security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3270)

Browse Source 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2023-11-13 14:45:58 -05:00
committed by GitHub
parent d52546eee5
commit 9195eedb9c
1 changed files with 809 additions and 767 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+809 -767
View File
@@ -18,9 +18,9 @@
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "c12251f0ebf415936a88178bbe670516848a774c5cf3e9bc888a6a8824a0e13a",
"sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e",
"type": "eql",
"version": 109
"version": 110
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
@@ -69,9 +69,9 @@
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "1fcc8d07520fa392cbd941dbaaac5fef1dc5dee48d5ab029ca64cc5409f7089a",
"sha256": "5717d643abdcfef9a6d60fff6d57720c82151980bb8e27c67620f86f538f9a1a",
"type": "eql",
"version": 103
"version": 104
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"min_stack_version": "8.4",
@@ -92,9 +92,9 @@
}
},
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "789be8d5147c605bb71d3b8591d50e528487c9440450bf27e1711d36edb5b5c5",
"sha256": "e194561c4501f18810b36c5747c2d6cdddb401d1dc29d19507a4af173c85ef22",
"type": "eql",
"version": 206
"version": 207
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
@@ -127,16 +127,16 @@
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "247079101b736a6f3dfb963c2106e2d5dfaf9523a631e74b57ca03fa12e6c429",
"sha256": "ec82385a8fee3e9b8a3e2bfe0b4a9678a7cd9d31611bbc8c5538214912a0831d",
"type": "threshold",
"version": 1
"version": 2
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"min_stack_version": "8.3",
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "77e56ceb38921c2a4b69d7e793e5cebe8412e613b9f767bf3e7d272f297aa00d",
"sha256": "a8e44864c0255586bcea1d4b241810c54170028501986f52bb80bf79c2136c98",
"type": "query",
"version": 106
"version": 107
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"min_stack_version": "8.3",
@@ -155,44 +155,44 @@
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "900e474f07b795dfe109f252a2d4a9069cdb9a8471cde0a8e19a36b84f3797ba",
"sha256": "e916c4a76f7f4724dde59c0d5c7fadb93add0c6ad283f0e1d57ae6305853886f",
"type": "eql",
"version": 107
"version": 108
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "dc6dc5d5b9bb5d8022327de5bbdc2e934503ba0e31ae2336672439cbcc22bf74",
"sha256": "1e11e71d550916f3027c212e5cb88b8489cc66382f8969badce547b978a64358",
"type": "eql",
"version": 106
"version": 107
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "6df780c2019fb6ff0102a70515a5233d958c58be4522ce64b31da80680965b27",
"sha256": "73ca1614ed192b3b473355db2817b5f0a68bdd630741d03fa3c3ac9fb6596bfc",
"type": "eql",
"version": 107
"version": 108
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Kernel Module Load",
"sha256": "a546a22d29ab39e34b84e1d2bb96312c59c8c0072948b715eea31b3cae42f3fb",
"sha256": "096c4047e2d5c332df1556e653b387ff45bc20f504f8a4b0a6b48151a55674ed",
"type": "query",
"version": 1
"version": 2
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "e707dd532d4c099c31f5b95bdc9d237af995a146109cd6caf07576bac95509f4",
"sha256": "c509bf24e613999a96e9f6e7ec6a6754b69d21683106ac3528a730fb635ad675",
"type": "query",
"version": 106
"version": 107
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.3",
"rule_name": "Remote System Discovery Commands",
"sha256": "43d5cfda7bb1c28139045da08dfbda821d56fd45af89f05a4cf932a0b7eee839",
"sha256": "3ff2e26f26973251308b3a47b92955b2d31e844b07905f658b693e4464638cc1",
"type": "eql",
"version": 109
"version": 110
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
@@ -225,9 +225,9 @@
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.3",
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "f00b9c39c021a4f1b4bbb9b99497ddbe906de70e57582440fa6dc315977892e7",
"sha256": "6992b6ee67e76b2c6fa0320f7a2f7acccc539973b27803777e37f928b1adce03",
"type": "eql",
"version": 106
"version": 107
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.3",
@@ -239,9 +239,9 @@
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "8822c17823d2a397a734dabe9b76dc5786f7ea603e234dc22bac765c440f88ad",
"sha256": "9a08bba2e66dd9f99a6a87ab539e1f2f205273b9af8e42a91a6be93beeb479e8",
"type": "threshold",
"version": 4
"version": 5
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
@@ -310,9 +310,9 @@
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "f6144e95dc8aa7800b86c6582df0d1251a9c27f1585675fa011b5ac9ebe844c2",
"sha256": "bffb87c25d97a23ef42d1aad12239934aaa88f15fbf46680f22c595a801286da",
"type": "eql",
"version": 104
"version": 105
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
@@ -330,9 +330,9 @@
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"min_stack_version": "8.3",
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "86eaafcb32b1483e8453f37ecd655c5e8c33aceb5c823ab84d86ff4a4759ca09",
"sha256": "41f9768d8739cf9cff0a5ab80f5ac4056209af12abd8a87456875d5fabd271ee",
"type": "eql",
"version": 2
"version": 3
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"min_stack_version": "8.3",
@@ -348,12 +348,19 @@
"type": "query",
"version": 101
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "0d74c78086416566df6174db2e219ff1366b37b544a388f89b465f5ca7ef7dda",
"type": "query",
"version": 1
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "010e64048d380d35b40f806816a62483d54ed2f3cdafafd01f6d92feb6df8f79",
"sha256": "4d8b6dfe62f6b9bc2ce89b79f7ad0e881dc744022d619b382b2e6e2d3ed15a17",
"type": "query",
"version": 3
"version": 4
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.3",
@@ -365,16 +372,16 @@
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.3",
"rule_name": "User account exposed to Kerberoasting",
"sha256": "0cdcc5efba4bbbddd11d3637a92be7d075bd2bbd3e8f44698ea7dde40dc77ea1",
"sha256": "4d9914b3179a3e81042daf2378c760535c3b1fe6a90367a9f939f8427e1c4500",
"type": "query",
"version": 107
"version": 108
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "c545678521c2df966a1a7b9a11ac1e9e2bb8d0acad65746d1bb12f47607f2149",
"sha256": "4de1162d4124823c1b08df4e7630411d08269eb515c9cfc8179d1eb8a06327ae",
"type": "eql",
"version": 3
"version": 4
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"min_stack_version": "8.3",
@@ -386,16 +393,16 @@
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb",
"sha256": "0226bcc18f65bc8670480b12a71f13488f9f7fc519e664d5a16634de8b356951",
"type": "threat_match",
"version": 3
"version": 4
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
"rule_name": "Peripheral Device Discovery",
"sha256": "5b50fcf0eaef2f2da52e18a413845a9342f1271d669f06c117524bd4afb7db27",
"sha256": "9453d6d14110a5bd8e263b6c8438683e2151cdb64a07cc0497960ca3ce991b4e",
"type": "eql",
"version": 106
"version": 107
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.5",
@@ -430,9 +437,9 @@
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"min_stack_version": "8.3",
"rule_name": "Nping Process Activity",
"sha256": "a268355fc0423778888b7e0b1d9b8e7e5dd149344e2b5baa79b585c6189698e4",
"sha256": "affd117afc6ebeb37b988f85e144c43ebcadc77ed73c48470478dd749dd593f3",
"type": "eql",
"version": 106
"version": 107
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
@@ -474,16 +481,16 @@
}
},
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "514ea9a49add087a7f2f10f48d370ebfea15dc09db5bb9d5a908453ced80567e",
"sha256": "2fbbc2683f2b38e5fbfa30e12d93b04afa2aa3f59df9b312bb793cab7f3211d8",
"type": "new_terms",
"version": 107
"version": 108
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"min_stack_version": "8.3",
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "ff53f0363d8f483a8cedf49e6a907968b544472e09fd83e82d1eb9b2f3b16af0",
"sha256": "709341b184f3833219d910074fc3df6035266d8b90c5cdcf213a48afbcdcc538",
"type": "eql",
"version": 1
"version": 2
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
@@ -503,9 +510,9 @@
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "11e0bf29e964bfa87c51e81ea74a1e1174e444b2585a44c67e5a7db58fd0391a",
"sha256": "202c9c176a43f16620bdff4bf9d03665053b52c262d0277462afd841a08c623c",
"type": "threshold",
"version": 206
"version": 207
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"min_stack_version": "8.3",
@@ -537,16 +544,16 @@
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "73bcd7b6468b86456d40fae00cecf6d091d5f5b42458d68c4ba96cb0f0304967",
"sha256": "8b1466a22fc9368899862a84bebbbc8304df306ba80857e8857991f935d82953",
"type": "eql",
"version": 107
"version": 108
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "b0824ce814b7fa05a5a6e8d9f8f54849dd033892fd3ad5d850a4a5e2df77645b",
"sha256": "b49dd643b78ce80ed0ff86c6b03d206c7922e4364a738c813cb0d96194b9e53d",
"type": "eql",
"version": 108
"version": 109
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"min_stack_version": "8.9",
@@ -573,16 +580,16 @@
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "d41a56fd39249f9a8ecaea4b7739a996efe8bbd66aa4165345951de99ac2d102",
"sha256": "1c0bf38efb6972def16721d8a6cdfa4657dcd306a120b1f283193fbf9adf6574",
"type": "query",
"version": 8
"version": 9
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "f48869c0c1a7667d8c8a24d78167a2e33fa2e5db8b4d71bbab951f29a6571875",
"sha256": "e3f49374583b3283173ec5a2b56bf984b274041c4f13c423595f0740c9437bc5",
"type": "eql",
"version": 108
"version": 109
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.9",
@@ -631,9 +638,9 @@
}
},
"rule_name": "Suspicious Lsass Process Access",
"sha256": "76c9bb0e0674d8903c7f1429ef3267a939de6bd90838451429533396f7bfbbb8",
"sha256": "9a0adebc4688de3fd5a514af5e63944ea533f9a6b3a1b9832c1736e34b9ff2a9",
"type": "eql",
"version": 105
"version": 106
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"min_stack_version": "8.4",
@@ -677,16 +684,16 @@
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "91ce748803215def5fc3e0a13c3061c7a533494b7bfd86f66b778586a56f4ee9",
"sha256": "6f00425e03b75ccad2d669adf599edf5e627579bfd6c02dfd5a8b8074c9ee0e1",
"type": "eql",
"version": 107
"version": 108
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "d49a0d61c82206a76e5ea5062c272c71b644034b559db7579c8be76bb8dc36d6",
"sha256": "f7da8ec3bf0a1cd28b4e1bc7a091b73bc0f8a408eb3510bd3abc386277dca211",
"type": "eql",
"version": 104
"version": 105
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "8.3",
@@ -762,23 +769,23 @@
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "2f29328dabd08f923a8df391ea35c8ea653ed3968d056d71b05ae11f402b17c9",
"sha256": "7429e9a1ede15a8d3ef3f9c969e435fd27f290eba5d56942784d6b43291cb85b",
"type": "query",
"version": 108
"version": 109
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "65f575f302777f8e9f896d45ad7e2b53416d03fc3d711a6058f740c933b3e1c4",
"sha256": "ba1b29894e3714a467099698c2a7111489b3e522d59f5b61ad2f7d791d5adf30",
"type": "eql",
"version": 107
"version": 108
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "d963ef7eb139996297e8b66dc040b9ed8dd898130265bc0f428c48f57690155d",
"sha256": "2fddf303d95fc9181afbdf53833cd1e53d7499cd79cd616b07838eab1dc5f378",
"type": "eql",
"version": 104
"version": 105
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"min_stack_version": "8.3",
@@ -820,16 +827,16 @@
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "6f7e78b34dbd113748d1850790a473327c1ae2f910eaed28ea59e14871d611f2",
"sha256": "c0cd1aaa9aa6759d34b3b00592c50454726fad1c02fe5887b0a6f33c1e4ef794",
"type": "eql",
"version": 108
"version": 109
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "da818e423eb85083fbcbe6984e8f3a75595575cfe82ec3d62e8a531eb3627fad",
"sha256": "c1962ed3ad486c1c8ab7837d32854ef5d5c1026a407b61542db8e9886def0da4",
"type": "query",
"version": 107
"version": 108
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.3",
@@ -869,9 +876,9 @@
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "4ee6af63081a009901c6f3b4f3f314e8c3dbe15dd4d5751b7c5536708cc01fed",
"sha256": "a1c8a579032003cb718a31611540b8552f7995938b5042e9fa19a6b59d7b8e34",
"type": "new_terms",
"version": 5
"version": 6
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
@@ -910,9 +917,9 @@
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "f58eb1cacf84d92e06f41776bcc67711b803714568ae64ad82e907c980a3c4d5",
"sha256": "8806cde9bf6f85d4dbf7c642a37a0723d2c9cda4383535560b018b1ab8eb2df1",
"type": "eql",
"version": 2
"version": 3
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"min_stack_version": "8.9",
@@ -954,9 +961,9 @@
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.3",
"rule_name": "Execution of COM object via Xwizard",
"sha256": "c9a9234db42533396f1a25a5036711a9363213918faa1187a99e65ae616c78b4",
"sha256": "f0bed76a611cf637f400967119419ac503bb528123d294a8a6b149fdcd8cfabf",
"type": "eql",
"version": 106
"version": 107
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"min_stack_version": "8.9",
@@ -977,16 +984,16 @@
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
"rule_name": "User Account Creation",
"sha256": "bd9e8d97604e499b249740f537c152e6e886cd82a2d77ceda0bbd4ef99ac37b4",
"sha256": "e9425321d9364d0c69d31c985962e0e5af2b19bb9d6ccea2c92aec82e0f73f6d",
"type": "eql",
"version": 106
"version": 107
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "aae5d1cb44fafff6fe643a706d5eef8d83794dfae46ea638507259cb2c9bb041",
"sha256": "1a9795116a97f7bc045cbda5a8af5e8e78f0d62a88cd641583e3838f293c26b6",
"type": "eql",
"version": 105
"version": 106
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"min_stack_version": "8.9",
@@ -1007,9 +1014,9 @@
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "0b4cbcadf42c525059f293cf8894de62f587e228878dfc70d1d6aafdfebaa221",
"sha256": "38c57c420c15a1f0758f68c979f680379cd78121e64ea43be7600b11823ed5f6",
"type": "eql",
"version": 8
"version": 9
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"min_stack_version": "8.3",
@@ -1028,9 +1035,9 @@
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "d5fac2c07f8912a7aeb5987420d21df972ba3bcfda92b5c66438a6f37625e973",
"sha256": "2c7b3afb5bcedf1734a00e47303d98eb4df820d760aee5553c8e9763cfa58d9e",
"type": "eql",
"version": 109
"version": 110
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
@@ -1077,16 +1084,16 @@
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "09504eee0ca293aed720134b083bcf30791788c02f630b563bfb73e34fe17918",
"sha256": "9d74966200ab76215b5f75666d8a4991c2b0147b50e7786298a59b9b037dc303",
"type": "eql",
"version": 105
"version": 106
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "7ac0061e940b4f3f683e9552b00466fbce21ca52e1c3a8b5e155fffed0764c4d",
"sha256": "4c8c8473db95992186d566e79adf668d651878042f01dc8c4a1de75f8a44c347",
"type": "eql",
"version": 4
"version": 5
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.3",
@@ -1098,16 +1105,16 @@
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "1d7ffe0b0cb484baa86ed92a884c1b7c1ed28b7a8d3591393beaf14d5ffe7fc4",
"sha256": "03227f8f005fd0a6e2824b8615533828cdad806c0d69e6d5f11c0504f4ceb316",
"type": "eql",
"version": 1
"version": 2
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "e1abdaaaa56dcd60699f61e183b6ee3d637065363a4aef48e49785d0f3d52a12",
"sha256": "476840872bfeccaff488dd65134b6a82f2299b815ee751a661219204e8c1ad9a",
"type": "query",
"version": 3
"version": 4
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
@@ -1168,16 +1175,16 @@
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "94fec9b0c4fecdb1ba512be811459a1cae6d7efcac880fc5d63a308a8f87be8b",
"sha256": "38254e10c94b71503f642eb25ccf9bd0e66542f343d369ab1cfe7cc1e0d8729a",
"type": "eql",
"version": 107
"version": 108
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "f38629eb459ab9343b9f3748109d6c691baf729de86d85d83d10c0740baa869a",
"sha256": "8db003c9e7d9158d52c379347dee67ace799d72c640e8beaccdc4a3d26caf8f5",
"type": "eql",
"version": 106
"version": 107
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.9",
@@ -1198,9 +1205,9 @@
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.3",
"rule_name": "Access of Stored Browser Credentials",
"sha256": "f8275d90cfe0ef660c6505002f3eb7a22afc1b4c189c9ba4e9f9dd4184dc1161",
"sha256": "3d1c5ae1b6b6134946ceb0fab3b028b7757a3cae9213e83e12d2ef7fb4af7498",
"type": "eql",
"version": 104
"version": 105
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
@@ -1212,9 +1219,9 @@
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "1c23cc9b4544d51bbbd10ce33e915cb6276bf71aeedc24400651d0995cb17dcc",
"sha256": "a1c0793e46ef70df7a07d937496dac757813e319583a4835ca03b7889dc59aab",
"type": "eql",
"version": 108
"version": 109
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
@@ -1299,9 +1306,9 @@
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Load via insmod",
"sha256": "4c816b9ebae8561e4197ef52689ef05de8036037dc74de66afdae2a9aa6a2845",
"sha256": "2cc6d7aa7add54ada5a4d8c00fdb52a0b87509638431999e633b74055b8c0f4a",
"type": "eql",
"version": 106
"version": 107
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.9",
@@ -1320,23 +1327,30 @@
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "7eb4bab3a9d22066a5b70d36c5d06224bd14bf207e4152a20a04bd323f5fc06a",
"sha256": "d8e20705353d3835109854dff70bf6bcec1d3cc3959cb9434fc53f2e46925c1b",
"type": "eql",
"version": 105
"version": 106
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "98913787308b752f32b96a1d2e394c59c7a0c880b2caa632f30c81842f2cb0c9",
"sha256": "707d343409c8eb1b73e83d906c6564b4401912393e9d157bd4913b267dd1c108",
"type": "eql",
"version": 2
"version": 3
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"min_stack_version": "8.6",
"rule_name": "Network Activity Detected via Kworker",
"sha256": "135aee6821b8cd1ee41d9c054c4f355427b8352720b5463c6e68144a5f53830a",
"type": "new_terms",
"version": 1
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "15d66149f0f83ab636bbca6591b3cda98a98989d4e8cbca69c06725499d7fd2e",
"sha256": "e7d2c248c0ef9948b7461ecd30161e9e5fae46a1bd58ce87073cb10b5b354b85",
"type": "eql",
"version": 3
"version": 4
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"min_stack_version": "8.3",
@@ -1348,9 +1362,9 @@
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "0f3875681feabc9889f6f06cf0687e0b3f367b347f46f58fe88448b97c69821c",
"sha256": "22c2959b31f776a92a435478b6ab0d09b9f9faaaee332d070e0e0a5236352c97",
"type": "eql",
"version": 108
"version": 109
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"min_stack_version": "8.3",
@@ -1376,9 +1390,16 @@
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "2a8ff80cbf124d75571a8831f389c7e67129f89c0f2d1b512133a48bbf0d3478",
"sha256": "3a7e860d0d7d4932d1765d9a9890853d23ee8dbe1726f151accf8ed96efd88c2",
"type": "query",
"version": 3
"version": 4
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "e93a1e9fd50b7401c5d62def71f3729c535a1a070f8e42194e4a2a9bfe8843b4",
"type": "eql",
"version": 1
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"min_stack_version": "8.3",
@@ -1418,9 +1439,9 @@
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "900b6c0dcc73edd29b7f8b445d08d37da743dcd1e18c5a8cc4a545be1c9e4c72",
"sha256": "9d0bcbf7b54f9ec62e6ac93c6fc9afa7729ae93e9eda196e3470f9f2ce3c3131",
"type": "eql",
"version": 107
"version": 108
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
@@ -1432,9 +1453,9 @@
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "29566bc20e44999833de4b93b85e993bbca41d4c16ca41f5fe01ea80ad52937a",
"sha256": "748d22c0d796641d48a1bc6cc42284615cf7f1682f6204efa1dc80e97ca715ac",
"type": "eql",
"version": 6
"version": 7
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
@@ -1445,9 +1466,9 @@
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.3",
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "765e6c39bbdfecbbfd3ffa1a44b4838d06c295b53d4b73143316ec99c8b3550b",
"sha256": "7812955eb756c08f5d9f17dbf1d672b0f9a1587bf4d1f8fb36bbd42fab2a4a82",
"type": "eql",
"version": 3
"version": 4
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"min_stack_version": "8.9",
@@ -1468,16 +1489,16 @@
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "a6231a8bcd050f72676f997117e09ea1f8873a178971237eb2b54404906f0c95",
"sha256": "ee657966d36d8e1dcc396dedd56fee8e5c2f1fdc6d06e0ad9dd4b9c5bc655463",
"type": "eql",
"version": 108
"version": 109
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "13c2fcb9dbaf1339d3e3b7e5fa159bc1a2875aee235776f1bb13518d49a8d738",
"sha256": "583bcc5f3c4c54715db820cfd49175943c5c77bcf448a46843c29a7dfe8a1e0b",
"type": "eql",
"version": 107
"version": 108
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.6",
@@ -1491,9 +1512,9 @@
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "6f6f6175fa206cf7e0c3a47488388561ee39b49bc0b1f18f6baede4fe3ded355",
"sha256": "63b960b37cd4248376f81706924a1929775fa96a6eaf6575da361e96fafafc8b",
"type": "new_terms",
"version": 208
"version": 209
},
"29ef5686-9b93-433e-91b5-683911094698": {
"min_stack_version": "8.6",
@@ -1512,9 +1533,9 @@
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "8dd9f5b2abfa297105040ebfc4e441af646a5bec20f8ee97a6856351c8e1f99b",
"sha256": "304872798cec74b70f3b39512a44006ab49849897e5b760c45f57663f6cbb753",
"type": "eql",
"version": 4
"version": 5
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
@@ -1535,30 +1556,30 @@
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Grep",
"sha256": "01993ae1314c912204f7b87a0999c27cd2861f56a7a0b766dd0bbe4119dc0c9f",
"sha256": "60b8604133b04c233608035975acff3e5c7ffae33d7e6f65d97cca37326561a3",
"type": "eql",
"version": 4
"version": 5
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.3",
"rule_name": "Adobe Hijack Persistence",
"sha256": "6c4da0a89fa984f5f93fd0fa33b26bc6bee17987271ce73792eb19e342bd9289",
"sha256": "d4540f314ef044ee0c2fbf1fbfe559d927eaadd79f9cedfbad924a877eb3a5ca",
"type": "eql",
"version": 108
"version": 109
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "5d23ecdc51a103c5863a93a34aea633e2691b91c8dbeb2a3551c652bfc691f8f",
"sha256": "30fae5f472da92e741d6c44d0ad23b2c739fee3b3ccd38f73960e06567dda767",
"type": "eql",
"version": 106
"version": 107
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "86de8c98200d07e566af71b1fa99113d43b1493e4faf47609359a69d1f0138b4",
"sha256": "6240a5e2945d67deadb4e2ae6462053f9659a0144f048bc91767c92e390ffe30",
"type": "eql",
"version": 106
"version": 107
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.6",
@@ -1572,9 +1593,9 @@
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "2fa255256633606f39637f99e60437fd03db8f4721370c5cefa5c65857661e01",
"sha256": "11cd32635c6cb009185cf4605d2b361f086b0699c8ac390eb8bf7fa0b988192a",
"type": "new_terms",
"version": 206
"version": 207
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.8",
@@ -1588,16 +1609,16 @@
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "2c9cb831e23495341a51736efbfd144c71ae76cd1e9219fdc2078d70cdbc0407",
"sha256": "02194b622839ad66b2931225a725b2013f5ba1b1ae524083ede33369dc018840",
"type": "eql",
"version": 209
"version": 210
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "2235a3c31df521f4cbbff7cf12df793eb343d389777cc8851c382a1434bef647",
"sha256": "65f4f675acd03a58a2f89697fff8a4bd8c77099a91215437f4453ac89851caef",
"type": "eql",
"version": 1
"version": 2
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
@@ -1616,16 +1637,16 @@
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.3",
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "00fd95465bfe881a5dfb2b30e171b6d3addca0be3abcb66e67427c52a8e540fe",
"sha256": "0d68982c3ad2c66fe584668a2a911d7ba89c1e7a8e876b33f359f2f58a1094d8",
"type": "eql",
"version": 107
"version": 108
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "3921a45db23fa07aa23f52a05c6cc6645307b5795c62c52f1ab0e7119b93182b",
"sha256": "265f859057d32706bc44115c2b619366f405b94b82a1930e01559999ad451bc1",
"type": "query",
"version": 108
"version": 109
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.3",
@@ -1644,9 +1665,9 @@
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "c682c5d7a2d90176791ea60cfc2d52a941a2c145e96c42c88a6802013e6d594e",
"sha256": "7def1140f5946506db0986d62813b2d07f78ddedf08032f5bb4d2e74b12db501",
"type": "eql",
"version": 106
"version": 107
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
@@ -1658,16 +1679,16 @@
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "65b15ece2e91066379c4bf4c8646bde0a3f995c713d228332c5ef3af665e3c0d",
"sha256": "63a0240e890b59f4e0d8ef6057b38f2c59f013ac31f0899372ea40782b935ee2",
"type": "query",
"version": 108
"version": 109
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "bdea522d5730e3c4d4239717173a709ebc5ff118296edbcb70faeb3e62cdcc0d",
"sha256": "b5c037e4028ed9b2148058177b53b6f8cd416c2002692c954030a5797c8c08b9",
"type": "eql",
"version": 107
"version": 108
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
@@ -1679,9 +1700,9 @@
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "1e95c5544b74d84ae96e15fafa7f0ffb9e564fa1552c02adbdf2d0bb9e68e7a3",
"sha256": "4da6b62b7ec7cb25f041951db128ea15b7b77213f4dcd6d830e9a1d1f4d349ed",
"type": "eql",
"version": 107
"version": 108
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.9",
@@ -1700,9 +1721,9 @@
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"min_stack_version": "8.5",
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "7f96205f8ffdfb7be7c57a34dbdf149f99a13961e1477d17815ad48f85b7bdc0",
"sha256": "9648e6c27ae63c4d6b1419abbd96b927ee8834cb13bac73d2f3c36c874122c45",
"type": "eql",
"version": 4
"version": 5
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "8.3",
@@ -1721,9 +1742,9 @@
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "2ca2ed5d2836beb7bbbfd48b039b171774baba1b8995a88ab16943fbbb170fa9",
"sha256": "daa92a1b6f43697ea1240f49a719d9b47291cfa4bfa6656460a9ede23b2d00e3",
"type": "eql",
"version": 108
"version": 109
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
@@ -1749,16 +1770,16 @@
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
"rule_name": "Program Files Directory Masquerading",
"sha256": "f389c3e2a3f8696ba905bbf5f2e7cd9d651bba9bc241a8a4d1b2b38ae984e5a7",
"sha256": "9224ce80ac3a2d46b853cb988075ebe71f9cbbdc90695974a1bd7abe58726911",
"type": "eql",
"version": 105
"version": 106
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "dfea65085c4b690895eb691760b4a9025da59cecbf5c4ff242c26713ede0bb2c",
"sha256": "9c7b1be8cd662dea09651d051b6aedfa04b3380cfa9fcb294a5776f8f883980b",
"type": "eql",
"version": 107
"version": 108
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.9",
@@ -1779,16 +1800,16 @@
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Find",
"sha256": "f71d1a0fc2a3a9498c1c07bb8d19631c82ed04d6216b650b39cf5c767ccd0ea4",
"sha256": "e78c45bd7a967de7c4defaf1dd745c826bfec1fd5423a3925426ae981a8822ac",
"type": "eql",
"version": 4
"version": 5
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via PowerShell",
"sha256": "9a87c68d2c67e9d7c764bd3e0b48bc4c59f6ef3559661cf0ac814f61ec9bbab6",
"sha256": "38dc15a0612dfcb492d058cb2414f7cb66550cc57d1a90b28469f9a499391d7a",
"type": "eql",
"version": 107
"version": 108
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "8.8",
@@ -1821,9 +1842,9 @@
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
"rule_name": "Port Forwarding Rule Addition",
"sha256": "2ec830c30a80eba9d2bfb5dc78d0ce64e7eb8f66ea2f8266e666d077fa916852",
"sha256": "291793bdb267500bb51af75132d44acbe6c3514e74d3fac34ce187ef4cc58d43",
"type": "eql",
"version": 107
"version": 108
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "8.9",
@@ -1835,9 +1856,9 @@
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "eb0fbd449489cc0545518f8343446262c27a6955ff5c0843713e629582eb112d",
"sha256": "f43b593fe851b23a69b109c4a9fd1e07aeb8374bab2d9c192ef74fc76cba8ec0",
"type": "eql",
"version": 107
"version": 108
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
@@ -1855,9 +1876,9 @@
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "cafe78e9310f27ba8cdcfb8fbc318a1a2f55223679ea3d91c3a0877dd578b7d3",
"sha256": "954fc970c7c982de04f1ec41cdd8c4c8f00fe8b2bbc5507e42e9e255d9150c96",
"type": "eql",
"version": 107
"version": 108
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
@@ -1951,16 +1972,16 @@
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Certutil",
"sha256": "c532585e329cfc2a78418e835c1c40593c75045ae9725cbc39486ac6a9236bde",
"sha256": "574966e6333af6f15b7e801105f1325ba602693577dd5b5c77c6d1821abdb360",
"type": "eql",
"version": 107
"version": 108
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "04689f3ff304d7f32e7686e38a520a66df28fb8ee9d2e13149768a9667183188",
"sha256": "7838d2f36bacd85c4a8333291f41d0755a4918b3a06ea5b7d88eb8a7e29dd8fc",
"type": "eql",
"version": 104
"version": 105
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
@@ -2002,23 +2023,23 @@
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "6f54ba0ae7f973881e6d519845715c8888960f217bdaffbbbcabf2ccd305c49f",
"sha256": "2d7c95cdf099081d29fe694938ae75a1e1e05d03d14e2314b91abcf074cb3d2a",
"type": "eql",
"version": 104
"version": 105
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "fb96d295d12b3d405dc93ad509f792885c4e32bb760c7518b005755a6ad6acb4",
"type": "threshold",
"version": 107
"sha256": "1feb23973523f2629afbcfd02fc9042a94493d897f520c7db2799fb1f9e27af7",
"type": "eql",
"version": 108
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "5daa50c7701a3bf0e4c82229b8fb7696df740f0bf74dd874a9283b541715f970",
"sha256": "94f504dbd294572829f124578db222617f24279fa9d20443db1c7497f5f167a5",
"type": "eql",
"version": 4
"version": 5
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
@@ -2050,16 +2071,16 @@
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792",
"sha256": "373baf17283c276e152b141c68c56eee4698cd1a52b9fb64f8343325b5e7d7b0",
"type": "eql",
"version": 107
"version": 108
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "691edf20cc218616ece6013dbbfe102d01c87c91cfd3bd49ea126eb3830c5982",
"sha256": "4ff0e24875bfb35972c6017f875f3f557a82affb8d01f26b1e841de629d3f418",
"type": "eql",
"version": 107
"version": 108
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
@@ -2071,9 +2092,9 @@
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "ad925532e35677e84cb73970b142002377617338f4574eb6ca4dbd7bfcdb37a7",
"sha256": "d2820917e295f70cedcc97c012d7e6f4bfa4368d8a77e79023225614feb95c7a",
"type": "query",
"version": 2
"version": 3
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"min_stack_version": "8.9",
@@ -2105,6 +2126,13 @@
"type": "eql",
"version": 4
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load",
"sha256": "bf54a568cf07cb6372551ed2c315a350fd80ec33811327aa6c5473d64f5aa928",
"type": "eql",
"version": 1
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Emond Child Process",
@@ -2122,9 +2150,9 @@
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "34be040a61351672e5b29280ad568cf664732a1ab9ae5ac0b32bdb72b49f10f1",
"sha256": "09ed4561cb386a7b90520c318b820066f354c61f1b5e023d10563ad64a035c2b",
"type": "eql",
"version": 106
"version": 107
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.8",
@@ -2159,16 +2187,16 @@
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "2bc6f32144a2b110dfc14493dc5930b3aa2c23ca7d00b46924c2643ac2d73c45",
"sha256": "cb2bfaf035ed8f6cda1b9f14af8ef78a36f0984d1f3d5baaf375ba1bdfd833f2",
"type": "eql",
"version": 2
"version": 3
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "511ca509d7faf58b68373d12932edd1aef607c53de1314647b3764b976fb35fe",
"sha256": "a99ea10f8baeb92b2c9e2c4363393f2718bab9daab338ce36617565d14e8a3c8",
"type": "eql",
"version": 107
"version": 108
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"min_stack_version": "8.3",
@@ -2210,9 +2238,9 @@
}
},
"rule_name": "Suspicious Modprobe File Event",
"sha256": "c6ccd9c0ba411da8142f15ca71dd04dca27e1ec82b527324439621b449f4812d",
"sha256": "adfdf5e7e2b042ce698eaca7b4100de49ad0b439725a5ae9ed2da41b4164de0c",
"type": "new_terms",
"version": 103
"version": 104
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.3",
@@ -2224,9 +2252,9 @@
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "1de1e9aa9030d56c6c6629cd92e3ba65d61bfc9063b76ea2abe412899a224d3f",
"sha256": "88b7f3edd6dcf39eb51d9ad50f608aae26b1aaaff95adb1f19b6565abcf8d9e1",
"type": "eql",
"version": 107
"version": 108
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"min_stack_version": "8.3",
@@ -2268,9 +2296,9 @@
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
"rule_name": "Process Creation via Secondary Logon",
"sha256": "ede0c21a7bcb75d8f44e0d0a869533c261bd3c91323dd5eef691534aefb54675",
"sha256": "65781e6a82dfba3a861174decf22fa460a0930a12169646ca3d6d4aa7eaa7c6a",
"type": "eql",
"version": 7
"version": 8
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"min_stack_version": "8.3",
@@ -2289,16 +2317,16 @@
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"min_stack_version": "8.3",
"rule_name": "Linux User Added to Privileged Group",
"sha256": "3730f04f7a829d9ca0f149c00ebd1c6cd07226bad5915f6295d82656e40bf5f8",
"sha256": "8b01aed5f72d886c28700069c04c106550f8803094c43e8fb5f458bba3e843ff",
"type": "eql",
"version": 4
"version": 5
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.3",
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "c1524c8e450507403654a2f7bbdc7609ef590afe3fb8de408270d3c012559b54",
"sha256": "dd409ade4fd40ee77479589620573779b153ec9c46ba6ecd32a0b3878b417730",
"type": "eql",
"version": 107
"version": 108
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.3",
@@ -2317,9 +2345,9 @@
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "3338f91573d9f2de9fec741a8de8feac5f2b0486ab6c185b94f5f37b938c89fc",
"sha256": "d1dc99f54476ef81bf7b7a1b8a5ea2e40a3c58ee6cad0f93459808bc06d3fae9",
"type": "eql",
"version": 8
"version": 9
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
@@ -2338,9 +2366,9 @@
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "576f44e57f57bcc5a260380c704c2c253b9f8fcefa472e5b4339b0e138c9112b",
"sha256": "87876e96cffd8fcaa7701a062020cde8d6ada8f48aeed13a7b7153b0274318f5",
"type": "eql",
"version": 108
"version": 109
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
@@ -2366,9 +2394,9 @@
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "c231805a854c98302dcc5c774688217904e4960a000e193bb04158fac9a0b743",
"sha256": "bac9e6b18e0ec38e0b8930bb9402ed0d4c8000c06cacaaabaa388556a67dcb48",
"type": "new_terms",
"version": 6
"version": 7
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "8.8",
@@ -2380,9 +2408,9 @@
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "264b7c418b25b248ad38bc172ac651d639a720a652fba044e02596419b889ef5",
"sha256": "b3e13c97d0c0bff23ce9255d93a0a60d4aed4d262d14236423927bff1458d583",
"type": "eql",
"version": 108
"version": 109
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
@@ -2400,9 +2428,9 @@
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "99db297efd0e9e1c456c8eaddae105366196554aa82301813ee7a4aba19911cd",
"sha256": "639eb15abbef368443484e39fabea441656acc3ae63f1e516bcf0809870d0297",
"type": "eql",
"version": 105
"version": 106
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"min_stack_version": "8.6",
@@ -2414,23 +2442,23 @@
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "b10222772b435ef7d9cf4dfa4b50a492a7900cc176fdf11e901159c69d62d2b8",
"sha256": "63175dac732fef15d41d1dc2201b78948d69e4bb32c1409f60fb541ac7831b56",
"type": "eql",
"version": 5
"version": 6
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "1ffc6db4a92f04db97e68bfd6a7d7ce6b90f4b4ca3accb51924be0ed5ebbcd9e",
"sha256": "b4fb37e1e7527312d0819a95373e8bdd68e9b4b4f4cbfb074007c7fbe3cb736f",
"type": "eql",
"version": 7
"version": 8
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "31b89667c022bf5310c60d364fc7c26136c4e66d8287d9bd7923dc18b558b647",
"sha256": "50e43811992464777ede6c447f47e0331e4022df0f013c9e69d644081c56d93a",
"type": "eql",
"version": 104
"version": 105
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"min_stack_version": "8.3",
@@ -2456,9 +2484,9 @@
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "333fc1776029a4e23f0c6df62d3370c335760abb4aa501be982831e2e71341d7",
"sha256": "5b5bf047bef61d90083e4c43c267c4ec7b4769ca32b5928ea33b8ddd31fc7530",
"type": "eql",
"version": 4
"version": 5
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -2500,9 +2528,9 @@
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.3",
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "42573412f6b2d0083dfd8c9fc5945f654cc818d4cea60939076a6cf5967a2b7d",
"sha256": "854656d39824472174625ba831a52a49485204da2450fdca9db0362d785b2ca6",
"type": "eql",
"version": 3
"version": 4
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"min_stack_version": "8.3",
@@ -2514,16 +2542,16 @@
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"min_stack_version": "8.3",
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "c71a551642317ffccfbd85c414cc689e14d3a2deea09251aa8ac9895963bb204",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 5
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "d7c419a09a28e530daed1534d397eb968d8b4695f1798649928228865fe7f1bd",
"sha256": "a04f9f214a8657301ff6f4a703643d13ac53077379481968c70e4bf2cea816a6",
"type": "eql",
"version": 106
"version": 107
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "8.8",
@@ -2549,23 +2577,23 @@
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "dccb06c47c184196bb7064a9ac9d5eaf589159eb7776ac44300650a960c9445c",
"sha256": "502fa24c53c1494b06d2a0ced551622a637c45233b440fc68dc1742cd299071b",
"type": "eql",
"version": 105
"version": 106
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "0ad222085b8d696dd4df1055275c7fc6989064286734182865e772fbd8aac3c9",
"sha256": "8912807ab7734bcfcf236a07a04964d896253b8066febf03afd16256f013020e",
"type": "query",
"version": 7
"version": 8
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.3",
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "d4da085e36a4b1a471325f7c34f050486db0b5900302611bfda3c2d85305028b",
"sha256": "53f533ffdd9d2d9f7c1a5cba374de00d7db74d814cde9706d3750390086f3c78",
"type": "eql",
"version": 4
"version": 5
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.9",
@@ -2593,30 +2621,30 @@
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "cdad95a52719987cf204d9063951cbe05b1e08a28f4d91b3cf8f5d5aa48800d2",
"sha256": "6bb389b8e69d040d951bc64627e254593b1ba372685398e81c21eb814dd51b62",
"type": "eql",
"version": 108
"version": 109
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "757d9270f22b3d376359ff570598911b4adcd81a9ca69970386248e414f5ba13",
"sha256": "1c8451ec310e430b6d2658e6aa679415e4b0556d560352b9d484325e46721c23",
"type": "eql",
"version": 7
"version": 8
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "ed16c35ba79c045b3ae6cd2406ac39e5ee143767a2f8ae4a0a8ac6fb738b16c3",
"sha256": "2e853ef0a4b3eea2270e8d8fc0910e0cfd526c79682e1776dbf7500c6d825341",
"type": "eql",
"version": 6
"version": 7
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "05f50e5500930fb6e8ed1646e88db67b24a1430eb1fb589bb9976dd052f0f44d",
"sha256": "a1c46d81fd67c7642daa17b16bf816cde74efe2dfaee7d15579ef7111e42b7ee",
"type": "eql",
"version": 107
"version": 108
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
@@ -2644,9 +2672,9 @@
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.3",
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "1717dbef17fd0507846473218f580ffdf11e5ba35497e2beb391d506d75289dd",
"sha256": "675fe51d000d7b660cd1a39a19d74d93f2ee7341be001e5ad5e10cd547cdf869",
"type": "eql",
"version": 106
"version": 107
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
@@ -2665,9 +2693,9 @@
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "d098bba4900b382c6cd742182baba85a01b2337fbd4ff36da2bc9fdf6b408b7c",
"sha256": "6f0e1ffcea5865ac47fd6f0f59001b4cf947d26aefdeeb3eda27d545d84820e3",
"type": "eql",
"version": 105
"version": 106
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"min_stack_version": "8.3",
@@ -2693,9 +2721,9 @@
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "4111de70c21f8c5461da2f1b30720b9621c857bc8526b1d4e71bcc108b95c928",
"sha256": "d6684969f3393c5d0071672900ffa3557f7b96875f0fb073ddf04801bf9fcb4f",
"type": "eql",
"version": 3
"version": 4
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.9",
@@ -2716,9 +2744,9 @@
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "0076c9eafb579f6fb93d35d66309a205f3d0912a8b7a302ea2e917e5e04dd2f8",
"sha256": "24bd83686da07cb3f3459249f9eb34318aaa69517e06082b9df92f5456b93485",
"type": "eql",
"version": 110
"version": 111
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"min_stack_version": "8.3",
@@ -2763,9 +2791,9 @@
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "1fcaecb0c8b60fb9a393726f18411473957d935a9676d2e345121e3f07f5c200",
"sha256": "a4ae81b9425df791d01fc8bf3060f56f1f40fc0dbdeeb4756b36b8f1562aead5",
"type": "new_terms",
"version": 4
"version": 5
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.9",
@@ -2790,12 +2818,19 @@
"type": "query",
"version": 102
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "852b52290a8f1d6864befff3b58e40a57c50f4a30a58d4415118a26871b6c013",
"type": "query",
"version": 1
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "ddf1b60a6118bc0c50833a0f13cf88f3838ebcc8f0f60d42ad91bad81b07634d",
"sha256": "740a3469ba041ca4f12509b7a293c6506daa3b69237686b4d407c20e3300931e",
"type": "eql",
"version": 107
"version": 108
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.3",
@@ -2821,16 +2856,16 @@
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.3",
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "ad743cadda3e3dee154c726922e4f4e1ff0a7b26c8c350d7084d477e65e4a1ef",
"sha256": "576b851afcf1857641d4f721b18a5617a334cc07ab3d60220ac1a8c5fc5ecd46",
"type": "eql",
"version": 105
"version": 106
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.3",
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "bb2c6c314a9f328d7f500d24c4a54ed4f6aca50ffe834082341a97d3659c9902",
"sha256": "837622000e1ecb3a269462a17f996c294b62888bbbd19f9585ad12521b4326a3",
"type": "query",
"version": 105
"version": 106
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
@@ -2870,9 +2905,9 @@
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"min_stack_version": "8.3",
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "b9bee3578c8c5581f2c86ddb1bcb84c7929ed4d44a302adae4ec5a7ff74ed6a0",
"sha256": "56cdf3c97b7ed30414d2fc5ed2cdb95c0779392ef7347954cf3f3e6be61600e7",
"type": "eql",
"version": 104
"version": 105
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"min_stack_version": "8.3",
@@ -2884,9 +2919,9 @@
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.3",
"rule_name": "PowerShell PSReflect Script",
"sha256": "8d62732e2d51a8e4d9e1d8705b48e82534ff622c316a9d2a217a2765ae84e988",
"sha256": "b61f13daa6709718b5efc18e44952a5b335d296a74a6958432dbc67304d4c731",
"type": "query",
"version": 108
"version": 109
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"min_stack_version": "8.6",
@@ -2928,9 +2963,9 @@
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.3",
"rule_name": "PowerShell MiniDump Script",
"sha256": "c0d675ffa38a191db718cef276121a40567626d3b4c0fea4dd9edd038d2d216d",
"sha256": "35dd040100009d246bc9f9a4dceafd8567877a83869db407986601d55633e369",
"type": "query",
"version": 106
"version": 107
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.3",
@@ -2942,23 +2977,23 @@
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "f0914d5ae89b3f5372c087cd0c5983df509da91941322047aaad22d445cfb577",
"sha256": "1f51a18c5b7294c2940d6c10a4cf3140689a2b6d361f967a6a5b091240ad4a7d",
"type": "eql",
"version": 107
"version": 108
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
"rule_name": "RDP Enabled via Registry",
"sha256": "a599e437dfc14b51f8ce6559e5595673b50429581388655e03d7999961ec6cf6",
"sha256": "ce293530acf459b922e5fc59532707e9f1aa5a0c2d302c835cc83e427a9937af",
"type": "eql",
"version": 108
"version": 109
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "98a47d996a6d80939cb7222d643873b69ba45d90457a2cc0724ea08c3a889bbd",
"sha256": "bdc5d37d933591a9e749303f4d0da889d2fd76c0cc51bec4152b74f1518bd85e",
"type": "query",
"version": 101
"version": 102
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"min_stack_version": "8.3",
@@ -2970,9 +3005,9 @@
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "04c918e4a5b742f9df828e957a708565731d36df760ffbf94a8dc6f331539f7b",
"sha256": "304917eeb1af9702d87f54af173823bfcc8f3c5dd3212076b77290bce0667d28",
"type": "eql",
"version": 108
"version": 109
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"min_stack_version": "8.3",
@@ -3014,16 +3049,16 @@
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "21be01742858a1db7d297c338482f5a580a441699ca10d99874c0c9e24f50499",
"sha256": "124e2a2505d5c7c0a21c7253177b086db714b6d1ae3ba8ea59bbf20adf715237",
"type": "eql",
"version": 106
"version": 107
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "78ec1a1157f2afe9c030908365e734669d12f566fd1992245244eb8def7d4314",
"sha256": "9aed8f99e318764fbd5eddbb31ec2b2f68e3d1f169f6b441ab560dd2a7a9e36f",
"type": "eql",
"version": 4
"version": 5
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
@@ -3042,16 +3077,16 @@
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "cca11b1e320068fb951e6be8baba9a7f49cfef803b613bda1ccaea95922f3a00",
"sha256": "7fa5c6ec0c42f301e37556a06ef4523f6ce815cae9e248f5928dbf04495f7c47",
"type": "query",
"version": 106
"version": 107
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"min_stack_version": "8.3",
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "484f49639b052fc38d358f83984230e1a524fdb9d60f221668f8fe55b7485c50",
"sha256": "41cd9d8a7f6fb679feae8b8bfb68140693c08e8c276e33b6eeb919788312d60a",
"type": "eql",
"version": 3
"version": 4
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"min_stack_version": "8.3",
@@ -3070,9 +3105,9 @@
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "6a00941904d85936d537193bcc28a4a4550b2df62bebd6ec46deb6e7479b87da",
"sha256": "4ef5a001820e5135ffd557947919a55c875cd3a75ed5f351507a7f3c9e06c77b",
"type": "eql",
"version": 104
"version": 105
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"min_stack_version": "8.9",
@@ -3093,16 +3128,23 @@
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.4",
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "1021f7351d5cc378ded4585010e7ba4b057a05fab6f8e42157c6facf422bf6ec",
"sha256": "6d5bf9fe5d4e6cc423f1a2c017576e9714f20baf6d4fa80d1bdf31e37e1e7267",
"type": "new_terms",
"version": 7
"version": 8
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"min_stack_version": "8.3",
"rule_name": "Segfault Detected",
"sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
"type": "query",
"version": 1
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"min_stack_version": "8.6",
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "c29613a13876b018582e791f2843e3b12181e06c36266665efe4711c52945024",
"sha256": "a6d98ac9e83fe086450761623ed3be2ecb0ee7a1cc965b3334fe3f9e226a05f2",
"type": "eql",
"version": 2
"version": 3
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
@@ -3114,9 +3156,9 @@
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "a4e1f03bf2a4863f8922d20b5ab31fc5fffea4c27e35c47e61634b492dba558e",
"sha256": "178b04d6fc23202ec48ba3400969daf969f8d4985439414241705f5d43766ae0",
"type": "eql",
"version": 4
"version": 5
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
@@ -3128,9 +3170,9 @@
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.3",
"rule_name": "User Added to Privileged Group",
"sha256": "3d850464bad4437221f6f350a9c2e8a26592a38e76229d1756195368d05aab2c",
"sha256": "7884adba746a934e4698623cb4c2553c24162fb3cb42176f7939bd3b0abb7ea5",
"type": "eql",
"version": 107
"version": 108
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
@@ -3142,16 +3184,16 @@
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "336c261b171bb4cfc280ac1c4170fc07388cd5b96c4674694bdc7108ccaf7b18",
"sha256": "5cd203eee04afdcba2fde9accdf21b565daaa0b4045828ae0000738b5bb25a43",
"type": "eql",
"version": 104
"version": 105
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "f99460b7128f713e96cead9f3d34cf8f19a3561e1e51d86f60ca99f765d7d93e",
"sha256": "ee93ccc7c656e52fd7841c8332e970ea5217ce16621e6044e8fe23e5c775ca70",
"type": "eql",
"version": 105
"version": 106
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
@@ -3220,9 +3262,9 @@
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "123e32643dd7c3052f52ade724c9c93759749d28fdb592ffbdccec9ea688d1a2",
"sha256": "a2efc8419825dff241841f4cd67f7a4249150821200aa74a49a973b274ba1b66",
"type": "query",
"version": 110
"version": 111
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -3233,9 +3275,9 @@
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "ac85da0bd50146a9acd21f199d77bcce98ff857d768071bb894e26118b26a239",
"sha256": "0c65d784e165a4fcbc42ac4338574c946caae6bd23afccceeb079c4f7346a467",
"type": "eql",
"version": 108
"version": 109
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
@@ -3303,9 +3345,9 @@
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "b277d6162b8343013d1498f692467e7cec38348da2ba5058ed1fd1aebcc40eaf",
"sha256": "b50544cddecd269cc3a27814bdb19f3f1683fd8dcb3d2967588b2d38e487eb96",
"type": "eql",
"version": 2
"version": 3
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -3332,37 +3374,37 @@
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "40c37dec53eaaed25df091561d4f9e4a2c8417d1dc82cf070db4fe72793510d1",
"sha256": "4b0aa397b2a5a31b54907a49393ecd97e46a33ceedcd629218f8f7175ccb86b4",
"type": "eql",
"version": 104
"version": 105
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "2d5c0856617f70f9ed2e5835c40dec8304a2290370c5414745c806fde457e583",
"sha256": "0e3ded27dacf0a1e45129b4113f2ffeeff96888a708939d266d839584ea1431c",
"type": "eql",
"version": 4
"version": 5
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.3",
"rule_name": "WebServer Access Logs Deleted",
"sha256": "b3eaab822d17ebdb4ba051295077d3b54352fe5c633183047aaa1169ff1732d5",
"sha256": "03195d08eb16678c89d37803e31e7a409256687ff2402dfe25c3d36759a3ee10",
"type": "eql",
"version": 103
"version": 104
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "de1f883c87b1b49ce0932b95dd0ebaabede9c5334b6f18e2222c3fc3a5628bec",
"sha256": "fb115e87e89044c32e58806b7d33104eb2b1ee8f3db90054d8643f6d6804f05f",
"type": "eql",
"version": 3
"version": 4
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "4c82661472cef610b0a6a24cb6654b4f11869bf4401d656eaa68c78289f66302",
"sha256": "d7b20d3341cd184a82b2bd8a88373bc4fb3a7cf01c5073cb059c987420cf3d9a",
"type": "eql",
"version": 108
"version": 109
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
@@ -3381,9 +3423,9 @@
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "086eafbc984aa6480575297071ab4771019ea9eda87148c85e6f2eb40f7674f0",
"sha256": "971d5caa27171542c27406ef2aee1d385c7010cdc026d2ef226d4ea1346ffac4",
"type": "query",
"version": 7
"version": 8
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.10",
@@ -3433,9 +3475,9 @@
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process Terminations",
"sha256": "21d744da94221fcbec162dddffe8794cefc8fd26321d770c472b47093b28a95a",
"sha256": "588f2aa6d820fea6e191906cb8791cee0b8a293222a681b6cc4ff1c3ff8f8ff6",
"type": "threshold",
"version": 109
"version": 110
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -3476,9 +3518,9 @@
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "6223d04f4e618351c760d259ecbc3d42c8da22daf8a9bd58497228d13304bab4",
"sha256": "cc263ea8f46aac31f4c4fc112a7dcd7ff453c89fa45066ec2569deff91b85ef5",
"type": "eql",
"version": 106
"version": 107
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.4",
@@ -3522,9 +3564,9 @@
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "0feac3bd75fcc2317ee0e9e91a7f2f35063c0c5a62b5c47076545998d3ac12ae",
"sha256": "cb8466c3025fb4f8c5556eb62e311c02c11b56950756e170960f6bb8c9684090",
"type": "eql",
"version": 106
"version": 107
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"min_stack_version": "8.9",
@@ -3561,9 +3603,9 @@
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.3",
"rule_name": "Modification of Boot Configuration",
"sha256": "8d25051f7633a37c4b90403be6fcde6352db2dc292a62a2098620fafb843e26c",
"sha256": "a66226c5678227263920328ccc24dfca32a0620f02290922dff137101e01a7df",
"type": "eql",
"version": 106
"version": 107
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"min_stack_version": "8.9",
@@ -3584,23 +3626,23 @@
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "d6efd876704aecbc61e32f00bc3fc87660de3486490102dee717f3cafeef34ee",
"sha256": "79a34adf5b2d2e77e4b9db0d019c6af379cfa51e10a016385e4127e496667530",
"type": "eql",
"version": 106
"version": 107
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "2094e45cb6acf5514345f45de5980fa93856dbe2564c14cda824cfb92609fe9b",
"sha256": "482861108067248f10161a39651726c2df97b6d2e8b7c5952cded1053b172ac9",
"type": "eql",
"version": 108
"version": 109
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "36f237a42a890a47fd41636119b3f4f6cb483699638fa0570dee4cc7ba1bdd6e",
"sha256": "f455bea3a4c14a782b77a9cdb3ec5213825e368ccbdf1c2a55bf0522cd28dca1",
"type": "eql",
"version": 2
"version": 3
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.6",
@@ -3614,9 +3656,9 @@
}
},
"rule_name": "Sensitive Files Compression",
"sha256": "2665a4bfaf61af8a5033e6aff2ce6950c77fc795eb6bba42b6b5064e84fa8841",
"sha256": "f67a0194e92a6a62746f2344bc677d6a37e9b34cbd8ea2bc5bf99dc15e4050d5",
"type": "new_terms",
"version": 206
"version": 207
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.3",
@@ -3635,9 +3677,9 @@
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "6c77473acf3dec0fc8fd9d0d2f4a0de620f5007008bf85e61fc224fa1087b63a",
"sha256": "fe55558d2f4c218f2fdfdca871cbaff991aabeb33b6622a44fdefd4d8ae81963",
"type": "eql",
"version": 105
"version": 106
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.3",
@@ -3649,9 +3691,9 @@
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"min_stack_version": "8.6",
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "0a052fad94510f59c9efd5ffec0901831516c7ea937d86e3532157035d86466a",
"sha256": "d76c1108876f14e891d2625826f200b3eb225ace76c842c366b24949e9c28f73",
"type": "eql",
"version": 2
"version": 3
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -3677,9 +3719,9 @@
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "5049be04a29a5554df2ccf242d0b225a72316ad6e31acf19295f898d1ed96774",
"sha256": "4bcdfcf964b59e07e704d0ae1768231f6895fdeaf16019ec2530b3fd1e908b6a",
"type": "eql",
"version": 104
"version": 105
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
@@ -3691,9 +3733,9 @@
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery using WMIC",
"sha256": "7400438cd326b5fa5137479c92eb2898c709c3338757a1f631cb718de551a551",
"sha256": "f6dfe76cfea61ba2324b275dcd960ad3daed43c02c2cddc708af6ef3f3937ae8",
"type": "eql",
"version": 108
"version": 109
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
@@ -3704,9 +3746,9 @@
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "9a958c72f2b71c12da6147cd83e0d798c1e114b362bd577b27f0f921b0a13465",
"sha256": "466d37f1b0c5665f804109f5ba5eeb6e361102da2c027522a5cc3ddec2a83be5",
"type": "eql",
"version": 2
"version": 3
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
@@ -3808,23 +3850,23 @@
}
},
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "72fea82152115abc97ea9e34b7e9bf40be8d5af11313625404f62dfcf5ca61e1",
"sha256": "ee370bb455e172738e8297e76bea0e3601dd176b407bb84768a2db8181e6ed4b",
"type": "new_terms",
"version": 207
"version": 208
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "9f0f49705389e6d3d70937bb6c9f6947b3a18dfcae7e1cc504c66380348e68ad",
"sha256": "460b042ab7e9d150c7f94a033204c22f67fdfe53c7425fedf71ff3765653154e",
"type": "eql",
"version": 111
"version": 112
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "d442a3b1c1b313c54f0bad14de16f98cd68ae8ada5e87c99e8c29aabe78f2d7f",
"sha256": "89ab2e24c739c528f048080597db9f446386a62730ba1e392eae623512e2ec6f",
"type": "eql",
"version": 105
"version": 106
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.3",
@@ -3865,9 +3907,9 @@
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "6936c736181dd010bee7cff6349ca6fd1495ff2e37f3c814d03edcec4f025dcd",
"sha256": "9f5997c2b0fe4dada04cf6f3b344fbaddbe1f19800ee466dd053e2f7cb2879e5",
"type": "eql",
"version": 107
"version": 108
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.3",
@@ -3902,9 +3944,9 @@
}
},
"rule_name": "Suspicious Sysctl File Event",
"sha256": "cdae4cce31893b3eb3b3a3472011e11708a7c9e1fcf4410bb88e18a099a94361",
"sha256": "c8fa3c2ccaa18f3f2c9e8646cd67af9b2878616c81a2bc734f64af0e6f293d9d",
"type": "new_terms",
"version": 103
"version": 104
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
@@ -3946,44 +3988,44 @@
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.3",
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "d2e53030dc005a302f0b5bb530360d58ce429809a0ed1827bc6d5b89de8b351e",
"sha256": "665e0cbf656dd660a585342d9ca129af8624f7d4926bd110ac065ffa8c2a1895",
"type": "eql",
"version": 8
"version": 9
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "a3536eb13408e7fc538952bee75a1362e3be277b14f1edc18c2f63fda3f5f08c",
"sha256": "799b4669a8e13bfbb627ddec54045adfc695820ba3e46b6dd098a33d9bf72da8",
"type": "eql",
"version": 107
"version": 108
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "d839f2d7fbce2eec0bc89c413ad6e482595c60d724f25203e08424a6fd768cd2",
"sha256": "244ab9baa1c9c448b5266b5f61c1aa9a0a2ff4c56704e282a654e2a42221e5f3",
"type": "eql",
"version": 104
"version": 105
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "ee743b928b61e259c3e46fce5b16400121f6ef6affdc122ea1f47e9a199900ea",
"sha256": "2f44d242c4986efb3033aea6b16548ece740afab086c732a010c52b375b323ec",
"type": "eql",
"version": 5
"version": 6
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "df53ce37b5877a6a26f2e5b7d78d60000048e5eaaa3d152f9ead7ef84d700a19",
"sha256": "0a25436ab1e2f5bac3e48c5faeeda31383d3a1d24fa948ba070025f02583a311",
"type": "eql",
"version": 107
"version": 108
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "863f7c79c8a07dbe9f74d5dd1ecb111219e82a3039c95ed6d56de800b2e13c69",
"sha256": "d09566023f3a3ae877ed4d879c94ce1f4165ef8c664e0ef6794d43385d49cccf",
"type": "eql",
"version": 107
"version": 108
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
@@ -4083,9 +4125,9 @@
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "4ac2004e028233a74da95a3da67e70091128c58db82ac8df61b7cdbc9b564671",
"sha256": "5b2bc83ca0b1db8a3ce856ff7e859f4fec413978c1f0ddcd4886820fe2585e16",
"type": "query",
"version": 106
"version": 107
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
@@ -4096,9 +4138,9 @@
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "d77a6da669fbbb4406a59bd7061baf788f0f9fef20b43321c6fcfbb00a24690b",
"sha256": "37b23adf3530355a483eccca0d78d8bb47a4e3700e5cef77ef45018e2b92ecbb",
"type": "eql",
"version": 3
"version": 4
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
@@ -4125,9 +4167,9 @@
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.3",
"rule_name": "Windows Network Enumeration",
"sha256": "a02a471585a3b5aafa89be56f312db81bad278d8eafbf7463f73cfdebf9c80bb",
"sha256": "1393d48866e1f5b0f4b57ee571029deeb6d2324314b1a1f037389847bb510a15",
"type": "eql",
"version": 108
"version": 109
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.8",
@@ -4141,16 +4183,16 @@
}
},
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "29e6369ddb5da23c00355cf063d8da8f8dc008a9cd28b2d2f6324d8b9618c53a",
"sha256": "f019fa7b9d9928dde2726f094f938de608d17db63b48a3250216ba18df59aa50",
"type": "eql",
"version": 206
"version": 207
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"min_stack_version": "8.3",
"rule_name": "Tampering of Bash Command-Line History",
"sha256": "87fe7e562ce227a8493a541cc86e41d99ea61aaf827cce77b997f82c7a94c935",
"sha256": "85f902935229ecdf379a249362b9275a5392b2e83a4012e4302c874e93861074",
"type": "eql",
"version": 103
"version": 104
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -4207,9 +4249,9 @@
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Timer Created",
"sha256": "94cbc646d3a0879e403b786c2c25535db4aebbd67a3f041a8bf43b206462b8f2",
"sha256": "74881e97ab7721a1e539586fa0f192f38d25d7565c81928c9a8515daff525604",
"type": "new_terms",
"version": 6
"version": 7
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"min_stack_version": "8.6",
@@ -4223,9 +4265,9 @@
}
},
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "bcfbab89662a36049bb509952b29602fc3e552bc91c4f6851b183c3881604f7b",
"sha256": "9328c54c32125014fec6bdbd75bf9d2b513fccfc86f1ea0a04e8ca44d8a6a097",
"type": "new_terms",
"version": 103
"version": 104
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"min_stack_version": "8.3",
@@ -4287,9 +4329,9 @@
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "2a512f65b3d174a8cea1e7d419378e4fb46c850bc7e3a514409f3093ae43dc92",
"sha256": "c3b7387b5dcfde107b183b9113a7218cc9cb00b15d06c8d637eee902809f04a3",
"type": "query",
"version": 109
"version": 110
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
@@ -4301,16 +4343,16 @@
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "761723a38f1f9d88a679524aa3ccd687c0cfc74e3b66a8bd2e62807a050d44ea",
"sha256": "9674dc1bd6cc5c17c8038a4e71b92f2737ef72aa1601bbf05b06fe0d5fb2136e",
"type": "eql",
"version": 104
"version": 105
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "1dd8817884ca577039baba5ede3be91c85119efdb77f580810c95c223816ebcc",
"sha256": "11bd5d0b943d146c2e7e684fa4b128c4692eae1ef64172cc1e8969eeabddeb73",
"type": "eql",
"version": 3
"version": 4
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"min_stack_version": "8.3",
@@ -4328,23 +4370,23 @@
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "73d35f95e41d651a5e75315cd4b570345c8cc6334b9dec7db8adf08b57f52e30",
"sha256": "02f2a52e75f96bb21611dfd66db9eacbdc7bde77eb1e7da4a5934751321134cc",
"type": "eql",
"version": 4
"version": 5
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "515f6e82dbcb3fd847170c6268af85216b517109cd597240c70908e1e6d0affb",
"sha256": "814b05ca584b27e70940b7b56b00e0a980f69f27a29a732faf88da9bab468c7a",
"type": "query",
"version": 1
"version": 2
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.3",
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "3ab2c7dffde8d59a7f0d31f4f475c98f5325a94adb789cc4096286ae73e70e36",
"sha256": "851087e9141cd70c44f496078e66eaf761bf4622e80e942be61280452391a62e",
"type": "eql",
"version": 1
"version": 2
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -4356,9 +4398,9 @@
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "7e3d4366d0e82917ab82b493fb7f89d6c89013e0e9483692037c1e3264ebefff",
"sha256": "014fc8d0bc9296aba032766dc003316df6e0c776dd7afbd1eac19022bc646ba0",
"type": "eql",
"version": 108
"version": 109
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.6",
@@ -4427,16 +4469,16 @@
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery via Grep",
"sha256": "39e477f562630dea0f3f3b68106d7c699a87d2ab0764247fc8bd0de442981f4f",
"sha256": "f4d2ea0ece674f039a63702423275a0d16239f282e580bcea41aaacbf1505ae0",
"type": "eql",
"version": 106
"version": 107
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "16de3139ef7299ea2fe5dc3a874629d2079e250e032b7f33ce0250a0b0e931e6",
"sha256": "faff9c1bc769a66960918e1a2f77f18910fbc478e2c1ab36d62656ed1756c01e",
"type": "eql",
"version": 108
"version": 109
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.9",
@@ -4477,9 +4519,9 @@
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"min_stack_version": "8.3",
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "de3dc029c5f1bbfc9c187b002dd15ae68bcf1310360b2f17694e84ce55051314",
"sha256": "2440310a8c23cbde04e7ac92d579c678d852f3426d6349638199d49af0a46c85",
"type": "eql",
"version": 104
"version": 105
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.6",
@@ -4493,16 +4535,16 @@
}
},
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "90ab70272d3bdc85151e9bc2add9998f4819f17d13c282ae54e1b047602630e4",
"sha256": "23ef2c9b687dd9563523331067722ffb249e171d96bed0cb0aa2f444e2f69e54",
"type": "new_terms",
"version": 103
"version": 104
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "81f56a2b806be5fd445f656c540705be59af15be47b97fc7289e0b70ab357fca",
"sha256": "fed96548137a4b9070b314d8dc25e74ad14c31c93a56277474da3a50d52a271b",
"type": "eql",
"version": 105
"version": 106
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
@@ -4513,9 +4555,9 @@
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "90b8b19f30fb314195c63df104ccdd6013d5b93cb7f2d2672bc0e0fdce6e53fc",
"sha256": "6bf3ed975864635c702041b46dc27221005da366c7bea70255734a81a64a71b6",
"type": "eql",
"version": 107
"version": 108
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
@@ -4534,9 +4576,9 @@
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "bd4e75d4bef5c733959b047c5466da2d7768bfe892c50c383b7d1d46240bcaf9",
"sha256": "4567be1709664ab3c6b7714b68a3da2e392c751aaba951f50336affeacd7e7b4",
"type": "eql",
"version": 3
"version": 4
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
@@ -4548,9 +4590,9 @@
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "7b1e58c15587d23240b63b8dfd696aa8de530ddbf9be2c384db2620e9c9bd4ad",
"sha256": "ac475836b78129386282207de17ce5b3665934cc05cee7e2f8f2a225ad06962e",
"type": "eql",
"version": 105
"version": 106
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.10",
@@ -4580,30 +4622,30 @@
}
},
"rule_name": "Suspicious JAVA Child Process",
"sha256": "9bcba792d96bb90055853bbc119cff04fa2f40b46cd77ea9bab938ab61056074",
"sha256": "951a0bb72f0f5df1d2a10560cdc54d757d5fee1b3ee2c3156ea9728b05591a19",
"type": "new_terms",
"version": 205
"version": 206
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "e79736c160e70b66e87aa690264e4ebe08b958d00a2d8178556525a57dae4323",
"sha256": "17f895c23f484acde825286a1ddc686df34874b11ab6f8fe31bb183d6ecb0277",
"type": "eql",
"version": 2
"version": 3
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.3",
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "cf5d70e346d64085f11501ee4ee6aae18cc9a72891310160318db69144acd12f",
"sha256": "4198ea79876c82869eb8f56696ccca913c64daa9e44e66fef25cf4092cf41029",
"type": "eql",
"version": 105
"version": 106
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.3",
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "b5ba453579b913af45987a4158da3836e9f6d5c089b322ed9b4feb5d3def09a6",
"sha256": "96398ef66e31c53fd65b2620d26184f54dca1cf241e0f8776db22fb848da94aa",
"type": "eql",
"version": 106
"version": 107
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"min_stack_version": "8.3",
@@ -4622,9 +4664,9 @@
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "32ad67514f438b6e30f64bc4b7b4eb626be6582afadb55c240c2e4efe9b7cfcb",
"sha256": "50847b0a7904637d6c3c188fe6025061218aaea691f8e17e0eea0b75949cbdce",
"type": "eql",
"version": 107
"version": 108
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
@@ -4643,9 +4685,9 @@
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "65f9ce05fea76a9a8692e1eab5ad90ab0904e79b28d0c1f077f5d0422c5a2098",
"sha256": "468af262f4fb45988c3072a2883f218b9b867218c50bfd7a910fdf553f88feda",
"type": "eql",
"version": 8
"version": 9
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
@@ -4664,9 +4706,9 @@
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "bb4dbd0f9903378286cb13efb8f0898a00bf9c3255d58d6a58bd21da8997c9b5",
"sha256": "d10513c76a16d9b08cc676bb9c075b5cb14a570fc47bbc001974e164a33c7fde",
"type": "eql",
"version": 106
"version": 107
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"min_stack_version": "8.3",
@@ -4719,9 +4761,9 @@
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"min_stack_version": "8.3",
"rule_name": "Hping Process Activity",
"sha256": "bca55701a9d9f3c48b1f6d8df6d0672f880ea5e8f7b5252ada7c42af6458802c",
"sha256": "74d72e7e3dd68055c5ee97e48e346ba23e5f097eab561f664ba954586941ca4b",
"type": "eql",
"version": 106
"version": 107
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"min_stack_version": "8.9",
@@ -4742,9 +4784,9 @@
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "41382d29e3c6849b93e948bd226cdb0679034847a9d11893198c735da08564ea",
"sha256": "5fd3c8920f816415b48c716e7a2374f0fd76b507f2f5d3669969829ede88cb01",
"type": "eql",
"version": 104
"version": 105
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
@@ -4806,9 +4848,9 @@
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "7fe6f04aad78c1165b56664a6e2b192a15c39a1166c3b1e24906d7ff5b91b1f0",
"sha256": "56cc019faadb8280664ecf10a42855016007af7f3413a2503ba3216c9b8307aa",
"type": "query",
"version": 6
"version": 7
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
@@ -4868,9 +4910,9 @@
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "7ee6e483fa2c41549ec9d26ae3a319f27efcef92d7ebfc4c9e232c80f50c28d0",
"sha256": "6b57124ee39f8300e5f18425933da9f3a453ac5c4b36f209412a6fe5dd615b60",
"type": "eql",
"version": 106
"version": 107
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
@@ -4951,9 +4993,9 @@
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "5290a21ce82c80c1c37b7d9e1f8cdddb44b22b0de1bb721928355e6338583e5f",
"sha256": "e78782a0cdbd987aa3010fccef02313ff6034a0bd881b5c21e14d0e2697e512d",
"type": "query",
"version": 106
"version": 107
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"min_stack_version": "8.8",
@@ -4965,9 +5007,9 @@
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
"rule_name": "File made Immutable by Chattr",
"sha256": "951d63b6557d5c3fb3f155e45999afcdd86791f7d830c26ba0ff9811f2ae0367",
"sha256": "c2ddd9f37a21375386f51998a552ce13bd1b9a8a140474192da60553fa322aba",
"type": "eql",
"version": 108
"version": 109
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.10",
@@ -4988,23 +5030,23 @@
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "6adb4dbd03b3b5ad0d5318c1e811e89f0c4c560f2c2cac1830b06b007134962c",
"sha256": "a65b4ea716da6e7c3ff70fae5abd7b6618963ba8e8e6f089bcf2d264bce4f23f",
"type": "new_terms",
"version": 6
"version": 7
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "3a52620ed72c8ba4b60a75bb884dab068504e8759c80fb2a40d44961074ab786",
"sha256": "fe23aa5928440dd067c2f16b8a796d46a7480c4f130d91319cfcba852fce1f0d",
"type": "eql",
"version": 104
"version": 105
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "0cd5c0bc7910d590183a34269f1482a68cc7c267f915cdd7cdb8c11894ee3d6d",
"sha256": "6e8d2549a28b15014cb6b7629b580649e27bef8496ddb32de9b5181c9dc480e4",
"type": "eql",
"version": 4
"version": 5
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"min_stack_version": "8.3",
@@ -5068,9 +5110,9 @@
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "cd7035a0017aa4b845f94e3aa665721e72fe1dc535c9cfb0867b4657d8a94ef3",
"sha256": "b87b60b05b9803f0259a56de2a7e627e99f798c1c705c13683be2ed8ce2cdfa0",
"type": "eql",
"version": 4
"version": 5
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
@@ -5162,9 +5204,9 @@
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "7fa3b7d91df0f6450cc6e044925c196edd851d9521299f034167bb892f7b39dc",
"sha256": "7c1bfb7ad5929a367b5f379a7dddffadf5d05a96b023c46d9f9dfc0f65c293ff",
"type": "eql",
"version": 207
"version": 208
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "8.3",
@@ -5199,23 +5241,23 @@
}
},
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "353e07144858914694113a7e9d29ad53687500c1f60ed7c8b02d9c7cd634bad3",
"sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0",
"type": "new_terms",
"version": 107
"version": 108
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Explorer Child Process",
"sha256": "51c78c6f9a1af947f778a0b2a2529d21600647e60786daa70a728174bf87c995",
"sha256": "c3d174846da93503bc0c6e8bad7457d78fd6407edb3c26126d26f77f0cfa641c",
"type": "eql",
"version": 106
"version": 107
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "26cb627c3803eec6cbcf9455a27b56c29ea1f604049232bf2d38813ad0a4d87c",
"sha256": "61f8172cb58555796f4e21453eed4c63c104954b1dd8b0c1bc083e27d2cbb30c",
"type": "eql",
"version": 106
"version": 107
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
@@ -5227,16 +5269,16 @@
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "cb0771065ca25ee179d357d9e53676141cadf572ac31da5e1f00739f85cf36aa",
"sha256": "01291523553fdba38e5d3c7f1d2a822a56c6fecf2ae5081e5a3fcdd6421a827c",
"type": "eql",
"version": 107
"version": 108
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
"rule_name": "Hosts File Modified",
"sha256": "8f40a74de7484c5086f69c398cea506911f52935e23a27e3a229439cd5c239ce",
"sha256": "50338b66af75925ac6caab0efac8d88389c5fc35d36c0c79d9cf13e6c5216d4d",
"type": "eql",
"version": 106
"version": 107
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
@@ -5248,9 +5290,9 @@
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "594410ed9a140c2439264f3ef7b7bdefa77862b3865a95a2287437856a533db7",
"sha256": "7c85cda2ba8c616a49ecb284a9667fff21227a2b0dab8e6841784917cb0f5528",
"type": "eql",
"version": 107
"version": 108
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5286,23 +5328,23 @@
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "fb85a79f99efb89bc92c481ec8e21aae037df490635821d5df16cac9b83057fa",
"sha256": "49ff4c065b98857ff01ee88c9052d337d8e6a1c932b1e257d3a2022da734fa7f",
"type": "new_terms",
"version": 206
"version": 207
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "dbebd3797fdae528a8f432c6944ceb33a92b55466eaf7317a77173ea58b80423",
"sha256": "72663ce937cfe8297eab4c6f26dd8146c42d0a5c335c22dd556e6c6fda096a26",
"type": "eql",
"version": 107
"version": 108
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "8cbc8f08a554be1ad891d12df42a2e456602b21ce9cd4062d2c6428a80073296",
"sha256": "0d0e8c94d7ee081e8bc9cc4346749b06acc07871ad4b8e3506d6a50db76a8e8f",
"type": "eql",
"version": 109
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
@@ -5323,9 +5365,9 @@
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "1f08334b425a0821c64aa8990f322f468a74567993e56ff39c7f39cfafb44380",
"sha256": "b6e512dc643a38fc0f3437b2ab9b8a2ab3d056ec85db592e39c41a9e5941c0a2",
"type": "new_terms",
"version": 207
"version": 208
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
@@ -5351,16 +5393,16 @@
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "e2394c0d8724d9f2e57e47f5a50cbfa2d1645b0cf50c8bfce9ce10a202bcd28f",
"sha256": "374e0e8d1e934d5f1bfea0c8256c5ea2425f5bd9be8374f7728ce60d1545baa4",
"type": "eql",
"version": 107
"version": 108
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via DCSync",
"sha256": "dfd7fcad40d953ee8a27b0f8510db3d0cddfa4002ded1a896dbc248170dfb00a",
"sha256": "ce811f22916b00b56a6bdde9eeaa631f6ccf08130ad18edfb552d0205424c5b1",
"type": "eql",
"version": 110
"version": 111
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.6",
@@ -5374,9 +5416,9 @@
}
},
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "ed6e7a8e67076b9fae1eb03416f9d82c7915364a8c9a99c7e4c881a6ce932693",
"sha256": "f9910945cb1925f34c18653ab7d5b0ab2d6ba8491db17ce29349b10dd5af8e4c",
"type": "new_terms",
"version": 206
"version": 207
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
@@ -5411,9 +5453,9 @@
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "410784f14d7bf622572e26d5b794f3a0c338a4e24485cc977afa183933cd6ba1",
"sha256": "34d3a3910421f8e47718cb1b17c6aba5121961b5615a4efd54311a63be1e1996",
"type": "eql",
"version": 1
"version": 2
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
@@ -5432,16 +5474,16 @@
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
"rule_name": "File Deletion via Shred",
"sha256": "6a172e2439d747140f251d1d0e83f556e72ae03725f37bc760d2d4d7649fdd03",
"sha256": "afbf43fb0d4ed4dc316833240730da4201b617ea02e60983d0ae60fa628e4926",
"type": "query",
"version": 106
"version": 107
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "2a6a370e108c2703a6ecd9df127d8c0f1b6d7306fa6cc25b5c364095b1395a63",
"sha256": "3ff59549bc7312fb3e7d7ad2ef2c07ffa133897254e66a01276691c4242bfa47",
"type": "eql",
"version": 104
"version": 105
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
@@ -5467,23 +5509,23 @@
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "cf164c11d3db4e9e02e907d5c0aef8c3c4aadaf05536b522bb73c9ab3bdb9560",
"sha256": "8f69f6ae427ea73eafb4cf848c309276fe9aca7580196ae73c4ab5c04f17f76d",
"type": "eql",
"version": 106
"version": 107
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"min_stack_version": "8.3",
"rule_name": "Linux Group Creation",
"sha256": "ddc90b07b8915afee1601844439c2165c76171d61574db74efb13bca0d2783d8",
"sha256": "82a50a210890c906316f6d24693a3fc54e187dc59bfda67f20fee0bf8d3814e4",
"type": "eql",
"version": 2
"version": 3
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "914a39f1d00e560fa0f28e8f67e57de3b2185f0ca422a7b395f419f567383cbe",
"sha256": "efe8131f73b131021b975ef3db9981aa32094d89390efd450ec9534e861bed51",
"type": "eql",
"version": 106
"version": 107
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5504,23 +5546,23 @@
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "af441eec9facc8c5fa2be399c6d3a1a2383c4e937ccfca40f8455f599c5d8a24",
"sha256": "3087ff625a0c9849ca67d67b189bdf8521aef5642122426e1c7503f7c6e0559d",
"type": "query",
"version": 5
"version": 6
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"rule_name": "Execution via local SxS Shared Module",
"sha256": "45df842bf3fc84a101466bbe60825f7c421c1bb2a632e810a097e320eb227154",
"sha256": "afc5e36abc802e9089f1c9b9220fa3199749c285d95ab25286451b2cb0647fe0",
"type": "eql",
"version": 105
"version": 106
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"min_stack_version": "8.3",
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "47565477aafa65e36a393078e2728881f6776c4ab363e183c347d8b0e72f349f",
"sha256": "2022d77c3a450819dba114be131ab4d32b3cdcb7b5b4d5048884740fc9ffb12e",
"type": "eql",
"version": 106
"version": 107
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
@@ -5538,9 +5580,9 @@
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "e730ecd8da8e472be98472039b0fe0d3367e75d284b97851b915bac433ec17c2",
"sha256": "5314fd78f655b74a006c62ee1eb2079163be8e0e9035bd70e879958302847147",
"type": "eql",
"version": 2
"version": 3
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
@@ -5575,23 +5617,23 @@
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234",
"sha256": "ad3072e4913ac770d5ec08abc3f4164ebaeadfceadf19007ec2c196a86be9022",
"type": "threat_match",
"version": 3
"version": 4
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "1b6c475dbb4e03fa67ed24f68234e633e098831572aef47077e72f8dfe6957cb",
"sha256": "5aad9bb6f69714bb192aff73543dd6712d88a59758b870c26af66643e481fab7",
"type": "eql",
"version": 108
"version": 109
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
"rule_name": "Emond Rules Creation or Modification",
"sha256": "eaba66ce5e3e1670940bb55f81b29ea66ffea88a4e63f1c2485ba55bbb0b0487",
"sha256": "5059d25e53e20ecda5bd0bddff5f19aa0c90190e3c58cf6926c946c26f701839",
"type": "eql",
"version": 104
"version": 105
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
@@ -5603,16 +5645,16 @@
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "d2ecc2ccb29c2a4acf6790274133e976ad48787ab37bfdd12667ae6b58bfbc45",
"sha256": "39dc07aae00d71e5e210d726a51202807f31ce7e26afe10c19fb8a6d773e2537",
"type": "eql",
"version": 107
"version": 108
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "913d17dd423ad4f09f41eb01380f802d3c2c209812a27e963fd5198d566bdb8d",
"sha256": "027498bcace88695c3b5e09df27735c8b2063701ea3b27328d0fb52f8c6533b7",
"type": "eql",
"version": 106
"version": 107
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
@@ -5624,9 +5666,9 @@
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Potential Malicious File Downloaded from Google Drive",
"sha256": "9e184df192757ad8e29a2cae60356352e84d9601bba380c446bbc4b64deb76c0",
"sha256": "7a0d22e648caa03cd127a00cad9baff4f242263c35d9ad59ab1c7a9fe46a321a",
"type": "eql",
"version": 1
"version": 2
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.9",
@@ -5667,9 +5709,9 @@
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "7844ec8c0187f632d87cd6160ec6fbfa6968c5922e6a07bb3372475a6a1b5f31",
"sha256": "a4fa9c90990fb09a05cf7871a006a72eaebb98589699350427858c062146d05b",
"type": "eql",
"version": 105
"version": 106
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"min_stack_version": "8.3",
@@ -5688,9 +5730,9 @@
"aa895aea-b69c-4411-b110-8d7599634b30": {
"min_stack_version": "8.3",
"rule_name": "System Log File Deletion",
"sha256": "14e5354aa44af54186285133c4a176bf18dd8b2c1dc22c1555bd658ca8aed767",
"sha256": "13abacac9bff946a2754663dce57296eb4b411ca308e66b45f82112bec190bdb",
"type": "eql",
"version": 108
"version": 109
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
@@ -5702,9 +5744,9 @@
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81",
"sha256": "67453761dd40533419f89a508cf05c8bf7e992831ad5f324e18f2b3b19929e59",
"type": "threat_match",
"version": 4
"version": 5
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
@@ -5730,9 +5772,9 @@
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "0f822c4116038c91a881a8b8eda9017407457ea3498167dea425f66a161a9067",
"sha256": "6fc6cae28ebf0c75451af175b21022b2c33ceb781032192f90c20d91bd0ad2a8",
"type": "eql",
"version": 108
"version": 109
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.9",
@@ -5753,16 +5795,16 @@
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "48bea2e83f12194db4f91544236e97199adeadca828f332acc5c23da9f9d9206",
"sha256": "be83fd066d79be0ffae0c129953fb19a321244c86fd3c8fc46fa0f89905e3ac0",
"type": "eql",
"version": 2
"version": 3
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "97beb0996e664075d6702369fd69d1ecd9b94f7d1bcbb93b2d51e49ebbe397b9",
"sha256": "f9fa4733a750754f6f49fbaeaf98e2523d57e77e5daba2e13bfc9c2d201f92aa",
"type": "query",
"version": 106
"version": 107
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.4",
@@ -5804,9 +5846,9 @@
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "b154a1563dfafd9602e3c33dda6d0d75a294b8547da34bea70512edfeae98e01",
"sha256": "aab56ec768cc094769d54446314b0acd0757ae4db3a9da69e5099246b4710246",
"type": "eql",
"version": 105
"version": 106
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
@@ -5833,9 +5875,9 @@
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "8f2f24455938fb5ea09e3ec7060090a25a269b6678183d00e54a6414e2df8ebf",
"sha256": "ece2a16a9368d49618c91e7029dec21e11078bc4c3f43049efcc7a83009a327c",
"type": "query",
"version": 108
"version": 109
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
@@ -5847,9 +5889,9 @@
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.3",
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "8cd17e47485c9d7340c14995dfe14cbab3158f5de2a29a64a2e8281e1236dc66",
"sha256": "20f29e024f8e2c4bfc4ab6a034eae6d65d6ea9e12e66e31fef4166c5db5a2ae4",
"type": "eql",
"version": 108
"version": 109
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"min_stack_version": "8.3",
@@ -5868,16 +5910,16 @@
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "aad1b5a33619e6512fe65f763c3bf7efc9340426847e9521aef7529ed7b820a1",
"sha256": "93e731444b08dd8f1dbc6e88f457ee9aacbf61c1f988464f84cf5db0e056ff51",
"type": "new_terms",
"version": 4
"version": 5
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"min_stack_version": "8.3",
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "c98963d7bd8d88e43392beedefd94e993beba6832757358cbd30700b542c64d8",
"sha256": "61d1e232e65d235e74fb2f09d2e3448d548edebd7ed582d6304475ea93299e0d",
"type": "eql",
"version": 2
"version": 3
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
@@ -5889,23 +5931,23 @@
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
"rule_name": "Network Activity Detected via cat",
"sha256": "3efeb12f45b961fb82eedcf17858c557c07e762e46a219c0988da6b4f07502f2",
"sha256": "bc5df61663e521c91606721992cd7a8151188b39742d369c2537dabd15b0937d",
"type": "eql",
"version": 2
"version": 3
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "0bf1a7ca2b5b8e549eb4f67bc0935b74f3f25e139397f7b67fa4657d5d14de9f",
"sha256": "b3876016cbc0e3a82a911ae80577053bb2c945e539ccb227a3ae520814c476ef",
"type": "eql",
"version": 3
"version": 4
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"min_stack_version": "8.3",
"rule_name": "Timestomping using Touch Command",
"sha256": "ed8ed608b91ec1f89f10e2b4ef5ba1ca04884dc57c910b94f5f0b4cbb73021c2",
"sha256": "2079a604f3faff6cc6b6b781db98c42700096fb46d6944292c62c13c01a7810a",
"type": "eql",
"version": 103
"version": 104
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"min_stack_version": "8.3",
@@ -5944,9 +5986,9 @@
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "078de5b8caba30df61a3bc9e859848f359bf7a766344430b00b2c2046ed17aa7",
"sha256": "5140f51472bb51e246f8a5076ee0138186c0db463f337c8cbc044bbede59a6bb",
"type": "eql",
"version": 107
"version": 108
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.3",
@@ -5972,9 +6014,9 @@
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "aa283cd7566eebaa3e98d93024a7710926f4bb3dac4a46d97159d6377f7ee8ca",
"sha256": "2f2309ef87dbeb7c8500ffd750c33a466ec912231e35d601c99ed10b5254c68c",
"type": "eql",
"version": 107
"version": 108
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
@@ -6032,30 +6074,30 @@
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "c7deb10ffa59d05fbac1583edf15b565628cec521edbceb803f9b15c91400b85",
"sha256": "03a4f6b34b5dd327671e71297f46ad0cedca4be702f6d4e86c8bd886bf03f510",
"type": "eql",
"version": 3
"version": 4
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Console History",
"sha256": "9f885fb22e236780df0b7209ca3b783bbbe19b69cd285ad32c8a24005ef089e7",
"sha256": "3887ad885e0ebf5e37828d1e8dde4d5183e83f831a2a4c6c6d00a77cb3d15e0c",
"type": "eql",
"version": 107
"version": 108
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "2a1696db25e3e2cd7578545491d669f6f258b52993267c6da8d5b2de3409c9b7",
"sha256": "ca11a431744e13425dc24b1f98000a04346735be332e41061ba730bbcf3eee37",
"type": "eql",
"version": 107
"version": 108
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Elastic Agent Service Terminated",
"sha256": "201dd81fbc35d779e3102c505a0546583887b43b606d36a68232641653d1ca02",
"sha256": "36bd8dcc31b17a81b4108c6de71cf9eda443039b95e0c299255c8a89f2e8499f",
"type": "eql",
"version": 104
"version": 105
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.3",
@@ -6120,9 +6162,9 @@
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "9514a809ca145d976ad76c91de53390221ffa8bde79020b93c643058eaccd223",
"sha256": "d902ba9e2e987d47b2388ca3a51d868c1807f2d5e0b5aa7dfc634c448c664986",
"type": "eql",
"version": 105
"version": 106
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.3",
@@ -6141,16 +6183,16 @@
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "c5173c7852d544188783ae8ad6360a27c4dc99276c45cd65516112c2f3a24d88",
"sha256": "4ae1fadfcda3b3eb16cd5ce038f967736e4b625bbc9a7296f347615d21d7725c",
"type": "eql",
"version": 106
"version": 107
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "975875643c470662591b7f92890f341af3ec06aaec4d7462d89b555ab08b31ea",
"sha256": "ac46e57d571273c025c91e46c20c1f7c46db80b9f6a1e181de6ec4e267c91867",
"type": "eql",
"version": 107
"version": 108
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"min_stack_version": "8.3",
@@ -6169,23 +6211,23 @@
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "50ce20970c0225897cbd6278da8c53629372100b61e456082a1018b045d9d8c3",
"sha256": "e7702b1cb759c6daf40a6f3464d984e9b0b59eb02c5ef8a4b805abddc598d678",
"type": "query",
"version": 107
"version": 108
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "24e7bf23a9b423f0ee788a5d588692dbf4cb7d5a9de672b20db27deb8f3d05fb",
"sha256": "b62ce757409f5b83483a6178edf83f96ca9f2694c59261960462d1d5aa5c823e",
"type": "eql",
"version": 106
"version": 107
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "c475fe418c9dd5c5b6a357004cecb0f77ec12520167b225d77dcb436eb1094fd",
"sha256": "268cf591802efa58ca8ccc81f92c143605f8684dccee5d40e37775cc905c1ff5",
"type": "eql",
"version": 106
"version": 107
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.3",
@@ -6197,9 +6239,9 @@
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "4e20d0099e197e490805cd6edaf652e4b192b1c67cd120c9583905ac929dd623",
"sha256": "dc0a8c9cd0d7f0e1844a5c6402ab1504415faa41aec3f0ae1f68c80b0e74947d",
"type": "eql",
"version": 105
"version": 106
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"min_stack_version": "8.3",
@@ -6313,9 +6355,9 @@
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Keylogging Script",
"sha256": "e5e42d67e73c95c6558439ae96e3515ae045a15b9cf9349190ccb7ce1a5c3258",
"sha256": "fa1f00b9443c5ad654f7b853629f4075bf14005339a418325a786b9efeba54ad",
"type": "query",
"version": 110
"version": 111
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.3",
@@ -6334,16 +6376,16 @@
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "95a277633a730cc76f1f3dd56678af752c6c0b11bd0eca7bf678452efce66786",
"sha256": "d760fb7f319139f03665f98df0dd2e9878098619330d3d740f424b742ed5a3e7",
"type": "eql",
"version": 3
"version": 4
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.3",
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "49544ad4d81ab915c9fd10546c551f9f16cd314bd11afeb39e1d8c2f92d61242",
"sha256": "46222aa552fbb0eb3445b6863d48086e14b83f540e63bf7f048bf0e645855756",
"type": "eql",
"version": 106
"version": 107
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.9",
@@ -6362,9 +6404,9 @@
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "836e67e32ec8fe118f5d1934b55e659b1dbcfce76125cce36bdb3c0e1f8ab9bb",
"sha256": "729e64a5fe9596b9514a3e5a2b56e8374fb6079ec891f4b85681422fc07671e5",
"type": "eql",
"version": 106
"version": 107
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"min_stack_version": "8.9",
@@ -6399,23 +6441,23 @@
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "48070e6a13563fdaf1cc968863fd1afaf4838e89682767a13af387858571ec00",
"sha256": "a96413f43b35602b04b7947dfc44ba77f545ed0130c1d7c09cae4116e51754f7",
"type": "eql",
"version": 108
"version": 109
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "9f7b054508c77d58f7d726725411dc517eef84d474347b3a8557ab84761eb842",
"sha256": "0afe2d906b4e49920bacb79b64404fb8d2ad10c938ab6066d1775c4498d2c1a1",
"type": "eql",
"version": 104
"version": 105
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "b703ff542262a1b01cce71377aa6ca313a15387e5c2b986a98d27924ecb2782f",
"sha256": "f03d327ae09793a9ec460b44da54cfc1c07d946b2d181da5ec77da0c5d2fa4aa",
"type": "eql",
"version": 106
"version": 107
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"min_stack_version": "8.3",
@@ -6434,9 +6476,9 @@
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "6ce01312cbd857003098b2b0753a1ec8356a09b109b020cdc2ab369082ffbf8c",
"sha256": "2acd7bb084fcacdbb12ec8d9c6a04121f2a5bfd99c81cd043158d03bd202e2fd",
"type": "eql",
"version": 4
"version": 5
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"min_stack_version": "8.9",
@@ -6473,9 +6515,9 @@
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "10b03b0d2a557fd9f1db04ceba979e83c8291a46dd1430959c27531b5e55a74b",
"sha256": "e5ae5f0e597165278b0ee70abc0aaaf7bfa067cc6b731e26e4d4a9f8c130d70d",
"type": "eql",
"version": 106
"version": 107
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "8.3",
@@ -6508,9 +6550,9 @@
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.3",
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "a694c2c72d254cbfd29fbeb4d0893e558337476a755af6c851563a1014065d26",
"sha256": "331c14e73d76aebdcd4cac4d0fab69ddbb53ef866ef1a68f1868a3755733226f",
"type": "eql",
"version": 104
"version": 105
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"min_stack_version": "8.3",
@@ -6522,16 +6564,16 @@
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.3",
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "d375bc56966923722625e5df9e79b926dbeee902679aa6cb57b02a7dae9b0923",
"sha256": "43fcbbce0e30de8a963685bf58748b27635b19c08af085815f6fff113533bd37",
"type": "eql",
"version": 106
"version": 107
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "fe7c45ba7ffa9b0a75ac69678e899b81b70778bc9e472fa57463c14bb425caf5",
"sha256": "30182cfa6804a26e730d3c6e33a15816fbc229f1b76ba3b0a372388c91434099",
"type": "eql",
"version": 104
"version": 105
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"min_stack_version": "8.3",
@@ -6557,9 +6599,9 @@
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "0710403c8d618e71c165c7b8eb160bed4e6e439b9d9c904d9b5af9aa9be9588e",
"sha256": "ef18c4509361dc748c03f900e0cb04331a3870f4d37673c65632f7edcdc5fe80",
"type": "eql",
"version": 106
"version": 107
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"min_stack_version": "8.3",
@@ -6571,9 +6613,9 @@
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "9703a3f1e0ab87710ef683407452f9491a296fbb9fb21c1270d48f28039443a0",
"sha256": "98c498d667d0e19468ae624112a73bcd2a85d40b0caff39529b93ce06206aaaa",
"type": "eql",
"version": 105
"version": 106
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.3",
@@ -6585,9 +6627,9 @@
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "a6a7a57d9d9f53170aaca5b52e31fa5987b52d03287d461f35903e7a94f3c49e",
"sha256": "7e7ffc94375f810fc0ec2748a6a096644fcde37cdf4979fb00de46501a74f0c3",
"type": "eql",
"version": 107
"version": 108
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "8.3",
@@ -6599,9 +6641,9 @@
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "cddefa7d53013d704fc6ae7740caee316c50acd79b1fc321a6f2f0b9120d905f",
"sha256": "576d3b6a56808d5c581e4f82d4571613bdb9f304eb4165c3d972990f968f7abf",
"type": "eql",
"version": 107
"version": 108
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -6667,9 +6709,9 @@
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "462a72ca87888591497bad05c41909f4b20b28e8be26d594546e563f178bd706",
"sha256": "29d7cf667acb99a68d444c3d61446d0b3ac071880d4ad6333c3be80645841c97",
"type": "eql",
"version": 107
"version": 108
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"min_stack_version": "8.3",
@@ -6702,9 +6744,9 @@
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "c9158b1c2fd25aec7b65a7112e5bd5234e1f16fe85d6cea011a2c447f8845de0",
"sha256": "4e2c160e8b311df59edc07d890988f42898b8ee8467760d2692204ecc13cdede",
"type": "eql",
"version": 103
"version": 104
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
@@ -6722,9 +6764,9 @@
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "d16c1571f4991e8257fc206ff4e66afbab3d14994c0b00534ab992bd948529be",
"sha256": "644224b9f3ebd8dc3b7a7d5b2fb1b90cd7142ffb1853bfa847346361c0e952d3",
"type": "eql",
"version": 6
"version": 7
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
@@ -6736,9 +6778,9 @@
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.3",
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "a2dad54c59a4df7c89caa5e11af6d9425532fe82b26ef1c0588f4d7b835f71ec",
"sha256": "f98a75e410bae28c2958515cf867ad360c55e5628e4074ff04168355fe113ee6",
"type": "eql",
"version": 107
"version": 108
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"min_stack_version": "8.3",
@@ -6764,9 +6806,9 @@
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "cbc3f42a7bcbc551c94f4915bbf898b210a4747c014608e39f4a2a12501d1682",
"sha256": "cb3e06584ef3df219502f541a38afdd93024219e4a99f76ed05857f3b96c5772",
"type": "eql",
"version": 5
"version": 6
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
@@ -6786,9 +6828,9 @@
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "5f9d6f9747305b2a9d59f1c2bb89ec12610c7490a57f1ccb24de236f42839d9b",
"sha256": "55ab77b10e0bcb868314e0a9c77ad2c6b64b6a3dc98daa287fc5d3318225afe1",
"type": "new_terms",
"version": 210
"version": 211
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
@@ -6911,9 +6953,9 @@
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Removal",
"sha256": "7b92ec2e6a2290e49b0168c42351731b5a03508b59cbed4d0dd0127f6ab8ded1",
"sha256": "3389bde0d2034a85fbb3b9902602f9751c82b86ef92ede4fd68b2c2aaac43319",
"type": "eql",
"version": 106
"version": 107
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"min_stack_version": "8.3",
@@ -6957,16 +6999,16 @@
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "cb505702842c62bf14d57f592e2da9b793b4232bb14db1dc07ce3ee3dca88d72",
"sha256": "fb56f30729c9d160477b06f02df315c4d6c9387007b670146b4c0060f556afce",
"type": "query",
"version": 6
"version": 7
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "2abbf97e21f0197022ef274f0c7aaf1326d6645628f586e1bbc7e75dd4bf6dac",
"sha256": "e2c5ca3d894271fd19e6f8f2a1766756db89da4380da5f63313dd2f1843b9589",
"type": "eql",
"version": 106
"version": 107
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"min_stack_version": "8.3",
@@ -7008,9 +7050,9 @@
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.3",
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "33d3c47a50a64210f5b2ffc25ccdff6d5d37d16fc71e6dbbc5c13a18b6780cde",
"sha256": "63f22faabb2c7cdd85b0f0550ea39855fbcdbb14b96b274cd260a985e747a7a9",
"type": "eql",
"version": 108
"version": 109
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
@@ -7022,9 +7064,9 @@
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "400a4ff29714ab2561d2a413f2f404116f8fe1067cb678f32d05daa204ee8316",
"sha256": "a856106c03c826b7cc37c298845052a3d071b61fc13d0a7e32d11346c49983b3",
"type": "eql",
"version": 7
"version": 8
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"min_stack_version": "8.8",
@@ -7036,16 +7078,16 @@
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "c206dc61a4c2ae0d1f412a63bcffc413ce72bb6de4d4c86c670d3c066dd1662e",
"sha256": "283072265b8d9a5eb1ce5e409ca6923c251b01d80294784d68db0745ea03ff46",
"type": "eql",
"version": 106
"version": 107
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "077587010e7e194ab3d20e99f290d4a9813931fa3a4c1f4bd01f8a875b0a274a",
"sha256": "486befefb895d04393ea8ab494e45aa9071d538f5f4afe5d9ac67aee4e990ac0",
"type": "eql",
"version": 107
"version": 108
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
@@ -7077,16 +7119,16 @@
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "52bed23a3a6e8d13a93def9f01fc3f4de6094c7cbd2b55eb10637d659a556dd1",
"sha256": "258220c18110c30e13d2bf5c9c5b47b97d2591c38e6a207624eaa1335b384462",
"type": "eql",
"version": 107
"version": 108
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Event Logs",
"sha256": "8ab63a4886ad2a72cbb3c1b616a3f462298f7cc74de154654064c96b035d343e",
"sha256": "8a73c10ef60c4773647f268027e24eae42f6ade586978349bdf9041116d0e531",
"type": "eql",
"version": 108
"version": 109
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
@@ -7149,16 +7191,16 @@
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"min_stack_version": "8.3",
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "f5c2c64714e19cc3d5437f0039d3baa83ae9aa8fd5af5dcbd5b6655156c6e9af",
"sha256": "fe9f5628cc8de2846077446c09d501bd05f366c5f81e3900c513dfa420b6ff75",
"type": "eql",
"version": 2
"version": 3
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "3c95ccf8f67a50f03ac411052a8a2da81d0483634ff43782835b20a2eee49275",
"sha256": "225b46731e54716469e060d028dc5a204d7dfeb3ec1062bc93ffdd4663f7acd1",
"type": "eql",
"version": 3
"version": 4
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
@@ -7222,9 +7264,9 @@
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.3",
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "e19053836a709b816dc84ce8ced0ba8168ccd803d9c077141d35d3a0679f082f",
"sha256": "cc8a7869299dfb327b8a78d1709292c90e765523ecaed24698ec7fff46bb4440",
"type": "eql",
"version": 7
"version": 8
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"min_stack_version": "8.3",
@@ -7236,16 +7278,16 @@
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.3",
"rule_name": "Modification of WDigest Security Provider",
"sha256": "80570780af03c2efcf7f4a9003e2c21b34eb66a062aaad55d9676514ffea140d",
"sha256": "0d92e00788578df71a3085d97bc9e16656ce1ab64a2d00cefd71d7ede7c98ce2",
"type": "eql",
"version": 106
"version": 107
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "be781bb6c568f6e3338fe8a85423ad7b2bed67673e71befc92524a519bf29602",
"sha256": "75e96d95e76853c07370e086de891f29c8521f0570f5afbc6c674fb8ff2e13df",
"type": "eql",
"version": 107
"version": 108
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.3",
@@ -7264,9 +7306,9 @@
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "c44526d9a91a1fd72764e5afb5ad5c6a99415825884efde1516a72afc827756a",
"sha256": "135ce1e246c6be718c533d4528fb82c9d1798007fda71bb7aa4126f2766cff68",
"type": "eql",
"version": 108
"version": 109
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"min_stack_version": "8.3",
@@ -7315,9 +7357,9 @@
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "8442e8cbb922de0f547562302bde985f3e343662547902ae1b3ad81817991b14",
"sha256": "35cec24c6f40b74359e76b1c0b8b19ada3b0c73c18fdc5f92b4fc732bb168c40",
"type": "eql",
"version": 107
"version": 108
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
@@ -7384,9 +7426,9 @@
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "e4df76ec7b5df39c1969e559f1a6da83fa65a42ce5b7d0309e543137738e41d0",
"sha256": "48b2377c407c6fd267364cd6a28cedd0830236fe92ed4e08111591a7a77999b1",
"type": "eql",
"version": 3
"version": 4
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -7397,16 +7439,16 @@
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "d42dea9b11a475bd84ac3a3f2a7556720a15eec56ff92168c87ed712e91e8908",
"sha256": "e947ad288f1da43e4a883eb9da07ee706c06e2905ae2445421e2280db1d72486",
"type": "eql",
"version": 4
"version": 5
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "068a220aff143f426d32e403fb68a377e120e375f657e84217c3eb4f399e543f",
"sha256": "6d5c7271ac35ece6b3d5ad727effafd19fad5b0e1fc68ca0ba309bbd0a1ca4c1",
"type": "eql",
"version": 107
"version": 108
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"min_stack_version": "8.9",
@@ -7448,16 +7490,16 @@
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "573c9ca2dbe19f1a028b5b5819057f1cd784de1be52279fb1eb1b99bf3aa91a4",
"sha256": "1b4652f974e6422672d712e10f16590cdee1527efd0cc592e2cfacaf6ab10754",
"type": "eql",
"version": 106
"version": 107
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "e1754aece5bca9de7f3a297a9ebcfde160a4c48fdba1042e55a503c43af3a487",
"sha256": "3fdd204c8b26e4dc4f20eaf80a88b4f37cd9093b77f365fbf505b27c37e500d7",
"type": "query",
"version": 106
"version": 107
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"min_stack_version": "8.6",
@@ -7499,9 +7541,9 @@
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"min_stack_version": "8.3",
"rule_name": "Dynamic Linker Copy",
"sha256": "4c3f4b8b94c3abf50fada6c7104d6fcffb6126ad61920c98219b8ca2d1f7af00",
"sha256": "ad16600cea0282022eecee3a9321b3df7956ff9592e8c777caedaaf750b505c9",
"type": "eql",
"version": 105
"version": 106
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"min_stack_version": "8.4",
@@ -7542,9 +7584,9 @@
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"min_stack_version": "8.3",
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "0cb624873a820339db88e27f6c934f951767b06b5fa612ba655162ddac81044c",
"sha256": "b59881ecde4fbb260ada06f008c2bf8ff29a1dd8964b75ba7e4aab3e5d1cfbe2",
"type": "query",
"version": 105
"version": 106
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.3",
@@ -7625,9 +7667,9 @@
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"min_stack_version": "8.3",
"rule_name": "Connection to External Network via Telnet",
"sha256": "ecd74e5b4a0d9320b567ccff15b0551b10812d52a6a99e120eb4e09dc3c70a70",
"sha256": "20d3c6c6a6f6513706a2ebd8383166c55e2c6bbe55be87a27695bc4d93937453",
"type": "eql",
"version": 105
"version": 106
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"min_stack_version": "8.9",
@@ -7639,9 +7681,9 @@
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "c283a96f0e6778b4047079842cb8724e31caef3444301c6475256a53b012ee57",
"sha256": "f0e1450bcee3627ea25c3f1149f19e23d974096a93f38f4fcb2f8b1f3cbf4760",
"type": "eql",
"version": 4
"version": 5
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "8.3",
@@ -7653,9 +7695,9 @@
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "8c840abd0eed39efbf4517ceb247d5a1e29c14df891f7fc68b9c8ca19af732fa",
"sha256": "f96c27d17387a29f3c9e0a76e761e50f58980ca2e8c5c47c750c1112b007a612",
"type": "query",
"version": 109
"version": 110
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"min_stack_version": "8.9",
@@ -7690,9 +7732,9 @@
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "f4aa9648ae148430d56ec66b1b05383eff95f446f9d746fa618a5fd5d74b932d",
"sha256": "66e388663b228b2c8dd94c6fd5c4d2747293af0ad3223e8467b6dff513bfce19",
"type": "eql",
"version": 108
"version": 109
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"min_stack_version": "8.3",
@@ -7704,9 +7746,9 @@
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.3",
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "71b3674d3f5ae08be304fa711dd538194ebb2c5624de5518b705a973ce44764b",
"sha256": "3e2a12fecf522267ef3afeb66114c8854824c72cc1d0e2ae4f0f4bc3a2308f70",
"type": "eql",
"version": 107
"version": 108
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"min_stack_version": "8.9",
@@ -7734,16 +7776,16 @@
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "db6c8cc00bdbaf0ddb428a155db94ed7c9f288d60b6f199fab061f577a7bd7f4",
"sha256": "5c04199205cb13930875dbab67b50a81f6de209289212579901c2a02bec11afe",
"type": "eql",
"version": 104
"version": 105
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.3",
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "47990704fcf218a068f07339d376b36fe1ff72c831754b08f0dffed5768cc04d",
"sha256": "2e2da840f77c57538857f88568962b68c7ed2da6036ccc86ed73e23d95b97f90",
"type": "eql",
"version": 107
"version": 108
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
@@ -7771,9 +7813,9 @@
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "ff07330e7b280ebe26aff63e3c933ca68bc9e57095f06822a1ce1a766f8aa2d4",
"sha256": "714940633134a4900fd804da4e9b3e223c9d3ff128f229f7a46599938fe9322d",
"type": "query",
"version": 108
"version": 109
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.4",
@@ -7830,9 +7872,9 @@
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"min_stack_version": "8.3",
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "077f0a7711bbf837f2e67231c713061aab1388e7194845c2724884baba2fcba8",
"sha256": "1732013a4ba605cabe48c7b619ab0091ebe06309b90dd143c75a2212213833bf",
"type": "eql",
"version": 104
"version": 105
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"min_stack_version": "8.3",
@@ -7881,9 +7923,9 @@
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "9dabc489226c779aadc8aebd27fd06248863464f8c3eb77f8e3e65ea9de31581",
"sha256": "332682a3600cb59f9e5416f1a36782dd5b2cd5140ad2365e794fe319c8057d6a",
"type": "eql",
"version": 5
"version": 6
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"min_stack_version": "8.9",
@@ -7911,9 +7953,9 @@
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.3",
"rule_name": "Installation of Security Support Provider",
"sha256": "05e809fb643c5c0b932f08cf325d5b980c1be26c2322a33497bf7931a54612bb",
"sha256": "8547cdc3808d7f235d3d0abae6b3718604a0f5fd3b25275e55649bcb89548514",
"type": "eql",
"version": 105
"version": 106
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
@@ -7934,9 +7976,9 @@
}
},
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "b2bf47b2d754b97d1201f5d927c49421ceb71609ac667f07c240495f839cd6be",
"sha256": "db2a5674e261bc84e14f1523a5864fc02bf8d27e779d4bd8b3ef5e0f8c2a77d8",
"type": "new_terms",
"version": 103
"version": 104
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.10",
@@ -7980,9 +8022,9 @@
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "0932a11d1af761dc69c880afac16d9f8543316e5b003ac9c7f31d6a1b903eb5b",
"sha256": "3f3eec9bc3511f8a7b04c2ea53960d28e2c4cc9c1919b4ac0415627e28f49b80",
"type": "eql",
"version": 108
"version": 109
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"min_stack_version": "8.3",
@@ -8057,16 +8099,16 @@
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "4fd30c5b6cde137af4b4bfbe6147e6b9b22ee92011d517f81f11bfd501ecd62d",
"sha256": "801852a3300f7b11b19c32b8f4151194247eb06f60814b531d70187da14da0a1",
"type": "query",
"version": 1
"version": 2
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "19a8d98813f7227deaf511c0d633facc03ce98eca134cbf0ad8d95277312d2bd",
"sha256": "f2b652ded44a6da7a65d03f5aeb3b74b8f9790089a0d1c2e3346e02ff70f66af",
"type": "query",
"version": 108
"version": 109
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
@@ -8078,30 +8120,30 @@
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of SELinux",
"sha256": "039692bcb30d46067fc586c4ebcd04997a968d5c426694130fea5aeb0a48d46b",
"sha256": "67e5d80d98a14e59513c76c67d9e7b585867dfa1bd03bc7fe57b4e529040abcf",
"type": "query",
"version": 106
"version": 107
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "cc34ad5743714d022bd3d06b3eef95da4715d5b72e531c4235b17576ba88d2d5",
"sha256": "76c37cc7a589fe10dfaa88f6b7b661dea40b32593c1b666971619610af0593c6",
"type": "eql",
"version": 106
"version": 107
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.3",
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "160ed3a375dcc3e55e6117241ad6a6bc1ef32411c7d4a0d406c968aeeb017680",
"sha256": "4bf7615c712ba6551f11469f116ac403329d8282ac9506d5ccd5b57da83c51b6",
"type": "eql",
"version": 106
"version": 107
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "7ef91946b0330f608783b4afaf455fe3bb69d40331bd9be9573e1e1b3b9429d2",
"sha256": "1d657da119ea7a4f4925fb9854f9b300a165f2e51b196233358018c3c2c34b10",
"type": "eql",
"version": 106
"version": 107
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "8.8",
@@ -8150,9 +8192,9 @@
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.3",
"rule_name": "AdFind Command Activity",
"sha256": "b3773d30c5a81754f182b5e16112b660ce51afc7217b471c07c135c92343561e",
"sha256": "8a1027b9ad2f5361439241c61ece4bf8059f137a0718d154612fc6bc4e1582b6",
"type": "eql",
"version": 107
"version": 108
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
@@ -8173,23 +8215,23 @@
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "2879ba6dedb4672f2a2edf42d9b51a445ad7e87deafca2d3e115c225361d1e52",
"sha256": "7e36739ca38d86c13233d562ec0ff5e3019b17cd4efe9373ee963d0412184cbd",
"type": "eql",
"version": 107
"version": 108
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
"rule_name": "Linux User Account Creation",
"sha256": "a543b60be5b2a1233c9fb7a049c1556d3cf7a3df31ba9a09fd4e7f1b427e5109",
"sha256": "13b3b537fd8a6d150005572a86b138310ddc48a6341f26efff995090c828b47f",
"type": "eql",
"version": 2
"version": 3
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "2bd1115d1a41b7a4ddd1ec2a4b7dac55b76173ff8ff1e3df92775705269ba0c6",
"sha256": "1b81a42027a994ad37e3fd6a68e0cca9c1f3620c0ec4479d34cc05a33c94986c",
"type": "eql",
"version": 104
"version": 105
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"min_stack_version": "8.3",
@@ -8207,30 +8249,30 @@
"eea82229-b002-470e-a9e1-00be38b14d32": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "05d0abb50bae439b769843646d3b7295eef4a0bc5c024cf9798ecf355acd3575",
"sha256": "9893771c796bd09dcc8f046fd8356942e6cdc5159da8de8a23d418df3220c216",
"type": "eql",
"version": 104
"version": 105
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
"rule_name": "BPF filter applied using TC",
"sha256": "d3b6a041bc5f899f14ba0e350fbb36350e02d5800b1751b2bff3950a02bab9e4",
"sha256": "0ea652ae4056c21deda839089e82be5e8d139fe2a4d663b1c351ea38f5373b52",
"type": "eql",
"version": 106
"version": 107
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "fa04606235d591a3a18f27ac11497e0b0b3c0db64ac9d3cdae52dac5bebb9ca1",
"sha256": "b484fef67869242e81d258aa6dd2f985dce79cf7ac6f49d81e8d62e1b34d69aa",
"type": "eql",
"version": 4
"version": 5
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
"rule_name": "Whoami Process Activity",
"sha256": "a5131bae94678610d7c365c497f62c084b0c6c3c2954fada880c3531d5e342e9",
"sha256": "69d5354c891fc163e1c5ade3bb65daff48c54108062356e2608bbe10b4bc33dd",
"type": "eql",
"version": 107
"version": 108
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
@@ -8249,9 +8291,9 @@
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
"rule_name": "Suspicious HTML File Creation",
"sha256": "7ab8c378ff7083c1a6c05954e86861bc3ea942fa39a3e3ae31cdc225509315d7",
"sha256": "b3a8f746278cc301f6dc58d9f527dea32590a6d76cef0455b4f613d70e2d67a6",
"type": "eql",
"version": 104
"version": 105
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.10",
@@ -8272,9 +8314,9 @@
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Remove File Quarantine Attribute",
"sha256": "6433cb81a632852cd17a4e72400aca36cfc55a5f7dcd8826f139d7a029c91097",
"sha256": "d7bdcd2de9485c0496e83b118d9a4206a6bb8b4d6a4708797dc89b42403f753a",
"type": "eql",
"version": 104
"version": 105
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
@@ -8293,9 +8335,9 @@
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "9472c913dfa8869854d45e63066366097bc76d22561deba5f0332c0e764850d5",
"sha256": "9879db0ee4eb6fa5d55af57657d48ec0820bae075840304cdd6e403fc3ab1a1f",
"type": "eql",
"version": 5
"version": 6
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -8314,16 +8356,16 @@
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "f296c42702e111663ae6795fba27be54503e7ec2e1c6a433a0f3cf3ff1c376b6",
"sha256": "e9d5cd6f343029ce8db6fae1ac69791d81d0079795f15c27d2b04cae4d5692b5",
"type": "eql",
"version": 105
"version": 106
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "5b99a39e1fe7e357d865152fc9bddaf95dbcdef3438bbdd9a2de4b9ef6351120",
"sha256": "401bf25e8e77ccc790d62c63f3b09edebad5cd9b70eac15912db6aaa46127d58",
"type": "eql",
"version": 107
"version": 108
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
@@ -8335,9 +8377,9 @@
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Creation",
"sha256": "ddf5498423537a85ccdbb7552f2986e755918e505b195b2aa3e6c58ab2825bc0",
"sha256": "c5245d22a0267264ade24de174cf1032b9c68466730cc42d6e58734984ae0c96",
"type": "eql",
"version": 106
"version": 107
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"min_stack_version": "8.9",
@@ -8386,30 +8428,30 @@
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601",
"sha256": "15e6c5f162e68e3e99d55f3e56f8e12ff21a337b3225df19df18e23d5223c734",
"type": "threat_match",
"version": 3
"version": 4
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"min_stack_version": "8.6",
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "397ef632c840d0922b83d252b5b41db9cbaa48dbded3e4274d7b714ea636231b",
"sha256": "ad7d073b51e1fa98d9af62232945217608d7cb3996a06e33226a4dcd83b222ef",
"type": "eql",
"version": 2
"version": 3
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "292a400f924bdf495a355385c16ff53e68f9f3339a16f03722da0a67d20439f9",
"sha256": "3532dcb1643708a0b5c5e2ae8f0674579cbb77fe60a022151328d4b38fbb72dd",
"type": "eql",
"version": 105
"version": 106
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.3",
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "26b40ddcaa37e8f078da5fbfc2a20a67103717af9bed0188b9002a14836ffe5a",
"sha256": "d98a7e83fa24ec297e90f61de9d4e6781cfc0ba17dc00049f79130145d7ab7c7",
"type": "query",
"version": 108
"version": 109
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
@@ -8420,16 +8462,16 @@
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "7c8538ccb98edd565c3e77089791a93f35d6fe22c6f6622b1b5830797dfce87b",
"sha256": "ddced9a0cc70d7a97aff4223b6abe5ed8faf61be30e7e56fbc87b2d124b9e693",
"type": "eql",
"version": 3
"version": 4
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "137fe700650e80f99c3e810ffa7887f243a69e3fd36267afd3685955e5b3a7e4",
"sha256": "98f9b2395052ffc073feec29bc55c3952eae38faa5304ab59098692287a2995e",
"type": "eql",
"version": 107
"version": 108
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
@@ -8455,9 +8497,9 @@
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "05f3189fe09c5f5c72a44871e7af8a36a085d5f5642ee65deed333c490888820",
"sha256": "7fb454ea923d4be1c53da0fce33be447e1856c41f237f0cbea512aec928fa237",
"type": "eql",
"version": 1
"version": 2
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
@@ -8469,9 +8511,9 @@
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"min_stack_version": "8.3",
"rule_name": "Masquerading Space After Filename",
"sha256": "b8733fd0fd4e27a60869420a23f949e588a94ab43ebbc2bacdcb58250c6a82bb",
"sha256": "c008022dcc942aac497e03a345678d4351f22bd37f8df7b55687be5b5ed9ce43",
"type": "eql",
"version": 4
"version": 5
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"min_stack_version": "8.3",
@@ -8483,9 +8525,9 @@
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "23aef572b50810af907ee7bd6ef6657623f6592f933f9406a58dda38ccecb9d2",
"sha256": "48ce252c07058d2ee1ca0800d2b1fecbe03128d07992d41375ca0c03b6a48f48",
"type": "eql",
"version": 107
"version": 108
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
@@ -8541,16 +8583,16 @@
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665",
"sha256": "cba0ef209d381391715a1d4cc32407099e0cc2826fad303f04e46cf39d3effb6",
"type": "eql",
"version": 108
"version": 109
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "0e07c2995af6088f4c7f371ce44780cab7ffe75d215408752857ac720cea0465",
"sha256": "eaf1fe196b0fd766b9dd3e92a9dea8ee67510efe613dff0483b398abdcf91389",
"type": "eql",
"version": 105
"version": 106
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
@@ -8562,9 +8604,9 @@
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "11ff5b48af4c6fe451b2ce1623b1cb2cb5bb35007bef94018597f897219a10af",
"sha256": "902e8a91c828264acc25b9b1ef81880b919f5739fef7a59cc8b1af766f54d38b",
"type": "eql",
"version": 107
"version": 108
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
@@ -8576,9 +8618,9 @@
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "f58b2bc6df6119dd19b628c293c7dff6ea595e65b39223cf2d0dde59b882b15f",
"sha256": "2b0bea22a5bf532f9af15d9ab5ed07db310010798335f52475ceb9d0292017b0",
"type": "eql",
"version": 4
"version": 5
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.3",
@@ -8590,9 +8632,9 @@
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "f5252571a3884a621635498b85bfdf070a396d30be00c83e6336d0c4e91979e7",
"sha256": "36afec4fdbf0b0dbe5dd5f33cf28d0866a711012c96115ea0e205eb6bd791364",
"type": "eql",
"version": 7
"version": 8
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.10",
@@ -8613,23 +8655,23 @@
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "56bfc5a88cfcdbba392ce9e25d0e7838831cac7440f8ef2a35107b6257261115",
"sha256": "07cb5a601ba090bd310db66dc7a01f3be28530f661533672dc80eae9361219ca",
"type": "eql",
"version": 105
"version": 106
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "fac6f9cee3f43e0193ffc987c11e25fd31bc52cf43af80e9cfabc8dc453c1812",
"sha256": "218530cac5856894e6aa5cd3de9220598341cf39e21207726a8736e796656132",
"type": "eql",
"version": 4
"version": 5
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "91a2395bf7620588ccb74be3c35e5550521b5efb2e5268f5e5f700def971d705",
"sha256": "0614d99e192ebf727ca5211629665791841cb5b9db109bf11e3b8d8c67d84491",
"type": "eql",
"version": 5
"version": 6
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
@@ -8641,9 +8683,9 @@
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of AppArmor",
"sha256": "af928c417577e8cc0260d0553a69112ffe4cce0432ff7dd3e11a6bf0e6c446d1",
"sha256": "34fdcfc5bff48dc2d657a33d95b6f8a56e38e5110fad29d01863329e1f5e1f68",
"type": "eql",
"version": 2
"version": 3
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"min_stack_version": "8.4",
@@ -8693,9 +8735,9 @@
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "d82de3a511d6f9d1fdacc568ea1f4f13dcb5c7b1923e37472627edad3bc0e244",
"sha256": "695672533f96849fc04744a44bb0c3d2c8ad763e56b29d8e9df74708aa58ec0e",
"type": "eql",
"version": 106
"version": 107
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -8706,9 +8748,9 @@
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "4b954791de8751f010850822c06e03453a0570b6d49480dce1b58cd1a05b269d",
"sha256": "1b6fb7fa94a0e738049d247dc04b6264f0be47b0bcd5ad5a93807de37e0d5f67",
"type": "eql",
"version": 106
"version": 107
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
@@ -8729,9 +8771,9 @@
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "2cf4b3a4a92c5be889a51b4f1d51c3eab77327b7bf883a2a045d1571d8779e4b",
"sha256": "7848efd45bcbe0c34fac7bba24931d7f0cafe07c08a91af0e478d23d723a0bfd",
"type": "new_terms",
"version": 207
"version": 208
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
@@ -8743,30 +8785,30 @@
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "590ac86e1af3b8706e4cb2a69e8fdd314724e77dbb5799e8fb98370ce40c9e58",
"sha256": "5429be9bfc7f82918122fa6dcc5088a9f5934fa0b93cd24eecb1b3a33e52a053",
"type": "eql",
"version": 2
"version": 3
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "5c50aaa0928ecab2b1476d973bb4bfb90d78dd9e2448e1aaa8c61daa32ddedce",
"sha256": "752821996ecca2eaeacb9d0694eea57ddf1ed278ab32ceecfa6fd0514f9a16d6",
"type": "query",
"version": 1
"version": 2
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "7e932f33b6e1585cd992ffb8d0c475283c7c7d9e5f8480d9858165a716090f61",
"sha256": "233aae2af8866a118d0080a5d695beef8bddfb17bf9788964055df0f6cfdad5b",
"type": "query",
"version": 2
"version": 3
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "a8eff42378039fb19f5db47284f5c0fc7ac55a01a9ec1c5d9b1a664f91fff887",
"sha256": "c96941a5ebb42e39bd2527bcfd0d2be708992dbdf722a7622a1642525b235ddd",
"type": "eql",
"version": 107
"version": 108
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"min_stack_version": "8.3",
@@ -8785,9 +8827,9 @@
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "eb594f40b846f2e27c3ac05de62f5c78c771164a6d579245e5e4c27990e1c049",
"sha256": "df7ad57c972d298da6bf985f44b45cc04e2ebac358b7aa99a0662df6ab2d550b",
"type": "eql",
"version": 105
"version": 106
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",
@@ -8806,16 +8848,16 @@
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "b1a94af889b3bd5f19d461f40cf67ebb70a8c9c19383c1c6b821e829e49477e8",
"sha256": "dcc745dbac15e8073ffc6bb416dd3a2f1b170e3ea46bfb1c41085cf82a6f009e",
"type": "new_terms",
"version": 5
"version": 6
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "592b792af644dd525e7bb61b8ba69a59219b797775997301b8ca62e5e71e03bd",
"sha256": "1b7ddc7981baef1561c102347f23a1168fd3023c338e394cc8ed2956864b7ffb",
"type": "eql",
"version": 4
"version": 5
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.3",
@@ -8834,8 +8876,8 @@
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "7f5618048d9c9a947da0f5e7789a02590652382297e9fc2355be088f7eb8a2bf",
"sha256": "0e051f6a89e0dd3e32af0d2331b7ab799d7e1f852849859f6cab82b3b5d8b4d9",
"type": "eql",
"version": 3
"version": 4
}
}