }, "514121ce-c7b6-474a-8237-68ff71672379": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", "type": "query", - "version": 105 + "version": 206 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "min_stack_version": "8.3", @@ -3017,9 +3173,9 @@ "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.3", "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "90fb6b5b747e2c33656a728d3ded9f2e44a82bf4beac024c8f53e31fd8e0a03e", + "sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b", "type": "eql", - "version": 109 + "version": 110 }, "53dedd83-1be7-430f-8026-363256395c8b": { "min_stack_version": "8.3", 
@@ -3031,23 +3187,32 @@ "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", - "sha256": "fc2a119aff01368fe7e6e9b4d6c90db7715a088bc7da33d27985eb8062ed03a7", + "sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17", "type": "eql", - "version": 106 + "version": 107 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { - "min_stack_version": "8.3", + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 107, + "rule_name": "Exchange Mailbox Export via PowerShell", + "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", + "type": "query", + "version": 8 + } + }, "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", + "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", "type": "query", - "version": 8 + "version": 108 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.3", "rule_name": "Network Logon Provider Registry Modification", - "sha256": "0d2d7574f0cce64196c045d6a82209834616721007ea1fd7bed902cd6cb8863a", + "sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59", "type": "eql", - "version": 108 + "version": 109 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.3", @@ -3073,9 +3238,9 @@ "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Host", - "sha256": "ca08c87c1c1ebfbf7d02d83341733370de9f73bc116ee4557642d0149a432182", + "sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853", "type": "machine_learning", - "version": 3 + "version": 4 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "min_stack_version": "8.10", 
@@ -3113,11 +3278,20 @@ "version": 104 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { - "min_stack_version": "8.3", + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 209, + "rule_name": "PowerShell PSReflect Script", + "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", + "type": "query", + "version": 110 + } + }, "rule_name": "PowerShell PSReflect Script", - "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", + "sha256": "feeee2403f399c6d729c001a0178272237732cb46fe4d292f1b595d7910f782b", "type": "query", - "version": 110 + "version": 210 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "min_stack_version": "8.6", @@ -3173,16 +3347,16 @@ "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.3", "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "8f3c1355379a529b94f98cc0e27d42505f77c22b44f920fbb6f2237c96008767", + "sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc", "type": "eql", - "version": 110 + "version": 111 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.3", "rule_name": "RDP Enabled via Registry", - "sha256": "e12182f0d2be63bfab11f485ecbb25e37f35b4b4736b3be8022379a95fb50937", + "sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb", "type": "eql", - "version": 110 + "version": 111 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "min_stack_version": "8.3", @@ -3201,9 +3375,9 @@ "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "89d94e88b9dbd7a623d75c682c8ca3f5572371f7bb77a9995add825d2f18c57b", + "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", "type": "eql", - "version": 110 + "version": 111 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "min_stack_version": "8.3", 
@@ -3213,11 +3387,20 @@ "version": 2 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Email Reported by User as Malware or Phish", "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", "type": "query", - "version": 105 + "version": 206 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "min_stack_version": "8.9", @@ -3245,9 +3428,9 @@ "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "1d981e59f3d02e064f6cd8379e9c9900be5705a0cbdcc0c596b866ae5809bcca", + "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", "type": "eql", - "version": 108 + "version": 109 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "min_stack_version": "8.3", @@ -3273,9 +3456,9 @@ "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.3", "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "cae0c739475e3022d321d0703176431dbaf1792d9e3f628f9cafaa57d986d412", + "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", "type": "eql", - "version": 108 + "version": 109 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "min_stack_version": "8.3", @@ -3308,9 +3491,9 @@ "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.3", "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "653114ab86902fd8f4c8ee2dad60eda337ba0cea3f366a5da9d2eddce611bf0e", + "sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3", "type": "eql", - "version": 107 + "version": 108 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "min_stack_version": "8.9", 
@@ -3380,9 +3563,9 @@ "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "c1db8c178bc05b8761de8f9b5eb2a539cde7eae8471c23a6f2dcd60aad668b67", + "sha256": "347fd2258a98937fc06440446d38f771f9d3df4b733661fc32c8df5a556b2c76", "type": "eql", - "version": 106 + "version": 107 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.3", @@ -3394,9 +3577,9 @@ "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", - "sha256": "72a57bee7c2bd77cf45d4286782cdf3feb1c3f97ea5f10f077794593e289807f", + "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", "type": "eql", - "version": 8 + "version": 9 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "min_stack_version": "8.3", @@ -3408,9 +3591,9 @@ "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "7f563f78e16e0d63433ac2b46218f66fc5ad3ac544c1e6b037b8c025db8eaca2", + "sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd", "type": "eql", - "version": 107 + "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "min_stack_version": "8.3", @@ -3436,11 +3619,20 @@ "version": 106 }, "5e552599-ddec-4e14-bad1-28aa42404388": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Teams Guest Access Enabled", + "sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", "type": "query", - "version": 105 + "version": 206 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -3463,11 +3655,20 @@ "version": 105 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange DLP Policy Removed", + "sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", "type": "query", - "version": 105 + "version": 206 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.3", @@ -3491,11 +3692,20 @@ "version": 3 }, "61ac3638-40a3-44b2-855a-985636ca985e": { - "min_stack_version": "8.3", + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 212, + "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", + "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", + "type": "query", + "version": 113 + } + }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", + "sha256": "8a06a6df25f7cd9d46fb890b91a35822e95e9ae636069608964018f12fa37d41", "type": "query", - "version": 113 + "version": 213 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -3640,9 +3850,9 @@ "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "7745782aa933ea91dbfdffeaa535df98d4ba5d6b908c75cabba52d20958e79d4", + "sha256": "8e989fcdb846e7c3c657728af8bbcfd54fd55209fe4cea539ff6aa9eaad2360e", "type": "eql", - "version": 110 + "version": 111 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.3", 
@@ -3682,11 +3892,20 @@ "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Mailbox Audit Logging Bypass", + "sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Mailbox Audit Logging Bypass", "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", "type": "query", - "version": 105 + "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.10", @@ -3726,16 +3945,25 @@ "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", - "sha256": "dffe42c5ab90869c537ef31605f87399b7061fd6480ca86d291ea97c3e7ad65f", + "sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c", "type": "eql", - "version": 106 + "version": 107 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "New or Modified Federation Domain", + "sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6", + "type": "query", + "version": 106 + } + }, "rule_name": "New or Modified Federation Domain", "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", "type": "query", - "version": 105 + "version": 206 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", 
@@ -3756,9 +3984,9 @@ "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "fe99222bad976791adb250b94f1a671e2fc854d9e940dcb1774abd08d4e941bf", + "sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f", "type": "eql", - "version": 109 + "version": 110 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "min_stack_version": "8.4", @@ -3799,12 +4027,19 @@ "type": "query", "version": 208 }, + "68ad737b-f90a-4fe5-bda6-a68fa460044e": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Access to LDAP Attributes", + "sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d", + "type": "eql", + "version": 1 + }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "54b41030764f446ffff3a1171e5a6ab48b398793afaf92aa0a74f457a0d97ea7", + "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459", "type": "eql", - "version": 108 + "version": 109 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "min_stack_version": "8.9", @@ -3841,9 +4076,9 @@ "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.3", "rule_name": "Modification of Boot Configuration", - "sha256": "031efa575d3f85bf37358fccdc85ea7a26833d84a044e2dea0cd340a5b1e783d", + "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525", "type": "eql", - "version": 108 + "version": 109 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "min_stack_version": "8.9", 
@@ -3864,16 +4099,16 @@ "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "73d8b92d5adacbda2690be1cefec6b5055b8462a0899cefb5721cdb447880250", + "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", "type": "eql", - "version": 109 + "version": 110 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "06d7311a4617060740277c5c255cc10d196a978a6b9d8c791dd4782f14bfafe2", + "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", "type": "eql", - "version": 110 + "version": 111 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "min_stack_version": "8.3", @@ -3915,9 +4150,9 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "f2d1dd7ef4bc9e7b8633eaca9e82e9bd3898d9211b31d2315326bdaca05e73f7", + "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", "type": "eql", - "version": 107 + "version": 108 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "min_stack_version": "8.3", @@ -3943,9 +4178,9 @@ "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "ef918ece14946f78978846c902ca1e8891e295cc7065c895ba6e7e5b0d9f59b9", + "sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa", "type": "new_terms", - "version": 4 + "version": 5 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.3", 
@@ -4072,9 +4307,9 @@ "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "e25fb2996e2838037ab8ab6de1cb526ff2e6af111288672810cf676904bf4d37", + "sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857", "type": "eql", - "version": 107 + "version": 108 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "min_stack_version": "8.3", @@ -4109,16 +4344,16 @@ "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "ed13a55ea9f9864fa3d8cf2ec597f8c8fd6f62b93c0f4413599d1d75cb17a69e", + "sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc", "type": "eql", - "version": 113 + "version": 114 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "3e328cd1d4443b14c40bd6976483e6b0a46fc4832c5ea51543992f77cb4d976a", + "sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2", "type": "eql", - "version": 108 + "version": 109 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "min_stack_version": "8.3", @@ -4128,11 +4363,20 @@ "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Potential ransomware activity", + "sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", "type": "query", - "version": 105 + "version": 206 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.10", 
@@ -4163,12 +4407,19 @@ "type": "new_terms", "version": 2 }, + "730ed57d-ae0f-444f-af50-78708b57edd5": { + "min_stack_version": "8.3", + "rule_name": "Suspicious JetBrains TeamCity Child Process", + "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578", + "type": "eql", + "version": 1 + }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "ad9e16f4c06eeb3f11eeba4c6b5f6ebbcbd669dae6909a420cc602ada36adf32", + "sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb", "type": "eql", - "version": 110 + "version": 111 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.3", @@ -4275,16 +4526,16 @@ "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "a810edd1617bc4ef3ae1a664742c5516a727a73fc12d9aa3e001fd9a2fbe07a9", + "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", "type": "eql", - "version": 109 + "version": 110 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "6aeba930f5f44ebe3664c42b528c463e2e6c8ccf360ef292fad035a88e96054b", + "sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf", "type": "eql", - "version": 110 + "version": 111 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", 
@@ -4353,12 +4604,19 @@ "type": "machine_learning", "version": 208 }, + "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { + "min_stack_version": "8.3", + "rule_name": "Suspicious ScreenConnect Client Child Process", + "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", + "type": "eql", + "version": 1 + }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "11fb3b45a1ccc2f104c91997fb4d7093f0efd5534a8f2048aa90ef37cc11f6cd", + "sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45", "type": "eql", - "version": 5 + "version": 6 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "min_stack_version": "8.3", @@ -4384,9 +4642,9 @@ "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.3", "rule_name": "Potential File Transfer via Certreq", - "sha256": "c6ede1b19124b56c850d7eedf82e3104e0dd50089d1209a233c6146d28706b7e", + "sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef", "type": "eql", - "version": 7 + "version": 8 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", @@ -4408,6 +4666,13 @@ "type": "eql", "version": 5 }, + "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { + "min_stack_version": "8.3", + "rule_name": "Potential Execution via XZBackdoor", + "sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39", + "type": "eql", + "version": 1 + }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", 
@@ -4589,9 +4854,9 @@ "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "1f86aaab6eae3947a5345279878d86101a66a07e2bc16cc341c0ef0d1694e094", + "sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186", "type": "eql", - "version": 108 + "version": 109 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -4600,11 +4865,20 @@ "version": 100 }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { - "min_stack_version": "8.3", + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 210, + "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", + "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", + "type": "query", + "version": 111 + } + }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", + "sha256": "da93c9757e2bcf7faed59270b7d6ee09006cacaab0f5d201d13e988814868cf4", "type": "query", - "version": 111 + "version": 211 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", @@ -4664,16 +4938,16 @@ "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "e48575e85ccf8ae97bd5dbbcdb93966f977cfa5497471f891a801e5b405c1dce", + "sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744", "type": "eql", - "version": 109 + "version": 110 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "01eb8e120deae737d0fc5aabc47de2c2ffb1ae2ad9d91fbda2f67016f9d71261", + "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", "type": "eql", - "version": 110 + "version": 111 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "8.6", 
@@ -4687,9 +4961,9 @@ } }, "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "eb9b0b0b83082c3d6dbac814bde52b8353d73b0924dc994669c557a187778df9", + "sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404", "type": "new_terms", - "version": 209 + "version": 210 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "min_stack_version": "8.9", @@ -4756,9 +5030,9 @@ "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", "rule_name": "Enumeration of Administrator Accounts", - "sha256": "113a001053d28327c493ecc11edbf7d75e750102e0e8f5d30bcd79d564cf5cb9", + "sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5", "type": "eql", - "version": 111 + "version": 112 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "min_stack_version": "8.9", @@ -4790,11 +5064,20 @@ "version": 4 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Global Administrator Role Assigned", + "sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Global Administrator Role Assigned", "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", "type": "query", - "version": 105 + "version": 206 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "min_stack_version": "8.3", @@ -4822,9 +5105,9 @@ "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "45129c0ef751c5a0e94afce6b35dc37357e77b777868036377790f5c4fdf4080", + "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", "type": "eql", - "version": 107 + "version": 108 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -4835,9 +5118,9 @@ "897dc6b5-b39f-432a-8d75-d3730d50c782": { "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "e013429a64b9dc5fb19c3b14f924b3a3a20fe2b5d6c7b02c25cc237dc5c6a3f7", + "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", "type": "eql", - "version": 109 + "version": 110 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.3", @@ -4884,9 +5167,9 @@ "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "9bfce88b49a258d2ab8fb3ec0f60bfbb33b38e761b4cd49784f22e499a372754", + "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", "type": "eql", - "version": 107 + "version": 108 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.10", @@ -4930,16 +5213,16 @@ "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "3692dc005e94c6cb81f8745fe73b3dcbdb7ee3c1a9ef6a92579bd1d330ffc35a", + "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298", "type": "eql", - "version": 107 + "version": 108 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "ea2781111fa286570f40efaaba709a54286c0669cfd802fd50b9f203a72f7fad", + "sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de", "type": "eql", - "version": 108 + "version": 109 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "min_stack_version": "8.3", 
@@ -4958,9 +5241,9 @@ "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", - "sha256": "c40456bb67141fe6e52ceecbb5652a86c0f2bc25c3569c830c27830775d9d826", + "sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba", "type": "eql", - "version": 109 + "version": 110 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", @@ -5025,12 +5308,19 @@ "type": "eql", "version": 1 }, + "8f242ffb-b191-4803-90ec-0f19942e17fd": { + "min_stack_version": "8.3", + "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", + "sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6", + "type": "eql", + "version": 1 + }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "d3f17c275351dce43dbed1904257d053abe2a6e174ec12f91eabbc40236f918e", + "sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c", "type": "eql", - "version": 105 + "version": 106 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.3", @@ -5147,11 +5437,20 @@ "version": 1 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { - "min_stack_version": "8.3", + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 107, + "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", + "type": "query", + "version": 8 + } + }, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", + "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", "type": "query", - "version": 8 + "version": 108 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.3", 
@@ -5163,9 +5462,9 @@ "92d3a04e-6487-4b62-892d-70e640a590dc": { "min_stack_version": "8.3", "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "030d478f5bddae65e8f04f82a6157ab452650de7a6d0b647848e842651ac9d7c", + "sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c", "type": "eql", - "version": 2 + "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "min_stack_version": "8.9", @@ -5218,16 +5517,16 @@ "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "df0ba86beb4118b6f55a5970adbe558c2f9a9845cc50d152084a527067efae03", + "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", "type": "eql", - "version": 109 + "version": 110 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.3", "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "97a385e0496447ac9bc02ec4f05003b37f913d60778bb33026ee4689321f305b", + "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", "type": "eql", - "version": 106 + "version": 107 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "min_stack_version": "8.4", @@ -5271,9 +5570,9 @@ "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "8c675238fbf36a2b6439b67333f1563d27dcfb24f7fd66154eea09190df6d24f", + "sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0", "type": "eql", - "version": 7 + "version": 8 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -5291,6 +5590,13 @@ "type": "query", "version": 106 }, + "951779c2-82ad-4a6c-82b8-296c1f691449": { + "min_stack_version": "8.3", + "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", + "sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6", + "type": "query", + "version": 1 + }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", @@ -5357,11 +5663,20 @@ "version": 7 }, "97314185-2568-4561-ae81-f3e480e5e695": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", "type": "query", - "version": 105 + "version": 206 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "min_stack_version": "8.3", @@ -5412,9 +5727,9 @@ "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", - "sha256": "2ffff124b6528b62de29abc5f2e3c94b3f3da565038785122b8fbc2e0a502d46", + "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", "type": "eql", - "version": 109 + "version": 110 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -5438,9 +5753,9 @@ "97fc44d3-8dae-4019-ae83-298c3015600f": { "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", - "sha256": "531c4084f03ee3d1b847fd5b7e1a08b698d464c9f75172572d311ce3fd3c7b78", + "sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684", "type": "eql", - "version": 110 + "version": 111 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -5464,11 +5779,20 @@ "version": 104 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", + "sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", "type": "query", - "version": 105 + "version": 206 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "min_stack_version": "8.9", @@ -5503,9 +5827,9 @@ "994e40aa-8c85-43de-825e-15f665375ee8": { "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "7d474c1db1e3f8cfa6fc070c3448e092cb34a2592f3dda373c71601ce7875a50", + "sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f", "type": "eql", - "version": 3 + "version": 4 }, "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.8", @@ -5570,16 +5894,16 @@ "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", - "sha256": "59e5a0e0931a902b5c7d386df804a1f9d8a829c127bee7f062d94eae7046c813", + "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", "type": "eql", - "version": 108 + "version": 109 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "9076dc95ec176da1582e50d30bd0ee68097fdc5a13f6639cd77542543ff32df3", + "sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce", "type": "eql", - "version": 108 + "version": 109 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "min_stack_version": "8.3", 
@@ -5591,9 +5915,9 @@ "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", - "sha256": "7aa7543ffcc5542e1cc4cecc38eea33a5a697662ce334f941845b66396cabdfd", + "sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c", "type": "eql", - "version": 110 + "version": 111 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "min_stack_version": "8.11", @@ -5626,9 +5950,9 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "1557e125020f22f550954a48efb59d63def281e03eedb5aef393445f4df56377", + "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", "type": "eql", - "version": 109 + "version": 110 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "min_stack_version": "8.4", @@ -5664,23 +5988,23 @@ } }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "da0d96328e9305e09c51d864be3b8ccd37f29f0be6110ed14a08805fecbaa285", + "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", "type": "new_terms", - "version": 208 + "version": 209 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "6039c4fddc944ad2363c6a8ed087a5f1137650a45d722478e022a34684c6925e", + "sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1", "type": "eql", - "version": 109 + "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "c9187ee2ac090322d625b811f9c9758f1f3f18e52fbe549318d885af07b81912", + "sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08", "type": "eql", - "version": 111 + "version": 112 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", 
@@ -5701,9 +6025,9 @@ } }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "7e1573ee5a2439e23df62491f17b161f34b7807f0f35b767ea93b1b40e78af78", + "sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870", "type": "new_terms", - "version": 210 + "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", @@ -5824,9 +6148,9 @@ "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "9b812a2bfc24c437f4a6867a57dffa0c92f1ded49780da916eac728d36e39a20", + "sha256": "45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119", "type": "eql", - "version": 6 + "version": 7 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "min_stack_version": "8.3", @@ -5859,9 +6183,9 @@ "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "53a5fc5d2f7c5de407de0f33a946575689b70044b0a333985d54afc07788e00d", + "sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a", "type": "eql", - "version": 108 + "version": 109 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -5889,16 +6213,16 @@ "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", - "sha256": "45610db4c1dfb5af66fd7794c88af23acafcc45889a8cdc31535e88522b6b777", + "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", "type": "eql", - "version": 107 + "version": 108 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "2022d77c3a450819dba114be131ab4d32b3cdcb7b5b4d5048884740fc9ffb12e", + "sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942", "type": "eql", - "version": 107 + "version": 108 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -5967,9 +6291,9 @@ "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", - "sha256": "2ddbd9552fb06d871be6cf3c6df05e82db51c0522c2c1fd0fc57533539f20d00", + "sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4", "type": "eql", - "version": 111 + "version": 112 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", @@ -5988,16 +6312,16 @@ "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "d07d1d6f15fe4ec31b7e048901b93e28b9a86c97749f465ae96b0605254edb9b", + "sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef", "type": "eql", - "version": 110 + "version": 111 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "8be0d29840df5209032b472d52631f3b32a31c84e9f20329ad8cf4e232029535", + "sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02", "type": "eql", - "version": 109 + "version": 110 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "min_stack_version": "8.3", 
@@ -6027,11 +6351,20 @@ "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", "type": "query", - "version": 105 + "version": 206 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "min_stack_version": "8.4", @@ -6052,9 +6385,9 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "1b00d88e46d2c46a81b2d4ff330ea35d106e96c250135e83c8f9464f7fa4dce9", + "sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd", "type": "eql", - "version": 107 + "version": 108 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", @@ -6080,16 +6413,16 @@ "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", - "sha256": "227b14152ef406f1f76685d2ce4eaa7e142e3dccdf9c18cf6244a4dddf55cb07", + "sha256": "a1bf5a848d6b73efd9cf627fe30e5f4f04215c6bb8bdd5f29b9e4749d22f7e6c", "type": "eql", - "version": 110 + "version": 111 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "min_stack_version": "8.3", "rule_name": "Veeam Backup Library Loaded by Unusual Process", - "sha256": "9e919b338b25f9098acdb28f9ac805dd9d43425d8909e4aab5909c4c45f6a148", + "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", "type": "eql", - "version": 1 + "version": 2 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "min_stack_version": "8.5", 
@@ -6122,9 +6455,9 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", - "sha256": "2f8517fcc799e218e702b6dbc5f69ca0a73a8c4829958fa3b4a4017656953c25", + "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", "type": "eql", - "version": 111 + "version": 112 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.9", @@ -6267,9 +6600,9 @@ "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "e46d6ec23006876133bf7f4911655b998c5f56cffbaef8488e7f9d052cde7391", + "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", "type": "eql", - "version": 4 + "version": 5 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "min_stack_version": "8.6", @@ -6288,9 +6621,9 @@ "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", "rule_name": "Local Scheduled Task Creation", - "sha256": "f568b0ef55ded0b22b5b7dd6b7b744ee901e68e1a8ec576c5f7c736ca1cb06d0", + "sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6", "type": "eql", - "version": 106 + "version": 107 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "min_stack_version": "8.3", 
@@ -6350,16 +6683,25 @@ "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", - "sha256": "ff89ad4aea94c4e2d244dad812d4839a1f9d5e6e2da0237d8c78ede5a866a855", + "sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4", "type": "eql", - "version": 110 + "version": 111 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Unusual Volume of File Deletion", + "sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Unusual Volume of File Deletion", "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", "type": "query", - "version": 105 + "version": 206 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.3", @@ -6378,16 +6720,16 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "c2dd0de863712d8823fec709659ea8a08962a32c4a34cd409a13020217234029", + "sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf", "type": "eql", - "version": 110 + "version": 111 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "88b124d798fdc009c75ce590cb5313122089d2ac66fb58e6c2e75eec66b367be", + "sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e", "type": "eql", - "version": 6 + "version": 7 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "min_stack_version": "8.3", 
@@ -6445,16 +6787,16 @@ "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", - "sha256": "f8d74d2c65e451203da1ba4c2ef800514575ffc18fcd3459bbaa537c6c85723c", + "sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681", "type": "eql", - "version": 110 + "version": 111 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "1e1adb586a134fbb525d8e85a924a9ed9fd88a64cf4e00c2a16c9b123248e520", + "sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3", "type": "eql", - "version": 110 + "version": 111 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", @@ -6540,9 +6882,9 @@ "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "bb62b769a2f4afd8ca4c917f5fd3c32ff9150db63688f907e5df4d2e37e91b70", + "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", "type": "eql", - "version": 107 + "version": 108 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.3", @@ -6554,16 +6896,16 @@ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", - "sha256": "ac09f79864ad4373c578be0ef95a154f24210dc62a17424c2fc90ef3275ef10a", + "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", "type": "eql", - "version": 4 + "version": 5 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "43bf576ded7e0de4ef6ba09eda56e0e82559c76c74254fd774de05559f6b8d5a", + "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", "type": "eql", - "version": 108 + "version": 109 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", 
@@ -6603,9 +6945,9 @@ "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "630c3fd24836df1312da52e9a6f0a374049088974a55d1e8147b02323e80283e", + "sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8", "type": "eql", - "version": 108 + "version": 109 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", @@ -6624,9 +6966,9 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "99cfc367982521de6af65b58f549f4f4c67b5ab33da03ca14f04bab37a3f5b59", + "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", "type": "eql", - "version": 108 + "version": 109 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", @@ -6652,11 +6994,20 @@ "version": 205 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "OneDrive Malware File Upload", + "sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814", + "type": "query", + "version": 106 + } + }, "rule_name": "OneDrive Malware File Upload", "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", "type": "query", - "version": 105 + "version": 206 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "min_stack_version": "8.3", 
@@ -6666,11 +7017,20 @@ "version": 5 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", + "type": "query", + "version": 107 + } + }, "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", "type": "query", - "version": 106 + "version": 207 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "min_stack_version": "8.9", @@ -6761,9 +7121,9 @@ "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "49000faea36134e08ac5c4ff3d8cc8b84b5988a96fd65e353c45b5dcf1816b59", + "sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c", "type": "eql", - "version": 105 + "version": 106 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", @@ -6782,9 +7142,9 @@ "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "ff0debce710d52c303c02bdc17b9b38d4ac32fc6e847d04a076063e6dfd4bb18", + "sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f", "type": "machine_learning", - "version": 3 + "version": 4 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "min_stack_version": "8.9", 
@@ -6796,9 +7156,9 @@ "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "a1189a1dc60f8e7159d10f793ee8b06a65af312c1fe3716004dbc4f108ed9012", + "sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4", "type": "eql", - "version": 108 + "version": 109 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.9", @@ -6833,9 +7193,9 @@ "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "7f05d87c5d2477fe79fb8c9cbce0f3b28ffc41fff1f214a4fdd9833b0705ece6", + "sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e", "type": "eql", - "version": 110 + "version": 111 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", @@ -6847,9 +7207,9 @@ "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "0246217f877df40526e3bc741011b89c6efb820aa436be5c3256cd7013db5d8f", + "sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8", "type": "eql", - "version": 108 + "version": 109 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "min_stack_version": "8.3", @@ -6907,9 +7267,9 @@ "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "bcf33fe084537eed737bc441a6039ec1342b377f77dc505600f40b2ba8666ba4", + "sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef", "type": "eql", - "version": 109 + "version": 110 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "8.3", 
@@ -6949,9 +7309,9 @@ "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.3", "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "b88bece498dfaea5718d4d986625f0145871e56ab8f4101bdf228e4c98842108", + "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", "type": "eql", - "version": 106 + "version": 107 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "min_stack_version": "8.3", @@ -6963,16 +7323,16 @@ "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.3", "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "0d984ea0a0db400769aa7d3f97f7ea303d827c03bc543743cf2e23f2a850d7f0", + "sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e", "type": "eql", - "version": 108 + "version": 109 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "527381ede531c0557419ed0a6bb636ea08e18112216dcaf858ae6256f42aa360", + "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", "type": "eql", - "version": 106 + "version": 107 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "min_stack_version": "8.3", @@ -7019,16 +7379,16 @@ "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.3", "rule_name": "Installation of Custom Shim Databases", - "sha256": "2374c5bb1877f116a333acf337c2c31df95ab45d58c6649a372498f6507b45b9", + "sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6", "type": "eql", - "version": 107 + "version": 108 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "e0090d1a50eac10f4ade38ddb5c37dcedaf650a113144b7796a5c0f982f5b952", + "sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712", "type": "eql", - "version": 109 + "version": 110 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "8.3", 
@@ -7040,9 +7400,9 @@ "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", - "sha256": "a8f12f89203ac9f50f27c410b52db86730251b6f88772a401d2d5dece5460954", + "sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f", "type": "eql", - "version": 111 + "version": 112 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -7108,9 +7468,9 @@ "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", - "sha256": "b061f8aef46c559f3298c402f159b47b452a82c26a266b003760902b7ebe0059", + "sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf", "type": "eql", - "version": 109 + "version": 110 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", @@ -7156,9 +7516,9 @@ "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", - "sha256": "e1789b1189d98d1c0dd3e14aef3df67f994982f60001aab44c9785a8bab9bb3a", + "sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733", "type": "eql", - "version": 105 + "version": 106 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "min_stack_version": "8.3", 
@@ -7170,23 +7530,23 @@ "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "244a5e84242633bf3546c512386425c374c6ef20cad83ad6e67b25e99fa3f0b5", + "sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319", "type": "eql", - "version": 109 + "version": 110 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "cb843dd0438b6f8219a949e952ec61f69968fe41c3eec24c9aae7be06defd202", + "sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411", "type": "eql", - "version": 109 + "version": 110 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "a5e68609def010ae4cea5c31b29ec9740ce793360ee2d0c8995ce5c93286ed58", + "sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51", "type": "eql", - "version": 4 + "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "min_stack_version": "8.3", 
@@ -7196,18 +7556,27 @@ "version": 102 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", "type": "query", - "version": 105 + "version": 206 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "677fab8ea10b09bc3d160f2d6ddf60228e80c7b07b65c9b0df182542f4001b4c", + "sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a", "type": "eql", - "version": 7 + "version": 8 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", @@ -7403,11 +7772,20 @@ "version": 207 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { - "min_stack_version": "8.3", + "min_stack_version": "8.12", + "previous": { + "8.3": { + "max_allowable_version": 110, + "rule_name": "Potential PowerShell HackTool Script by Function Names", + "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", + "type": "query", + "version": 11 + } + }, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "3dd4e764e7be53ae0b8b137bef23861b698be87d17b04674b73f347810f11142", + "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", "type": "query", - "version": 10 + "version": 111 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "min_stack_version": "8.8", 
@@ -7419,9 +7797,9 @@
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "min_stack_version": "8.3",
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "1caaa5871fbfa78e0fe8a2323cbd8f452c5b1c8e166f80ae3f04b1efbe27608b",
+ "sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "min_stack_version": "8.3",
@@ -7463,9 +7841,9 @@
 "cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
 "min_stack_version": "8.3",
 "rule_name": "Execution from Unusual Directory - Command Line",
- "sha256": "c8491acd12050d86d23ba74328aa0ac1d4f5ac05dee80019a088ee29b63ae3cc",
+ "sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "cffbaf47-9391-4e09-a83c-1f27d7474826": {
 "min_stack_version": "8.3",
@@ -7491,23 +7869,23 @@
 "d0e159cf-73e9-40d1-a9ed-077e3158a855": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppInit DLL",
- "sha256": "85d7491d891f74d1943d6d66829f7f495b2686bf716a2b2eff86964fc2f53af1",
+ "sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
 "min_stack_version": "8.3",
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "5f6a70d2ab2ac48645204e364a9d62da9e1f2834d58ad132edebba377a066615",
+ "sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
 "min_stack_version": "8.3",
 "rule_name": "Expired or Revoked Driver Loaded",
- "sha256": "0d684b691957fc890cd55538f666f64f489388c1a1dc12a1be16a5bc3b4de1ee",
+ "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "d197478e-39f0-4347-a22f-ba654718b148": {
 "min_stack_version": "8.3",
@@ -7532,16 +7910,16 @@
 "d31f183a-e5b1-451b-8534-ba62bca0b404": {
 "min_stack_version": "8.3",
 "rule_name": "Disabling User Account Control via Registry Modification",
- "sha256": "a5cfe995f5e61234b19b795e2e09d04cb07d7e0d5a3ea85415ad9aee106ee259",
+ "sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "min_stack_version": "8.3",
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "7ab223b5ae8dccf7fe5e240a84aa15d0c3e7b5fb84756dca29ba288fe1bf6bc7",
+ "sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
 "min_stack_version": "8.3",
@@ -7625,9 +8003,9 @@
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Windir Environment Variable",
- "sha256": "0e1e3b5f59d53215ae4432116b3ff34d82492327031fb05030a06a280f0fa027",
+ "sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
 "min_stack_version": "8.10",
@@ -7689,32 +8067,50 @@
 "version": 9
 },
 "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
+ "sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
 "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of WDigest Security Provider",
- "sha256": "b7c8f207268472165a7e8eb713ed3eb05723b6ff76a5933201d0405e647fd390",
+ "sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "min_stack_version": "8.3",
 "rule_name": "Command Execution via SolarWinds Process",
- "sha256": "e37263b5a6b5f6fad1b0ee0d7becddea5d24c5bbddbd0f16d1af2bc113a0e299",
+ "sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
+ "sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
 "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "d74d6506-427a-4790-b170-0c2a6ddac799": {
 "min_stack_version": "8.3",
@@ -7761,9 +8157,9 @@
 "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
 "min_stack_version": "8.3",
 "rule_name": "Untrusted Driver Loaded",
- "sha256": "aa9adda1ac8dfe9c91e83c7741e046bb1553fda39b7e023d70c58e86fa012e11",
+ "sha256": "2caaa3d2f80549be9ff1f1641f9f9f202ecdadf6b83b01fa9486affa8bdb566f",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
 "min_stack_version": "8.9",
@@ -7784,16 +8180,16 @@
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "min_stack_version": "8.3",
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
- "sha256": "ffc3442e6c3cc20722b9c1f1a32d35551a15964ac11f7cdfc592b76719af0cc8",
+ "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
 "min_stack_version": "8.3",
 "rule_name": "Code Signing Policy Modification Through Registry",
- "sha256": "4fa393159012945bc722ed714aa371599d8c9cff942177209a16fa499c5c32af",
+ "sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "da7f5803-1cd4-42fd-a890-0173ae80ac69": {
 "min_stack_version": "8.9",
@@ -7839,9 +8235,9 @@
 "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via Windows Subsystem for Linux",
- "sha256": "6787d79433584e75afd2d32b2e0f9b054030958c1d82150a5ee9f0a5f5122b3a",
+ "sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "min_stack_version": "8.3",
@@ -7873,9 +8269,9 @@
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "min_stack_version": "8.3",
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "f37ab90a54a6c291b9cd4aa976743cd7ac5deb2abcac55cab6d64b965bfe48e7",
+ "sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "min_stack_version": "8.9",
@@ -7896,16 +8292,16 @@
 "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Execution from INET Cache",
- "sha256": "44f7baab75f773277a10c7030dcd1cfd26a107a3dc957f0fcb5163db547ae530",
+ "sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Install Kali Linux via WSL",
- "sha256": "6f5f7a6cfcaa1257d531efd9068625980be3884a9960c90a3894be9c4711f295",
+ "sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
 "min_stack_version": "8.3",
@@ -7917,16 +8313,16 @@
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "min_stack_version": "8.3",
 "rule_name": "NullSessionPipe Registry Modification",
- "sha256": "81c0aab3146bff977cf56daa4f6b8155b87a26c42990da92e1ead146d5ff2e3c",
+ "sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "2cf508d63c723bf1c8a65c682aca188141a400cdc3761094a901e95e793ac9bf",
+ "sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "min_stack_version": "8.3",
@@ -7947,16 +8343,16 @@
 }
 },
 "rule_name": "Query Registry using Built-in Tools",
- "sha256": "66c6b23d0b93c2a355ec7809c00272dad9d6ae5d8e1b8c594010f6d352504e9c",
+ "sha256": "4f92c23c30b19e9208d921b84d709ec2775f026b2fe995a4ca3644cdf56c2d4f",
 "type": "new_terms",
- "version": 103
+ "version": 104
 },
 "df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
 "min_stack_version": "8.6",
 "rule_name": "First Time Seen Driver Loaded",
- "sha256": "ad243a0040fbf3b300d379e356e6d3eb10209a2132942ac2f4e08962b1e8bd79",
+ "sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58",
 "type": "new_terms",
- "version": 6
+ "version": 7
 },
 "df197323-72a8-46a9-a08e-3f5b04a4a97a": {
 "min_stack_version": "8.3",
@@ -8127,11 +8523,20 @@
 "version": 104
 },
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 211,
+ "rule_name": "Suspicious .NET Reflection via PowerShell",
+ "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
+ "type": "query",
+ "version": 112
+ }
+ },
 "rule_name": "Suspicious .NET Reflection via PowerShell",
- "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
+ "sha256": "3cf8ff583ef123ebe0ef752da349e94652bcd203d089689bf6cfba36e727cc9d",
 "type": "query",
- "version": 112
+ "version": 212
 },
 "e28b8093-833b-4eda-b877-0873d134cf3c": {
 "min_stack_version": "8.11",
@@ -8166,16 +8571,16 @@
 "e2e0537d-7d8f-4910-a11d-559bcf61295a": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
- "sha256": "a5106b1d322ebadff7f28fbf1c711accfdc2a15bc9eb9040d4a3d09bd1aae28e",
+ "sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
- "sha256": "585acd10a78e513b1329c305c032f10d56c20983fb6b6e247a83f36cbc5dd540",
+ "sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
 "min_stack_version": "8.3",
@@ -8187,9 +8592,9 @@
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "min_stack_version": "8.3",
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "58b1c0d846d88c3860eca433ef5b9a49f46dccbb09d40c042618fb5cab6a109b",
+ "sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "e3c27562-709a-42bd-82f2-3ed926cced19": {
 "min_stack_version": "8.9",
@@ -8217,9 +8622,9 @@
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "min_stack_version": "8.3",
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
- "sha256": "71a21b95dc853aa7a9f3bdebacbefd8c18bdae166c17c5eeadf71662eeede388",
+ "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
 "min_stack_version": "8.3",
@@ -8341,9 +8746,9 @@
 "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
 "min_stack_version": "8.3",
 "rule_name": "Execution of Persistent Suspicious Program",
- "sha256": "1c76bc2a08b06825a177b0a25d39ca39d581ca953d40329e61cf82fd06714d77",
+ "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "e72f87d0-a70e-4f8d-8443-a6407bc34643": {
 "min_stack_version": "8.8",
@@ -8394,16 +8799,16 @@
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "min_stack_version": "8.3",
 "rule_name": "Service Control Spawned via Script Interpreter",
- "sha256": "2894b45c8036eb38c332ca6f58cdcc5e872a80caa4e846636d051be8a166fcfe",
+ "sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
 "min_stack_version": "8.3",
 "rule_name": "Installation of Security Support Provider",
- "sha256": "1acfa2f251d1860e05ac5ffd7e0d7fa0801737551ea5e58c102b5caf3fca6c97",
+ "sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "min_stack_version": "8.3",
@@ -8470,16 +8875,16 @@
 "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Executable File Creation by a System Critical Process",
- "sha256": "c5b7eef8ade7d3485a90b117038e54a8f7a1c4f8dd13df848304bb26845d46a5",
+ "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
 "min_stack_version": "8.3",
 "rule_name": "Potential LSA Authentication Package Abuse",
- "sha256": "a0ba2b3c599f12c32b5a0939253f61624c5aaef4f8bec7e3c2a58427a1421f1c",
+ "sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "e9b0902b-c515-413b-b80b-a8dcebc81a66": {
 "min_stack_version": "8.9",
@@ -8510,9 +8915,9 @@
 "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Spawned by a Parent Process",
- "sha256": "9b562c38c4d362ac35e21b39fa028b653058315e266fd5853a388763e141b873",
+ "sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "ea248a02-bc47-4043-8e94-2885b19b2636": {
 "min_stack_version": "8.9",
@@ -8582,23 +8987,23 @@
 "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
 "min_stack_version": "8.3",
 "rule_name": "Mimikatz Memssp Log File Detected",
- "sha256": "288578d5369a79c6373c3c0b0ce30d1e04accf4297f4378905ea03e926ef0304",
+ "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
 "min_stack_version": "8.3",
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "4a54459a60e0157dbebdb4fa49edc3c3b44da95324d09ce432d90dfadc18cf16",
+ "sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "min_stack_version": "8.3",
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "07d39ae66d7a091b5542973de8f3a914e6079b735c9af7282ec779f0f6eb0c91",
+ "sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "ec604672-bed9-43e1-8871-cf591c052550": {
 "min_stack_version": "8.8",
@@ -8608,11 +9013,20 @@
 "version": 2
 },
 "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
+ "sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
 "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
 "min_stack_version": "8.3",
@@ -8647,9 +9061,9 @@
 "eda499b8-a073-4e35-9733-22ec71f57f3a": {
 "min_stack_version": "8.3",
 "rule_name": "AdFind Command Activity",
- "sha256": "4cd8390b9a5306f1e517291c56dbd8724ce905bf484b914443323165263e92fa",
+ "sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
 "min_stack_version": "8.10",
@@ -8670,9 +9084,9 @@
 "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
 "min_stack_version": "8.3",
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
- "sha256": "71c2c3a84c8776d4d55a196976af7988e418dd9269e2d47fbaa5e735f4e2a8b5",
+ "sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
 "min_stack_version": "8.3",
@@ -8700,9 +9114,9 @@
 "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Print Spooler Child Process",
- "sha256": "407e751c426680a73a9f75665f0416cc6532f6ad24f7abe9cfa304be168522a1",
+ "sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
 "min_stack_version": "8.3",
@@ -8748,9 +9162,9 @@
 "ef862985-3f13-4262-a686-5f357bbb9bc2": {
 "min_stack_version": "8.3",
 "rule_name": "Whoami Process Activity",
- "sha256": "4367c7704290df656ff19eb3a68c7889e48d56cbce072457becfd69f434e35ba",
+ "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "ef8cc01c-fc49-4954-a175-98569c646740": {
 "min_stack_version": "8.9",
@@ -8762,9 +9176,9 @@
 "f036953a-4615-4707-a1ca-dc53bf69dcd5": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Child Processes of RunDLL32",
- "sha256": "4af429bb1a2ee50c8ac17ce95cf78b67a2c514674d9f537ef5476aca56d12721",
+ "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
 "min_stack_version": "8.3",
@@ -8848,16 +9262,16 @@
 "f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
 "min_stack_version": "8.3",
 "rule_name": "SIP Provider Modification",
- "sha256": "c9dd167236850ac8454b12127e31227e9bec1f9f5fd5a7786a600c1aba78e290",
+ "sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "min_stack_version": "8.3",
 "rule_name": "LSASS Memory Dump Creation",
- "sha256": "1753a2eee380188ceaa72056436275f1455b3e3bc6e9068cd318a9b0505cc539",
+ "sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
 "min_stack_version": "8.9",
@@ -8927,9 +9341,9 @@
 "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Microsoft Office AddIns",
- "sha256": "5d08c860cfdbbde6caa690f18df854a3f106b160401ffe9bdaef82b0f41d5804",
+ "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "f494c678-3c33-43aa-b169-bb3d5198c41d": {
 "min_stack_version": "8.3",
@@ -8954,9 +9368,9 @@
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Script Executing PowerShell",
- "sha256": "b94e86645b289d8348ed42486795e77da783afb122ec48187d0350f3a20f52b3",
+ "sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "f5488ac1-099e-4008-a6cb-fb638a0f0828": {
 "min_stack_version": "8.8",
@@ -8968,9 +9382,9 @@
 "f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
 "min_stack_version": "8.3",
 "rule_name": "Rare SMB Connection to the Internet",
- "sha256": "b05c4528acef62397c715cb60d9752fa133ecba94e25e996871b92f58378b891",
+ "sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "f5861570-e39a-4b8a-9259-abd39f84cb97": {
 "min_stack_version": "8.3",
@@ -8996,9 +9410,9 @@
 "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
 "min_stack_version": "8.9",
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
- "sha256": "841e7e3d259ad21fa37fbfa7cb65713dd10650212ef402434dcd94505006936c",
+ "sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "f5fb4598-4f10-11ed-bdc3-0242ac120002": {
 "min_stack_version": "8.3",
@@ -9017,16 +9431,16 @@
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "82da4dcd3d85bbbce79c9338731f2d3faabeb93b9f8bd758a346c1bb3844926c",
+ "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "min_stack_version": "8.3",
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "8c281efdd7ae17ef1dcf2df2b466453e0c5a6df40e5d5431f4389d20b1a438a0",
+ "sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "f683dcdf-a018-4801-b066-193d4ae6c8e5": {
 "min_stack_version": "8.3",
@@ -9075,9 +9489,9 @@
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "min_stack_version": "8.3",
 "rule_name": "Persistent Scripts in the Startup Directory",
- "sha256": "a60814f61dac11aa9d05163cc55d8da2b2cfb21fc612ed5f4d4d348060e57e80",
+ "sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "f7c70f2e-4616-439c-85ac-5b98415042fe": {
 "min_stack_version": "8.11",
@@ -9089,9 +9503,9 @@
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
- "sha256": "51aacad9edd6ee0e09aa36fcdc008de023969ea682b6b8e0810e61d65a8311f0",
+ "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
 "min_stack_version": "8.3",
@@ -9103,9 +9517,9 @@
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of AmsiEnable Registry Key",
- "sha256": "9dd2a2b3b83b8e850ca46a07ef95f7e14a78d5dc1d5e016c069ea25579284240",
+ "sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "f94e898e-94f1-4545-8923-03e4b2866211": {
 "min_stack_version": "8.8",
@@ -9124,9 +9538,9 @@
 "f95972d3-c23b-463b-89a8-796b3f369b49": {
 "min_stack_version": "8.3",
 "rule_name": "Ingress Transfer via Windows BITS",
- "sha256": "17194641e5b83110a15ad1ea56df6e69c2061a202fd582a587fa4581966173fa",
+ "sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "f97504ac-1053-498f-aeaa-c6d01e76b379": {
 "min_stack_version": "8.3",
@@ -9161,9 +9575,9 @@
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "min_stack_version": "8.3",
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "d32ada1465167b6293df7280629172d0509463e769904db94d5f248237f0f48f",
+ "sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "fa210b61-b627-4e5e-86f4-17e8270656ab": {
 "min_stack_version": "8.3",
@@ -9182,9 +9596,9 @@
 "fa488440-04cc-41d7-9279-539387bf2a17": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "a71e0082cbfb886e234b2dde6fb3a70a5084af0eb33e07cf1a8e2841693cfb67",
+ "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "fac52c69-2646-4e79-89c0-fd7653461010": {
 "min_stack_version": "8.3",
@@ -9248,9 +9662,9 @@
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "43cf4780d862e228583a5b86075630c0a699c981a923c89a6d17347b3f9a403b",
+ "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "fc909baa-fb34-4c46-9691-be276ef4234c": {
 "min_stack_version": "8.8",
@@ -9275,16 +9689,16 @@
 "fd4a992d-6130-4802-9ff8-829b89ae801f": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "8da3991d43d27d1307bfe952667feeaee10a17f086024460a72695f6a069495a",
+ "sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "828207753a4524cab2f050a270a6c7daae8f14ef3bc46fdddabeb6e5a4fbaf9c",
+ "sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.6",
@@ -9298,9 +9712,9 @@
 }
 },
 "rule_name": "Svchost spawning Cmd",
- "sha256": "0f97a093a060747af65927b28394e233712aca82f61b9e3a0841aba43b6656a7",
+ "sha256": "c2e725e9eb19e33d6be3fc8161e3923a7db648a6233feb31e68837e724c7800c",
 "type": "new_terms",
- "version": 210
+ "version": 211
 },
 "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
 "min_stack_version": "8.3",
@@ -9333,16 +9747,16 @@
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "ca97f32f23e5e5a8a9980f4544b94a40f0c491f70e47c9a5d1bacc9f2acaf0c4",
+ "sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Masquerading as Business App Installer",
- "sha256": "40b6160ff1840321119de9eaf4ab17ad8efd8941b316318fda962bb59ada871b",
+ "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
 "min_stack_version": "8.3",
@@ -9382,16 +9796,25 @@
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "min_stack_version": "8.7",
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "3ebb73fb1bc78e99a7321c9da744e2462cb56b7b8b3a372342993176f40608c2",
+ "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
+ "sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
 "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "min_stack_version": "8.3",