diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index f690cbba2..9d94a0e50 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -7,9 +7,9 @@ }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "6e291a5cddac92af2120612d0e5b2a5db1929ee4fb58d53071642dc7e37fee20", + "sha256": "6a4eb911446aa850681cf14d125f358e8b44319da80c66a5b5495c9978aa3004", "type": "eql", - "version": 318 + "version": 319 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", @@ -186,10 +186,10 @@ "version": 4 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "30d23f6e345652ddecf8a6ccafdc4a3f18af50c9a8ecef16578e14094e8d3d55", + "rule_name": "Suspicious Microsoft Antimalware Service Execution", + "sha256": "0dae8d0010c9ebf4d51a556663c7a4e0f0b4a9d1780196c19012553a41e2fa5d", "type": "eql", - "version": 215 + "version": 216 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", @@ -229,9 +229,9 @@ }, "064a2e08-25da-11f0-b1f1-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk", - "sha256": "2d9696b9804309379956f4234f1de956bb83f53271f594fef7e22b983003fb70", + "sha256": "9d77ad59ab67340207093d23cf72b00957c566c940adb6438730e18d6bce208d", "type": "query", - "version": 2 + "version": 3 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "rule_name": "System Time Discovery", 
@@ -421,9 +421,9 @@ }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", - "sha256": "8306cd0929a80bd742350e33bb52b21777571e2b6fc75217422a551ed8d0ba6a", + "sha256": "1ef43eb1d0f9697f8d917b9a66f4d2299dd5647ec74b29074b19ad6e3e05da88", "type": "query", - "version": 217 + "version": 218 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", @@ -463,9 +463,9 @@ }, "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { "rule_name": "Microsoft 365 Illicit Consent Grant via Registered Application", - "sha256": "91a39207de666908bf7de22f812fa33236c0103b9f9c3cd9f7e847353fc6f1c8", + "sha256": "b383b192b38838c6c2f6c8d91f31214a4d169ac00e42bd66adbcd416ba67c93c", "type": "new_terms", - "version": 3 + "version": 4 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", @@ -535,9 +535,9 @@ }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "e78a9969bc5e054975c375e52db0dac90ce3655bdc77387b2748d688714f3375", + "sha256": "f9a9b14855cdf4301bdc0e0ea559eb414df0e0156f82ab0b548cfcda7145f622", "type": "esql", - "version": 102 + "version": 103 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", @@ -661,9 +661,9 @@ }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "2f9c6ebcc168fd73263677e3306698c105ac5996bf07026b2d5b29808c561a63", + "sha256": "3e3281f18ce3ea8d213d81c02aa7392e82725b7561db23878c2c8734e0f2f225", "type": "eql", - "version": 216 + "version": 217 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", 
@@ -781,9 +781,9 @@ }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "a5cd731c12b8a6223c831ec20fa4a17a899b903d5629bcc6f0f821342b5bcbf4", + "sha256": "f73b6f00fd89d78df5f96c1b7d8638cd91e59b9334f0b12e1b527dba7e06099b", "type": "threshold", - "version": 209 + "version": 210 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", @@ -793,9 +793,9 @@ }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", - "sha256": "c7887e579a03c71e110612389d59d34e3270e6f56f2edc4ccd1f9703a2b6ee1e", + "sha256": "d1e0458ecbccfbf0108f8542b7a799fe551a086c05f2a61ab2df36d16092b7ab", "type": "eql", - "version": 11 + "version": 12 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", @@ -907,9 +907,9 @@ }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", - "sha256": "5993f0d872bbf12af1cc908245ea8a9f120cf044728d32423fa24ddd77f30ebc", + "sha256": "07391674964f4ab57f29fb37e8ad1618dd899f3b8abd1ced5b15ecae703690e9", "type": "eql", - "version": 116 + "version": 117 }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", @@ -1081,9 +1081,9 @@ }, "1a3f2a4c-12d0-4b88-961a-2711ee295637": { "rule_name": "Potential System Tampering via File Modification", - "sha256": "7c83bc5eaa2a069cb0d447c66e1c513d530dd45bc557a9d026acd112fe4dc407", + "sha256": "103948de64613c9e00529640ef48bc2472935b80420628f0917df58b4f57ff10", "type": "eql", - "version": 1 + "version": 2 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", 
@@ -1135,9 +1135,9 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Microsoft Entra ID Illicit Consent Grant via Registered Application", - "sha256": "6a310f46b8d33d9e702de35ac1b436bc874e148c5f8eac44d17d6bbef6a8839a", + "sha256": "0bc6b157e5b4771d99167a0a631d01edfd4d4f00c425c79e02b2991897f72241", "type": "new_terms", - "version": 216 + "version": 217 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", @@ -1165,9 +1165,9 @@ }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "a84e20c2c4fc5066af8592c0955130207146c842eee469e7530c0bf8af7b911a", + "sha256": "354ab9d610ce0c57ea34757dc89731d585970c4c401d30aed415349b8f552ae5", "type": "query", - "version": 209 + "version": 210 }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", @@ -1212,10 +1212,10 @@ "version": 11 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "77163f2c8a75481511e44a1f0dde1c220b2317dff48cefe5b5073a90eb32878d", + "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader", + "sha256": "3caf1dd70a817330534a0dc7cdc46d615214890e6f3d34081977f33977018794", "type": "eql", - "version": 210 + "version": 211 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { "rule_name": "Potential Linux Hack Tool Launched", @@ -1279,9 +1279,9 @@ }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "5950b86e681b4be75861a8e08306a72d54926b09bc5d6752cf63f4877beeb107", + "sha256": "c7a8ee25d1dbd3f36d7e967a1a1ade02348f712c5434c99e551d822ea1cd4f53", "type": "esql", - "version": 5 + "version": 6 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", 
@@ -1339,9 +1339,9 @@ }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "7ec8afe61b5d5522ddf1602ca5848c01b0299fdc1421f213ccabc57b07849efd", - "type": "eql", - "version": 215 + "sha256": "591b6b1f70000a85406841ab2da5998d65bbb536ca44563cf9739d26d2467844", + "type": "new_terms", + "version": 216 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", @@ -1356,10 +1356,10 @@ "version": 9 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { - "rule_name": "SNS Topic Message Publish by Rare User", - "sha256": "8e256f5c59c82008e662a265098cf1faf568d9097724091f4bfbaf86cd2e6152", + "rule_name": "AWS SNS Topic Message Publish by Rare User", + "sha256": "9e1527dfa34c8a262625248c7a5788f2e59f32a8c1f26af52aa804ae2eeee552", "type": "new_terms", - "version": 3 + "version": 4 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", @@ -1466,9 +1466,9 @@ }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "ec2b9766f4880d475594b910e6ce3cec44256f4c0b698a073eb77b47d4147e95", + "sha256": "fd002bc758bbb043c92aa8a457a383e329ff5721b72f64d9702c8bb16bceb9ad", "type": "query", - "version": 107 + "version": 108 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "rule_name": "Potential Reverse Shell via Background Process", @@ -1532,9 +1532,9 @@ }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", - "sha256": "b8f51f44908a71953949cf0f0702cc9980b44c6aebdfeb31879ae51ba80901da", + "sha256": "c392cc11c27ffe962a0da8eb5da8ada66422358b223ed6af3bbdb4b8b0c7b1b7", "type": "new_terms", - "version": 3 + "version": 4 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", 
@@ -1682,9 +1682,9 @@ }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "2218a1c255bf313d4fac1bfa65c89a0eaf83fb6b9e130f7b08b7b5006ec5fd01", - "type": "eql", - "version": 419 + "sha256": "45cbe9246667f2d56463ad3f08c71e062639589b26baf228ffdc9526e4819225", + "type": "new_terms", + "version": 420 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", @@ -1712,9 +1712,9 @@ }, "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft Graph First Occurrence of Client Request", - "sha256": "b4148f8d9943e630d980806e0c498a1c96623a4c53fbd882da857b6004a18c27", + "sha256": "1b0cb80fcc3dc2267145c0a970ac20d31934cf9c2bd309e9a7076558380dca50", "type": "new_terms", - "version": 2 + "version": 3 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", @@ -1748,15 +1748,15 @@ }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "97edcf002d5b54384c4481eb6f11d314671d3d193ca79b8445658cbd54e0a2c5", + "sha256": "114f9531c6f7277c8cc743ecf821000f04fab47ce28cde1ea88bfa9ca40f90e2", "type": "eql", - "version": 316 + "version": 317 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "94590de540b69a69312f51d1f069adec57f1c9744166166497c75c55d812574e", + "sha256": "c22b3e1c37ec22f448030cd1e024fefd0147a393609a60363ad325a47039b1e7", "type": "eql", - "version": 214 + "version": 215 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", 
@@ -1779,9 +1779,9 @@ }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "02ff68c3e74a02dd1c10175b332be482843ce4eccac1fb124a8ca96b399b8705", + "sha256": "5b526c5e3b8b64acda426d7aa6bcffe7c582c40a5d2b6a9a89061d9d34eab6f6", "type": "eql", - "version": 206 + "version": 207 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected", @@ -1869,9 +1869,9 @@ }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "3800e4eeb11bcd2d1f6285aea2e290d6efd3fee146ac7a3fd8be669f22d60db3", + "sha256": "626bd220c455c59636dee56cc13b8d6e035a79fcee06b113ffb73b854659b3fb", "type": "query", - "version": 214 + "version": 215 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", @@ -1959,9 +1959,9 @@ }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "22a7b42cd7db90c18eec4376c4b459b6c966d9abf31f08e91303adf90d243eee", + "sha256": "15ec1bf4d34174c04c219abeeaf5b0b370bd00a31d1c2b24d99ea9120ffee8f3", "type": "eql", - "version": 320 + "version": 321 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", @@ -2013,9 +2013,9 @@ }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Portal Login (Atypical Travel)", - "sha256": "cd8506a92089084d040969a20d1ccc5b2fb5736e176ba3fb3e6339a0ea066f53", + "sha256": "a4ce0502b3c36a2a63710f8ce397de99009cc125818e204b07b5a08018f4aefb", "type": "new_terms", - "version": 6 + "version": 7 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", 
@@ -2049,9 +2049,9 @@ }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", - "sha256": "09b1d81d0502706b885718655ac15e456d5dd6b94d4a9dd2eab8d63ea2cebfaf", + "sha256": "7b066e109e29dc047b8d5180ee81d6cc258861389ecfcefea7dbe5d1a8f9a4be", "type": "eql", - "version": 113 + "version": 114 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container", @@ -2223,9 +2223,9 @@ }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Portal Login (Impossible Travel)", - "sha256": "c0b3fdff344187ba74e33c839e4148dff4b058f036d74c25ecf27ff52d71bedd", + "sha256": "1a136232efc098e05492a02b38c1de4c37e1616b2bb6c7c8047271d53864c005", "type": "threshold", - "version": 6 + "version": 7 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", @@ -2349,9 +2349,9 @@ }, "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { "rule_name": "AWS SNS Topic Created by Rare User", - "sha256": "f95af67b1718bc838064eb5cff6a41b8318bf03fe0193dc1b2edfb9c75e81dd5", + "sha256": "6e5674a983c2dee63298075c177a37833a7edb11df47076a5975e9936ac9db95", "type": "new_terms", - "version": 3 + "version": 4 }, "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": { "rule_name": "Potential Impersonation Attempt via Kubectl", @@ -2379,9 +2379,9 @@ }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "ec1f9a5db847b5ee7337de5d58e367e15d071615a3da8502f74073a8b94a0699", + "sha256": "8f2ca239d2218e6e52e1d647acc0e7c03554c548b312f30435e3bd5f3d1c6e84", "type": "eql", - "version": 207 + "version": 208 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "rule_name": "PowerShell Script with Log Clear Capabilities", 
@@ -2390,10 +2390,10 @@ "version": 210 }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { - "rule_name": "AWS SNS Email Subscription by Rare User", - "sha256": "c83ec09fca8600fea07fc5cf1b06c642fbc48905ebdaf13aaa4ee47a02113828", + "rule_name": "AWS SNS Rare Protocol Subscription by User", + "sha256": "6058fa96b4d3ccbd3cbe0800857ef03594df77f0f35cf37710da392649d733c3", "type": "new_terms", - "version": 5 + "version": 6 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", @@ -2685,9 +2685,9 @@ }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "976a7216513f549bc9459fe3a970cfbef0d4d4e058c30ff781aa46a3b6c302c4", + "sha256": "d587f84061510af81e4d24d6a46b7d23a87048e8f6d3d1172b32452a1d829ae5", "type": "eql", - "version": 216 + "version": 217 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", @@ -2853,9 +2853,9 @@ }, "4ae94fc1-f08f-419f-b692-053d28219380": { "rule_name": "Connection to Common Large Language Model Endpoints", - "sha256": "c76a051731982498c30d4de759dd360f9f9dd6617102e0143a3ed622b1280d5c", + "sha256": "420d27afe834c13cd4781690dc6e0fc24038b9325999348e590100d83d31c0c5", "type": "eql", - "version": 1 + "version": 2 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", @@ -2865,9 +2865,9 @@ }, "4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - User Risk", - "sha256": "c5af00471be7064f2bfaee19936213324f7b4fa530bd99fdc16906ebab0a5800", + "sha256": "64f9e7a03be2d883b4449110a9303b2251f0041f342770d1fac5487d115b82bc", "type": "query", - "version": 1 + "version": 2 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", 
@@ -2919,9 +2919,9 @@ }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "rule_name": "PowerShell Share Enumeration Script", - "sha256": "c6ad717010035336451a227f68b1e9c169b8913d0c8d3227bc0c19dc890a6e97", + "sha256": "349376f0919d8ae78cf2e2593e35a385db6c651dcbd0f2d3bd65e481acf834bb", "type": "query", - "version": 113 + "version": 114 }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { "rule_name": "Potential NetNTLMv1 Downgrade Attack", @@ -2955,9 +2955,9 @@ }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "6f71b90d34a16c61fe28ce3de74b6384b3e873433f05c7fd24a99a9f8b899303", + "sha256": "9da3a00827b47a5c8bc78213e855c936d592e23250b29822768cbd60a9c7a8de", "type": "eql", - "version": 317 + "version": 318 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "rule_name": "Multiple Logon Failure Followed by Logon Success", @@ -2973,9 +2973,9 @@ }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "e83d31d2f2045bd4a904365e77ede3c00d17f5969f78df29b0379fc1612ea527", - "type": "eql", - "version": 316 + "sha256": "c244bdf6026d00890decfa2967be12774a0a0856e9c2b4648c27e387152ef430", + "type": "new_terms", + "version": 317 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "rule_name": "Suspicious Script Object Execution", @@ -3009,9 +3009,9 @@ }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "f2424834e44a69340ce5568b0d5fe81eba881e0c3a8bef999f8951a46b3106a2", + "sha256": "765c282f30b0895e1d0260ea7fd4e8cc74f36d47fd286a736aad6211de527511", "type": "threshold", - "version": 209 + "version": 210 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", 
@@ -3171,9 +3171,9 @@ }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "f3db37c5995ca1922f0f5ef5d8f42c98be68375486e044c65fe06e76e3aa763a", + "sha256": "bc4331c82d520ff042039108c9e24f4e368808f251c17b5decb7e6b1bbac1236", "type": "query", - "version": 212 + "version": 213 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "rule_name": "Network Logon Provider Registry Modification", @@ -3183,9 +3183,9 @@ }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "ca9db385c3cfb574b246035ad74f0343c577db921ac9a6e0341c758e17e26ca2", + "sha256": "d9d7b7c944e438656c8d6c348d8acd34be6f45ef68c23cdc5c1e679c1eb476f2", "type": "eql", - "version": 216 + "version": 217 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", @@ -3363,9 +3363,9 @@ }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", - "sha256": "afd8f32f6156383a46c4c1d56ca7897828ee05b79901ae05dd3d0d647211b298", + "sha256": "f1081bb686a1f4c071e6049ff5f3869cbfd18cadedb1bf0f268c8cc84d409bae", "type": "new_terms", - "version": 4 + "version": 5 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "rule_name": "IPv4/IPv6 Forwarding Activity", @@ -3615,9 +3615,9 @@ }, "5f2f463e-6997-478c-8405-fb41cc283281": { "rule_name": "Potential File Download via a Headless Browser", - "sha256": "e53bd1c61f4c344019fc1486685bbeff6040e549e4a75c172d4ef57fb4466686", + "sha256": "e1bc7738d6422a53137fd0fd3a0f1caea8ad0963f3c1ad4e800995133bf37fd2", "type": "eql", - "version": 206 + "version": 207 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Docker Escape via Nsenter", 
@@ -3771,9 +3771,9 @@ }, "642ce354-4252-4d43-80c9-6603f16571c1": { "rule_name": "System Public IP Discovery via DNS Query", - "sha256": "5eed6d39b3ff549f9fad07deb25f6b9f17ef4b11d01d6291bea126940dfea36e", + "sha256": "2441c0f7156104f1405a955199b80b4134fefeff71f2746eb534985a66a1ad90", "type": "eql", - "version": 1 + "version": 2 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", @@ -3867,9 +3867,9 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "e0bcdab50088ca7a1827ec90afe4ec21cf937ffaf9b9069142b1709b1dae722d", + "sha256": "4320517339b259e2c41c8dd0238e8aaa22a70b05af5d5ce9dff159584b796373", "type": "eql", - "version": 121 + "version": 122 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", @@ -3975,9 +3975,9 @@ }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "bce5140482d1ba1ce7f47b0bb3a39d375abf3c7ed00c4a7b49ebf194b2e94f80", + "sha256": "9fab68b7507df7a39b1c270256e4a76068864536bc4cb87e03748b50de0410a3", "type": "eql", - "version": 106 + "version": 107 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", @@ -4065,9 +4065,9 @@ }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "4b223bbbb2de1fdda098f39923b4c779a6e2bfdd88ccf0137b08808a96c02042", + "sha256": "98f22dcd741fe6865d68065d976c1b066ef4466d9971f43d4e06d2e861033362", "type": "esql", - "version": 5 + "version": 6 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", 
@@ -4391,9 +4391,9 @@ }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "8879780b1e7f8e78d71a5f73adadde4ba4d0ed831e4b18682eca96c1d3d0db5d", + "sha256": "3a1f9137b0ac5c869b1a85c1f9cf33b9842c078786d4f226f86133349f0dea88", "type": "eql", - "version": 215 + "version": 216 }, "74147312-ba03-4bea-91d1-040d54c1e8c3": { "min_stack_version": "8.18", @@ -4512,9 +4512,9 @@ }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "bcfd7354aed5a764e46baa036e742d25e5e2d484a217268320a01bf60b2a2bc1", + "sha256": "8636de92418ba0fb4da7c8ecf7acdb02dc3d945c502ffcedf1c9f4dcdcf5827f", "type": "esql", - "version": 5 + "version": 6 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", @@ -4756,9 +4756,9 @@ }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "8bd90f260cdbeb5d6567c41d2954e4ee3d028c6594291717fab5917b67d1358f", + "sha256": "493e22ea78c761eae9056fac3878d9b6d1ebbaee2624fee14ae21875d09353b1", "type": "eql", - "version": 312 + "version": 313 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", @@ -4767,10 +4767,10 @@ "version": 3 }, "7eb54028-ca72-4eb7-8185-b6864572347db": { - "rule_name": "System File Onwership Change", - "sha256": "81a9e544cead76ee7b81192939ed74e86ec20a6e1ace52d27147aaaa2aa0cc93", + "rule_name": "System File Ownership Change", + "sha256": "cd283fa0bc6b54331bf4d6de31672ac996500854d552589e0fb3d87ee53718d7", "type": "eql", - "version": 1 + "version": 2 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", 
@@ -4833,10 +4833,10 @@ "version": 107 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { - "rule_name": "SSM Session Started to EC2 Instance", - "sha256": "504f3a50d1bd25b8e6af53a7de52f7536a9a2b90a733395388672099dd77243f", + "rule_name": "AWS SSM Session Started to EC2 Instance", + "sha256": "7021d0a49f1f181d98e8c95a1f7b133889bb579c31106b36cec007663429cb20", "type": "new_terms", - "version": 4 + "version": 5 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", @@ -4990,9 +4990,9 @@ }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "6937741695dc02c9bf74f0e166bf81212b51bfd952ae6f5c91c84cc592a66e86", + "sha256": "2e528cbe49d075785c8bfdb56f1f98a894355c967ffedb16520edafc3eb1b59b", "type": "esql", - "version": 5 + "version": 6 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", @@ -5038,9 +5038,9 @@ }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "2f9acb987606670ee684082ddc4ae38064488e0333b5be54d7f7000c85689401", + "sha256": "1bff13467a04532f781289acccac6530eec7856ea37dc12f8e82d159117fdaab", "type": "query", - "version": 5 + "version": 6 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", @@ -5068,9 +5068,9 @@ }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "15c2ef603fa386034d9c15726475fdb118c5068f3a25df4559a4213273c5b1f9", + "sha256": "685630c86ccd94d5d35f3d645871ba6f361ec9e8884ca3274452c07780f404ca", "type": "query", - "version": 210 + "version": 211 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", 
@@ -5134,9 +5134,9 @@ }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "5b134678f04342b904ee4c63980fc14bdcf2f7cbf135b07967094491c2b4da6f", + "sha256": "fb1ea0e63a803e1940dff9f62dd54930786b39fa993f1997a8229653dd5551ec", "type": "eql", - "version": 210 + "version": 211 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", @@ -5170,9 +5170,9 @@ }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "9f04d7a84b28aa6755992666e62838bd70bd7b7b428ad1d9788f1a083e115f6b", + "sha256": "b46ae0c3ec957325459e7b26755db5f31c216654a2fffa191c8814e5cfc43e8b", "type": "esql", - "version": 5 + "version": 6 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", @@ -5212,9 +5212,9 @@ }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", - "sha256": "bc0a906f4a1bb8f44279b6c9baf876b4b66b45f19e8afb6fe1d23e5ec613a4c9", + "sha256": "049ee13aaa5ccfc606fd52f980a2bce0189ce70877afc655a8218996270d86b3", "type": "eql", - "version": 316 + "version": 317 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", @@ -5308,9 +5308,9 @@ }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "Unusual File Transfer Utility Launched", - "sha256": "69c8afa3b8a767b0a2458a7b93bb995598c358f351aba9f58d4c8594929e3d74", + "sha256": "b22313068d9b66259cfc59c5bdd36076a9d504ead65aeed21bbcd51d82eb3453", "type": "esql", - "version": 5 + "version": 6 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", 
@@ -5434,15 +5434,15 @@ }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "1900e8b5d7fcee1a459e9679ad51643080f62aeca67caae4f511dfb6a093f9aa", + "sha256": "73b6bf7401d30d109605b9cf75a75198af638954f0bbe0a63547a9d1d334ff47", "type": "query", - "version": 212 + "version": 213 }, "929d0766-204b-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft 365 OAuth Phishing via Visual Studio Code Client", - "sha256": "69ec4930f25e7ceca53b47c161c1c163a656a0077256cf62957b709a3059adaa", + "sha256": "692c4ff17f9e1810fb3a27e8b707cf00beceb4a48a3b9e34da970c6be84a18c9", "type": "query", - "version": 1 + "version": 2 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "rule_name": "A scheduled task was created", @@ -5536,9 +5536,9 @@ }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "rule_name": "D-Bus Service Created", - "sha256": "a87d692f51495c10a178636bff52caeb6b6be4413b4620d6af670c058e9cce56", + "sha256": "3d9a3fba66bf4fc424d7c396a8a2f2ce0f835c4c1822bff9567d48644d7f264a", "type": "eql", - "version": 4 + "version": 5 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", @@ -5584,9 +5584,9 @@ }, "96b2a03e-003b-11f0-8541-f661ea17fbcd": { "rule_name": "AWS DynamoDB Scan by Unusual User", - "sha256": "0da9d5a9ea1fe0814c0fa7782ac2a24f7f7f89aeb8855498aab85a14ed332a58", + "sha256": "3eed4a4c3204cad01ff4a9d1c6cc455649e35300c8afa58eb7986f4f11d49357", "type": "new_terms", - "version": 3 + "version": 4 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", 
@@ -5644,9 +5644,9 @@ }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "450d7bfd876b254e435bbbab830503697dc8637b22533ccdebd455e521f31ac0", + "sha256": "86e6bb848041609668083d39fe198b49fdcba76b3f0cf20ff5996c0d9f52abeb", "type": "esql", - "version": 5 + "version": 6 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", @@ -5655,10 +5655,10 @@ "version": 210 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "4041c4ae09570e6883d75b0cc6d734066a4ad40fdd5c2249576cc80d9efac0c3", + "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications", + "sha256": "e60ca0f40eef1090732be6cccd54853228ee8d052ddf109441c7cc42cf9e8ba2", "type": "eql", - "version": 416 + "version": 417 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", @@ -5752,9 +5752,9 @@ }, "994e40aa-8c85-43de-825e-15f665375ee8": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "87a4644df0fd8f0a046677d6b1a8af3beb420efbcbfe4436f6e44bfce6b47200", + "sha256": "6cf048e21ad41cae88785d4f7b6e79867ef3e76d331df8daf1e6fa1102ac3843", "type": "eql", - "version": 113 + "version": 114 }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", @@ -5987,9 +5987,9 @@ }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", - "sha256": "6d3f6bb39a4f822e9bf45d3e0eb26e9ce75a3107ccb975e76fc570cb3436a1db", - "type": "eql", - "version": 219 + "sha256": "58e3c0aea20cbb6bf38b5fc51576fdae9771ad92b74fb600c1c75aa17ea15d1d", + "type": "new_terms", + "version": 220 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", 
@@ -6095,9 +6095,9 @@ }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "5f446fb38d518c427dbfd811969facf2a57d911b25d6114a49f2c87041288f1c", + "sha256": "a86c369f124cf2f2f7c82de0f059a5b27045582c8b3d5cd4946ba4b1c60c6e0f", "type": "query", - "version": 111 + "version": 112 }, "a300dea6-e228-40e1-9123-a339e207378b": { "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", @@ -6330,9 +6330,9 @@ }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "1b613902a9aa3ad498f7900c9f46a694be4b4e7e2cfcbfb1da8d53bd0131831e", + "sha256": "ba6a7e7182b3e4e89dd7160487180370114627b90990a51a90214b42f7d0f8c8", "type": "eql", - "version": 119 + "version": 120 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", @@ -6366,9 +6366,9 @@ }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", - "sha256": "e9af0100dd5e405bec735bd4a058de9c52e7f4715ba7f3d5594024939f5744ae", + "sha256": "ccb9c2dedae4339f4a8402f20a272f5e31e98268fe151021905c5803581264a1", "type": "eql", - "version": 206 + "version": 207 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", @@ -6499,9 +6499,9 @@ "aeebe561-c338-4118-9924-8cb4e478aa58": { "min_stack_version": "8.18", "rule_name": "CrowdStrike External Alerts", - "sha256": "3ed638538030b56001a17551427ce3c28872dc46cc8d25eaf05b09d40b3973c6", + "sha256": "037f1bbd2a34edbd83be30b5fe879ea4147544e216a7ecf2e0337b876b72ec45", "type": "query", - "version": 1 + "version": 2 }, "af1e36fe-0abd-4463-b5ec-4e276dec0b26": { "rule_name": "Linux Telegram API Request", 
@@ -6691,9 +6691,9 @@
 },
 "b5877334-677f-4fb9-86d5-a9721274223b": {
 "rule_name": "Clearing Windows Console History",
- "sha256": "1849ec3a92f24a502e0be40851768bf74b4cf3dcc88de15152a1d57fd5f54841",
+ "sha256": "e4ec3eeaca70a7fb0ab7f2aad3186a62aed903bdb8d828be833b9f203430f468",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
@@ -6949,9 +6949,9 @@
 },
 "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": {
 "rule_name": "Multiple Microsoft Entra ID Protection Alerts by User Principal",
- "sha256": "0fbdb8e00dba1a4aceb7eb5c70df0824c3d964c15dbf1b26067578febc1ff849",
+ "sha256": "0e0dc347d7de069dea3850ce6e5f8286f9c302c957194e2657230354dd08ce3e",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "bd18f4a3-c4c6-43b9-a1e4-b05e09998110": {
 "rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab",
@@ -7087,9 +7087,9 @@
 },
 "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
 "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
- "sha256": "c9a7bbb04ccab7586337b2c5014a2d31e6d22110531e1a7be7ff4491245dcdc3",
+ "sha256": "00569a9b31b0877aebf27e35148d1eb321eb3fce94e84b0d5bfc0200b24775c1",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "c125e48f-6783-41f0-b100-c3bf1b114d16": {
 "rule_name": "Suspicious Renaming of ESXI index.html File",
@@ -7237,9 +7237,9 @@
 },
 "c57f8579-e2a5-4804-847f-f2732edc5156": {
 "rule_name": "Potential Remote Desktop Shadowing Activity",
- "sha256": "9cdc147e01b3c94e9180516599fa9b5117aacf7c4d90a60e3d6c65a8aca52d66",
+ "sha256": "0641c9ee39050bac0336ca03815f4418d8f42b3f9c4a05788a18e4b115f51438",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
 "rule_name": "GCP Virtual Private Cloud Network Deletion",
@@ -7344,10 +7344,10 @@
 "version": 208
 },
 "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
- "rule_name": "Unusual File Modification by dns.exe",
- "sha256": "f6c49793b59a31c7cfc0818e0322fc29ca3c4b4faff5f3179af11c94f57ddc41",
- "type": "eql",
- "version": 214
+ "rule_name": "Unusual File Operation by dns.exe",
+ "sha256": "18f10b0d95ce2774e641f8c939f7247f358d75ce2659ffe4ed433dd85f478a61",
+ "type": "new_terms",
+ "version": 215
 },
 "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
 "rule_name": "Spike in Network Traffic To a Country",
@@ -7399,15 +7399,15 @@
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "d8df42b3b1ae015ff855bf033f6d9c5600ea1e6fc0a453067fd1db55845d46eb",
+ "sha256": "7371f8792db6004595209da0e87adcbc16e1e4332f7ebd4d5ffa984adab5790f",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "9da89e6e1b0d7df821d52776490f501defca46b4bcdc1466528a3dae99b8cbfd",
+ "sha256": "15827979279c1de9ee31614d226959b7c9932923d85da38e9b599c365263ebbf",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "c9482bfa-a553-4226-8ea2-4959bd4f7923": {
 "rule_name": "Potential Masquerading as Communication Apps",
@@ -7447,9 +7447,9 @@
 },
 "caaa8b78-367c-11f0-beb8-f661ea17fbcd": {
 "rule_name": "Microsoft Entra ID User Reported Suspicious Activity",
- "sha256": "2b26266bf5ae68b193aa06b9346248c70882cafeb1197534177438fc861cf584",
+ "sha256": "07bae5fc1bad34a258b4714e6a78dde2ff9662bd3645353f70f514431ff208db",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
 "rule_name": "Auditd Login from Forbidden Location",
@@ -7562,9 +7562,9 @@
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
- "sha256": "ea5c43802417daa4603e8ddd5c129a8c63d3a5fc0bdf6ac8a481e2499dba26db",
+ "sha256": "bf90da01585328d17be5647a18e2fc86f587ba6f75076c99f406a8bb81f8dd88",
 "type": "eql",
- "version": 416
+ "version": 417
 },
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
 "rule_name": "Okta User Session Impersonation",
@@ -7574,9 +7574,9 @@
 },
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
- "sha256": "db282c1b5260005aaac9a7be20f9fdf5dfd6193ead99215421700d509c677f57",
+ "sha256": "c5d8f7341c8aa94026664e5ad58319bfe7157e03a65de4182baa55387cc32856",
 "type": "query",
- "version": 217
+ "version": 218
 },
 "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
 "rule_name": "Shadow File Modification by Unusual Process",
@@ -7730,9 +7730,9 @@
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "337b782d00948e278a7de8caa6d63586734531851be789d1189ac9b8e2a3ce00",
+ "sha256": "6b9f951c8a016b83f49461ef758a4357b60f7b5a193b7244d68edf903d216ae8",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
 "rule_name": "Remote Windows Service Installed",
@@ -7815,9 +7815,9 @@
 },
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "rule_name": "Privilege Escalation via Windir Environment Variable",
- "sha256": "7494f21c1a6239837a702192482b3b6e108643fa3a163d51904e903ef6c1a780",
+ "sha256": "15fe34ca3118484deea0a66f9eae2dd88581f0e7135f0478d0ab3f9b5e98a61b",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
 "rule_name": "Attempt to Delete an Okta Policy Rule",
@@ -7869,9 +7869,9 @@
 },
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "rule_name": "Modification of WDigest Security Provider",
- "sha256": "da6d7bf15db5db69aa929b79b5115b96859594a01abbce0973d1d41785cc4af2",
+ "sha256": "b78d84ead9c2e2f8c0b080d7539804c006d2e82dda1e1d1bb489a991d1db248a",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "rule_name": "Command Execution via SolarWinds Process",
@@ -7935,9 +7935,9 @@
 },
 "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
 "rule_name": "Untrusted Driver Loaded",
- "sha256": "fefd28d4a5e4cbad93ef34c95fce341b58293c0d2c1b4ede0b99b541b64c82bb",
+ "sha256": "521c26dd7b4a866375b12d8bf94fc96f58c4609c18d20e1af2bbb6737116b711",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": {
 "rule_name": "Potential REMCOS Trojan Execution",
@@ -8013,9 +8013,9 @@
 },
 "dafa3235-76dc-40e2-9f71-1773b96d24cf": {
 "rule_name": "Entra ID MFA Disabled for User",
- "sha256": "d9319ceb9da40cec88c21a7d267fdb0cb63da883fbf7f093b124f8ccb2566f39",
+ "sha256": "b54fc8c1edfe9d6f2035c2846c98bf0d3c51413ae61ac58e234172aa4fdb711a",
 "type": "query",
- "version": 108
+ "version": 109
 },
 "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
 "rule_name": "Network-Level Authentication (NLA) Disabled",
@@ -8079,9 +8079,9 @@
 },
 "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
 "rule_name": "Suspicious Execution from INET Cache",
- "sha256": "9d191d331a016f26d74e6a8ff918ea6da71312840a3f8c9a1bcad323ad7cfcd8",
+ "sha256": "3e7ff7380de734a0b98762b61a6c34d06b5e6209fa1b42b89385a27f3e709e1e",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
 "rule_name": "Attempt to Install Kali Linux via WSL",
@@ -8133,9 +8133,9 @@
 },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "84d467b82d0972b0fd22be0fc6fa605093b59f4f5daddf51446d9c5ed62aac35",
+ "sha256": "25831887f2b7a10edc4724e5638ad06bd25f32f80be91516cad1f801bfd2738b",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "rule_name": "Base16 or Base32 Encoding/Decoding Activity",
@@ -8193,9 +8193,9 @@
 },
 "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
 "rule_name": "Potential privilege escalation via CVE-2022-38028",
- "sha256": "28291ea5acbadc2b2f130aa01a4f9e6aa7a20a78a50c745da103073bf77febd3",
+ "sha256": "04754d1f1115e42d25e09ec628091486bee331e78bf83009b4038c838f2f8606",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "e00b8d49-632f-4dc6-94a5-76153a481915": {
 "rule_name": "Delayed Execution via Ping",
@@ -8246,10 +8246,10 @@
 "version": 105
 },
 "e12c0318-99b1-44f2-830c-3a38a43207ca": {
- "rule_name": "AWS Route Table Created",
- "sha256": "21e51c5933809c4bf21ab2a879c7027d6c01e1307debe33424cde70529d1c818",
- "type": "query",
- "version": 210
+ "rule_name": "AWS EC2 Route Table Created",
+ "sha256": "fe71bd2e04d2740f750bee99dce9836d1c19395bd839f149df0d88d449550a3a",
+ "type": "new_terms",
+ "version": 211
 },
 "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
 "rule_name": "AWS RDS Cluster Creation",
@@ -8410,9 +8410,9 @@
 },
 "e516bf56-d51b-43e8-91ec-9e276331f433": {
 "rule_name": "Network Activity to a Suspicious Top Level Domain",
- "sha256": "80233c232a063297a6d2d98af570a6f67133069809ce4ac8b5bb2d49e1ff9b59",
+ "sha256": "f8dc4af0148e141008908dd527b014edcd102b900be700caf85e476f6e2d30f4",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "e555105c-ba6d-481f-82bb-9b633e7b4827": {
 "rule_name": "MFA Disabled for Google Workspace Organization",
@@ -8488,9 +8488,9 @@
 },
 "e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
 "rule_name": "Unusual Execution via Microsoft Common Console File",
- "sha256": "5fcd64c31ca352a24eb4c4f4c9621e1a36cf309181f8767686ccaae96169317b",
+ "sha256": "7fa81f350e13f62767add8eac8f6ed5ff6bded35dfbc9240a90f6afc1a74579b",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
 "rule_name": "Potential Linux Credential Dumping via Unshadow",
@@ -8500,9 +8500,9 @@
 },
 "e7cd5982-17c8-4959-874c-633acde7d426": {
 "rule_name": "AWS EC2 Route Table Modified or Deleted",
- "sha256": "06d2351adcbe53c22f6391cb5d9f67194f4a07a82458392a9cf41a83e60d136f",
+ "sha256": "f18144745e343e210c9169d503a65725d2a19d82ea50df322b5d417924d93cbb",
 "type": "new_terms",
- "version": 210
+ "version": 211
 },
 "e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
 "rule_name": "Network Connection by Cups or Foomatic-rip Child",
@@ -8524,9 +8524,9 @@
 },
 "e882e934-2aaa-11f0-8272-f661ea17fbcc": {
 "rule_name": "Suspicious Email Access by First-Party Application via Microsoft Graph",
- "sha256": "86ff54b665e83cd9f3393f348b5867905d4f8c0479c8d2ba5c6a3f21800bbc3d",
+ "sha256": "7551c909b8558596c14479c86523da13336c3d8821f3b8875a0e9af930a51263",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
@@ -8542,9 +8542,9 @@
 },
 "e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
 "rule_name": "AWS DynamoDB Table Exported to S3",
- "sha256": "cbcdba95167e3fe5aedb626c9e00fcde6ef078a991ce7489ab9502dc94e23b81",
+ "sha256": "7a1c848b9332b7abde093a99eab67afa7b533fe25cef0d9374d8854c2e0a36e7",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
 "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
@@ -8650,9 +8650,9 @@
 },
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "rule_name": "PowerShell Kerberos Ticket Request",
- "sha256": "f80f86cf2a5809c248da43094b092cfaa13c63c643f7d8938a671e86c19733b7",
+ "sha256": "73ed7f4606338a54521e32877619bc354d61bd8652897f531386f61601c386ed",
 "type": "query",
- "version": 215
+ "version": 216
 },
 "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
 "rule_name": "Suspicious Network Connection Attempt by Root",
@@ -8680,9 +8680,9 @@
 },
 "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "7b283786203dd991a1e97f88b0ebc561bb71945130014a6efc0a600d08ca2025",
+ "sha256": "639dbba324d05efce28f2d414c6687f844c4a2bf1bf2c510e07a4ab8b7728728",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "rule_name": "Process Execution from an Unusual Directory",
@@ -9130,9 +9130,9 @@
 },
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "4d82c8b13cf75884cb608b21d63c3f9a10f67404536c5d28a993d0a8418ec11e",
+ "sha256": "696b0f2a0dc84944f6e5c874bb805643fba4e2ac642c897e9d439fc5d0a4074b",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
 "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
@@ -9155,9 +9155,9 @@
 "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
 "min_stack_version": "8.18",
 "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
- "sha256": "c0a00db3b763631ed603f36b60c52448f86de8074b5d4ccb41c65939b791d142",
+ "sha256": "4f6aff694ee1ceca5e76ef24674d820f88d7d41199aa0acf061466fd2a17f791",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "f6d8c743-0916-4483-8333-3c6f107e0caa": {
 "rule_name": "Potential PowerShell Obfuscation via String Concatenation",
@@ -9203,9 +9203,9 @@
 },
 "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
 "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
- "sha256": "b6ae0f3d5e5790671f6b90680f9d8c041cfbf0bac41d7f9a6281cb8638714fb9",
+ "sha256": "62ae72c726fceedcc62eca5b723bb6a64e92c8c54e1b2444e2242babdf604457",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "rule_name": "Persistent Scripts in the Startup Directory",
@@ -9227,9 +9227,9 @@
 },
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
- "sha256": "8f20c4f77a4aba5735e7f0ee1ddc1df40a80401369e7fde49fec90409bb94ed4",
+ "sha256": "7f5921e49d7d378d9126e4e01f1bb63e3abd0633ab4ee92b798e220f40aa258c",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
 "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
@@ -9497,9 +9497,9 @@
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
- "sha256": "e0d9cceaa382c6dee76d417d5b1c1f804a62349c4988af90f1e60a50339c4e22",
+ "sha256": "103f74536c4e37ff883b84981835bc8056adec27739d13553205d37b95f434ff",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "rule_name": "Microsoft Windows Defender Tampering",
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
index 9fcbd1a88..a487048d0 100644
--- a/docs-dev/ATT&CK-coverage.md
+++ b/docs-dev/ATT&CK-coverage.md
@@ -158,6 +158,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-network-traffic-http-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-traffic-http-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-network-traffic](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-traffic.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-network](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-okta-system-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-okta-system-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-okta.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-onedrive](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-onedrive.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-orbit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-orbit.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 64929db2c..034014cba 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.4.3"
+version = "1.4.4"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"