From 90c6f24e8f4633b6c1139cf3c88e331cf98b09f9 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 4 Jun 2021 16:15:33 -0600 Subject: [PATCH] Lock the versions from 7.13.0 (#1256) --- etc/deprecated_rules.json | 127 +++- etc/version.lock.json | 1430 +++++++++++++++++++------------------ 2 files changed, 876 insertions(+), 681 deletions(-) diff --git a/etc/deprecated_rules.json b/etc/deprecated_rules.json index 8786ab345..dcb8ad9af 100644 --- a/etc/deprecated_rules.json +++ b/etc/deprecated_rules.json @@ -1,7 +1,132 @@ { + "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { + "deprecation_date": "2021/04/15", + "rule_name": "TCP Port 8000 Activity to the Internet", + "stack_version": "7.14.0" + }, + "0f616aee-8161-4120-857e-742366f5eeb3": { + "deprecation_date": "2021/04/15", + "rule_name": "PowerShell spawning Cmd", + "stack_version": "7.14.0" + }, + "120559c6-5e24-49f4-9e30-8ffe697df6b9": { + "deprecation_date": "2021/04/15", + "rule_name": "User Discovery via Whoami", + "stack_version": "7.14.0" + }, + "139c7458-566a-410c-a5cd-f80238d6a5cd": { + "deprecation_date": "2021/04/15", + "rule_name": "SQL Traffic to the Internet", + "stack_version": "7.14.0" + }, "3a86e085-094c-412d-97ff-2439731e59cb": { "deprecation_date": "2021-03-03", "rule_name": "Setgid Bit Set via chmod", "stack_version": "7.13" + }, + "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { + "deprecation_date": "2021/03/17", + "rule_name": "Execution via Regsvcs/Regasm", + "stack_version": "7.14.0" + }, + "61c31c14-507f-4627-8c31-072556b89a9c": { + "deprecation_date": "2021/04/15", + "rule_name": "Mknod Process Activity", + "stack_version": "7.14.0" + }, + "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { + "deprecation_date": "2021/04/15", + "rule_name": "SMTP to the Internet", + "stack_version": "7.14.0" + }, + "68113fdc-3105-4cdd-85bb-e643c416ef0b": { + "deprecation_date": "2021/04/15", + "rule_name": "Query Registry via reg.exe", + "stack_version": "7.14.0" + }, + "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { + "deprecation_date": "2021/04/15", + "rule_name": "SSH (Secure Shell) to the Internet", + "stack_version": "7.14.0" + }, + "7a137d76-ce3d-48e2-947d-2747796a78c0": { + "deprecation_date": "2021/04/15", + "rule_name": "Network Sniffing via Tcpdump", + "stack_version": "7.14.0" + }, + "7d2c38d7-ede7-4bdf-b140-445906e6c540": { + "deprecation_date": "2021/04/15", + "rule_name": "Tor Activity to the Internet", + "stack_version": "7.14.0" + }, + "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { + "deprecation_date": "2021/04/15", + "rule_name": "Persistence via Kernel Module Modification", + "stack_version": "7.14.0" + }, + "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { + "deprecation_date": "2021/04/15", + "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", + "stack_version": "7.14.0" + }, + "97f22dab-84e8-409d-955e-dacd1d31670b": { + "deprecation_date": "2021/04/15", + "rule_name": "Base64 Encoding/Decoding Activity", + "stack_version": "7.14.0" + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { + "deprecation_date": "2021/04/15", + "rule_name": "Trusted Developer Application Usage", + "stack_version": "7.14.0" + }, + "a9198571-b135-4a76-b055-e3e5a476fd83": { + "deprecation_date": "2021/04/15", + "rule_name": "Hex Encoding/Decoding Activity", + "stack_version": "7.14.0" + }, + "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { + "deprecation_date": "2021/04/15", + "rule_name": "Proxy Port Activity to the Internet", + "stack_version": "7.14.0" + }, + "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { + "deprecation_date": "2021/04/15", + "rule_name": "Potential Persistence via Cron Job", + "stack_version": "7.14.0" + }, + "c6474c34-4953-447a-903e-9fcb7b6661aa": { + "deprecation_date": "2021/04/15", + "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", + "stack_version": "7.14.0" + }, + "c87fca17-b3a9-4e83-b545-f30746c53920": { + "deprecation_date": "2021/04/15", + "rule_name": "Nmap Process Activity", + "stack_version": "7.14.0" + }, + "cc16f774-59f9-462d-8b98-d27ccd4519ec": { + "deprecation_date": "2021/04/15", + "rule_name": "Process Discovery via Tasklist", + "stack_version": "7.14.0" + }, + "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { + "deprecation_date": "2021/04/15", + "rule_name": "Socat Process Activity", + "stack_version": "7.14.0" + }, + "d2053495-8fe7-4168-b3df-dad844046be3": { + "deprecation_date": "2021/04/15", + "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", + "stack_version": "7.14.0" + }, + "e56993d2-759c-4120-984c-9ec9bb940fd5": { + "deprecation_date": "2021/04/15", + "rule_name": "RDP (Remote Desktop Protocol) to the Internet", + "stack_version": "7.14.0" + }, + "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { + "deprecation_date": "2021/04/15", + "rule_name": "SSH (Secure Shell) from the Internet", + "stack_version": "7.14.0" } -} +} \ No newline at end of file diff --git a/etc/version.lock.json b/etc/version.lock.json index ad6aecd91..987a066c7 100644 --- a/etc/version.lock.json +++ b/etc/version.lock.json @@ -1,8 +1,8 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "9fd22842d78b31392490aed929cb17cadea3ff1f5d1b92de22c7ba202918ff71", - "version": 5 + "sha256": "80a1e50be50bbff3ad4c80bdb84fae234c4b5ba106a15e6ed2570580a5d60b46", + "version": 6 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", @@ -11,8 +11,8 @@ }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", - "sha256": "19a7de27f4afd70671c5b18f891926053d71637df671946030a7a4dcfd10f5a0", - "version": 8 + "sha256": "606d4f374fc98e99bd86c9ef062bb48f416b10951ed6138c0ff817fabd8c9ed6", + "version": 9 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", @@ -21,28 +21,28 @@ }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "b0a37cf64b4b4ba2e0a041004784943edd15cc3c32bde131e660754be51e0d31", - "version": 1 + "sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40", + "version": 2 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "9caad75ec7574def8cbf8ee05c13118b5aecac89dcf42cfd646459815d560e08", - "version": 3 + "sha256": "0fe6db05d5bf9752a0ea1b245411830426bd39989f3dbf6855b38b8aaa12eb4b", + "version": 4 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "d3c85491c43408970d42c1b927c23cd6c0a690ed8b96fbcb84d81065be47fcec", - "version": 2 + "sha256": "5ccb45d0d495678162da46f277ecfca7343604daaea4564d9fe0884451c7dcf6", + "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", - "sha256": "103e3e20a1129164d2bd6dac9138dceb577ecd75951f69691758d4d68181921e", - "version": 1 + "sha256": "aa59437d25cbe738b072814c67b5b678717edc99329c857a2eddcc4b0fc42290", + "version": 2 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "9296a1f58fff4f043c856fe8310f458066aa080d0ae36619fc290fef47206ff0", - "version": 7 + "sha256": "b98a066f2cf74984ac8e04ea0db6503d30605711ac54d6d341f42c09a64bb515", + "version": 8 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", @@ -51,13 +51,13 @@ }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "a4bd75a7a91e1886e8798836d4833b9206c29c8c3d09e6a9bae27337804eee7c", - "version": 3 + "sha256": "d199c2fe63aef75d00d1404d2da28ece62aafacca1288fad7441a7febb506bc2", + "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "7b1fe8dbaad6ea318a3f95ac4547646a0fa8b5338043822f714e5a1a111dc1c0", - "version": 6 + "sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba", + "version": 7 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", @@ -66,8 +66,8 @@ }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", - "sha256": "47d4e1e65e3a1c015019ad8161e49447930897e74ab76ad6df30445f8f10e46b", - "version": 6 + "sha256": "ff00a03f7ba5b02d01b5f7890ea3d3039465801d5c3ff943e57cdbc3f9d0bf41", + "version": 7 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall", @@ -86,8 +86,8 @@ }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "019a93733bdf8a597fa9216fd6bc89578add18dc6058735cf9974be5db89ecfb", - "version": 1 + "sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55", + "version": 2 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -106,8 +106,8 @@ }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "9b7bd55891baec28d77bb897969b40cc982c15102259ffff69b3796919202dbd", - "version": 6 + "sha256": "3a049155b9db34c38b264d58bdfd85d877c43f3e7608b71f9faa6362afb4d0c4", + "version": 7 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "rule_name": "Anomalous Windows Process Creation", @@ -121,8 +121,8 @@ }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", - "sha256": "3858f3acbb3617200c0effe46d9f284940970045efbdf53b927613f428c6895c", - "version": 7 + "sha256": "4e12ac0fb84fd0825957284198b6a6419d7164c0a4bf84a19836ffe7a3839c86", + "version": 8 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", @@ -131,8 +131,8 @@ }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", - "sha256": "5fdc2bd59f8e3122de5f063b1c7b5b85e4625add85003fb7d794c254bf77e99d", - "version": 4 + "sha256": "a9f964b598c41ad6f015eaff73303e9f70e8c87ce2bef2eeca17742e02ec14f5", + "version": 5 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", @@ -146,23 +146,23 @@ }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "83d4b9750134c982b98575d88af2b900eae9cdc6af0018600b670fe3ba054773", - "version": 1 + "sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7", + "version": 2 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "rule_name": "WebProxy Settings Modification", - "sha256": "b5af8f94b5401606c27cd0ce6128e4f9dc64a173581df4bf126adf3ca7f98aaa", - "version": 1 + "sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c", + "version": 2 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "fe7e1d6692e9f4763fef4efaa0a58df4c99b2fbe822d6110726dc9499f895cc2", - "version": 3 + "sha256": "bad712c7e3bf95a043fc2871cebcdd450fea6a3b005d3146372539993ba11f21", + "version": 4 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "ca51b94b3c29316c10c03e610304f5677957a12dccc54d778b80f8a888d139ee", - "version": 4 + "sha256": "683cd269e40b092fff232c56fb89929f544f1bc09566ef0e03053ce621503fdc", + "version": 5 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", @@ -176,14 +176,19 @@ }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "fd5543ef34df35a3f89f31a7aa8b144f0fcf5c7ee4d4f7e0ba01944aa07148a5", - "version": 7 + "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", + "version": 8 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "120221c53163f94f7921394a5239a48a64c87bc263ebcb4fabe661f2813d19a9", "version": 3 }, + "1327384f-00f3-44d5-9a8c-2373ba071e92": { + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "efd7d2aa298941d3d4d452f08ace97c0c6a5bd2a26f9da698d06bae893f899e8", + "version": 1 + }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", @@ -191,13 +196,13 @@ }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", - "sha256": "4e4ee6c8ffdc78dd61b144430434fbcf0b863fe87569b70f447ef27944132a32", - "version": 4 + "sha256": "a84027bf00f826384a1ba67bcc0f221a6ec9b4a6f53e2e48ab8f792f7363df7f", + "version": 5 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "fa80e2746a7cbe81b481e9e99deccdbbe6103281705265b702795d173428a0ba", - "version": 8 + "sha256": "6e62c6664dea80ac996968a0a7bbc02303f4bd4df96ff39881f6a1fa036289dd", + "version": 9 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", @@ -206,8 +211,8 @@ }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "6f80c029b353e70d9a1f7c36606e212b33eba9316d32af35617e27351e92c098", - "version": 4 + "sha256": "50ec2f5b9815c5cc153531c5a3d35d9393e03eb4c668ffd62c97b1e2efd616ff", + "version": 5 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", @@ -216,18 +221,18 @@ }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "2bb1add88acb6c2c1709874e8fb81a697790ecd83275ec9a2c955c7fea26fb95", - "version": 4 + "sha256": "255c2d46d1242a17eb61b119f3ca491cfca8ed4f92271129b91f875b8d820350", + "version": 5 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "b3449825b9dc0d1404a9151db31d0ea7439870cc1960816cc1089a768004bc39", - "version": 1 + "sha256": "135b9a750efbc4e8e894e01c44e1a7780e7a59c222a3a94310c3eaaa3c11263a", + "version": 2 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", - "sha256": "631682b56b2b379e24924f00acd807aace8cb78f8c347751d601d084968f5e4b", - "version": 5 + "sha256": "f03abc33d51ec1f27adc73a01b69a305fa7cb0d73d21ae6b9ddee53ddc5e7c40", + "version": 6 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", @@ -236,8 +241,8 @@ }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "rule_name": "Unusual Windows Username", - "sha256": "9be6e9d33905da257f09d6239e9d870486b9c717bb33964f542ca7ba782f5628", - "version": 4 + "sha256": "e2e225e21975e985f3b317b2acab96e077fa87cf7e8904354bf8eae3d852b12e", + "version": 5 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "rule_name": "Unusual Windows Service", @@ -256,8 +261,8 @@ }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "rule_name": "Unusual Windows Remote User", - "sha256": "6301bb6c40b90afcc655e7203e2e3f15fcf4238f100a9f746635c2617b2cddb2", - "version": 4 + "sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841", + "version": 5 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Suspicious Execution - Short Program Name", @@ -271,18 +276,18 @@ }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", - "sha256": "35a8d45c5765943a2b0854dfbfd7f9a7c05c534a58de18e214418ce3008ae96d", - "version": 4 + "sha256": "545191239ffa25aad0736095596c8b1da4fe02b5853b7d098de97c66a389724f", + "version": 5 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", - "sha256": "f930c016a444fe99f60d4358a2ddcc45ec3119fbb8cf3de8738eefc5251968bc", - "version": 3 + "sha256": "b95e0be3b71b1baa53dfb17cf053edb48f4d0c29d12ae4cc565cc34a231bd431", + "version": 4 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Azure Application Credential Modification", - "sha256": "0e553ebd2b48ffd3009e16ce1205812ac1be5735a01d970f370b341b6c4e72eb", - "version": 3 + "sha256": "6131c83a1cf59205fdd118cb16590961e705919f52e11aaf09b0c00bafc02db5", + "version": 4 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", @@ -291,13 +296,13 @@ }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "558d273d31db3b26cb8f5901941fbed9b12e0a325763c1575e72ef05365c6d3d", - "version": 5 + "sha256": "0cc28de03b95bd0c74e9d341f45454944363883a447d9c6f9a48eeb1451611c2", + "version": 6 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "48eeaa5b92d1414286256cc18a96522927ab951e02ad33695747981f23a084fb", - "version": 7 + "sha256": "204cfc566c8562c3b0ab2cd9fb57da1ac55bf68b3ebae6eb23b3af72f735c458", + "version": 8 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", @@ -306,8 +311,8 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "9fda634b944d5b1b8496b6d82c3a59571af1b0dd7ff7e10ef6b98ef93590f247", - "version": 4 + "sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce", + "version": 5 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", @@ -320,14 +325,14 @@ "version": 2 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { - "rule_name": "Public IP Reconnaissance Activity", - "sha256": "6951b8fd1149be5a4ee15ce56da0be9905189e5e20a1f829b42f5af393eb8157", - "version": 3 + "rule_name": "External IP Lookup fron Non-Browser Process", + "sha256": "74f970cf5b235ba112b15830a51eb59ecfb8ca1a7c5f654c10e9ff7a6a28e132", + "version": 4 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "fa843684a8d65c3fe110c03105a4c698740ce245f7a8aa354c44087e1d9a3b65", - "version": 4 + "sha256": "677d44bbbcf6effef4b07da7cb1f03638418e0c63905ef6c5697c15a335d0169", + "version": 5 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Execution of File Written or Modified by PDF Reader", @@ -336,8 +341,8 @@ }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "62b1903d5035ffa9244e81b945b7f4c801d101d615281ce9914fa093541ec7ad", - "version": 4 + "sha256": "713e83e5cc4759b596713bad5c8b20ca123335d567bb2fe189ba8f139cd87b0f", + "version": 5 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", @@ -356,8 +361,8 @@ }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "da7b6e128ad5867cbd3456cf71fb4583caf272f62e76d422a6e765b5a019b508", - "version": 6 + "sha256": "756f8e566860406a290ee07a4ac7b9b2481347bf2d2ec4f6a524d3c65fcb86cb", + "version": 7 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", @@ -376,33 +381,33 @@ }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", - "sha256": "ec73780468dff45dc2dcc20f8f517ae11fc0c908d85287c5f64e1054dfd43467", - "version": 1 + "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", + "version": 2 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Modification", - "sha256": "b636cdf117c8dbe569e93a97d6c59c53758757fd9b3f7743978cfb10a5d33b5d", - "version": 1 + "sha256": "e09b4081f8a3699114c413d133c7a1ac52dd6117fb38c45ad5a7e571ae266b0d", + "version": 2 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", - "sha256": "61f57fd48f1fb63565f2b0bc95e9b394345522799cd75fa10b55e1b7fda552d5", - "version": 3 + "sha256": "f653154c491692a6cb83869048a8f92af0b6bd245f2161717df86a6aadd43a15", + "version": 4 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "7c6c2fff0b01f346a5a4c24b8df93d4939cb25949d7fc9f4578b9594ccac78f2", - "version": 4 + "sha256": "de748771b0f8b17880428ba8fb0d03c3d1e2e359fdf241aba7593c3334d6c2d7", + "version": 5 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", - "sha256": "961b1deac49c71fddc94965ab111a3c85bd9f42d0f8aa826f31843e763f53882", - "version": 9 + "sha256": "20778cf6abac89fc8fe2c2a7c71dcd89074aa9da95a0c2bc14d9fd694fc7b9f4", + "version": 10 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "edc4cb4820017d89a64e1e5f5190912787091e860fefdc09e47a1ccf3d2e28a4", - "version": 4 + "sha256": "bb8096354dce3087fc76625206e23fdf959a562504690ddde6c4e4e937092ce0", + "version": 5 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "rule_name": "Lateral Movement via Startup Folder", @@ -411,8 +416,8 @@ }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "dd2d9553b890f746fbcf9ab966b7e2252b590a2a0a2a27eb1b2ab7e9e7943318", - "version": 4 + "sha256": "64a8b7c2b0532a18d1e94f963c74136c3cdf97ace12540d5e9daf5af4455fc14", + "version": 5 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", @@ -421,13 +426,13 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "99d42e8419647d93781f48cd1dfae7aa518fdb7d64bbf14a5d92d3488610b2ce", - "version": 2 + "sha256": "542aade4dc8e6268eee81fb3f4974e882255636a433f7d784d71d1545896fb14", + "version": 3 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "38f1daaff7be80a26561301c00fa778dd3493fd89499628a87133aedfd459363", - "version": 3 + "sha256": "60461c35cdcd0a470e1bff0cfcb9901456a6a5ce40894cd430216cc2b474923f", + "version": 4 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", @@ -436,28 +441,28 @@ }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "f72b655abdc07f8715c792d19d9c505d927a226d96119a4ce13980d1b61c510c", - "version": 4 + "sha256": "1d74ec0969839420f2e03143d2b535768a053e2d0107ef6ca49719cfe92adb03", + "version": 5 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "314b665e4aaee834713a0e81e740a6f90aa8531f20f57fff50776abee3561b1a", - "version": 3 + "sha256": "7f4f776206e7ea26e377cf5665556bb3d6268796fc06023b7b85d58502783e2b", + "version": 4 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Net command via SYSTEM account", - "sha256": "bcf411fda8a3e622613b7eddce8f38129bde7a1520c7e2b436d8628974441dbf", - "version": 6 + "sha256": "b46d627ebfd274fa9aae22cca0c0f99f53ac08424f9269e2c7e2085e77554727", + "version": 7 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "027892bbc77dec382e1fff007e985d1ddaa09db9765397a995bca7504228a92d", - "version": 6 + "sha256": "9edd40f31e655a0aecf8ed56d1b078ab5d082338fbe220bcc463b64d0d384ac3", + "version": 7 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", - "sha256": "2165f6cb7509d5e3c4d1e85f8f395edd0c5cac0eab932c77d292932af0ce26fa", - "version": 3 + "sha256": "b448efa8a3877578f365cdb010bb962b005c00c8233afaf30bdf8c06784f6dc1", + "version": 4 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", @@ -466,13 +471,13 @@ }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Adobe Hijack Persistence", - "sha256": "098b1c3015f7f3d2e4c182836e1cb291997e6bcae75991dc66dcbb4fd02c046d", - "version": 8 + "sha256": "b855256f23054ec5025f78c2ec0ddd70e36ef7b16856700f208936300525f544", + "version": 9 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", - "sha256": "04390626a994d38d1067e1f6102faf343e3946318596f73b4619c51aa0d7489f", - "version": 6 + "sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b", + "version": 7 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed AutoIt Scripts Interpreter", @@ -481,8 +486,8 @@ }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "1abd8a52908e88463907419e423538f77187732d05c2942900b1fa28958e7de8", - "version": 4 + "sha256": "31030aa4c70fd9144e6a59e40685b41c2be5699d13f5a039c957cf9345006e89", + "version": 5 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", @@ -491,8 +496,8 @@ }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", - "sha256": "0cc8ce121a7f9ffea5aadb7586ba3f74a1b24c7f510506354622e0cb326a0fd8", - "version": 7 + "sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6", + "version": 8 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", @@ -501,53 +506,53 @@ }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "0c066a6c77276dde032a4c39d5f1e9d34b4de0e2c393e60531125f5f1770d887", - "version": 1 + "sha256": "937fbc97a49113063f6d84aae638a50b72efd271bb50a2746a74e98679049704", + "version": 2 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "3b68d16c6adae9c7ef0dc411d509e9fe76aaee87a78d1aba35a49ce1b34af640", - "version": 4 + "sha256": "33b768a4456770f5a2eb024ab81e723b4ed3a53b57ebcea0b5130fc245fd6b85", + "version": 5 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "ef7c4255f4cb9f05d51a45a2402b145fd585cece3349c3f9fd5844d5801daee6", - "version": 3 + "sha256": "a98ad9e22ab55a94f482cc8407cf7c072b80f53c858e9b115e018287b47d9f5e", + "version": 4 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "fe37432e9e4d6ed45e85043fb7af715f22d688ee6d80f2c863726d68d49a4aaf", - "version": 7 + "sha256": "f225b443be89a3a05315d49229ab0a512a60c94e9b1db66a3d2656e9200b9a08", + "version": 8 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "262ac7bb0e14b8218fef8c90979e078c1650e9b5139891dade0f2d9831e03c95", - "version": 4 + "sha256": "f6e6b7e74c48f962508febf502668b78eda08a89e4cda91aa9c8e616fe9f04d7", + "version": 5 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", - "sha256": "2c2a51b2f29298b70096505180c009bf1dfa23d27ae0fc5d42a4e8246e2f27ce", - "version": 4 + "sha256": "538db24a6c9fd8552fbd7a8dfc4002b7ccb6273ee79f3936eb16ced1b251ebf3", + "version": 5 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "07747df10d0c1f1f86f2cf45dd6109fe948618bf5fdc5fecc2eb06602e0e3114", - "version": 8 + "sha256": "04f44bb08ddbb0604f2f8a295fa3ab9107711bf25719957c4b12322148c00be5", + "version": 9 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "5776969c744d8770af275525d4484eea657c06f85bb158a17ec46840bc0d8a79", - "version": 3 + "sha256": "3d6f296f6aa09dfcd1f7303be722bf62bacbd951fe957e4d26e0ef5b844f6a6c", + "version": 4 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "6e0051f68fbc7f951da463a0f13255d5db381abfa816f2af03ad3b5f9a2c310d", - "version": 8 + "sha256": "cc833cab5c0e547e8cccc3b115f8f6e99921d98eed41251c06cac69498d49119", + "version": 9 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", - "sha256": "393ce421873be12fab73cb0b0205c86660df523acdb5c217545723c86075a769", - "version": 5 + "sha256": "6e01c88d75910af821e1f30d5bd7080c279e17c8283814a231ace540228449b0", + "version": 6 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", @@ -556,13 +561,13 @@ }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Telnet Port Activity", - "sha256": "7da2279d0fe682877117672d7e68f973bb30b8c956507ebe82a96b7a3ac41d70", - "version": 7 + "sha256": "cdabefe4b5d10a79ff258d4effdfa7f9eb4cf946f6eb43c547dc08fe13f44621", + "version": 8 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "b7b1464cba3b3f44340fccf082c8a42407d3bdcbfcf90b85f2557ac58e97c3f2", - "version": 1 + "sha256": "244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0", + "version": 2 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", @@ -574,6 +579,11 @@ "sha256": "6a46141b11cc0cb3310a27469db9094a6d2ae61b07373b4404f82802fd8b168c", "version": 8 }, + "35f86980-1fb1-4dff-b311-3be941549c8d": { + "rule_name": "Network Traffic to Rare Destination Country", + "sha256": "cc78adc072f0c2c615cf9a3897eeda60bc19fd83e315ebcafbc73eaf9d7f7e0c", + "version": 1 + }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", "sha256": "922ec3de8ec673c8094683d428592de1ad4d44af9afd45caa9a4cf8b0e7289eb", @@ -581,8 +591,8 @@ }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "02af1fc63fe53ac3d6bfdfd484692845851796c093f3ab4fe863c6b98d11dfef", - "version": 1 + "sha256": "ad1d5ab615b56e896714a88a89354cae4da732caf80542b588d03e6424cceb17", + "version": 2 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", @@ -591,8 +601,8 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS Execution via System Manager", - "sha256": "f136a167c78ee46606a2f1c0087fa7367a67690ea10d482ff32f34271ea1ecba", - "version": 5 + "sha256": "ebfabf467dd8b14fa28c54259c168a98dc165de8bb93fd13dcc4354ef9029c5e", + "version": 6 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", @@ -601,8 +611,8 @@ }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "21efa012a7a5b3da682402555b0dd29a6f9e59df51925e3c7592eb3651da1b76", - "version": 5 + "sha256": "5abfe9116b4ccb7e1143f2bcfa466f9280f7d3fe2ed2a632087c756dd44d65c2", + "version": 6 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", @@ -616,13 +626,13 @@ }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "46f760538182b2c1561e580c5254d30d295ae874156b2df1f7d7945d7f5ffc36", - "version": 4 + "sha256": "9844bec52014f739123ed6e75296b8ada4c863b14872750ececb4c8f3a939c69", + "version": 5 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "6a7f54980b56695b6e0e694eadb754eb92d921046139205187bec632cf8dcae2", - "version": 5 + "sha256": "2d105671b4b978e9620b0c65cb4159ec78655dbd4d55fa6a2a10bef3a8f7629a", + "version": 6 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", @@ -631,8 +641,8 @@ }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "fcf9efe1ab14be63857894d4a575c9d3c22a630d6e526295ef3c8f9df346e51a", - "version": 2 + "sha256": "e700245e5adf9b5950b075793d0b19fad2a623d52918a733ace3116e1abd3a64", + "version": 3 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -641,18 +651,18 @@ }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "918bcd3ff0c8d95983985346361a963c0422f1905c3da03bb0db1d3e0bec8de8", - "version": 8 + "sha256": "c8ef7b71bb1059379c1654dd566587b2d9a4611272692fda545242591e2ab456", + "version": 9 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "ee3b4a6b601f7f4929ff9f2d474a2deab9cef75f96c390b99208f95b12d8d619", - "version": 6 + "sha256": "1e6bcd8c9bc347e916e73bbf5adc8c3bc7b5951a8bd471197b2bd3ef22e72921", + "version": 7 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "d27efd2b8dafe3a2e0be361ab3c639e22431debe9d6d26b030e73f4ead90b40d", - "version": 3 + "sha256": "1c4973f2206952ea9b39bc9d3516f3facd27091bb2c9003d6725f7134d6e19cc", + "version": 4 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", @@ -666,8 +676,8 @@ }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", - "sha256": "9216d90a18952b805aacae52dbaa570bea4bd7fab61c0ed8256c3f755b144ef6", - "version": 5 + "sha256": "f97ef2cca95b757b6bf71ab8a99259fc96ac07fc4ec00fa81cdd6e64ef085337", + "version": 6 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", @@ -681,28 +691,28 @@ }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "8a40719ca1948bcfe7b12bb8eb054d89f0d93fda2bde8627d07c72269461296e", - "version": 2 + "sha256": "b0980e6fca207c792d7843fe87577c47e8cf247f5792fc338d293f06dc856b76", + "version": 3 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", - "sha256": "86dcf4ab94aac1674ce265cd27a0c7a873ee1b4cddffb646754f22e06fb8bd6a", - "version": 3 + "sha256": "0ec360815683ac95dccca9d337385dfc1389dd03b5d923f929ab310a2a3c8ad0", + "version": 4 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", - "sha256": "7137fff9945d2a9bacfe270cb70b11338e51815d181fa391c4d3b3e6b8690f14", - "version": 1 + "sha256": "49fca84019de306b693f25ee758a76113137f7f37277ac183c412540bf7dab04", + "version": 2 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "ea80efbc02b8aad167e451638ae7a69edc767de89dd986f6b9f4f76fb43a145c", - "version": 1 + "sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4", + "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "f010eb32774ea99fee8e147ac454d08ab147e38306cb6ef8a6678b603f6c7da2", - "version": 4 + "sha256": "b3f891727a031658802366c46aa16b0456d98a653e97f0873ad9203e4a88005d", + "version": 5 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", @@ -711,8 +721,8 @@ }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", - "sha256": "f09ede4b1f68fffa1f520173d6012ec98bee09abdbfa6cbea491169459a1a96e", - "version": 6 + "sha256": "e7a80d2e9a35839780f87221305e6ee50fde768b34c00dbb3563bc4a114b47c4", + "version": 7 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Shortcut File Written or Modified for Persistence", @@ -726,13 +736,13 @@ }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "905e269e6ada516092e74e17fb1bb5d2bdc1ffdff1d87d42e253940d621e10bc", - "version": 6 + "sha256": "be37d4430c577f95dcc6955d7df5454d2ce79665a551e5d27afa5b483049ccb1", + "version": 7 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "rule_name": "Windows Event Logs Cleared", - "sha256": "edd24d6cd33cf4d97a8db4de08b016939e394923fc60273d7ab52e5324629e24", - "version": 1 + "sha256": "530536e43b2e7c308f3578a3bd010061cc3c281373fe5536e0dd2b7bd1395ddd", + "version": 2 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", @@ -741,13 +751,13 @@ }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "e0a43819f24cae47b5c43190b24e1621f8eed29e1ad91b44408ebb411ea176c3", - "version": 8 + "sha256": "8b06e2c4389580431725d7ec34eaa01ee257ab1980f1dcb62e9457c7fe3a5383", + "version": 9 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", - "sha256": "3d44fb859092c933ff07c33783f154c4f558523cdecfda53baaae7916154278c", - "version": 4 + "sha256": "25aef314e7ab742c617ec902978be738afda5d8aeab82edb2072e77ff9f4cae6", + "version": 5 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", @@ -766,43 +776,43 @@ }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "86d2748f31e20258f69fe7ba9854837085bc03cef366264cc8c829b8c6daad07", - "version": 1 + "sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089", + "version": 2 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "756cb216cd97d55f3734636ebb9f37e77bdf0fa739d61392234863ef4578ee3e", - "version": 4 + "sha256": "daf5012d72d5b808c18913125114e203c60be3702079f90e2e28d9098dbef69e", + "version": 5 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "c56f00f0dcd010dd2ae8232b248fe30e1b555070bf5763883d16d308344e46b2", - "version": 8 + "sha256": "c4e92b6369d96f03afcf8abe54580bb558b94689632aabc9b96b9e18ffbe4ea9", + "version": 9 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "494b14a0febe47fbf05ff1d46818cb54d8be78d60bd3ce1292780f02e2bae6a9", - "version": 3 + "sha256": "a95fdb458a6423309410cb46d41bda785e2690ffb9c4e06f7ca92cd28b2ad647", + "version": 4 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "64af2d4d1a6c0103a258da4f91072f1a0d5830d16444c435302c37abb1b9cef3", - "version": 2 + "sha256": "54f432ebeecc716460a030d6d37cdb842396275d6daf24813ce0f902486cd953", + "version": 3 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "a1c698224ee74f11eeba8d602264b9a9d46c89d48aad8869719dbcf780655d7b", - "version": 1 + "sha256": "0ae822fec1abd33c32277f40e993668c09ec575f0f6580a760937417c7d50e32", + "version": 2 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "8f13ebc41ff581ab9ee2142432046802d67c0df696829571a82d8bda22e1dc27", - "version": 3 + "sha256": "65957d10243835667b29df2c1bf74ef752f91f9ca378cf1382cc41ac5ed81bc6", + "version": 4 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "rule_name": "Windows Suspicious Script Object Execution", - "sha256": "6ca4e463c26cbc55ca658eac2c38ca905c276b64174e634c570821d22c5960f0", - "version": 3 + "rule_name": "Suspicious Script Object Execution", + "sha256": "86fbac365ea6f05358840e21847cdac1ba5feaeb3571e7edfdcec13820f6e50a", + "version": 4 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", @@ -816,13 +826,13 @@ }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "c0046a687a92a5db62c89a332014e61090cb179a01cf7ba29a9cfb6fc6d11045", - "version": 3 + "sha256": "68f1b81ce8b704e61cff1cb2a43c197043816098bc12bfa2c10a1506cd3a92ec", + "version": 4 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", - "sha256": "0af9c826220d7a09fd8d6762145489a933d134988a6cca9ebfe3fa7ea3ac0b6d", - "version": 4 + "sha256": "72654c880412c884a2b237d810c85bc30a68ec0d32fb122b3db8443f40fcf36f", + "version": 5 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", @@ -831,18 +841,18 @@ }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "67550129e26db722ab8421e82407ecf4289c7647b86dfaff159ced0e69960bb3", - "version": 5 + "sha256": "50f743f8c1dc8535da9536a6d64553823078d1600bcdc133bf616fbab76c162b", + "version": 6 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "dbaeba388f235b616bad9d6ca3a613a15eca038d6bfbc5a1b1fd0ab5a57ecc44", - "version": 8 + "sha256": "7ff0bcfa3881f85e17c3a55b1a9f87403aeda1da00447412024e69307cbae7e8", + "version": 9 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", - "sha256": "5f257bdb27a56eb43a27513f8fa691ecaabec3c3323b9dd95772ed912ece5022", - "version": 4 + "sha256": "0d9c301a2b9bb20f7dcae4b54ddc770c11a488cfa1168474deff316691f678aa", + "version": 5 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", @@ -856,19 +866,24 @@ }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "6c8e96ba4b07ed6cce18921a829831829bc4b6bba5d7ff87e9ed5a3f10fb99c8", - "version": 4 + "sha256": "8ba5acc8850e486039277d2da8132a4203da644e6a12e3b500bb67629678dff7", + "version": 5 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "5830f8b50da5b26e2a04464f2c05f012785a123a00594b577b53823ad1e45ab9", - "version": 6 + "sha256": "28f16475e1b77a83be53387c10dfc3e12a8cb30463ebed52c32e7a3f104093d3", + "version": 7 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", "sha256": "32c64b8fa0f6c50c2253632facb556b54d2013478619f79cc60cb6f6519ce918", "version": 3 }, + "54c3d186-0461-4dc3-9b33-2dc5c7473936": { + "rule_name": "Network Logon Provider Registry Modification", + "sha256": "53f0078220668a3e1693b3799b20e79a69c961485f0981c0fefdcb35a4bbad7b", + "version": 1 + }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", "sha256": "4e4fbdc65c3b54bf30a91147ac126d5e470995cd70f02c1dd673719b0738a0a6", @@ -876,13 +891,13 @@ }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "99b97b04ec67066da705129885b9ba38cc1e85079cbb82511602ffe6f32d9a21", - "version": 6 + "sha256": "0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e", + "version": 7 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", - "sha256": "ed5d0e8263555d6f10542d6785a859b3afd968cafccd087a25ca3db999148b86", - "version": 1 + "sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6", + "version": 2 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", @@ -891,23 +906,23 @@ }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", - "sha256": "e0c3667841d87d0690d68568ce1aba2ad6056277a7c9ab4b82c5c2cc0893543a", - "version": 4 + "sha256": "57391425e8c8e4d0c0c905061d6a9cf78cc26d40e4ff5aaf1afc44d6d4c2761f", + "version": 5 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "36b65bd4c5ed5603facd249fcdcde0d882a566a2035474487501b01caf373106", - "version": 8 + "sha256": "9c364d024d1238ca509316cb5936f0ed20dd86be940e7ec8902bc1bfc3c112f1", + "version": 9 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "e75e954e18e9d0dc6cbbbdbcb5deb63eb2dd29996703bc5dc2af235c82af3b0c", - "version": 6 + "sha256": "adb1c5873c29391a82b5763b8006396d122797154d046175018644669e6855c8", + "version": 7 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "e8343cc13f0ad5efb019926e8bb951cc8e1c715b6654d1949c57f02c5c697eb4", - "version": 8 + "sha256": "b6c38ee8d6644df3f58b6d542f3078384354af705656469a372d983cae9fb0e2", + "version": 9 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", @@ -916,8 +931,8 @@ }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", - "sha256": "d7c58b73bcc4feaab5f1d82dd5edf9cc3155848139ec12c8e8d3655314e554d8", - "version": 3 + "sha256": "929b90e9226b83b1269f9a04cb4bdf8e8aa9ae3754590e7b98cec10c44617a0d", + "version": 4 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Lateral Tool Transfer", @@ -926,8 +941,8 @@ }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", - "sha256": "4e4284e7019514dcefe6f8ba018488e50b39e72be8166a28ed4f53988c84c0f2", - "version": 4 + "sha256": "2bf52d927482feb03cac04824cdb09a4ffb538f59150d472a2f3be5b52f0726b", + "version": 5 }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux System Owner or User Discovery Activity", @@ -941,28 +956,28 @@ }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "3904144c2a84becbda46c175a1262beaa354b80fafc98a08af34b82ddb427b71", - "version": 3 + "sha256": "949d9585989c20d9adda4bea2921d82a86591c2f26aaf1ffff9db3fc76015f4d", + "version": 4 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "db6a48363181317379d1b10bafba451a8180220cabc58a4c99d0cadb003e6168", - "version": 4 + "sha256": "26c0664d074c41ca13825dbb77b7dd7dba82302a0d5ea7a9842d93e02da18f37", + "version": 5 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", - "sha256": "4d58659666dd2e75ce087788358695c725f6f898de4266ed07e5bb5513906022", - "version": 6 + "sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169", + "version": 7 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "0e034939927514cb22b5337ca02e42f305c56eea2df55b5cf9bf016f06767e5c", - "version": 3 + "sha256": "ac6b9792a84324d6359fc162d768843bcf69e9d6a1e60f6a4001a40174a0a17a", + "version": 4 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "a4148086fb244ba1469dbab67e88e1f0bbe16902b3e163c9a321b2727518f61a", - "version": 5 + "sha256": "24a4a0cac51bdf0233f74876118b5e8041c2e80ec746286e65d13191179de4a2", + "version": 6 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", @@ -976,13 +991,13 @@ }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "9909c3f640cbe91ab61036338e97be1d9d918b70a48bab400087cd58234c6563", - "version": 1 + "sha256": "4897f09298c4d423ccecd6048078eb42c74a9fa91c4f9ca81cde2f774bffce10", + "version": 2 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", - "sha256": "5b0652a7ac92c8c5327b4f724acb114886eb6d5e682b61ef61e151624b15b3df", - "version": 3 + "sha256": "f0280d78ef564558bec9ff8a9cad7c4ffa23ae2583671463d67d196023c86ad0", + "version": 4 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", @@ -996,23 +1011,23 @@ }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "5f2c21e6c59b979f2837809cbf9b28a4a55ea2766479b0d25c07069830eb0339", - "version": 3 + "sha256": "b9d412c9321b3e83222714985fa57d21f61c631f0c564e171a5e934724fba4b8", + "version": 4 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": "de8c2546ec2c5678f109b45497f5f3fb0ebb6e24f94cab472f27eccf78df1c70", - "version": 4 + "sha256": "abb1da4a93de07129c1b5b615752a4b9824c9cf4fd8c0c555614dd029d6d7e8b", + "version": 5 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Azure Service Principal Addition", - "sha256": "dceafec5303d3fc9c0bedf1e61aae7d2df1ed99555c2bcfa553472e09e7cdb15", - "version": 3 + "sha256": "8eb451fbf3b33b73f8476b07b3b278f1f89028628f41bccd347c3ac556e4e031", + "version": 4 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "cb0a48398fe183e52d291d0d07befd88b3b6fcc1a445cc6cec11a77f07bb6457", - "version": 3 + "sha256": "13f394be840a09fd6e98a54fd6d019e58b817fecfc3b751359a485ffdcaa3565", + "version": 4 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", @@ -1036,13 +1051,13 @@ }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", - "sha256": "18a15c55696cf0d0cddd5cfaf86e3d2e40f8ff9343d96827bd04caddfaa765f5", - "version": 4 + "sha256": "37b73c63d5ac1950496a55b1a66b8fa30f97c7c519632bb5a884962a22a18ffb", + "version": 5 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "cc2e51435bfbcaee2bc001ddb08e9a13882b6fa7966902529b885591cb09d5cc", - "version": 1 + "sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257", + "version": 2 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", @@ -1056,23 +1071,23 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "a1fff4f3dbe5caaae711d5159e0accb5456b52a76123156b29cc95e157ce1a6a", - "version": 3 + "sha256": "c69ed40fb2e7829b02aeeca20498c23afc04e5731d46c52717cf4a7b13cf50b5", + "version": 4 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "1c968672e7ce48c011da51c976e9b3e08bb0163bf5c4d9ccaa5b6c734af30cbd", - "version": 1 + "sha256": "2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35", + "version": 2 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "9f352402471508f9beb0380934fbab2c369b2cedb2883d4787c563e438ef2c26", - "version": 5 + "sha256": "d93bdd2f8eda2395c9b8ab7c737460f2201732e3176d605b489d38221cd18bfb", + "version": 6 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "0e37375debfa41285fb8bd8d59a3cc01d286c68b3c4b946d266950a0186358f4", - "version": 5 + "sha256": "d6726a1a5d3a598df105d959b2d8d7b02e10a98c4e8c5f0f47e124bb5d1fab62", + "version": 6 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -1091,28 +1106,28 @@ }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Threat Detected by Okta ThreatInsight", - "sha256": "3dbd7c25330bec436d304357b5de1f5455d68b458e48cb7520cac32369bb8e8e", - "version": 5 + "sha256": "0f9bfed2053b99795b40e69a51bfdca388143a9a3a4ac6ecccff16c81657acc0", + "version": 6 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "ba8e3ade3df05a1fb64eb35dfeeaec65a32cde2c12fef701bc7886922086929f", - "version": 4 + "sha256": "a6dfc7259442d2824f1f911c11a11988a076b0da4e8f23558a73ad3edc789676", + "version": 5 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "f373fc616d2547e567eed968ea489d666d4aee4782aa5a5f4dbe0560bf9ae903", - "version": 3 + "sha256": "292f25114fc554d4d67e56d1a2d13c7832f65b0fab556ebc1b2910dc2f1d90cf", + "version": 4 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "96a498857ecfa3670559082998836262a34e0cbe938a3da03eb0d656e255135b", - "version": 2 + "sha256": "6f6e12923610a9a51d2eab7dfbb921da7be8506c71b0f61b259251f473cd6343", + "version": 3 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "3ee90e8c70ab9c127c4252c8b8b0ed6e8744b2e00427d290632a93f5c6870e1a", - "version": 5 + "sha256": "5def5ae6b739035c9ae3c5d16f1390b916a50842c36f8eba0ecd96a6385c6d17", + "version": 6 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", @@ -1121,13 +1136,13 @@ }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", - "sha256": "485320db38810d542bde35625e3d722b6a8d910527a2aa85e42678f9da452f68", - "version": 7 + "sha256": "79afa252f7863c4f972d34afac42983788cd12eb97358a12d668057fe6eda091", + "version": 8 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "e17154513b449918f01d301ed584a5f8c3e858fe1759fafa5326bf4d5687c41a", - "version": 4 + "sha256": "1429ae42606ee0f1531dd13daed17012855d148d9e0c9c714095e01dcae486e7", + "version": 5 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", @@ -1141,28 +1156,28 @@ }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", - "sha256": "874476d64dc93e62fb147e271200d17de5f5b06c10e60f38204fbe5a561617a7", - "version": 1 + "sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c", + "version": 2 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "ea100f0813f073c65e61677854ff4126e96fc1979da663bfdd2df094200eaf2f", - "version": 1 + "sha256": "578607308f1b76a89e24e98c1a2b553b5455443931198123c558adae551bccf9", + "version": 2 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "rule_name": "Unusual Process For a Windows Host", - "sha256": "c508e9d610c130e50e29fd19a1599886bd7354601146b78f00704320cf44c3ad", - "version": 4 + "sha256": "1b02664b15fd31520aca0ef9dae59735d6c260e17aa898a5ed1effdab5f77eb5", + "version": 5 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "rule_name": "Anomalous Process For a Windows Population", - "sha256": "8d9233246b62fa21f68fe8e03c480dd1112e790f3621b755bd9970ee24a660f6", - "version": 4 + "sha256": "8c532d5331badf82eb8460f78b9c9743623961cbd11b41ebabc7a040f16e39a4", + "version": 5 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "340bbc2617692d06162a232de13795a36bf540d34641506481d8e7eec565c66c", - "version": 1 + "sha256": "fa4544dbc92b6766522593e44bb10e0036b4824f8d70f381698fc38d56a08aa3", + "version": 2 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", @@ -1176,8 +1191,8 @@ }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", - "sha256": "34354545bef5a283a7a05a7f0cea301b97b6925915dd8b795b579fb1a42c0fc1", - "version": 8 + "sha256": "e17fad5ebc0ca46c5a6d353543b8c3a7ec77d4f37afe29ccd6c1262fd0a3d317", + "version": 9 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", @@ -1186,28 +1201,33 @@ }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", - "sha256": "ac3b1dffa8bbfb7fef221d538429a07ab7335c6b57a250b4b18164d80e599a2e", - "version": 3 + "sha256": "21107426242da38569cfb7e29433bb0b98f92d9bbc49f532fcd2c554cc97f2c0", + "version": 4 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "f42e45a2a267bebad57ec1829fc225206d73496a6046e59740d10febbb7f6a1c", - "version": 5 + "sha256": "f62e04fe67fd11c43b10a59046afff2cff7a90d027f220619ce85068c759a5df", + "version": 6 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Service Tampering", - "sha256": "ec8ed91ddf4c947aabb68bcbac976bbfb567e91a8354496e0beab7b597c1237d", - "version": 5 + "sha256": "8e5473155c744a9d9579c9fde809857339d28ed1969699c8087d623f3be4eee7", + "version": 6 + }, + "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { + "rule_name": "Persistence via WMI Standard Registry Provider", + "sha256": "b7108f02310adf65cd5788774647644755ebe672e8bb53aa2be115338fa80da3", + "version": 1 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "033fe29096800453c53a4a100cbe2e826148a4c053b440ae8962c008ef04a476", - "version": 1 + "sha256": "3e2fb37fef273486c5032188c9b3bd7baeeeca83a4b49ebb212f95ad0e1451f9", + "version": 2 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "7bd86063fc605889d7271c9a07188685af2cffccb1fedcba8b0155e4fd81d1cb", - "version": 1 + "sha256": "342b7c894f423d41b16b531c7b2b5f8ea14601bc4ff275428e5c9434e3221384", + "version": 2 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", @@ -1221,8 +1241,8 @@ }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "733c0472aa406d5f99fd60c84903d3dc4f9b0e87daa44e1437c857a70903948e", - "version": 5 + "sha256": "39f2ea0432ed3122a7a0d35999c6c5e031af504f3cb039cce854a4dbbf267128", + "version": 6 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", @@ -1231,8 +1251,8 @@ }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "22a035e178cd410860585cc37d70b21e123895d0c40a6eff9f32d0daab2e63a2", - "version": 1 + "sha256": "b9eee6e8e6eb2c238952d35b40ebd2ef4d70e4a462e513ac0bf3f939a447c986", + "version": 2 }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", @@ -1241,13 +1261,13 @@ }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "24efd8911deea109938424203bf258676d9e86d311862341b034ecc6e2c4ee85", - "version": 6 + "sha256": "6bbf3c4cc80aa8bf0fcabd381be36d6299344c6945026c8d480781d97c17d1da", + "version": 7 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "1409f78ac3dbe51d37efaa4eedd30eff8c4744cece822d9ef22284af1d12ec32", - "version": 1 + "sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f", + "version": 2 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", @@ -1261,33 +1281,33 @@ }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", - "sha256": "cbbdb9adc5c96a67cffb7a9edf791f5ea5c029f373be5d9704b7124f9055bc38", - "version": 4 + "sha256": "db73c1cae414a7e328d7bd8022798a8643bc9e40bd45b3dfeefa437c8931b5ae", + "version": 5 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "8319fdbcc75a28932ed1ad89f7cae48a392d08b6bfd4a78ff5272c567bd03f6a", - "version": 6 + "sha256": "19409ce1476a107a8db2f50aa91ed8c037a8bbe6ee70d0977c3fc8292ccf8116", + "version": 7 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", - "sha256": "643ea6cdd8f71ac2f159cfb7769bc1b22d62669de4d0a4cff6abc4427a88523c", - "version": 3 + "sha256": "d5aa1e44833da2806f987bfec4b2aafeee0e5d853bdc8f459fe684976717ba8e", + "version": 4 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "dfa1d78e8e7e6f1d2e0b6db120101a10b676fef27656179ecf5fd03426cca4f4", - "version": 4 + "sha256": "84ac45e0073c5d7ef4203571ae659413ccd26eac3b505be34ee11115d25db566", + "version": 5 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", - "sha256": "84249aad3a778dcf0d66f4527ec8f01e4bad658abbe51e3ddf19c9dd3b1b35e9", - "version": 3 + "sha256": "b5bc993d6c5413b2d00802b37b709393a23dc41d7369ef8089211d0abdd6babd", + "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "2c9cd618d0709db211347fb0f927d39032c5804fb01e22615384d9c443a989f8", - "version": 4 + "sha256": "739693e9483eba009ac5ee8d2fd3c4da0f3637baa84dd3be947e4e455d60e0e2", + "version": 5 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", @@ -1311,8 +1331,8 @@ }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "1973dff13c3ef1ce1395c7f5cd1a2f803af70309eaa9281d0d485b79e804c57b", - "version": 4 + "sha256": "442ed95d9672fab5f430323edace7c2ccf7ee203111de771abd23cd5cfbf3e58", + "version": 5 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", @@ -1326,13 +1346,13 @@ }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", - "sha256": "a0672af3749608279dff9f81ac44c3781a6f8d71d9c97251281c6871c84198c9", - "version": 3 + "sha256": "6a1b3c8d1cdd11b75a62b07d8d8bcb0d3c861634dd34dc9ad7b99fbd05a1ddf0", + "version": 4 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "e8ed57396574222f759925fd3d4da6c63688d077a18de5a0bcec00ecf6de88d5", - "version": 6 + "sha256": "9797df2e79190ab1940fe7d8adba5122b86c7a24ca42aea3da9e38cff1e60c9c", + "version": 7 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -1351,18 +1371,18 @@ }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "1185bc3fe349c578b958b90129b3cdf96bb44627762533355acd1826e7977b8e", - "version": 5 + "sha256": "3449f44c9a5177d0452aa0f21d1f8623a3e11180cb49cf76fdf227ee1f8be526", + "version": 6 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "b892135f26f63bdd82000f1b10fd897f193b478b9b68a599eadd52b5bc8d8f2d", - "version": 4 + "sha256": "ffaa732069c6a1b16566f70e5098d4564f451e921161a6a860a3b34c0c4e1825", + "version": 5 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "rule_name": "Security Software Discovery via Grep", - "sha256": "2788679679566bcd320e35c2a0470f4bfe32816d19f57c7e9aa8d3cb491e2d5f", - "version": 1 + "sha256": "b8282c5a925bd40137e5683f4353565a807bc6bfe47b82a52bdacf7e5c32b1ed", + "version": 2 }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", @@ -1396,18 +1416,18 @@ }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "995613c20767772f136c8fd1e9042ebadc315863d6725a297e307e12c2585414", - "version": 1 + "sha256": "26e7c7e706638948c9e8b88b3e9595a11a572137460001ad4041278283dda8f4", + "version": 2 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "976ea459e84095bc4281a27b77f4485562dc5c9fe282e2cdaa5c1c252db1f86f", - "version": 7 + "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", + "version": 8 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "61571932334075bb61ef4e7014b640324aee7ce36641be1072a1857d9a822e22", - "version": 3 + "sha256": "39d70757faa0cbb8300bcfe88690a5ab67ac0efe7d33ac72e5975902b1e1b2a4", + "version": 4 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Suspicious JAR Child Process", @@ -1421,13 +1441,13 @@ }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "f30a96cc61cdf5e211d92b76487063c9e51353c4dc7ac405f49c36e2fc891fac", - "version": 8 + "sha256": "c332f69b3d3ebd232a3993fbbf6e9433dfb9d5393f91f60e13ecf8821ec69c8e", + "version": 9 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", - "sha256": "91ed3efd44382abbc811c230cab6b7a9ac77631e30b47bb2cc12ea0019b1d085", - "version": 4 + "sha256": "cd28b1f77b37d6e9016c24c3cbbf4d94f8cd152004e883f3986a4d9e88687b3c", + "version": 5 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", @@ -1436,13 +1456,13 @@ }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "d8491d74b0dd8ca7304f3b8147e98c0dbb00f6551f61cc67bcbeb2a9a8ed8336", - "version": 6 + "sha256": "00940a7616f5a429eb7e75d4322a135cfeab187e3ac06d31dc6a9c2e22c41bf0", + "version": 7 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "42b989e1865255c87d054240c23883f066a2754a30c73a484cf56416fb0eb29c", - "version": 4 + "sha256": "c457f1f1b2813439401359cec7480f53b710fb09f8a3af76de317538e47377ff", + "version": 5 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", @@ -1456,38 +1476,38 @@ }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", - "sha256": "83e917da62c777836f77e9163d3ac2a851f077c92b6fc6cd0c12af141a6ed5f9", - "version": 4 + "sha256": "bb302afcbb15dc8bd5a6a79059fb4d67396737dac261262ceb6d5711021f2b9c", + "version": 5 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", - "sha256": "76a775773c732032200cd4ea84b9406164a1ba22e8fe524d080c917615b3d316", - "version": 7 + "sha256": "e95b011bb8a3aa490e0c1725dbcb086dcbe8f993b61947c9a5c274bf5de92b83", + "version": 8 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS Cluster Deletion", - "sha256": "dbd7891e19893dac401464b86d2890841e47bbf61bce56a9285676ebb7ca3f41", - "version": 4 + "sha256": "3208f7d39ab5979335729467dd5c020daf1d3a47a1bae5aaadd08e9a8df3d5b8", + "version": 5 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "9ddb866c4bcee8043e23af4c23c937710155ac26079a30b278687928aaed2b11", - "version": 1 + "sha256": "66c3b0f201fec745d9992dd9e1be815c5a7bf95a2412b6923721ec5aabc6f6cd", + "version": 2 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", - "sha256": "eb4167409e9e670184fc8432258137ce52177203e8e9f51b5293b9ac3acbf7f5", - "version": 1 + "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", + "version": 2 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "0fa7a4734a239108ed3fd8f802e219ca6b58cdba349f463bf2d65484bc3b31e9", - "version": 4 + "sha256": "55f215d9e78466b8958e9c1981654985a3610f13bb53a13f0f89df25fd14f4e8", + "version": 5 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "69f44b552dcc33049009a47ddd1ccb1ad1dc684763b72919d71f36240b9b85f9", - "version": 5 + "sha256": "bf1c0c7a179545122e94628d2766b68125249f4dbd3d1a4c6edd30be67ed589d", + "version": 6 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", @@ -1506,13 +1526,13 @@ }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", - "sha256": "ad003aaf442893dd3a1e0f83940bfc37799f5b3a99398ec4c486f35e0a7f1fe7", - "version": 7 + "sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478", + "version": 8 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS EC2 Flow Log Deletion", - "sha256": "03212509b93a119cd88d9ada6c1d0e3cb72650ab432932f71c8e46c032b31110", - "version": 5 + "sha256": "92408aef719a265fd8137637ae156974a9b529940914de7a8654a081f52c2a75", + "version": 6 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", @@ -1526,38 +1546,38 @@ }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "e87ff7f7ca5e46e9d1e1cafece41081e23d1732fe7fd739d28016f593402c02e", - "version": 3 + "sha256": "fa6af21c1f9a06c900d961e446b5a34287eace94a987722a99bc36fe61495304", + "version": 4 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "33a3ec49d81d46e1b8a2f182b6768d52a01db4b71a670302ddf179a79e016955", - "version": 1 + "sha256": "4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3", + "version": 2 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", - "sha256": "db1e447093400fb88cad39601df5fd94ef453efb368f573b2eb2ca93ab8038b8", - "version": 2 + "sha256": "2ace8198458c53b15c7adf10cc0de02c82e48e41985a44d13c87e907368f3022", + "version": 3 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", - "sha256": "bfc9cd72f6976408cf3032a8654ab41cf7e9f176e5de8659649595ec91349072", - "version": 5 + "sha256": "76e2c506c37e0ba6f11d046b0a7f98af64d20481efd5758e86f0adee37c6c80a", + "version": 6 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Access to Keychain Credentials Directories", - "sha256": "4ccc15d7accc12765f6c0132a6ecb106df50fe6d72c7a7cc40760d5f4428226f", - "version": 4 + "sha256": "35502f33157c641cfe6e83113f9301c7c9fbf8b4732eec46a13c0eb77b6df58c", + "version": 5 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "5997f239182f18e7896e44985ede70d33356f240029502b5f827760328d602ba", - "version": 3 + "sha256": "d5703823dd5ddb6dc16bc0ab45fc539fe73ca80c722cabaf6a140cec3461ddd8", + "version": 4 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "fd2124864d86491d8102f28e4c9a925393dea3f947f4c86ee5078aa3f075b80f", - "version": 4 + "sha256": "bf46beb44ae071c1d51a5e3d5f2bb6fc6556087aaebec176dcacc2534e974560", + "version": 5 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", @@ -1571,28 +1591,28 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "b7924ce398182288ac6e386c7eca198ec8e4822ab0d0a81b6f3a4198c0e094d2", - "version": 3 + "sha256": "d5521e95aff90c5392494d06246dc1d72ea9bbb4e1f5a1ae37fe29756cc77f29", + "version": 4 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "f7f1704cb9744936c508fd2d2688f1ddd25483f7b721441613330cb0738e871e", - "version": 4 + "sha256": "68aa4d42f2f2bffd7b162017a2cd9ce719abce7722467cd08b9c2aa4864ae6b6", + "version": 5 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "ab124a4979eed853bf76b2c70e962fbb25b052fb780abc53bb57e108e439a58c", - "version": 3 + "sha256": "edba1170aa4156e96ed8e257319a8c947ffc532bc8adac01d334fe23a50c2395", + "version": 4 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "2bc8162a177286d484c667e5e2e9f116f91ce690daccbad88f506609c47af6c2", - "version": 4 + "sha256": "1d81b70ac1e4228bcd3d3d0c3c1e32856559b239753ac6e28bf198a118852208", + "version": 5 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "c3f63131525208fb1a8d655818506192b58ed5ddca6f26501f96672999d58085", - "version": 6 + "sha256": "6c9b748e3f01290624bc50f190eed75daed4f30b7e43c92e8259cbeeb8436d60", + "version": 7 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "rule_name": "macOS Installer Spawns Network Event", @@ -1601,13 +1621,13 @@ }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security", - "sha256": "31e256034eddcc3cd52c8bf4d19fb6f15bcf6f5baaff2667bc83c43340d66b46", - "version": 3 + "sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09", + "version": 4 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", - "sha256": "67e04b668886cb15a8f78a419ebcd47a8872132bdd605220f5cee14fe7639f2a", - "version": 3 + "sha256": "c0fb8365df33514e95358c2dff239e8a61b31afbd060ab86ebcd8c00eb20e5fb", + "version": 4 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", @@ -1621,13 +1641,13 @@ }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "rule_name": "Hosts File Modified", - "sha256": "8554125184d18d61f09dd97afd8277b7c6d5ed67325839f8d7360240705593bf", - "version": 4 + "sha256": "4a0f91bdde24a42c4deee1abf27d87df4617f314a20aeea716275c663bc0d9fc", + "version": 5 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "8d17dd01441dcd298f4dde480618fba6f19c02c1cf38d30202bac38d155ef833", - "version": 3 + "sha256": "3672f0f401956a6aa3757faa0cf494a614115fe3a1eeefc8c7f5f61722c7859d", + "version": 4 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", @@ -1636,33 +1656,33 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "dae0c00990f6f60d49186a33af3b1a6d1f6f92959bec44fb7241a4d55aac5131", - "version": 7 + "sha256": "c11031d7a313ef26148a98e8acbcb7a30c1de205ff403a81f9ef0c5803f5e696", + "version": 8 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "590bb03aba7ebfa4693696414b268ae0f9614257e62403c35563a8c083beff67", - "version": 7 + "sha256": "5955ca92044b4e13f2b8e8b4a0e0356b42a88150a35d8d55b24a5cadbdc2cefc", + "version": 8 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "9f5ac6bea29ac60ffa4286fe619ae5fddaf595f4ee2841af7eb6cfab8dae87ff", - "version": 7 + "sha256": "1c02c7ab44f7a594bbd41f54d44643a7cce752492cd0dfc5f6359d2ceb865c66", + "version": 8 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries", - "sha256": "7dc0c63ed67be02b08bf0be148d7a335fb17160e97e483c927228f7a27b5ce0b", - "version": 7 + "sha256": "adee2abc28a974071b6f404a24a10cca641beed6625be5e838bab6cd31f8e9f0", + "version": 8 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "0a94d4c720be38237d84929f0d932fc8558b8da9d39ca3b4d365c2bbf61a550c", - "version": 7 + "sha256": "a61f532cce3874503bbd1987cc4617a2ad83fd6b289756ccd1b4830bdbf496b7", + "version": 8 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "d8821ed0858f6a691346f464fb1d272dcefda6e8f15fd9e38cf65737ebc86369", - "version": 5 + "sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b", + "version": 6 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", @@ -1674,20 +1694,25 @@ "sha256": "99083f476f27c715e48e8664229115c61b61b1652bd1be73a0e95b65b31a879a", "version": 2 }, + "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { + "rule_name": "Potential Protocol Tunneling via EarthWorm", + "sha256": "03ea09bf741f0864cbfcd01045657c731176e2cb81f0a022f61644e68e543e95", + "version": 1 + }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "1a9d8438f890d811aca47a6cf5535b3354b2a638cfa19ce66fbcc4b5baa3f51c", - "version": 6 + "sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b", + "version": 7 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "910830753f6ca39288c0e8312d4bba1e472cb090cf2b13c2f6dec8d60cd6ce44", - "version": 4 + "sha256": "f3406ca397e06939999f7ca3d674b4fb81401a65f23403bef4494ccd159e7d6a", + "version": 5 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "fba36ab5e9facd0e6703c3f5a52f444f5f980b7eaf5ede0088575be015e4c127", - "version": 4 + "sha256": "9c7b365badd0e4749cdf8c368cd825a41d9246e97b0c5cb92fd9755fbc801f1e", + "version": 5 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", @@ -1696,13 +1721,13 @@ }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", - "sha256": "8bc002cf57e3e671b5ef34223004a44cf524df8ffb4cb6aa6ef2a02acda67628", - "version": 7 + "sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f", + "version": 8 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "623706a44007241728253d103e92b255da36c504d8cc514d24a53cea8e891f67", - "version": 4 + "sha256": "7b3b1690df6c6b2ede0ea186a352d58f47717c62493f9e48c34776123c3f6d3b", + "version": 5 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", @@ -1711,8 +1736,8 @@ }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", - "sha256": "de13eedea23c945a81a12d4393bcbb7d48d4f3459d695538e2c8b232329d8745", - "version": 3 + "sha256": "fee8b8d1d56be16d7fe1a0de049286cf7095506b3bf9cc39d48e18ea8fbfd356", + "version": 4 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -1721,13 +1746,13 @@ }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "d7bebb3418b06fec41e8e4b9a0bcced408ec615c3f701103e1910a038a9588d7", - "version": 4 + "sha256": "b4e96a5981f76437befb7a429bb81752d2b1bdd22fbb69f417fb410c63c2253b", + "version": 5 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "e78212df0e0c85c1d5dfcb9207809ca0c3c63f989d4adc919cfd7b65f9f0e495", - "version": 3 + "sha256": "a8f05e0880af5eee9583781ae4d138b80f47204e064fbac508d287673ca17255", + "version": 4 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", @@ -1741,8 +1766,8 @@ }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious PrintSpooler SPL File Created", - "sha256": "2a0914aa97e2201bd9cd4c0871e9e6f6bd7e123b73cdbbb2ee3b5fcaf83343dc", - "version": 3 + "sha256": "f4e0b1722307631cf5e4d40f510227283e04df89bb1190886dc8016879566d4a", + "version": 4 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", @@ -1751,8 +1776,8 @@ }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "402eda0840f057d5745f80da37de2cc12278f41bfdfd97c9565cbb038c4bf02a", - "version": 6 + "sha256": "7f353ebd8f16d4c4a3b7dad87ae483b9066963da676549c7ee9e1c15fd05b743", + "version": 7 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", @@ -1761,13 +1786,13 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "8aaa0b8723f3b1582fce4296f1c1030b46a9f9b9e3a940cc77e66a00b286668d", - "version": 3 + "sha256": "7a890a45f6645a6041921b529de7bab0abfac3cf0eb877763a2dbea6938e94e5", + "version": 4 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", - "sha256": "5fbff45220e92791589b63e50e96565c6288a79b9113408ab7d494b85878bd4c", - "version": 3 + "sha256": "11ee39429935e0f7e5c0a8aac027869c23d59bf4cabf4509fcd3a37efb6f40d0", + "version": 4 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", @@ -1776,13 +1801,13 @@ }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "281775cdb10cfd72c657efd352e0e4e353ebbf76881975360006712205c4fb1b", - "version": 7 + "sha256": "bda40067c1d339d646167ed025118e572c4cd7e85e6e664d43594056a35fab79", + "version": 8 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "3ffc8d0be63b9d659bd057ea434e84c97f892672af10fc0854ed591f2a3dc218", - "version": 4 + "sha256": "b6c540b68a41f7216a8d8b4af6d01b2cd03a17584ca7b8cc097fd74067dea719", + "version": 5 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", @@ -1806,38 +1831,38 @@ }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", - "sha256": "92a14b8bc9231fe013cddddd37609e98198b47e982944a5ada59181d9c432fbf", - "version": 1 + "sha256": "441dfd8343418bbfed2e8b8d16a371e1bf8e4d742fae0d6237c8cc4f4754fad8", + "version": 2 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", - "sha256": "800020ac496ff5c0b902a63bcb062d8826ed18b9b1f39f034672161ac17ce8a8", - "version": 3 + "sha256": "f9937673d94c8d62bfbabf458c5e1153c72a785fbe91043e3598f248d75f9f98", + "version": 4 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", - "sha256": "7159b3c6dbd53b8f52183c0b0b5f45299596e1d7bb1103d53c56edc7be68a465", - "version": 3 + "sha256": "8c2587b7bb22ffc9e8c5342d92aa8f5ab5bb229855d76d62619b91d0b73758d2", + "version": 4 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "c6581f03d21ae8a5eb2567a5436e1540f1e47b0b2f197470c75ae91078433c81", - "version": 3 + "sha256": "1913ec9b0adabd34257793f57c3c395ee487edd0d8b65c0858ffed4568dee866", + "version": 4 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "033bfbf2936df4f89c54f792dc8d26f41d6740ede72c06a677570997ff2f11d7", - "version": 2 + "sha256": "a5a4d4e22517c9c256ff22db014e7d01eb48986c27b2efa495761fbf3c430a8b", + "version": 3 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential SSH Brute Force Detected", - "sha256": "b098f232c244a6954d4c1f45c6531e642460c20421ba7b1bc4bf6cfc72310bc8", - "version": 2 + "sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e", + "version": 3 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "c39f627f7725c511821f5ecf8676fa04e647cd972e28dc000fcf13a2504c4a77", - "version": 3 + "sha256": "471a87bc02e6f7d085e50a6378130101e802abd05fc78def073643851037c95d", + "version": 4 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", @@ -1846,13 +1871,13 @@ }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "ef51da9c29d2dc7632f41325f697fb2a509c98a0b3ed628d2f8f664fa381c3cb", - "version": 3 + "sha256": "ecc15a48e7e31cd3c31770d02cede45e83b1f6b4640ba33070ce44e4bb50cc15", + "version": 4 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "64ef95d8833c1fbf3a7a6dbb5b14bebf776f6c08908d08649b38b3ce185cbfae", - "version": 3 + "sha256": "4818e94c1c67173f475242f9d94f941902a8457697ee622ba20f9daffd897bbf", + "version": 4 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "Netcat Network Activity", @@ -1860,29 +1885,34 @@ "version": 6 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "rule_name": "Local Scheduled Task Commands", - "sha256": "6b39ac27e1a2a39b75e415bc4b32500b6710cea014eca9ec7a2a6bb0aa5c58d8", - "version": 7 + "rule_name": "Local Scheduled Task Creation", + "sha256": "ff34f929f7deef7c202a29aa90c2643c58e0478eda70efe49120e5d1ab63ad3e", + "version": 8 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", - "sha256": "b1f1833e7b0764bd1035d2b800cf4ff321791b7cac554d6dfa01fc7282251f28", - "version": 3 + "sha256": "46f80cee555f16f5b0d6567797b79aff56bf202703fcc3d718d0b057fc05d2d3", + "version": 4 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "fa36d7b890ef23869737bf47f07c4bb54ea4eeaf8d76a9ee04d4764acebba5e7", - "version": 1 + "sha256": "826bc637cc0f012b3a24a3c6e47b41edc9957eb2d361245eab2562f4d43b6247", + "version": 2 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", "version": 1 }, + "b240bfb8-26b7-4e5e-924e-218144a3fa71": { + "rule_name": "Spike in Network Traffic", + "sha256": "9b4c9eeb5b8b2bceefe216fe315f33c7680b1f19cd1bbff8ed2bc1fcd381c045", + "version": 1 + }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", - "sha256": "b435103e31234f00d279b4f5134c81c3e2e2da55e4026bcf7a7d3076cfccdae9", - "version": 3 + "sha256": "ecd0137032c4c2466aadefa7b02e3e577736b37087d25529efc58f34c28a71c8", + "version": 4 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", @@ -1891,8 +1921,8 @@ }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "5b9bcfa66a94e8e2af88b1ebba8f7ad2ea6b2836af5703ba6580b11c2d7fa61b", - "version": 4 + "sha256": "8d3fc06101f76d3625158c866245c82c55efaeea5aa68a7998d5f4c2f55b0074", + "version": 5 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", @@ -1901,18 +1931,18 @@ }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "1f872ba3822ca3fc62b14d06a16c7d41eab825219301e36176e71ce80737b03d", - "version": 1 + "sha256": "9f2b91695b4312bdd195b4b435baca4915e550c4d1d524e7d2fd81ad7f56f9a1", + "version": 2 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "971ab7f8d1f13ec382d2ccc9cc9c9adbcc93dbb3a7bd4d2eaaa9ae31f3f8f76d", - "version": 5 + "sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac", + "version": 6 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deletion via VssAdmin", - "sha256": "17ec523e58ff0c0d228cdd14bc65df380d20a91827091e13fc40bd54e6020a13", - "version": 8 + "sha256": "54f267e7bd737926f39f468d39a596a292325d0c0df660749a18f33b46955066", + "version": 9 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", @@ -1921,23 +1951,23 @@ }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "a84360424dec6a9d0df7d8aff7c9f95d1ed399fc96c9b3b75d43c0f1c6c0e959", - "version": 4 + "sha256": "90d50261b3b2a019e5fc38ce8a60d012d3ce78cee9a83709883621fc5c108150", + "version": 5 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "5dfd653fffd2aff3f6bec413d999a462b31e2d754d62ff6b29b0b765f4b08cf5", - "version": 5 + "sha256": "54696851213ea2ef95385bdc4cb58d942bcf0ffa4d5663228c057dd9b5303bee", + "version": 6 }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "95a70200a2c9cf5dc68be723a5ba0e402786a731e0e395b0ab26aabded7f6e5b", - "version": 5 + "sha256": "0ab87cf62524d8d39578a9c8b1af307d665f1a412a64dc559e92432735cacb55", + "version": 6 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "86adaceaff7d0a2bc2ec81db78d82881807861c701e84dc6558aaa84737e4baf", - "version": 4 + "sha256": "6c7e16490d9df6da2fe93c0c2bdebb5cb6135c50dd4f5d2ac3aa76cd30e97617", + "version": 5 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", @@ -1951,8 +1981,8 @@ }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories", - "sha256": "7ec928ddf9f3fd92bf58dad475cc2a4842c4cd781f1fe62c70721421f24aeb6a", - "version": 6 + "sha256": "b77c134e2c672646234f8b9181dfc74b88aad6591310100b27bad31f7176a5ed", + "version": 7 }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", @@ -1961,8 +1991,8 @@ }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", - "sha256": "26566d6c946ec7530e1b6af6e8f2b8ec2d1c27e99883ac821a1e25f55134fe66", - "version": 4 + "sha256": "5b1caa506744552a652673d21edc0a4715dd0a771e3ae9b85b6727892cdf35c1", + "version": 5 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", @@ -1971,43 +2001,43 @@ }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", - "sha256": "7bfb5e62c950a7fcfb8ea6b5141e61a6da9cc96ca78ce4511f9475c3e776bfbe", - "version": 4 + "sha256": "05d3511a18870e475f0a29b788a09df1b90b7dd3d8c30d71c1fd0f102b7a028b", + "version": 5 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "55933e0eb52eea93da9b6c0e938794fd084901c1e53cba3625ae2bba79b6d666", - "version": 5 + "sha256": "adb8ef40d1bdb8dc542122c628457232cfa38a8e3cfa3154dbc75847eed0012f", + "version": 6 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "5d03f2d49b7db7d437ae9117a9a68e0b4ff5f220d258660c1884f2fc6ff9cbb3", - "version": 3 + "sha256": "4afbeb67bbc9007999a0c1b63060ebd6481a1fe0f6c220a1d437d4f4c98e4315", + "version": 4 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "AWS Root Login Without MFA", - "sha256": "92fda82a332bc3f4b5010b4408bacb9bf3b7d71b6bfde1a03d6c993110aa750a", - "version": 4 + "sha256": "e1f5cf52a7d175097f8214d1df8ae5c8b9210b46830621e04baedc8df3670668", + "version": 5 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", - "sha256": "dd407aaf6b910d7c9952519485eadb121aff19727a9a86f844de5237d3375e90", - "version": 4 + "sha256": "43e5316b633caa29ce029d7bab8ed1d5feca21db7904c079be8acadffbefb45a", + "version": 5 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", - "sha256": "7da7e303d7866590beb66ec6718fe019a0c59fabcb29f6c1ba04461784bc8fb6", - "version": 1 + "sha256": "ecbccde9d45ab87e4c3959dc93eb79ec19b29919d3e172c6a30c702e1b5b59bd", + "version": 2 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "7618a0825bbeb38f428739abf8aaf89def1c176a613d66652eb94fa810f55ebc", - "version": 4 + "sha256": "a00630117e151eb94950ab0413bee80f0492d7520ffb5cf7f4444e9206eb6752", + "version": 5 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", - "sha256": "80e73e310938c8d40a031384144f602807fb3e25559804101e7708b0b3d119ae", - "version": 4 + "sha256": "660c3b64b35ea795bb74c9eb7b6b3b83154cd7b2eafd8eacd053cb30c89785e1", + "version": 5 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", @@ -2031,13 +2061,13 @@ }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "2bb462336ce0a0b88e9fa9a928fa5691963175450bdbf0191770e42241a3f330", - "version": 4 + "sha256": "4ce6036775350e31b5f760f1fa899ee7be508d50e17e38b822a2ff9fa0ba172d", + "version": 5 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "a536250a00d6139b67326b7a160bef3ce820b1202add2eb68e37aea8c81b572b", - "version": 6 + "sha256": "12a78ccad8ab58509933133ec1744e27bf37d404718c54a47f796a7e6eb86180", + "version": 7 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", @@ -2061,18 +2091,28 @@ }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "b8e5fdd1a58640907a636b837eff2d2740c456b57954eac5fe0325d8f31c156c", - "version": 6 + "sha256": "4a65754dacdcffe2c3607c8b561183da367f3fd7bd366e85fb05d301a7ae07a6", + "version": 7 + }, + "c3b915e0-22f3-4bf7-991d-b643513c722f": { + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": "15021e6cafece04e5c66ecb8390c4a899e2cd9d5728ff2a165a0ff303dc24d4e", + "version": 1 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "fd98829f6683e70e5a3d3fe8ed5fe7ea2a35a9eb323b012ee895ea1e3b563c46", "version": 3 }, + "c57f8579-e2a5-4804-847f-f2732edc5156": { + "rule_name": "Potential Remote Desktop Shadowing Activity", + "sha256": "7a378b1a7fa710354f67ee1b8b60ce93653a48edd7466d796f3e9d64d03aed7b", + "version": 1 + }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "6b0813f5d8be94af50cf0a174be37f842a1fde4ca2cb55b480cf3cff34e357ea", - "version": 4 + "sha256": "88bf63fa5666b708286c1c057c13d9395886468103724aaf6336f5715d4fdc31", + "version": 5 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", @@ -2081,13 +2121,13 @@ }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "0017cc9a14815a2ece7b02f5317bc0aad4ed130634380b77b3f10a8302dbbc64", - "version": 7 + "sha256": "ee3ab5606f836c98a65ede43ac5c1d0c7fbdb968b0054830dfd47af55de52f62", + "version": 8 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", - "sha256": "3593df23a6d32b6ecb9dfce5a7fc3c9303406e0d9fbebb8925f517fd03aa17f1", - "version": 4 + "sha256": "0677ca2d233fcadf37a6e15f291d8266722f3b18c926aa5b76f3b1b71f57bde0", + "version": 5 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -2096,28 +2136,33 @@ }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "c11d4ec637208a3ab9addbdb9a3ff12f60aeffd8a81cecbc9b6e110de5db9908", - "version": 3 + "sha256": "324244d3a1a21367876830445120fc9ce2a3693ac832ce11442f9c71ba26cf1b", + "version": 4 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", - "sha256": "63569595577b2895a4bf897233c4b637393ff6b9d26d2e964c98b5060669ada4", - "version": 3 + "sha256": "897b7cf567d45aebb4daaaba655d2627aac02b5c883882dad6f9cd26c1243975", + "version": 4 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Modification by dns.exe", - "sha256": "1af709717fea56a51cdb2fa1e90258a832e958394cd7edf744fb8e328cabb566", - "version": 4 + "sha256": "28d8ceeeae367d91ddfcc5654ea7a2a4f188e3914886461d1379da1a9e2a4e48", + "version": 5 + }, + "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { + "rule_name": "Spike in Network Traffic To a Country", + "sha256": "6774d8dd42a2fb4f9e99da7b446f5cb28437e10cb1d775b9c55d0fbb38e0a10b", + "version": 1 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "fe0f7a5ee7efbe75ef977c4457d16241099e4993f5219064e20272bb2a7059fb", - "version": 1 + "sha256": "c665f0d60e076e72797559c0ff97e531d71229d9be1751859d7ba30bf3cb6981", + "version": 2 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "10e7e5d37db0f145e1406fbbae6bf005969c827d4bc0e76dde43ca2026320472", - "version": 8 + "sha256": "163112dd69e87ecc6ca848d4231df956cda7684f020f26ff600ce24495af9698", + "version": 9 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "Direct Outbound SMB Connection", @@ -2129,30 +2174,35 @@ "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", "version": 7 }, + "c8b150f0-0164-475b-a75e-74b47800a9ff": { + "rule_name": "Suspicious Startup Shell Folder Modification", + "sha256": "73592f3bf7a304f413433934022d07f75af6301df302ff33e8d876396c3cf782", + "version": 1 + }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "490cbfae68721fb35c3c8b8a0d41bc4b6efed8cc396d829e4afecc2e651c9ae1", - "version": 6 + "sha256": "4bbe86d4477f58024b62e8f44eeea5e38812e479cbde03a5c0c0490faffd3362", + "version": 7 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "0237f4f4bc00913f03f9e9af8e5bc4d31eedaa0903f8b617d6a1fbf0b7853a55", - "version": 3 + "sha256": "84cd19aa5eb8159517cac17c44198881d28f9d3277f732e4d158d4eb342d4a04", + "version": 4 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", - "sha256": "d113bb2088767739621deaeaeec2cc09bbf142a7cedec2b35c634ebc18bae1bf", - "version": 1 + "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", + "version": 2 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "e4d99a2d70d99d2ba70d5055a5c75720a7aea9b24a0cb5f65399890fdc467818", - "version": 3 + "sha256": "fc32fc89f62378a14d4ea384b312368f9626a4b8e461abe33e8afc2a7b9b1399", + "version": 4 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", - "sha256": "6ac1c6f9edab1cd65da00e3aace8a3254ccebe8005b2a934ce4337c5d5515228", - "version": 1 + "sha256": "ea21157960f47745d507cee8da54a4fcc8f75c41b225f6ee08d8462e6879a7c7", + "version": 2 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", @@ -2161,18 +2211,18 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", - "sha256": "95582925506246d2fa357ea7c342c4e5b50c36bf4ec7ea80ed184b4420c58e21", - "version": 1 + "sha256": "25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da", + "version": 2 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "a80fd1a590247c2fc81456f355e6282d844b4e5db55e546ebceb0b11c13745cf", - "version": 4 + "sha256": "46e1de9c9821ca79f473124ba6484cb5c30e3f71ad90c8fa4a4cd0d8a86ac589", + "version": 5 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "be469b4af0fa7081eb2cf835882f8b442828842a88450a6d6bf989c2201a12dc", - "version": 5 + "sha256": "dc85297baf482232f011b9ce98f169f3b7be8b1422de1cceb9f7af2b50560327", + "version": 6 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -2181,8 +2231,8 @@ }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "a2321405cd840a1f32d79d96603ee9595d6cbb2b4bf217fb85e7edfaf93a977c", - "version": 5 + "sha256": "3f66423329bee6d660afe1e7d5e5d4cfd7203312e3babd6015ca1fee60af2659", + "version": 6 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -2196,13 +2246,13 @@ }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", - "sha256": "4002d3ed57c9f2e27385ad356a8fc0762aefd4cf26c4de249ebe309685652a9b", - "version": 7 + "sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32", + "version": 8 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "f4bbb32afedf3c684ba753b08a2a19d41ecbb9449ccd5462dd3c33ccac159a35", - "version": 5 + "sha256": "a3f866bf18352bd51f590bd78b5ea55a23c8bc7788e93a4b0c6e4a1f1d222873", + "version": 6 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", @@ -2211,18 +2261,18 @@ }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "de043669d8aeccb6415b5637679b7c6564a23c246f1285513aabbff8d80e1866", - "version": 4 + "sha256": "0a6002faf9de25741761baff24faccdd17b528cb5230891cd2f8ec3a05515e05", + "version": 5 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "bd9c727a1330fa038faa6902dffbebf579329ea3382ee4ffdb2e7c18bd145d5a", - "version": 3 + "sha256": "767437eeeab9a86f91974019d0fbf4be4c4a73500044b2718748c48459b4abb4", + "version": 4 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "c2787c84eb693a04421d6abfa4665a506a5c2f33237e2746f8e84162f3c4babb", - "version": 3 + "sha256": "a361597bb52abf436cbf188b582ac1d3f77be85d7fe6c10a6e00c6acbc6938cc", + "version": 4 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", @@ -2236,8 +2286,8 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "ed49330a9ef16ef0cb23a1622235f7b72a9f7f70bbc21c0d254fd53c04051d32", - "version": 1 + "sha256": "8021ff270be998297c5c97ba9fc27fd8a1b77952434ed4dd2bff1fabca2860b8", + "version": 2 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", @@ -2246,8 +2296,8 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "331f169dc027e0578a41cbbb35579744a453f04a5ad699ccde4851745482a498", - "version": 8 + "sha256": "9bf1c8265176919a62c9cc82b85c1373bca39e43838a5dd64f282d64b45de863", + "version": 9 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", @@ -2256,13 +2306,13 @@ }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", - "sha256": "14796a11a57d57f5506411642259e5dbe5b8341de64a466c14c48bc6dbb568ac", - "version": 3 + "sha256": "015b43d6b11252e9e5bc11ccaa1d78aa3587aa342e429b51f668a160ef3402df", + "version": 4 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "687ca8052da11de5df83115f646aee96264ed6dad8fcda20900cce276c4cda3b", - "version": 6 + "sha256": "d88d17c4e3a52a407447872f4791d77d827a21e31877415051656d25e3b18a5c", + "version": 7 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", @@ -2276,8 +2326,8 @@ }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "6d9f05167f0f7337735ae593572297e00b95e28dd46043012291611762e2dc38", - "version": 3 + "sha256": "36945a6918d4b8f1672682279ce8123b9ebbf06b04d6193f67d7f70ee25c2a17", + "version": 4 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", @@ -2286,23 +2336,23 @@ }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "fc8029a8e47bea0a82eaf38501c517425fbb79501efcc3760067c7a75d6e46ab", - "version": 5 + "sha256": "3abec5a7b069cc59b63e4b4d55b7660745db9297afb748a15844eaf5e56f2a47", + "version": 6 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "1b91588d39021314af52b44e8be4d1712e1a9cb564dbb2df8df0f451462393b3", - "version": 4 + "sha256": "606882e2efe620c60006ab35520e3562df9c1094f047bf712664f4646dea8716", + "version": 5 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", - "sha256": "68cbcddbf04144359c4c2393175fed316e1985fb91b41a750b22ca2ca068f0cb", - "version": 7 + "sha256": "394e164b962405824e20fa9efd81e7a2a8b9017ec483bc0d0dec04f4bb9684d1", + "version": 8 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "35a34dd03d6e890f2bc57c571d014b0d42bee0f699da5c4273b4ff48080fe865", - "version": 3 + "sha256": "28051e514a52881f0903f3ae2754b955823c73d50708b2e0c1837fe5d981ac61", + "version": 4 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", @@ -2316,58 +2366,68 @@ }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "3417df0c9b3780d7a5d115e57ce6f937f0345103d6c6853fea9321fd2c4aecc5", - "version": 3 + "sha256": "c02de415919eba4b61ceac86fbc4f06fcd4cba96eb271b027885d41bbaa6314a", + "version": 4 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", - "sha256": "a59fae590fb4bc141a082f217d75c09a68188daa738f9272f99fbeabeb62578c", - "version": 1 + "sha256": "a18ebe990afbe127f7ea57580737c9d7db9d0e80b10c21bdb54457f92be02107", + "version": 2 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "4a2c4600a5034552f066401120a8ce5c5795271b1a86f8a5fc9cc0dd658998ac", - "version": 6 + "sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f", + "version": 7 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "6a240c0235a8d9411864104c55e5dc2db3f6535204b5fdab884a5a2c3cacaef3", - "version": 7 + "sha256": "29bb5b04d88c72fbc2d1446bb6137cfa342c46c539cd05476869fbea71f2353f", + "version": 8 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "914638a74ccd18310d5ea716fdbaa27482d1e7f8c13bae39ad347f00da8f6c12", - "version": 4 + "sha256": "a96204e734aad61228f51845056ce0f072c2740658b3d7b8af4eff8706a9ba9d", + "version": 5 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "1f690e67a2d90393ec43f1f3313f6c963c08304a4543a8c18dc03ca8872bfe5c", - "version": 4 + "sha256": "11c865273e884bc2fc14a65de9455d9d999fec216a350a79742055ea2689a328", + "version": 5 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "27d6e4256f3c3e790e0339e015ee47e5c922269bdbb9091c04efe12ed0ec4592", - "version": 6 + "sha256": "50110a30804c91bf54051c533e4bb8373a0ba5e6aedc4c16effdc46ba981e7b0", + "version": 7 + }, + "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { + "rule_name": "Threat Intel Filebeat Module Indicator Match", + "sha256": "22044ac757cd8ff685631dcc80bb0a463fe35ea0cdb50402bad9c202d902e381", + "version": 1 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "b7b3f2827dc1bc96a8c1e5a804e19cce2f509418f2ce52b0923112b5c01d0ea0", - "version": 8 + "sha256": "51ca2215f79efce05cf6065687607be7812ee829dbe9de2c46e31a24baeb63c7", + "version": 9 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", - "sha256": "2f2aa4fe1129b07fb289dc8e70a84d075f42bf1a44c4a01c41cc24c0675c5957", - "version": 3 + "sha256": "74067a1bafe61469a5555b6fffc68a96e2746e45c3c5a55bc453fd53e6c52150", + "version": 4 + }, + "ddab1f5f-7089-44f5-9fda-de5b11322e77": { + "rule_name": "NullSessionPipe Registry Modification", + "sha256": "a6ad52049db17556bce016b8cdc6ffd9a9cb311bc45bfbcabe972cf30456f3e7", + "version": 1 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "04edb4316172408505a52e6f43378c345af10c981ed4db2c7e45f8902b6c46e9", - "version": 3 + "sha256": "25b0e6100151bd4ff5c5484ce7221fc4dda10c7d24dfd447a7f604fe70ae74d2", + "version": 4 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "c345edb4dcc7ab10412b07d3293d643773657193c3527b15c474d96be60c6a99", - "version": 7 + "sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012", + "version": 8 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "rule_name": "Unusual Windows User Calling the Metadata Service", @@ -2376,33 +2436,33 @@ }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", - "sha256": "6a6c68a107427de0f6838ce00430234a18bf5034f29e805fc48cce986dc0d9e1", - "version": 4 + "sha256": "5edf3bc8df71a855a4dab07c6f921c2a459827567c3c4149ec1f3aefda5453ee", + "version": 5 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", - "sha256": "71e059c24c99903cb975e9f95323e5c9be65e5912fc7eb67acef26cc102524a2", - "version": 7 + "sha256": "8d4ae843cb9c1a4ab4c415b00ed10ca09a6ff0c4911446cf5d667f379e7e2ea3", + "version": 8 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", - "sha256": "010e005af1b2b84dd10de59d5cbccc011c644ea19adc9a472d599e5691f439b6", - "version": 4 + "sha256": "31e0903dea50c51c1f410db000a6989625140cea792e6cc154a6e51002d2c9bd", + "version": 5 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "f07fec07d7217a8a6e8dea785e9b8243992c7bba24d966b3a050d7521057dd95", - "version": 3 + "sha256": "d3a19e30b74d6b53aaae15b0678ea25c922302228cea85dde5aed39d9db25bd3", + "version": 4 }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", - "sha256": "261f158221738446b5fda02954b3c090dc67b73675520f1ad0676b62ce3a3858", - "version": 4 + "sha256": "64e549b8b5703062cd3bd1677df0e23c99eb1a924b818a819267abdbd5248488", + "version": 5 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", - "sha256": "23369a564ae52cbfd7ed52fe15acad95c978a89e2a3617100d052897fc28fc33", - "version": 5 + "sha256": "7de7854de44a80b0bd2a2a0197d6ebb3213a89c8f2f2257284f1948d008f4760", + "version": 6 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", @@ -2411,8 +2471,8 @@ }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", - "sha256": "552ca05a359012daa1c10f17cbb300ae59e0af6e8816bce331bff09883148a6a", - "version": 4 + "sha256": "94dcf7938345325b7cca64d3a410cffbb9e2503ddb509afb63a9721087a0b906", + "version": 5 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", @@ -2421,18 +2481,18 @@ }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", - "sha256": "c56ffa923af31ec4df6216d5d78247df3561dc46ca522a556ba4e766274ecaec", - "version": 4 + "sha256": "19a86cc9ac6669998a4fafb86a6d799bff7dabd879076d5214900421681ea297", + "version": 5 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", - "sha256": "d13eb44ce8c1e9c575b49c967a1cb48a88e92b7fdb1a9d220b5189addf6950fd", - "version": 7 + "sha256": "81c0684aa15cce486e20b18305135c90b2e696990f9f9928b916a604ec1607d7", + "version": 8 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "843eb805ba1977ac107e77885fa675b0633fea7cdf90a7437b83997cfe6ff5c8", - "version": 6 + "sha256": "53753455f7a7da08d4ed29d6563630e2a7b77ebfb0330af09b5b52a8a6f800c1", + "version": 7 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", @@ -2446,13 +2506,13 @@ }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "7a2279b7eeb6a05d016d7ddefdc6822aa7a9970aa56842c07c41e7d499d23d38", - "version": 5 + "sha256": "8d8985d87033dc11c0e673c1d9963cf89369e11468d2d4ea2c786fe7ed03b518", + "version": 6 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "724aadbeee971f131fc341654bf461b52ea82fe077e59ebf9914b7807e663067", - "version": 3 + "sha256": "65040d81fb2f4106c2816c529b620842ee4b50427b2f97aa763b8e201dd7908e", + "version": 4 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", @@ -2461,23 +2521,23 @@ }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", - "sha256": "89d30ce0d3a7a7934c3a31d917bfd1236d723ad3376cf9480c5d8346c44f3861", - "version": 1 + "sha256": "0644cb8d5ee6d8f8d2eca5e1e089a6de88309254de7216df280a3974006bc763", + "version": 2 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", - "sha256": "e44af923e00fc997967568bffa247c4e58c9fd3d60a81bf6d7bf01ce3e03cc1f", - "version": 1 + "sha256": "ad9317a7f7fd99c1ba80a7666b86353686bb19e51c37e2af77267750ef650018", + "version": 2 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", - "sha256": "7e9f9eae422c39e7db34668d41955de13bdbdce00bcdc6533104ab87baadbbc5", - "version": 5 + "sha256": "be780601c9e4a7e1aca8845facddfea5d71bf738376e9880f61beae46ddc51a4", + "version": 6 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "bc01c79f9051695dd063de8366b0df7e2db34d60c75d68211fd08f586607a4ed", - "version": 3 + "sha256": "b899b9419a4b24b77421765474521deb2de93b5d9784581ed9fd261ed1951409", + "version": 4 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", @@ -2485,9 +2545,9 @@ "version": 2 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "rule_name": "Local Service Commands", - "sha256": "7814dde5ffa0cb6d55314e3d635a938cbe1f3c1ff4cb9064489fc7319be15c43", - "version": 8 + "rule_name": "Service Control Spawned via Script Interpreter", + "sha256": "06690c0658d2dd465f3f42e62ce6289924edceaa79f26b4aca756c585acfaa13", + "version": 9 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", @@ -2496,13 +2556,13 @@ }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "ae54cec54f65ae013686d6cd34841d666efd26e0f65ad544bd743c1f2a21a7f2", - "version": 3 + "sha256": "16c391783d2d3d04c29a353d392764a8aec830daf68db15d29649bb9c067ba12", + "version": 4 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "821eca0bcbdff22a5082301443edb973245e33bbc8f31ca70b20b7b47b2060dc", - "version": 3 + "sha256": "dd2054d650d5ab62a662b60e2b292f49f99261c71ae4c360686b78ea3f5362f8", + "version": 4 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", @@ -2511,8 +2571,8 @@ }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", - "sha256": "adc35e58e49925dbe1df80ba70785f41102ce0d32a3f5f3f8379b935eada8fa2", - "version": 4 + "sha256": "6c51a2f7039139e42c9c5ec21c8e61544c1b2becdcebc6fc2923654efffa8169", + "version": 5 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", @@ -2521,53 +2581,63 @@ }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "9aee800e271c99dfee70b36fbe34a3607ad2b2c9030f77b26db66977cce7621f", - "version": 4 + "sha256": "05d4c9f087486af875f198e0211e9ed7966e7e37e52aa9cd375374e56eb87fb1", + "version": 5 + }, + "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { + "rule_name": "Spike in Firewall Denies", + "sha256": "65ba8a3c5cb671c8c0f365caf5c11450c484b61eb9ee92645bf4229b10ff2ff2", + "version": 1 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", - "sha256": "9107eb5172f577c66c5ab38340c4c4632a571e69c40b2567d4df76b2d8b5d786", - "version": 3 + "sha256": "ede87f21df9ef4874fde0720c5a1050b79ec63509d7fc140cadb2d1b2fbd72aa", + "version": 4 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", - "sha256": "49e14c39aa219a236e6fbb4af269b913d96a1b4a60c92fab7328e6a86f5f753c", - "version": 7 + "sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40", + "version": 8 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "2a3514bdbd9aea38dcf49dd803fbdccfb02c7d77f17cbc0d0c4b697611ca6127", - "version": 3 + "sha256": "df9854e81170ce396fdfc35f6fdfb40c97ee5a8edc656f3e146e11102777b8fb", + "version": 4 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", - "sha256": "9c8cd12bec3bbf0c2631d1a86bed02cc2c1c49c1df9748e5768f61aa429d2968", - "version": 4 + "sha256": "c5dc6b1040c2435cfe6ae76ca3334add285aa323acbf57de8d290fcb1df713e6", + "version": 5 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", "sha256": "5aeab7a2f59aecec28d8a1dc26d6183214c0b766a78fe542ffa59d282b42e2db", "version": 3 }, + "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { + "rule_name": "Microsoft 365 New Inbox Rule Created", + "sha256": "d9a9c04470d880e9ee6f62e370377653bd27823145528495347993bd0511e499", + "version": 1 + }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "7900695a24927077e5cbf12d7c5e64e28d4cdf217e656b48ef3d7bc7d57b6b33", - "version": 4 + "sha256": "e55c3cf978d32cfb164c5b8c8aa39ae007961fe094ad77f3c841b63d07cf2bcb", + "version": 5 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "876234fe53ca39b6228fa3994254732fa47c6ecaf36521255bab9106417154e2", - "version": 4 + "sha256": "081fa89e03c534503260ad3e556fc428c707a6d443a39e2608dfe96f6f59d34b", + "version": 5 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", - "sha256": "79ed2edf7b89ecad6bcf3fb625c06c3d211b1f77f64cd0021d9c8b195873e334", - "version": 3 + "sha256": "6ddd06f0d57dfe3c9f2a0bec8b2f39773e8b40e1213a52ebbae19d90c9d43b85", + "version": 4 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "6eb482908d306cb93ef5c9f9f94e615ee6df658aba85e74c89c00d613b075440", - "version": 3 + "sha256": "8da582f29fb72ed46e190081bbe82f4b0666ad3b883cb74b3986eff63610ef66", + "version": 4 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", @@ -2581,8 +2651,8 @@ }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "fff740535905b1eb36dbbc7da9296ae022e22848536b5e2418168f42c59e4cc9", - "version": 6 + "sha256": "fe2c910bebef36620062b269c0448a3fd9b43c00833778137700385bfcca4a7b", + "version": 7 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", @@ -2591,8 +2661,8 @@ }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "ef90c9bb3f1f8882390ef3f6d5f5443d080ee1290776d4422e39f164125a7774", - "version": 3 + "sha256": "66263b5a6a9cb7c17f2fd4a6c8c79078cc09d49f8f35ca811226da66e5002fea", + "version": 4 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Attempt to Remove File Quarantine Attribute", @@ -2601,8 +2671,8 @@ }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "9f4bb06f4f7052f9a4d703bb2938bf81a48febfcc3c0f2e03f952979431e604e", - "version": 2 + "sha256": "4f8fcc4f978c267b58a59c41a4e4f617ba6b8792e2aa22fb26f971279ea9f8cf", + "version": 3 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", @@ -2621,8 +2691,8 @@ }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", - "sha256": "90941235f90bb017456e6ad2ee37ded92e3187f11346b674d676f18c1c5723a8", - "version": 3 + "sha256": "79631e38ec873ab7281bd533d4827e487ce9da67c8af72a09ee12bc1cef3b04a", + "version": 4 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", @@ -2631,8 +2701,8 @@ }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "4e2f4382ebdd90b0b3e25ca50dfa944f4d50ec58704cf116a92b06a07ab23b6a", - "version": 1 + "sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7", + "version": 2 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "rule_name": "Persistence via Microsoft Office AddIns", @@ -2641,23 +2711,23 @@ }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", - "sha256": "7385ea7c1d0a15ded463637f6632bc97d802590f4a566fcc7098f79f14471002", - "version": 8 + "sha256": "9675f6c2d6b7bc26b770ed6f8bb5668058bb865b782423786a1ebb70bf5de797", + "version": 9 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "8dea91bdeeb9c2f206a4fc9ef2a924dba812b0fcd934d2b8abda6f1a52026f36", - "version": 8 + "sha256": "cc34e136a98a0c3da501db77e87e4418a36d9fa1a9af7f2809b0e876a0685baa", + "version": 9 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "3c213d93c01717a35630316d34f77ffb086ddefdb6cfb17420ca7446631eced7", - "version": 1 + "sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa", + "version": 2 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "49431fea2a247593c5efad95447e82c1e91b82f3c19955c60b33f3a5f120501a", - "version": 5 + "sha256": "83bd482803cdbcf79f22ae7c03238a8783130b4a702cf5996896ad74fe45cd14", + "version": 6 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", @@ -2671,8 +2741,8 @@ }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "68381fd6b57b4c5f03f2078e9a06e98d5e1180659dac5b0e1cb3c61d0b8c65e2", - "version": 1 + "sha256": "a1fab020030d01dfba1dc1c38293f9c6f11877acef2296e84bd9934cb13f0b29", + "version": 2 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux System Network Configuration Discovery", @@ -2681,8 +2751,8 @@ }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "a4f427b8e45a8b09377f98c48e1738ab08e566534215cbb78cbb8bd29e91971c", - "version": 5 + "sha256": "c0e090cd568639eb8a72c9c5cffc485a12fe5c1e837a054e3a9ed90da45f7748", + "version": 6 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", @@ -2691,18 +2761,18 @@ }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", - "sha256": "6633d1f8b6246ece6fc716b697a7b4150c0e67db46bfeeeac669cf59fcfeb038", - "version": 7 + "sha256": "55b97f236823525ebcdff6607f3ce89dccea9b4d7acc813986d8a35ff65094c7", + "version": 8 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", - "sha256": "b54cabaca98a7b1b1e9f1405a208db6aeb709830026f560b3a1c44428296c339", - "version": 1 + "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", + "version": 2 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "f77a5039b24fc1587785fd0f3b51aaf211e54760b25772b21f622aa00e1b71ff", - "version": 5 + "sha256": "f3105951c9d7b6566cb1ba921365735bf3b75776e1329e5acf10bc0827876c00", + "version": 6 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", @@ -2711,32 +2781,32 @@ }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "d20bd0cedd6be03196e44e9a5fc14e5a8a9ee377ce352088b45709f39b0cf002", - "version": 7 + "sha256": "96d6852fdd698f7298c41ddc6f5f45e8b8a82fefa5c52e1d9183b97850470400", + "version": 8 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Encoding or Decoding Files via CertUtil", - "sha256": "461bc75cf19856ebfc5cfb09d8a493cb27c39b4f4d27ccff01276891ca1f41cc", - "version": 7 + "sha256": "9e50d4deeb60f96f6fcab96ef64ca154647683c59393e99f14c3a95aa7119ad9", + "version": 8 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", - "sha256": "6759df772f8f777e47e7d246d3ccef103f62dfb94cc72616e9e7065eec2e37c5", - "version": 7 + "sha256": "3d1669ea32950b0330c14ea0ed19dd4205c656d44f4860b304c3b103c487c717", + "version": 8 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "aa23e0632177249272262d3a6a5e1077ae75a2c69215f4bc538f7c020e07f204", - "version": 3 + "sha256": "fcb59813bb82c4a09e274f7748df5c9dc10d89f50b7466d9f96819dae17b0177", + "version": 4 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "72bae97021b3cfe8ac1d561a532ee5e976fc0b09e97e0e067f03c55746a42b64", - "version": 3 + "sha256": "294224cbc1a5d95a5fa349fb0e4f7f241d79f04636eeee63c2c3174896068699", + "version": 4 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", - "sha256": "e69d584ed79e77116f0f985069ecfc8f441e9a057ec2873fcd4037a4830bc797", - "version": 4 + "sha256": "d1a7cbc54b4f8910cb9a43b7d0d568b13418ca9fce205a9fbdcc2396a3baf618", + "version": 5 } } \ No newline at end of file