diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 7444b4537..c787f28f1 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -18,9 +18,9 @@ "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "c12251f0ebf415936a88178bbe670516848a774c5cf3e9bc888a6a8824a0e13a", + "sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e", "type": "eql", - "version": 109 + "version": 110 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.3", @@ -69,9 +69,9 @@ "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "1fcc8d07520fa392cbd941dbaaac5fef1dc5dee48d5ab029ca64cc5409f7089a", + "sha256": "5717d643abdcfef9a6d60fff6d57720c82151980bb8e27c67620f86f538f9a1a", "type": "eql", - "version": 103 + "version": 104 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "min_stack_version": "8.4", @@ -92,9 +92,9 @@ } }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "789be8d5147c605bb71d3b8591d50e528487c9440450bf27e1711d36edb5b5c5", + "sha256": "e194561c4501f18810b36c5747c2d6cdddb401d1dc29d19507a4af173c85ef22", "type": "eql", - "version": 206 + "version": 207 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "min_stack_version": "8.3", 
@@ -127,16 +127,16 @@ "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "min_stack_version": "8.3", "rule_name": "Potential Network Scan Executed From Host", - "sha256": "247079101b736a6f3dfb963c2106e2d5dfaf9523a631e74b57ca03fa12e6c429", + "sha256": "ec82385a8fee3e9b8a3e2bfe0b4a9678a7cd9d31611bbc8c5538214912a0831d", "type": "threshold", - "version": 1 + "version": 2 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", - "sha256": "77e56ceb38921c2a4b69d7e793e5cebe8412e613b9f767bf3e7d272f297aa00d", + "sha256": "a8e44864c0255586bcea1d4b241810c54170028501986f52bb80bf79c2136c98", "type": "query", - "version": 106 + "version": 107 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "min_stack_version": "8.3", 
@@ -155,44 +155,44 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "900e474f07b795dfe109f252a2d4a9069cdb9a8471cde0a8e19a36b84f3797ba", + "sha256": "e916c4a76f7f4724dde59c0d5c7fadb93add0c6ad283f0e1d57ae6305853886f", "type": "eql", - "version": 107 + "version": 108 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "dc6dc5d5b9bb5d8022327de5bbdc2e934503ba0e31ae2336672439cbcc22bf74", + "sha256": "1e11e71d550916f3027c212e5cb88b8489cc66382f8969badce547b978a64358", "type": "eql", - "version": 106 + "version": 107 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "6df780c2019fb6ff0102a70515a5233d958c58be4522ce64b31da80680965b27", + "sha256": "73ca1614ed192b3b473355db2817b5f0a68bdd630741d03fa3c3ac9fb6596bfc", "type": "eql", - "version": 107 + "version": 108 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", - "sha256": "a546a22d29ab39e34b84e1d2bb96312c59c8c0072948b715eea31b3cae42f3fb", + "sha256": "096c4047e2d5c332df1556e653b387ff45bc20f504f8a4b0a6b48151a55674ed", "type": "query", - "version": 1 + "version": 2 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "e707dd532d4c099c31f5b95bdc9d237af995a146109cd6caf07576bac95509f4", + "sha256": "c509bf24e613999a96e9f6e7ec6a6754b69d21683106ac3528a730fb635ad675", "type": "query", - "version": 106 + "version": 107 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", - "sha256": "43d5cfda7bb1c28139045da08dfbda821d56fd45af89f05a4cf932a0b7eee839", + "sha256": 
"3ff2e26f26973251308b3a47b92955b2d31e844b07905f658b693e4464638cc1", "type": "eql", - "version": 109 + "version": 110 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", @@ -225,9 +225,9 @@ "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "f00b9c39c021a4f1b4bbb9b99497ddbe906de70e57582440fa6dc315977892e7", + "sha256": "6992b6ee67e76b2c6fa0320f7a2f7acccc539973b27803777e37f928b1adce03", "type": "eql", - "version": 106 + "version": 107 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "min_stack_version": "8.3", @@ -239,9 +239,9 @@ "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "8822c17823d2a397a734dabe9b76dc5786f7ea603e234dc22bac765c440f88ad", + "sha256": "9a08bba2e66dd9f99a6a87ab539e1f2f205273b9af8e42a91a6be93beeb479e8", "type": "threshold", - "version": 4 + "version": 5 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", @@ -310,9 +310,9 @@ "092b068f-84ac-485d-8a55-7dd9e006715f": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "f6144e95dc8aa7800b86c6582df0d1251a9c27f1585675fa011b5ac9ebe844c2", + "sha256": "bffb87c25d97a23ef42d1aad12239934aaa88f15fbf46680f22c595a801286da", "type": "eql", - "version": 104 + "version": 105 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", @@ -330,9 +330,9 @@ "09bc6c90-7501-494d-b015-5d988dc3f233": { "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "86eaafcb32b1483e8453f37ecd655c5e8c33aceb5c823ab84d86ff4a4759ca09", + "sha256": "41f9768d8739cf9cff0a5ab80f5ac4056209af12abd8a87456875d5fabd271ee", "type": "eql", - "version": 2 + "version": 3 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "min_stack_version": "8.3", 
@@ -348,12 +348,19 @@ "type": "query", "version": 101 }, + "0ab319ef-92b8-4c7f-989b-5de93c852e93": { + "min_stack_version": "8.10", + "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", + "sha256": "0d74c78086416566df6174db2e219ff1366b37b544a388f89b465f5ca7ef7dda", + "type": "query", + "version": 1 + }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "010e64048d380d35b40f806816a62483d54ed2f3cdafafd01f6d92feb6df8f79", + "sha256": "4d8b6dfe62f6b9bc2ce89b79f7ad0e881dc744022d619b382b2e6e2d3ed15a17", "type": "query", - "version": 3 + "version": 4 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", @@ -365,16 +372,16 @@ "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.3", "rule_name": "User account exposed to Kerberoasting", - "sha256": "0cdcc5efba4bbbddd11d3637a92be7d075bd2bbd3e8f44698ea7dde40dc77ea1", + "sha256": "4d9914b3179a3e81042daf2378c760535c3b1fe6a90367a9f939f8427e1c4500", "type": "query", - "version": 107 + "version": 108 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "c545678521c2df966a1a7b9a11ac1e9e2bb8d0acad65746d1bb12f47607f2149", + "sha256": "4de1162d4124823c1b08df4e7630411d08269eb515c9cfc8179d1eb8a06327ae", "type": "eql", - "version": 3 + "version": 4 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "min_stack_version": "8.3", 
@@ -386,16 +393,16 @@ "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb", + "sha256": "0226bcc18f65bc8670480b12a71f13488f9f7fc519e664d5a16634de8b356951", "type": "threat_match", - "version": 3 + "version": 4 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", - "sha256": "5b50fcf0eaef2f2da52e18a413845a9342f1271d669f06c117524bd4afb7db27", + "sha256": "9453d6d14110a5bd8e263b6c8438683e2151cdb64a07cc0497960ca3ce991b4e", "type": "eql", - "version": 106 + "version": 107 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.5", @@ -430,9 +437,9 @@ "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", "rule_name": "Nping Process Activity", - "sha256": "a268355fc0423778888b7e0b1d9b8e7e5dd149344e2b5baa79b585c6189698e4", + "sha256": "affd117afc6ebeb37b988f85e144c43ebcadc77ed73c48470478dd749dd593f3", "type": "eql", - "version": 106 + "version": 107 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", @@ -474,16 +481,16 @@ } }, "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "514ea9a49add087a7f2f10f48d370ebfea15dc09db5bb9d5a908453ced80567e", + "sha256": "2fbbc2683f2b38e5fbfa30e12d93b04afa2aa3f59df9b312bb793cab7f3211d8", "type": "new_terms", - "version": 107 + "version": 108 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "min_stack_version": "8.3", "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "ff53f0363d8f483a8cedf49e6a907968b544472e09fd83e82d1eb9b2f3b16af0", + "sha256": "709341b184f3833219d910074fc3df6035266d8b90c5cdcf213a48afbcdcc538", "type": "eql", - "version": 1 + "version": 2 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -503,9 +510,9 @@ } }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "11e0bf29e964bfa87c51e81ea74a1e1174e444b2585a44c67e5a7db58fd0391a", + "sha256": "202c9c176a43f16620bdff4bf9d03665053b52c262d0277462afd841a08c623c", "type": "threshold", - "version": 206 + "version": 207 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "min_stack_version": "8.3", @@ -537,16 +544,16 @@ "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "73bcd7b6468b86456d40fae00cecf6d091d5f5b42458d68c4ba96cb0f0304967", + "sha256": "8b1466a22fc9368899862a84bebbbc8304df306ba80857e8857991f935d82953", "type": "eql", - "version": 107 + "version": 108 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "b0824ce814b7fa05a5a6e8d9f8f54849dd033892fd3ad5d850a4a5e2df77645b", + "sha256": "b49dd643b78ce80ed0ff86c6b03d206c7922e4364a738c813cb0d96194b9e53d", "type": "eql", - "version": 108 + "version": 109 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "min_stack_version": "8.9", @@ -573,16 +580,16 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "d41a56fd39249f9a8ecaea4b7739a996efe8bbd66aa4165345951de99ac2d102", + "sha256": "1c0bf38efb6972def16721d8a6cdfa4657dcd306a120b1f283193fbf9adf6574", "type": "query", - "version": 8 + "version": 9 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "f48869c0c1a7667d8c8a24d78167a2e33fa2e5db8b4d71bbab951f29a6571875", + "sha256": "e3f49374583b3283173ec5a2b56bf984b274041c4f13c423595f0740c9437bc5", "type": "eql", - "version": 108 + "version": 109 }, "12051077-0124-4394-9522-8f4f4db1d674": { "min_stack_version": "8.9", 
@@ -631,9 +638,9 @@ } }, "rule_name": "Suspicious Lsass Process Access", - "sha256": "76c9bb0e0674d8903c7f1429ef3267a939de6bd90838451429533396f7bfbbb8", + "sha256": "9a0adebc4688de3fd5a514af5e63944ea533f9a6b3a1b9832c1736e34b9ff2a9", "type": "eql", - "version": 105 + "version": 106 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "min_stack_version": "8.4", @@ -677,16 +684,16 @@ "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "91ce748803215def5fc3e0a13c3061c7a533494b7bfd86f66b778586a56f4ee9", + "sha256": "6f00425e03b75ccad2d669adf599edf5e627579bfd6c02dfd5a8b8074c9ee0e1", "type": "eql", - "version": 107 + "version": 108 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "d49a0d61c82206a76e5ea5062c272c71b644034b559db7579c8be76bb8dc36d6", + "sha256": "f7da8ec3bf0a1cd28b4e1bc7a091b73bc0f8a408eb3510bd3abc386277dca211", "type": "eql", - "version": 104 + "version": 105 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "8.3", 
@@ -762,23 +769,23 @@ "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "2f29328dabd08f923a8df391ea35c8ea653ed3968d056d71b05ae11f402b17c9", + "sha256": "7429e9a1ede15a8d3ef3f9c969e435fd27f290eba5d56942784d6b43291cb85b", "type": "query", - "version": 108 + "version": 109 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "65f575f302777f8e9f896d45ad7e2b53416d03fc3d711a6058f740c933b3e1c4", + "sha256": "ba1b29894e3714a467099698c2a7111489b3e522d59f5b61ad2f7d791d5adf30", "type": "eql", - "version": 107 + "version": 108 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "d963ef7eb139996297e8b66dc040b9ed8dd898130265bc0f428c48f57690155d", + "sha256": "2fddf303d95fc9181afbdf53833cd1e53d7499cd79cd616b07838eab1dc5f378", "type": "eql", - "version": 104 + "version": 105 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "min_stack_version": "8.3", @@ -820,16 +827,16 @@ "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", - "sha256": "6f7e78b34dbd113748d1850790a473327c1ae2f910eaed28ea59e14871d611f2", + "sha256": "c0cd1aaa9aa6759d34b3b00592c50454726fad1c02fe5887b0a6f33c1e4ef794", "type": "eql", - "version": 108 + "version": 109 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.3", "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "da818e423eb85083fbcbe6984e8f3a75595575cfe82ec3d62e8a531eb3627fad", + "sha256": "c1962ed3ad486c1c8ab7837d32854ef5d5c1026a407b61542db8e9886def0da4", "type": "query", - "version": 107 + "version": 108 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.3", 
@@ -869,9 +876,9 @@ "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "4ee6af63081a009901c6f3b4f3f314e8c3dbe15dd4d5751b7c5536708cc01fed", + "sha256": "a1c8a579032003cb718a31611540b8552f7995938b5042e9fa19a6b59d7b8e34", "type": "new_terms", - "version": 5 + "version": 6 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", @@ -910,9 +917,9 @@ "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "f58eb1cacf84d92e06f41776bcc67711b803714568ae64ad82e907c980a3c4d5", + "sha256": "8806cde9bf6f85d4dbf7c642a37a0723d2c9cda4383535560b018b1ab8eb2df1", "type": "eql", - "version": 2 + "version": 3 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "min_stack_version": "8.9", @@ -954,9 +961,9 @@ "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", - "sha256": "c9a9234db42533396f1a25a5036711a9363213918faa1187a99e65ae616c78b4", + "sha256": "f0bed76a611cf637f400967119419ac503bb528123d294a8a6b149fdcd8cfabf", "type": "eql", - "version": 106 + "version": 107 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "min_stack_version": "8.9", 
@@ -977,16 +984,16 @@ "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", "rule_name": "User Account Creation", - "sha256": "bd9e8d97604e499b249740f537c152e6e886cd82a2d77ceda0bbd4ef99ac37b4", + "sha256": "e9425321d9364d0c69d31c985962e0e5af2b19bb9d6ccea2c92aec82e0f73f6d", "type": "eql", - "version": 106 + "version": 107 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", - "sha256": "aae5d1cb44fafff6fe643a706d5eef8d83794dfae46ea638507259cb2c9bb041", + "sha256": "1a9795116a97f7bc045cbda5a8af5e8e78f0d62a88cd641583e3838f293c26b6", "type": "eql", - "version": 105 + "version": 106 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "min_stack_version": "8.9", @@ -1007,9 +1014,9 @@ "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "0b4cbcadf42c525059f293cf8894de62f587e228878dfc70d1d6aafdfebaa221", + "sha256": "38c57c420c15a1f0758f68c979f680379cd78121e64ea43be7600b11823ed5f6", "type": "eql", - "version": 8 + "version": 9 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "min_stack_version": "8.3", @@ -1028,9 +1035,9 @@ "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "d5fac2c07f8912a7aeb5987420d21df972ba3bcfda92b5c66438a6f37625e973", + "sha256": "2c7b3afb5bcedf1734a00e47303d98eb4df820d760aee5553c8e9763cfa58d9e", "type": "eql", - "version": 109 + "version": 110 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", 
@@ -1077,16 +1084,16 @@ "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "09504eee0ca293aed720134b083bcf30791788c02f630b563bfb73e34fe17918", + "sha256": "9d74966200ab76215b5f75666d8a4991c2b0147b50e7786298a59b9b037dc303", "type": "eql", - "version": 105 + "version": 106 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "min_stack_version": "8.4", "rule_name": "Suspicious Inter-Process Communication via Outlook", - "sha256": "7ac0061e940b4f3f683e9552b00466fbce21ca52e1c3a8b5e155fffed0764c4d", + "sha256": "4c8c8473db95992186d566e79adf668d651878042f01dc8c4a1de75f8a44c347", "type": "eql", - "version": 4 + "version": 5 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.3", @@ -1098,16 +1105,16 @@ "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { "min_stack_version": "8.3", "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "1d7ffe0b0cb484baa86ed92a884c1b7c1ed28b7a8d3591393beaf14d5ffe7fc4", + "sha256": "03227f8f005fd0a6e2824b8615533828cdad806c0d69e6d5f11c0504f4ceb316", "type": "eql", - "version": 1 + "version": 2 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "e1abdaaaa56dcd60699f61e183b6ee3d637065363a4aef48e49785d0f3d52a12", + "sha256": "476840872bfeccaff488dd65134b6a82f2299b815ee751a661219204e8c1ad9a", "type": "query", - "version": 3 + "version": 4 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", 
@@ -1168,16 +1175,16 @@ "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", - "sha256": "94fec9b0c4fecdb1ba512be811459a1cae6d7efcac880fc5d63a308a8f87be8b", + "sha256": "38254e10c94b71503f642eb25ccf9bd0e66542f343d369ab1cfe7cc1e0d8729a", "type": "eql", - "version": 107 + "version": 108 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", - "sha256": "f38629eb459ab9343b9f3748109d6c691baf729de86d85d83d10c0740baa869a", + "sha256": "8db003c9e7d9158d52c379347dee67ace799d72c640e8beaccdc4a3d26caf8f5", "type": "eql", - "version": 106 + "version": 107 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "min_stack_version": "8.9", @@ -1198,9 +1205,9 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", "rule_name": "Access of Stored Browser Credentials", - "sha256": "f8275d90cfe0ef660c6505002f3eb7a22afc1b4c189c9ba4e9f9dd4184dc1161", + "sha256": "3d1c5ae1b6b6134946ceb0fab3b028b7757a3cae9213e83e12d2ef7fb4af7498", "type": "eql", - "version": 104 + "version": 105 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.3", @@ -1212,9 +1219,9 @@ "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "1c23cc9b4544d51bbbd10ce33e915cb6276bf71aeedc24400651d0995cb17dcc", + "sha256": "a1c0793e46ef70df7a07d937496dac757813e319583a4835ca03b7889dc59aab", "type": "eql", - "version": 108 + "version": 109 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
@@ -1299,9 +1306,9 @@ "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.3", "rule_name": "Kernel Module Load via insmod", - "sha256": "4c816b9ebae8561e4197ef52689ef05de8036037dc74de66afdae2a9aa6a2845", + "sha256": "2cc6d7aa7add54ada5a4d8c00fdb52a0b87509638431999e633b74055b8c0f4a", "type": "eql", - "version": 106 + "version": 107 }, "2377946d-0f01-4957-8812-6878985f515d": { "min_stack_version": "8.9", @@ -1320,23 +1327,30 @@ "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", - "sha256": "7eb4bab3a9d22066a5b70d36c5d06224bd14bf207e4152a20a04bd323f5fc06a", + "sha256": "d8e20705353d3835109854dff70bf6bcec1d3cc3959cb9434fc53f2e46925c1b", "type": "eql", - "version": 105 + "version": 106 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "98913787308b752f32b96a1d2e394c59c7a0c880b2caa632f30c81842f2cb0c9", + "sha256": "707d343409c8eb1b73e83d906c6564b4401912393e9d157bd4913b267dd1c108", "type": "eql", - "version": 2 + "version": 3 + }, + "25d917c4-aa3c-4111-974c-286c0312ff95": { + "min_stack_version": "8.6", + "rule_name": "Network Activity Detected via Kworker", + "sha256": "135aee6821b8cd1ee41d9c054c4f355427b8352720b5463c6e68144a5f53830a", + "type": "new_terms", + "version": 1 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "15d66149f0f83ab636bbca6591b3cda98a98989d4e8cbca69c06725499d7fd2e", + "sha256": "e7d2c248c0ef9948b7461ecd30161e9e5fae46a1bd58ce87073cb10b5b354b85", "type": "eql", - "version": 3 + "version": 4 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", 
@@ -1348,9 +1362,9 @@ "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "0f3875681feabc9889f6f06cf0687e0b3f367b347f46f58fe88448b97c69821c", + "sha256": "22c2959b31f776a92a435478b6ab0d09b9f9faaaee332d070e0e0a5236352c97", "type": "eql", - "version": 108 + "version": 109 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "min_stack_version": "8.3", @@ -1376,9 +1390,16 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "2a8ff80cbf124d75571a8831f389c7e67129f89c0f2d1b512133a48bbf0d3478", + "sha256": "3a7e860d0d7d4932d1765d9a9890853d23ee8dbe1726f151accf8ed96efd88c2", "type": "query", - "version": 3 + "version": 4 + }, + "2724808c-ba5d-48b2-86d2-0002103df753": { + "min_stack_version": "8.3", + "rule_name": "Attempt to Clear Kernel Ring Buffer", + "sha256": "e93a1e9fd50b7401c5d62def71f3729c535a1a070f8e42194e4a2a9bfe8843b4", + "type": "eql", + "version": 1 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", @@ -1418,9 +1439,9 @@ "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "900b6c0dcc73edd29b7f8b445d08d37da743dcd1e18c5a8cc4a545be1c9e4c72", + "sha256": "9d0bcbf7b54f9ec62e6ac93c6fc9afa7729ae93e9eda196e3470f9f2ce3c3131", "type": "eql", - "version": 107 + "version": 108 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "min_stack_version": "8.3", 
@@ -1432,9 +1453,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "29566bc20e44999833de4b93b85e993bbca41d4c16ca41f5fe01ea80ad52937a", + "sha256": "748d22c0d796641d48a1bc6cc42284615cf7f1682f6204efa1dc80e97ca715ac", "type": "eql", - "version": 6 + "version": 7 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", @@ -1445,9 +1466,9 @@ "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", - "sha256": "765e6c39bbdfecbbfd3ffa1a44b4838d06c295b53d4b73143316ec99c8b3550b", + "sha256": "7812955eb756c08f5d9f17dbf1d672b0f9a1587bf4d1f8fb36bbd42fab2a4a82", "type": "eql", - "version": 3 + "version": 4 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "min_stack_version": "8.9", @@ -1468,16 +1489,16 @@ "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "a6231a8bcd050f72676f997117e09ea1f8873a178971237eb2b54404906f0c95", + "sha256": "ee657966d36d8e1dcc396dedd56fee8e5c2f1fdc6d06e0ad9dd4b9c5bc655463", "type": "eql", - "version": 108 + "version": 109 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "13c2fcb9dbaf1339d3e3b7e5fa159bc1a2875aee235776f1bb13518d49a8d738", + "sha256": "583bcc5f3c4c54715db820cfd49175943c5c77bcf448a46843c29a7dfe8a1e0b", "type": "eql", - "version": 107 + "version": 108 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.6", 
@@ -1491,9 +1512,9 @@ } }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "6f6f6175fa206cf7e0c3a47488388561ee39b49bc0b1f18f6baede4fe3ded355", + "sha256": "63b960b37cd4248376f81706924a1929775fa96a6eaf6575da361e96fafafc8b", "type": "new_terms", - "version": 208 + "version": 209 }, "29ef5686-9b93-433e-91b5-683911094698": { "min_stack_version": "8.6", @@ -1512,9 +1533,9 @@ "2a692072-d78d-42f3-a48a-775677d79c4e": { "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", - "sha256": "8dd9f5b2abfa297105040ebfc4e441af646a5bec20f8ee97a6856351c8e1f99b", + "sha256": "304872798cec74b70f3b39512a44006ab49849897e5b760c45f57663f6cbb753", "type": "eql", - "version": 4 + "version": 5 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", 
@@ -1535,30 +1556,30 @@ "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", - "sha256": "01993ae1314c912204f7b87a0999c27cd2861f56a7a0b766dd0bbe4119dc0c9f", + "sha256": "60b8604133b04c233608035975acff3e5c7ffae33d7e6f65d97cca37326561a3", "type": "eql", - "version": 4 + "version": 5 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", - "sha256": "6c4da0a89fa984f5f93fd0fa33b26bc6bee17987271ce73792eb19e342bd9289", + "sha256": "d4540f314ef044ee0c2fbf1fbfe559d927eaadd79f9cedfbad924a877eb3a5ca", "type": "eql", - "version": 108 + "version": 109 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "5d23ecdc51a103c5863a93a34aea633e2691b91c8dbeb2a3551c652bfc691f8f", + "sha256": "30fae5f472da92e741d6c44d0ad23b2c739fee3b3ccd38f73960e06567dda767", "type": "eql", - "version": 106 + "version": 107 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "86de8c98200d07e566af71b1fa99113d43b1493e4faf47609359a69d1f0138b4", + "sha256": "6240a5e2945d67deadb4e2ae6462053f9659a0144f048bc91767c92e390ffe30", "type": "eql", - "version": 106 + "version": 107 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "min_stack_version": "8.6", @@ -1572,9 +1593,9 @@ } }, "rule_name": "Enumeration of Kernel Modules", - "sha256": "2fa255256633606f39637f99e60437fd03db8f4721370c5cefa5c65857661e01", + "sha256": "11cd32635c6cb009185cf4605d2b361f086b0699c8ac390eb8bf7fa0b988192a", "type": "new_terms", - "version": 206 + "version": 207 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.8", 
@@ -1588,16 +1609,16 @@ } }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "2c9cb831e23495341a51736efbfd144c71ae76cd1e9219fdc2078d70cdbc0407", + "sha256": "02194b622839ad66b2931225a725b2013f5ba1b1ae524083ede33369dc018840", "type": "eql", - "version": 209 + "version": 210 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "min_stack_version": "8.3", "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "2235a3c31df521f4cbbff7cf12df793eb343d389777cc8851c382a1434bef647", + "sha256": "65f4f675acd03a58a2f89697fff8a4bd8c77099a91215437f4453ac89851caef", "type": "eql", - "version": 1 + "version": 2 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", @@ -1616,16 +1637,16 @@ "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "00fd95465bfe881a5dfb2b30e171b6d3addca0be3abcb66e67427c52a8e540fe", + "sha256": "0d68982c3ad2c66fe584668a2a911d7ba89c1e7a8e876b33f359f2f58a1094d8", "type": "eql", - "version": 107 + "version": 108 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", - "sha256": "3921a45db23fa07aa23f52a05c6cc6645307b5795c62c52f1ab0e7119b93182b", + "sha256": "265f859057d32706bc44115c2b619366f405b94b82a1930e01559999ad451bc1", "type": "query", - "version": 108 + "version": 109 }, "2e311539-cd88-4a85-a301-04f38795007c": { "min_stack_version": "8.3", @@ -1644,9 +1665,9 @@ "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", - "sha256": "c682c5d7a2d90176791ea60cfc2d52a941a2c145e96c42c88a6802013e6d594e", + "sha256": "7def1140f5946506db0986d62813b2d07f78ddedf08032f5bb4d2e74b12db501", "type": "eql", - "version": 106 + "version": 107 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "min_stack_version": "8.3", 
@@ -1658,16 +1679,16 @@ "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "65b15ece2e91066379c4bf4c8646bde0a3f995c713d228332c5ef3af665e3c0d", + "sha256": "63a0240e890b59f4e0d8ef6057b38f2c59f013ac31f0899372ea40782b935ee2", "type": "query", - "version": 108 + "version": 109 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", - "sha256": "bdea522d5730e3c4d4239717173a709ebc5ff118296edbcb70faeb3e62cdcc0d", + "sha256": "b5c037e4028ed9b2148058177b53b6f8cd416c2002692c954030a5797c8c08b9", "type": "eql", - "version": 107 + "version": 108 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", @@ -1679,9 +1700,9 @@ "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "1e95c5544b74d84ae96e15fafa7f0ffb9e564fa1552c02adbdf2d0bb9e68e7a3", + "sha256": "4da6b62b7ec7cb25f041951db128ea15b7b77213f4dcd6d830e9a1d1f4d349ed", "type": "eql", - "version": 107 + "version": 108 }, "301571f3-b316-4969-8dd0-7917410030d3": { "min_stack_version": "8.9", @@ -1700,9 +1721,9 @@ "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "7f96205f8ffdfb7be7c57a34dbdf149f99a13961e1477d17815ad48f85b7bdc0", + "sha256": "9648e6c27ae63c4d6b1419abbd96b927ee8834cb13bac73d2f3c36c874122c45", "type": "eql", - "version": 4 + "version": 5 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "min_stack_version": "8.3", 
@@ -1721,9 +1742,9 @@ "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", - "sha256": "2ca2ed5d2836beb7bbbfd48b039b171774baba1b8995a88ab16943fbbb170fa9", + "sha256": "daa92a1b6f43697ea1240f49a719d9b47291cfa4bfa6656460a9ede23b2d00e3", "type": "eql", - "version": 108 + "version": 109 }, "3202e172-01b1-4738-a932-d024c514ba72": { "min_stack_version": "8.3", @@ -1749,16 +1770,16 @@ "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", - "sha256": "f389c3e2a3f8696ba905bbf5f2e7cd9d651bba9bc241a8a4d1b2b38ae984e5a7", + "sha256": "9224ce80ac3a2d46b853cb988075ebe71f9cbbdc90695974a1bd7abe58726911", "type": "eql", - "version": 105 + "version": 106 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "dfea65085c4b690895eb691760b4a9025da59cecbf5c4ff242c26713ede0bb2c", + "sha256": "9c7b1be8cd662dea09651d051b6aedfa04b3380cfa9fcb294a5776f8f883980b", "type": "eql", - "version": 107 + "version": 108 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "min_stack_version": "8.9", @@ -1779,16 +1800,16 @@ "33a6752b-da5e-45f8-b13a-5f094c09522f": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", - "sha256": "f71d1a0fc2a3a9498c1c07bb8d19631c82ed04d6216b650b39cf5c767ccd0ea4", + "sha256": "e78c45bd7a967de7c4defaf1dd745c826bfec1fd5423a3925426ae981a8822ac", "type": "eql", - "version": 4 + "version": 5 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", - "sha256": "9a87c68d2c67e9d7c764bd3e0b48bc4c59f6ef3559661cf0ac814f61ec9bbab6", + "sha256": "38dc15a0612dfcb492d058cb2414f7cb66550cc57d1a90b28469f9a499391d7a", "type": "eql", - "version": 107 + "version": 108 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "8.8", 
@@ -1821,9 +1842,9 @@
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "min_stack_version": "8.3",
 "rule_name": "Port Forwarding Rule Addition",
- "sha256": "2ec830c30a80eba9d2bfb5dc78d0ce64e7eb8f66ea2f8266e666d077fa916852",
+ "sha256": "291793bdb267500bb51af75132d44acbe6c3514e74d3fac34ce187ef4cc58d43",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
 "min_stack_version": "8.9",
@@ -1835,9 +1856,9 @@
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "eb0fbd449489cc0545518f8343446262c27a6955ff5c0843713e629582eb112d",
+ "sha256": "f43b593fe851b23a69b109c4a9fd1e07aeb8374bab2d9c192ef74fc76cba8ec0",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "35f86980-1fb1-4dff-b311-3be941549c8d": {
 "min_stack_version": "8.3",
@@ -1855,9 +1876,9 @@
 "3688577a-d196-11ec-90b0-f661ea17fbce": {
 "min_stack_version": "8.3",
 "rule_name": "Process Started from Process ID (PID) File",
- "sha256": "cafe78e9310f27ba8cdcfb8fbc318a1a2f55223679ea3d91c3a0877dd578b7d3",
+ "sha256": "954fc970c7c982de04f1ec41cdd8c4c8f00fe8b2bbc5507e42e9e255d9150c96",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.3",
@@ -1951,16 +1972,16 @@
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "min_stack_version": "8.3",
 "rule_name": "Network Connection via Certutil",
- "sha256": "c532585e329cfc2a78418e835c1c40593c75045ae9725cbc39486ac6a9236bde",
+ "sha256": "574966e6333af6f15b7e801105f1325ba602693577dd5b5c77c6d1821abdb360",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
 "min_stack_version": "8.3",
 "rule_name": "Prompt for Credentials with OSASCRIPT",
- "sha256": "04689f3ff304d7f32e7686e38a520a66df28fb8ee9d2e13149768a9667183188",
+ "sha256": "7838d2f36bacd85c4a8333291f41d0755a4918b3a06ea5b7d88eb8a7e29dd8fc",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
 "min_stack_version": "8.3",
@@ -2002,23 +2023,23 @@
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "6f54ba0ae7f973881e6d519845715c8888960f217bdaffbbbcabf2ccd305c49f",
+ "sha256": "2d7c95cdf099081d29fe694938ae75a1e1e05d03d14e2314b91abcf074cb3d2a",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.3",
 "rule_name": "Potential DNS Tunneling via NsLookup",
- "sha256": "fb96d295d12b3d405dc93ad509f792885c4e32bb760c7518b005755a6ad6acb4",
- "type": "threshold",
- "version": 107
+ "sha256": "1feb23973523f2629afbcfd02fc9042a94493d897f520c7db2799fb1f9e27af7",
+ "type": "eql",
+ "version": 108
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Module Loaded by LSASS",
- "sha256": "5daa50c7701a3bf0e4c82229b8fb7696df740f0bf74dd874a9283b541715f970",
+ "sha256": "94f504dbd294572829f124578db222617f24279fa9d20443db1c7497f5f167a5",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
@@ -2050,16 +2071,16 @@
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792",
+ "sha256": "373baf17283c276e152b141c68c56eee4698cd1a52b9fb64f8343325b5e7d7b0",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.3",
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "691edf20cc218616ece6013dbbfe102d01c87c91cfd3bd49ea126eb3830c5982",
+ "sha256": "4ff0e24875bfb35972c6017f875f3f557a82affb8d01f26b1e841de629d3f418",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "min_stack_version": "8.3",
@@ -2071,9 +2092,9 @@
 "3d3aa8f9-12af-441f-9344-9f31053e316d": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script with Log Clear Capabilities",
- "sha256": "ad925532e35677e84cb73970b142002377617338f4574eb6ca4dbd7bfcdb37a7",
+ "sha256": "d2820917e295f70cedcc97c012d7e6f4bfa4368d8a77e79023225614feb95c7a",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
 "min_stack_version": "8.9",
@@ -2105,6 +2126,13 @@
 "type": "eql",
 "version": 4
 },
+ "3e12a439-d002-4944-bc42-171c0dcb9b96": {
+ "min_stack_version": "8.3",
+ "rule_name": "Kernel Driver Load",
+ "sha256": "bf54a568cf07cb6372551ed2c315a350fd80ec33811327aa6c5473d64f5aa928",
+ "type": "eql",
+ "version": 1
+ },
 "3e3d15c6-1509-479a-b125-21718372157e": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Emond Child Process",
@@ -2122,9 +2150,9 @@
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
- "sha256": "34be040a61351672e5b29280ad568cf664732a1ab9ae5ac0b32bdb72b49f10f1",
+ "sha256": "09ed4561cb386a7b90520c318b820066f354c61f1b5e023d10563ad64a035c2b",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
 "min_stack_version": "8.8",
@@ -2159,16 +2187,16 @@
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "2bc6f32144a2b110dfc14493dc5930b3aa2c23ca7d00b46924c2643ac2d73c45",
+ "sha256": "cb2bfaf035ed8f6cda1b9f14af8ef78a36f0984d1f3d5baaf375ba1bdfd833f2",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "min_stack_version": "8.3",
 "rule_name": "Binary Executed from Shared Memory Directory",
- "sha256": "511ca509d7faf58b68373d12932edd1aef607c53de1314647b3764b976fb35fe",
+ "sha256": "a99ea10f8baeb92b2c9e2c4363393f2718bab9daab338ce36617565d14e8a3c8",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "min_stack_version": "8.3",
@@ -2210,9 +2238,9 @@
 }
 },
 "rule_name": "Suspicious Modprobe File Event",
- "sha256": "c6ccd9c0ba411da8142f15ca71dd04dca27e1ec82b527324439621b449f4812d",
+ "sha256": "adfdf5e7e2b042ce698eaca7b4100de49ad0b439725a5ae9ed2da41b4164de0c",
 "type": "new_terms",
- "version": 103
+ "version": 104
 },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
 "min_stack_version": "8.3",
@@ -2224,9 +2252,9 @@
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.3",
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "1de1e9aa9030d56c6c6629cd92e3ba65d61bfc9063b76ea2abe412899a224d3f",
+ "sha256": "88b7f3edd6dcf39eb51d9ad50f608aae26b1aaaff95adb1f19b6565abcf8d9e1",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "41824afb-d68c-4d0e-bfee-474dac1fa56e": {
 "min_stack_version": "8.3",
@@ -2268,9 +2296,9 @@
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.3",
 "rule_name": "Process Creation via Secondary Logon",
- "sha256": "ede0c21a7bcb75d8f44e0d0a869533c261bd3c91323dd5eef691534aefb54675",
+ "sha256": "65781e6a82dfba3a861174decf22fa460a0930a12169646ca3d6d4aa7eaa7c6a",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "min_stack_version": "8.3",
@@ -2289,16 +2317,16 @@
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
 "min_stack_version": "8.3",
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "3730f04f7a829d9ca0f149c00ebd1c6cd07226bad5915f6295d82656e40bf5f8",
+ "sha256": "8b01aed5f72d886c28700069c04c106550f8803094c43e8fb5f458bba3e843ff",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.3",
 "rule_name": "Startup Persistence by a Suspicious Process",
- "sha256": "c1524c8e450507403654a2f7bbdc7609ef590afe3fb8de408270d3c012559b54",
+ "sha256": "dd409ade4fd40ee77479589620573779b153ec9c46ba6ecd32a0b3878b417730",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "min_stack_version": "8.3",
@@ -2317,9 +2345,9 @@
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Vault Web Credentials Read",
- "sha256": "3338f91573d9f2de9fec741a8de8feac5f2b0486ab6c185b94f5f37b938c89fc",
+ "sha256": "d1dc99f54476ef81bf7b7a1b8a5ea2e40a3c58ee6cad0f93459808bc06d3fae9",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "min_stack_version": "8.3",
@@ -2338,9 +2366,9 @@
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.3",
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "576f44e57f57bcc5a260380c704c2c253b9f8fcefa472e5b4339b0e138c9112b",
+ "sha256": "87876e96cffd8fcaa7701a062020cde8d6ada8f48aeed13a7b7153b0274318f5",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.3",
@@ -2366,9 +2394,9 @@
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Persistence Through init.d Detected",
- "sha256": "c231805a854c98302dcc5c774688217904e4960a000e193bb04158fac9a0b743",
+ "sha256": "bac9e6b18e0ec38e0b8930bb9402ed0d4c8000c06cacaaabaa388556a67dcb48",
 "type": "new_terms",
- "version": 6
+ "version": 7
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "min_stack_version": "8.8",
@@ -2380,9 +2408,9 @@
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "264b7c418b25b248ad38bc172ac651d639a720a652fba044e02596419b889ef5",
+ "sha256": "b3e13c97d0c0bff23ce9255d93a0a60d4aed4d262d14236423927bff1458d583",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -2400,9 +2428,9 @@
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
- "sha256": "99db297efd0e9e1c456c8eaddae105366196554aa82301813ee7a4aba19911cd",
+ "sha256": "639eb15abbef368443484e39fabea441656acc3ae63f1e516bcf0809870d0297",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "48819484-9826-4083-9eba-1da74cd0eaf2": {
 "min_stack_version": "8.6",
@@ -2414,23 +2442,23 @@
 "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell",
- "sha256": "b10222772b435ef7d9cf4dfa4b50a492a7900cc176fdf11e901159c69d62d2b8",
+ "sha256": "63175dac732fef15d41d1dc2201b78948d69e4bb32c1409f60fb541ac7831b56",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure from the same Source Address",
- "sha256": "1ffc6db4a92f04db97e68bfd6a7d7ce6b90f4b4ca3accb51924be0ed5ebbcd9e",
+ "sha256": "b4fb37e1e7527312d0819a95373e8bdd68e9b4b4f4cbfb074007c7fbe3cb736f",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "48d7f54d-c29e-4430-93a9-9db6b5892270": {
 "min_stack_version": "8.3",
 "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
- "sha256": "31b89667c022bf5310c60d364fc7c26136c4e66d8287d9bd7923dc18b558b647",
+ "sha256": "50e43811992464777ede6c447f47e0331e4022df0f013c9e69d644081c56d93a",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "48ec9452-e1fd-4513-a376-10a1a26d2c83": {
 "min_stack_version": "8.3",
@@ -2456,9 +2484,9 @@
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Backdoor User Account Creation",
- "sha256": "333fc1776029a4e23f0c6df62d3370c335760abb4aa501be982831e2e71341d7",
+ "sha256": "5b5bf047bef61d90083e4c43c267c4ec7b4769ca32b5928ea33b8ddd31fc7530",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "495e5f2e-2480-11ed-bea8-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -2500,9 +2528,9 @@
 "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
- "sha256": "42573412f6b2d0083dfd8c9fc5945f654cc818d4cea60939076a6cf5967a2b7d",
+ "sha256": "854656d39824472174625ba831a52a49485204da2450fdca9db0362d785b2ca6",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
 "min_stack_version": "8.3",
@@ -2514,16 +2542,16 @@
 "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
 "min_stack_version": "8.3",
 "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
- "sha256": "c71a551642317ffccfbd85c414cc689e14d3a2deea09251aa8ac9895963bb204",
+ "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "min_stack_version": "8.3",
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "d7c419a09a28e530daed1534d397eb968d8b4695f1798649928228865fe7f1bd",
+ "sha256": "a04f9f214a8657301ff6f4a703643d13ac53077379481968c70e4bf2cea816a6",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "4b4e9c99-27ea-4621-95c8-82341bc6e512": {
 "min_stack_version": "8.8",
@@ -2549,23 +2577,23 @@
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
- "sha256": "dccb06c47c184196bb7064a9ac9d5eaf589159eb7776ac44300650a960c9445c",
+ "sha256": "502fa24c53c1494b06d2a0ced551622a637c45233b440fc68dc1742cd299071b",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Share Enumeration Script",
- "sha256": "0ad222085b8d696dd4df1055275c7fc6989064286734182865e772fbd8aac3c9",
+ "sha256": "8912807ab7734bcfcf236a07a04964d896253b8066febf03afd16256f013020e",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "d4da085e36a4b1a471325f7c34f050486db0b5900302611bfda3c2d85305028b",
+ "sha256": "53f533ffdd9d2d9f7c1a5cba374de00d7db74d814cde9706d3750390086f3c78",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
 "min_stack_version": "8.9",
@@ -2593,30 +2621,30 @@
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "min_stack_version": "8.3",
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "cdad95a52719987cf204d9063951cbe05b1e08a28f4d91b3cf8f5d5aa48800d2",
+ "sha256": "6bb389b8e69d040d951bc64627e254593b1ba372685398e81c21eb814dd51b62",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure Followed by Logon Success",
- "sha256": "757d9270f22b3d376359ff570598911b4adcd81a9ca69970386248e414f5ba13",
+ "sha256": "1c8451ec310e430b6d2658e6aa679415e4b0556d560352b9d484325e46721c23",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Process Spawned from MOTD Detected",
- "sha256": "ed16c35ba79c045b3ae6cd2406ac39e5ee143767a2f8ae4a0a8ac6fb738b16c3",
+ "sha256": "2e853ef0a4b3eea2270e8d8fc0910e0cfd526c79682e1776dbf7500c6d825341",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "sha256": "05f50e5500930fb6e8ed1646e88db67b24a1430eb1fb589bb9976dd052f0f44d",
+ "sha256": "a1c46d81fd67c7642daa17b16bf816cde74efe2dfaee7d15579ef7111e42b7ee",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "min_stack_version": "8.3",
@@ -2644,9 +2672,9 @@
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "1717dbef17fd0507846473218f580ffdf11e5ba35497e2beb391d506d75289dd",
+ "sha256": "675fe51d000d7b660cd1a39a19d74d93f2ee7341be001e5ad5e10cd547cdf869",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "51176ed2-2d90-49f2-9f3d-17196428b169": {
 "min_stack_version": "8.3",
@@ -2665,9 +2693,9 @@
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "d098bba4900b382c6cd742182baba85a01b2337fbd4ff36da2bc9fdf6b408b7c",
+ "sha256": "6f0e1ffcea5865ac47fd6f0f59001b4cf947d26aefdeeb3eda27d545d84820e3",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "min_stack_version": "8.3",
@@ -2693,9 +2721,9 @@
 "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
- "sha256": "4111de70c21f8c5461da2f1b30720b9621c857bc8526b1d4e71bcc108b95c928",
+ "sha256": "d6684969f3393c5d0071672900ffa3557f7b96875f0fb073ddf04801bf9fcb4f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "min_stack_version": "8.9",
@@ -2716,9 +2744,9 @@
 "52376a86-ee86-4967-97ae-1a05f55816f0": {
 "min_stack_version": "8.3",
 "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "0076c9eafb579f6fb93d35d66309a205f3d0912a8b7a302ea2e917e5e04dd2f8",
+ "sha256": "24bd83686da07cb3f3459249f9eb34318aaa69517e06082b9df92f5456b93485",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
 "min_stack_version": "8.3",
@@ -2763,9 +2791,9 @@
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "min_stack_version": "8.6",
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "1fcaecb0c8b60fb9a393726f18411473957d935a9676d2e345121e3f07f5c200",
+ "sha256": "a4ae81b9425df791d01fc8bf3060f56f1f40fc0dbdeeb4756b36b8f1562aead5",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "min_stack_version": "8.9",
@@ -2790,12 +2818,19 @@
 "type": "query",
 "version": 102
 },
+ "5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
+ "min_stack_version": "8.10",
+ "rule_name": "Statistical Model Detected C2 Beaconing Activity",
+ "sha256": "852b52290a8f1d6864befff3b58e40a57c50f4a30a58d4415118a26871b6c013",
+ "type": "query",
+ "version": 1
+ },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "ddf1b60a6118bc0c50833a0f13cf88f3838ebcc8f0f60d42ad91bad81b07634d",
+ "sha256": "740a3469ba041ca4f12509b7a293c6506daa3b69237686b4d407c20e3300931e",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "min_stack_version": "8.3",
@@ -2821,16 +2856,16 @@
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "min_stack_version": "8.3",
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "ad743cadda3e3dee154c726922e4f4e1ff0a7b26c8c350d7084d477e65e4a1ef",
+ "sha256": "576b851afcf1857641d4f721b18a5617a334cc07ab3d60220ac1a8c5fc5ecd46",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Service Installed via an Unusual Client",
- "sha256": "bb2c6c314a9f328d7f500d24c4a54ed4f6aca50ffe834082341a97d3659c9902",
+ "sha256": "837622000e1ecb3a269462a17f996c294b62888bbbd19f9585ad12521b4326a3",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "min_stack_version": "8.3",
@@ -2870,9 +2905,9 @@
 "565d6ca5-75ba-4c82-9b13-add25353471c": {
 "min_stack_version": "8.3",
 "rule_name": "Dumping of Keychain Content via Security Command",
- "sha256": "b9bee3578c8c5581f2c86ddb1bcb84c7929ed4d44a302adae4ec5a7ff74ed6a0",
+ "sha256": "56cdf3c97b7ed30414d2fc5ed2cdb95c0779392ef7347954cf3f3e6be61600e7",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
 "min_stack_version": "8.3",
@@ -2884,9 +2919,9 @@
 "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell PSReflect Script",
- "sha256": "8d62732e2d51a8e4d9e1d8705b48e82534ff622c316a9d2a217a2765ae84e988",
+ "sha256": "b61f13daa6709718b5efc18e44952a5b335d296a74a6958432dbc67304d4c731",
 "type": "query",
- "version": 108
+ "version": 109
 },
 "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
 "min_stack_version": "8.6",
@@ -2928,9 +2963,9 @@
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell MiniDump Script",
- "sha256": "c0d675ffa38a191db718cef276121a40567626d3b4c0fea4dd9edd038d2d216d",
+ "sha256": "35dd040100009d246bc9f9a4dceafd8567877a83869db407986601d55633e369",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
 "min_stack_version": "8.3",
@@ -2942,23 +2977,23 @@
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "min_stack_version": "8.3",
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "f0914d5ae89b3f5372c087cd0c5983df509da91941322047aaad22d445cfb577",
+ "sha256": "1f51a18c5b7294c2940d6c10a4cf3140689a2b6d361f967a6a5b091240ad4a7d",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "min_stack_version": "8.3",
 "rule_name": "RDP Enabled via Registry",
- "sha256": "a599e437dfc14b51f8ce6559e5595673b50429581388655e03d7999961ec6cf6",
+ "sha256": "ce293530acf459b922e5fc59532707e9f1aa5a0c2d302c835cc83e427a9937af",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "min_stack_version": "8.3",
 "rule_name": "Zoom Meeting with no Passcode",
- "sha256": "98a47d996a6d80939cb7222d643873b69ba45d90457a2cc0724ea08c3a889bbd",
+ "sha256": "bdc5d37d933591a9e749303f4d0da889d2fd76c0cc51bec4152b74f1518bd85e",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "min_stack_version": "8.3",
@@ -2970,9 +3005,9 @@
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "04c918e4a5b742f9df828e957a708565731d36df760ffbf94a8dc6f331539f7b",
+ "sha256": "304917eeb1af9702d87f54af173823bfcc8f3c5dd3212076b77290bce0667d28",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "min_stack_version": "8.3",
@@ -3014,16 +3049,16 @@
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "21be01742858a1db7d297c338482f5a580a441699ca10d99874c0c9e24f50499",
+ "sha256": "124e2a2505d5c7c0a21c7253177b086db714b6d1ae3ba8ea59bbf20adf715237",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5a3d5447-31c9-409a-aed1-72f9921594fd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Java",
- "sha256": "78ec1a1157f2afe9c030908365e734669d12f566fd1992245244eb8def7d4314",
+ "sha256": "9aed8f99e318764fbd5eddbb31ec2b2f68e3d1f169f6b441ab560dd2a7a9e36f",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "min_stack_version": "8.3",
@@ -3042,16 +3077,16 @@
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "min_stack_version": "8.3",
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "cca11b1e320068fb951e6be8baba9a7f49cfef803b613bda1ccaea95922f3a00",
+ "sha256": "7fa5c6ec0c42f301e37556a06ef4523f6ce815cae9e248f5928dbf04495f7c47",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "5b06a27f-ad72-4499-91db-0c69667bffa5": {
 "min_stack_version": "8.3",
 "rule_name": "SUID/SGUID Enumeration Detected",
- "sha256": "484f49639b052fc38d358f83984230e1a524fdb9d60f221668f8fe55b7485c50",
+ "sha256": "41cd9d8a7f6fb679feae8b8bfb68140693c08e8c276e33b6eeb919788312d60a",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "5b18eef4-842c-4b47-970f-f08d24004bde": {
 "min_stack_version": "8.3",
@@ -3070,9 +3105,9 @@
 "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "6a00941904d85936d537193bcc28a4a4550b2df62bebd6ec46deb6e7479b87da",
+ "sha256": "4ef5a001820e5135ffd557947919a55c875cd3a75ed5f351507a7f3c9e06c77b",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "min_stack_version": "8.9",
@@ -3093,16 +3128,23 @@
 "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
 "min_stack_version": "8.4",
 "rule_name": "FirstTime Seen Account Performing DCSync",
- "sha256": "1021f7351d5cc378ded4585010e7ba4b057a05fab6f8e42157c6facf422bf6ec",
+ "sha256": "6d5bf9fe5d4e6cc423f1a2c017576e9714f20baf6d4fa80d1bdf31e37e1e7267",
 "type": "new_terms",
- "version": 7
+ "version": 8
+ },
+ "5c81fc9d-1eae-437f-ba07-268472967013": {
+ "min_stack_version": "8.3",
+ "rule_name": "Segfault Detected",
+ "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
+ "type": "query",
+ "version": 1
 },
 "5c895b4f-9133-4e68-9e23-59902175355c": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Meterpreter Reverse Shell",
- "sha256": "c29613a13876b018582e791f2843e3b12181e06c36266665efe4711c52945024",
+ "sha256": "a6d98ac9e83fe086450761623ed3be2ecb0ee7a1cc965b3334fe3f9e226a05f2",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "min_stack_version": "8.3",
@@ -3114,9 +3156,9 @@
 "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Defense Evasion via PRoot",
- "sha256": "a4e1f03bf2a4863f8922d20b5ab31fc5fffea4c27e35c47e61634b492dba558e",
+ "sha256": "178b04d6fc23202ec48ba3400969daf969f8d4985439414241705f5d43766ae0",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
 "min_stack_version": "8.3",
@@ -3128,9 +3170,9 @@
 "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
 "min_stack_version": "8.3",
 "rule_name": "User Added to Privileged Group",
- "sha256": "3d850464bad4437221f6f350a9c2e8a26592a38e76229d1756195368d05aab2c",
+ "sha256": "7884adba746a934e4698623cb4c2553c24162fb3cb42176f7939bd3b0abb7ea5",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
 "min_stack_version": "8.3",
@@ -3142,16 +3184,16 @@
 "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Login or Logout Hook",
- "sha256": "336c261b171bb4cfc280ac1c4170fc07388cd5b96c4674694bdc7108ccaf7b18",
+ "sha256": "5cd203eee04afdcba2fde9accdf21b565daaa0b4045828ae0000738b5bb25a43",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Execution via Scheduled Task",
- "sha256": "f99460b7128f713e96cead9f3d34cf8f19a3561e1e51d86f60ca99f765d7d93e",
+ "sha256": "ee93ccc7c656e52fd7841c8332e970ea5217ce16621e6044e8fe23e5c775ca70",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
 "min_stack_version": "8.3",
@@ -3220,9 +3262,9 @@
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "123e32643dd7c3052f52ade724c9c93759749d28fdb592ffbdccec9ea688d1a2",
+ "sha256": "a2efc8419825dff241841f4cd67f7a4249150821200aa74a49a973b274ba1b66",
 "type": "query",
- "version": 110
+ "version": 111
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -3233,9 +3275,9 @@
 "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
 "min_stack_version": "8.3",
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "ac85da0bd50146a9acd21f199d77bcce98ff857d768071bb894e26118b26a239",
+ "sha256": "0c65d784e165a4fcbc42ac4338574c946caae6bd23afccceeb079c4f7346a467",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "min_stack_version": "8.3",
@@ -3303,9 +3345,9 @@
 "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
 "min_stack_version": "8.3",
 "rule_name": "Network Connection via Recently Compiled Executable",
- "sha256": "b277d6162b8343013d1498f692467e7cec38348da2ba5058ed1fd1aebcc40eaf",
+ "sha256": "b50544cddecd269cc3a27814bdb19f3f1683fd8dcb3d2967588b2d38e487eb96",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -3332,37 +3374,37 @@
 "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Mount SMB Share via Command Line",
- "sha256": "40c37dec53eaaed25df091561d4f9e4a2c8417d1dc82cf070db4fe72793510d1",
+ "sha256": "4b0aa397b2a5a31b54907a49393ecd97e46a33ceedcd629218f8f7175ccb86b4",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "6641a5af-fb7e-487a-adc4-9e6503365318": {
 "min_stack_version": "8.5",
 "rule_name": "Suspicious Termination of ESXI Process",
- "sha256": "2d5c0856617f70f9ed2e5835c40dec8304a2290370c5414745c806fde457e583",
+ "sha256": "0e3ded27dacf0a1e45129b4113f2ffeeff96888a708939d266d839584ea1431c",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
 "min_stack_version": "8.3",
 "rule_name": "WebServer Access Logs Deleted",
- "sha256": "b3eaab822d17ebdb4ba051295077d3b54352fe5c633183047aaa1169ff1732d5",
+ "sha256": "03195d08eb16678c89d37803e31e7a409256687ff2402dfe25c3d36759a3ee10",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
- "sha256": "de1f883c87b1b49ce0932b95dd0ebaabede9c5334b6f18e2222c3fc3a5628bec",
+ "sha256": "fb115e87e89044c32e58806b7d33104eb2b1ee8f3db90054d8643f6d6804f05f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "min_stack_version": "8.3",
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "4c82661472cef610b0a6a24cb6654b4f11869bf4401d656eaa68c78289f66302",
+ "sha256": "d7b20d3341cd184a82b2bd8a88373bc4fb3a7cf01c5073cb059c987420cf3d9a",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "min_stack_version": "8.3",
@@ -3381,9 +3423,9 @@
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of the msPKIAccountCredentials",
- "sha256": "086eafbc984aa6480575297071ab4771019ea9eda87148c85e6f2eb40f7674f0",
+ "sha256": "971d5caa27171542c27406ef2aee1d385c7010cdc026d2ef226d4ea1346ffac4",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "min_stack_version": "8.10",
@@ -3433,9 +3475,9 @@
 "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
 "min_stack_version": "8.3",
 "rule_name": "High Number of Process Terminations",
- "sha256": "21d744da94221fcbec162dddffe8794cefc8fd26321d770c472b47093b28a95a",
+ "sha256": "588f2aa6d820fea6e191906cb8791cee0b8a293222a681b6cc4ff1c3ff8f8ff6",
 "type": "threshold",
- "version": 109
+ "version": 110
 },
 "68113fdc-3105-4cdd-85bb-e643c416ef0b": {
 "rule_name": "Query Registry via reg.exe",
@@ -3476,9 +3518,9 @@
 "68921d85-d0dc-48b3-865f-43291ca2c4f2": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
- "sha256": "6223d04f4e618351c760d259ecbc3d42c8da22daf8a9bd58497228d13304bab4",
+ "sha256": "cc263ea8f46aac31f4c4fc112a7dcd7ff453c89fa45066ec2569deff91b85ef5",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "68994a6c-c7ba-4e82-b476-26a26877adf6": {
 "min_stack_version": "8.4",
@@ -3522,9 +3564,9 @@
 "68d56fdc-7ffa-4419-8e95-81641bd6f845": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
- "sha256": "0feac3bd75fcc2317ee0e9e91a7f2f35063c0c5a62b5c47076545998d3ac12ae",
+ "sha256": "cb8466c3025fb4f8c5556eb62e311c02c11b56950756e170960f6bb8c9684090",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "6951f15e-533c-4a60-8014-a3c3ab851a1b": {
 "min_stack_version": "8.9",
@@ -3561,9 +3603,9 @@
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of Boot Configuration",
- "sha256": "8d25051f7633a37c4b90403be6fcde6352db2dc292a62a2098620fafb843e26c",
+ "sha256": "a66226c5678227263920328ccc24dfca32a0620f02290922dff137101e01a7df",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
 "min_stack_version": "8.9",
@@ -3584,23 +3626,23 @@
 "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Service Host Child Process - Childless Service",
- "sha256": "d6efd876704aecbc61e32f00bc3fc87660de3486490102dee717f3cafeef34ee",
+ "sha256": "79a34adf5b2d2e77e4b9db0d019c6af379cfa51e10a016385e4127e496667530",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "6aace640-e631-4870-ba8e-5fdda09325db": {
 "min_stack_version": "8.3",
 "rule_name": "Exporting Exchange Mailbox via PowerShell",
- "sha256": "2094e45cb6acf5514345f45de5980fa93856dbe2564c14cda824cfb92609fe9b",
+ "sha256": "482861108067248f10161a39651726c2df97b6d2e8b7c5952cded1053b172ac9",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Utility Launched via ProxyChains",
- "sha256": "36f237a42a890a47fd41636119b3f4f6cb483699638fa0570dee4cc7ba1bdd6e",
+ "sha256": "f455bea3a4c14a782b77a9cdb3ec5213825e368ccbdf1c2a55bf0522cd28dca1",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "min_stack_version": "8.6",
@@ -3614,9 +3656,9 @@
 }
 },
 "rule_name": "Sensitive Files Compression",
- "sha256": "2665a4bfaf61af8a5033e6aff2ce6950c77fc795eb6bba42b6b5064e84fa8841",
+ "sha256": "f67a0194e92a6a62746f2344bc677d6a37e9b34cbd8ea2bc5bf99dc15e4050d5",
 "type": "new_terms",
- "version": 206
+ "version": 207
 },
 "6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
 "min_stack_version": "8.3",
@@ -3635,9 +3677,9 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "6c77473acf3dec0fc8fd9d0d2f4a0de620f5007008bf85e61fc224fa1087b63a", + "sha256": "fe55558d2f4c218f2fdfdca871cbaff991aabeb33b6622a44fdefd4d8ae81963", "type": "eql", - "version": 105 + "version": 106 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.3", @@ -3649,9 +3691,9 @@ "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "min_stack_version": "8.6", "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "0a052fad94510f59c9efd5ffec0901831516c7ea937d86e3532157035d86466a", + "sha256": "d76c1108876f14e891d2625826f200b3eb225ace76c842c366b24949e9c28f73", "type": "eql", - "version": 2 + "version": 3 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.4", @@ -3677,9 +3719,9 @@ "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "min_stack_version": "8.3", "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "5049be04a29a5554df2ccf242d0b225a72316ad6e31acf19295f898d1ed96774", + "sha256": "4bcdfcf964b59e07e704d0ae1768231f6895fdeaf16019ec2530b3fd1e908b6a", "type": "eql", - "version": 104 + "version": 105 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.3", @@ -3691,9 +3733,9 @@ "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", - "sha256": "7400438cd326b5fa5137479c92eb2898c709c3338757a1f631cb718de551a551", + "sha256": "f6dfe76cfea61ba2324b275dcd960ad3daed43c02c2cddc708af6ef3f3937ae8", "type": "eql", - "version": 108 + "version": 109 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", 
@@ -3704,9 +3746,9 @@ "6ee947e9-de7e-4281-a55d-09289bdf947e": { "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "9a958c72f2b71c12da6147cd83e0d798c1e114b362bd577b27f0f921b0a13465", + "sha256": "466d37f1b0c5665f804109f5ba5eeb6e361102da2c027522a5cc3ddec2a83be5", "type": "eql", - "version": 2 + "version": 3 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", @@ -3808,23 +3850,23 @@ } }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "72fea82152115abc97ea9e34b7e9bf40be8d5af11313625404f62dfcf5ca61e1", + "sha256": "ee370bb455e172738e8297e76bea0e3601dd176b407bb84768a2db8181e6ed4b", "type": "new_terms", - "version": 207 + "version": 208 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "9f0f49705389e6d3d70937bb6c9f6947b3a18dfcae7e1cc504c66380348e68ad", + "sha256": "460b042ab7e9d150c7f94a033204c22f67fdfe53c7425fedf71ff3765653154e", "type": "eql", - "version": 111 + "version": 112 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "d442a3b1c1b313c54f0bad14de16f98cd68ae8ada5e87c99e8c29aabe78f2d7f", + "sha256": "89ab2e24c739c528f048080597db9f446386a62730ba1e392eae623512e2ec6f", "type": "eql", - "version": 105 + "version": 106 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "min_stack_version": "8.3", @@ -3865,9 +3907,9 @@ "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "6936c736181dd010bee7cff6349ca6fd1495ff2e37f3c814d03edcec4f025dcd", + "sha256": "9f5997c2b0fe4dada04cf6f3b344fbaddbe1f19800ee466dd053e2f7cb2879e5", "type": "eql", - "version": 107 + "version": 108 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.3", 
@@ -3902,9 +3944,9 @@ } }, "rule_name": "Suspicious Sysctl File Event", - "sha256": "cdae4cce31893b3eb3b3a3472011e11708a7c9e1fcf4410bb88e18a099a94361", + "sha256": "c8fa3c2ccaa18f3f2c9e8646cd67af9b2878616c81a2bc734f64af0e6f293d9d", "type": "new_terms", - "version": 103 + "version": 104 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "min_stack_version": "8.3", 
@@ -3946,44 +3988,44 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "d2e53030dc005a302f0b5bb530360d58ce429809a0ed1827bc6d5b89de8b351e", + "sha256": "665e0cbf656dd660a585342d9ca129af8624f7d4926bd110ac065ffa8c2a1895", "type": "eql", - "version": 8 + "version": 9 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", - "sha256": "a3536eb13408e7fc538952bee75a1362e3be277b14f1edc18c2f63fda3f5f08c", + "sha256": "799b4669a8e13bfbb627ddec54045adfc695820ba3e46b6dd098a33d9bf72da8", "type": "eql", - "version": 107 + "version": 108 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "d839f2d7fbce2eec0bc89c413ad6e482595c60d724f25203e08424a6fd768cd2", + "sha256": "244ab9baa1c9c448b5266b5f61c1aa9a0a2ff4c56704e282a654e2a42221e5f3", "type": "eql", - "version": 104 + "version": 105 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "ee743b928b61e259c3e46fce5b16400121f6ef6affdc122ea1f47e9a199900ea", + "sha256": "2f44d242c4986efb3033aea6b16548ece740afab086c732a010c52b375b323ec", "type": "eql", - "version": 5 + "version": 6 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "df53ce37b5877a6a26f2e5b7d78d60000048e5eaaa3d152f9ead7ef84d700a19", + "sha256": "0a25436ab1e2f5bac3e48c5faeeda31383d3a1d24fa948ba070025f02583a311", "type": "eql", - "version": 107 + "version": 108 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "863f7c79c8a07dbe9f74d5dd1ecb111219e82a3039c95ed6d56de800b2e13c69", + "sha256": 
"d09566023f3a3ae877ed4d879c94ce1f4165ef8c664e0ef6794d43385d49cccf", "type": "eql", - "version": 107 + "version": 108 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", @@ -4083,9 +4125,9 @@ "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "4ac2004e028233a74da95a3da67e70091128c58db82ac8df61b7cdbc9b564671", + "sha256": "5b2bc83ca0b1db8a3ce856ff7e859f4fec413978c1f0ddcd4886820fe2585e16", "type": "query", - "version": 106 + "version": 107 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", @@ -4096,9 +4138,9 @@ "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "d77a6da669fbbb4406a59bd7061baf788f0f9fef20b43321c6fcfbb00a24690b", + "sha256": "37b23adf3530355a483eccca0d78d8bb47a4e3700e5cef77ef45018e2b92ecbb", "type": "eql", - "version": 3 + "version": 4 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", @@ -4125,9 +4167,9 @@ "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", - "sha256": "a02a471585a3b5aafa89be56f312db81bad278d8eafbf7463f73cfdebf9c80bb", + "sha256": "1393d48866e1f5b0f4b57ee571029deeb6d2324314b1a1f037389847bb510a15", "type": "eql", - "version": 108 + "version": 109 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.8", 
@@ -4141,16 +4183,16 @@ } }, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "29e6369ddb5da23c00355cf063d8da8f8dc008a9cd28b2d2f6324d8b9618c53a", + "sha256": "f019fa7b9d9928dde2726f094f938de608d17db63b48a3250216ba18df59aa50", "type": "eql", - "version": 206 + "version": 207 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "min_stack_version": "8.3", "rule_name": "Tampering of Bash Command-Line History", - "sha256": "87fe7e562ce227a8493a541cc86e41d99ea61aaf827cce77b997f82c7a94c935", + "sha256": "85f902935229ecdf379a249362b9275a5392b2e83a4012e4302c874e93861074", "type": "eql", - "version": 103 + "version": 104 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "min_stack_version": "8.4", @@ -4207,9 +4249,9 @@ "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", - "sha256": "94cbc646d3a0879e403b786c2c25535db4aebbd67a3f041a8bf43b206462b8f2", + "sha256": "74881e97ab7721a1e539586fa0f192f38d25d7565c81928c9a8515daff525604", "type": "new_terms", - "version": 6 + "version": 7 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "min_stack_version": "8.6", @@ -4223,9 +4265,9 @@ } }, "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "bcfbab89662a36049bb509952b29602fc3e552bc91c4f6851b183c3881604f7b", + "sha256": "9328c54c32125014fec6bdbd75bf9d2b513fccfc86f1ea0a04e8ca44d8a6a097", "type": "new_terms", - "version": 103 + "version": 104 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "min_stack_version": "8.3", @@ -4287,9 +4329,9 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "2a512f65b3d174a8cea1e7d419378e4fb46c850bc7e3a514409f3093ae43dc92", + "sha256": "c3b7387b5dcfde107b183b9113a7218cc9cb00b15d06c8d637eee902809f04a3", "type": "query", - "version": 109 + "version": 110 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", 
@@ -4301,16 +4343,16 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.3", "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "761723a38f1f9d88a679524aa3ccd687c0cfc74e3b66a8bd2e62807a050d44ea", + "sha256": "9674dc1bd6cc5c17c8038a4e71b92f2737ef72aa1601bbf05b06fe0d5fb2136e", "type": "eql", - "version": 104 + "version": 105 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "1dd8817884ca577039baba5ede3be91c85119efdb77f580810c95c223816ebcc", + "sha256": "11bd5d0b943d146c2e7e684fa4b128c4692eae1ef64172cc1e8969eeabddeb73", "type": "eql", - "version": 3 + "version": 4 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "min_stack_version": "8.3", @@ -4328,23 +4370,23 @@ "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "73d35f95e41d651a5e75315cd4b570345c8cc6334b9dec7db8adf08b57f52e30", + "sha256": "02f2a52e75f96bb21611dfd66db9eacbdc7bde77eb1e7da4a5934751321134cc", "type": "eql", - "version": 4 + "version": 5 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "515f6e82dbcb3fd847170c6268af85216b517109cd597240c70908e1e6d0affb", + "sha256": "814b05ca584b27e70940b7b56b00e0a980f69f27a29a732faf88da9bab468c7a", "type": "query", - "version": 1 + "version": 2 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "min_stack_version": "8.3", "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "3ab2c7dffde8d59a7f0d31f4f475c98f5325a94adb789cc4096286ae73e70e36", + "sha256": "851087e9141cd70c44f496078e66eaf761bf4622e80e942be61280452391a62e", "type": "eql", - "version": 1 + "version": 2 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", 
@@ -4356,9 +4398,9 @@ "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "7e3d4366d0e82917ab82b493fb7f89d6c89013e0e9483692037c1e3264ebefff", + "sha256": "014fc8d0bc9296aba032766dc003316df6e0c776dd7afbd1eac19022bc646ba0", "type": "eql", - "version": 108 + "version": 109 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "8.6", @@ -4427,16 +4469,16 @@ "870aecc0-cea4-4110-af3f-e02e9b373655": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", - "sha256": "39e477f562630dea0f3f3b68106d7c699a87d2ab0764247fc8bd0de442981f4f", + "sha256": "f4d2ea0ece674f039a63702423275a0d16239f282e580bcea41aaacbf1505ae0", "type": "eql", - "version": 106 + "version": 107 }, "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", "rule_name": "Enumeration of Administrator Accounts", - "sha256": "16de3139ef7299ea2fe5dc3a874629d2079e250e032b7f33ce0250a0b0e931e6", + "sha256": "faff9c1bc769a66960918e1a2f77f18910fbc478e2c1ab36d62656ed1756c01e", "type": "eql", - "version": 108 + "version": 109 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "min_stack_version": "8.9", @@ -4477,9 +4519,9 @@ "88817a33-60d3-411f-ba79-7c905d865b2a": { "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "de3dc029c5f1bbfc9c187b002dd15ae68bcf1310360b2f17694e84ce55051314", + "sha256": "2440310a8c23cbde04e7ac92d579c678d852f3426d6349638199d49af0a46c85", "type": "eql", - "version": 104 + "version": 105 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "min_stack_version": "8.6", 
@@ -4493,16 +4535,16 @@ } }, "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "90ab70272d3bdc85151e9bc2add9998f4819f17d13c282ae54e1b047602630e4", + "sha256": "23ef2c9b687dd9563523331067722ffb249e171d96bed0cb0aa2f444e2f69e54", "type": "new_terms", - "version": 103 + "version": 104 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "81f56a2b806be5fd445f656c540705be59af15be47b97fc7289e0b70ab357fca", + "sha256": "fed96548137a4b9070b314d8dc25e74ad14c31c93a56277474da3a50d52a271b", "type": "eql", - "version": 105 + "version": 106 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", @@ -4513,9 +4555,9 @@ "897dc6b5-b39f-432a-8d75-d3730d50c782": { "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "90b8b19f30fb314195c63df104ccdd6013d5b93cb7f2d2672bc0e0fdce6e53fc", + "sha256": "6bf3ed975864635c702041b46dc27221005da366c7bea70255734a81a64a71b6", "type": "eql", - "version": 107 + "version": 108 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.3", @@ -4534,9 +4576,9 @@ "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", - "sha256": "bd4e75d4bef5c733959b047c5466da2d7768bfe892c50c383b7d1d46240bcaf9", + "sha256": "4567be1709664ab3c6b7714b68a3da2e392c751aaba951f50336affeacd7e7b4", "type": "eql", - "version": 3 + "version": 4 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", 
@@ -4548,9 +4590,9 @@ "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "7b1e58c15587d23240b63b8dfd696aa8de530ddbf9be2c384db2620e9c9bd4ad", + "sha256": "ac475836b78129386282207de17ce5b3665934cc05cee7e2f8f2a225ad06962e", "type": "eql", - "version": 105 + "version": 106 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.10", @@ -4580,30 +4622,30 @@ } }, "rule_name": "Suspicious JAVA Child Process", - "sha256": "9bcba792d96bb90055853bbc119cff04fa2f40b46cd77ea9bab938ab61056074", + "sha256": "951a0bb72f0f5df1d2a10560cdc54d757d5fee1b3ee2c3156ea9728b05591a19", "type": "new_terms", - "version": 205 + "version": 206 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "e79736c160e70b66e87aa690264e4ebe08b958d00a2d8178556525a57dae4323", + "sha256": "17f895c23f484acde825286a1ddc686df34874b11ab6f8fe31bb183d6ecb0277", "type": "eql", - "version": 2 + "version": 3 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "cf5d70e346d64085f11501ee4ee6aae18cc9a72891310160318db69144acd12f", + "sha256": "4198ea79876c82869eb8f56696ccca913c64daa9e44e66fef25cf4092cf41029", "type": "eql", - "version": 105 + "version": 106 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "b5ba453579b913af45987a4158da3836e9f6d5c089b322ed9b4feb5d3def09a6", + "sha256": "96398ef66e31c53fd65b2620d26184f54dca1cf241e0f8776db22fb848da94aa", "type": "eql", - "version": 106 + "version": 107 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "min_stack_version": "8.3", 
@@ -4622,9 +4664,9 @@ "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", - "sha256": "32ad67514f438b6e30f64bc4b7b4eb626be6582afadb55c240c2e4efe9b7cfcb", + "sha256": "50847b0a7904637d6c3c188fe6025061218aaea691f8e17e0eea0b75949cbdce", "type": "eql", - "version": 107 + "version": 108 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", @@ -4643,9 +4685,9 @@ "8cb84371-d053-4f4f-bce0-c74990e28f28": { "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "65f9ce05fea76a9a8692e1eab5ad90ab0904e79b28d0c1f077f5d0422c5a2098", + "sha256": "468af262f4fb45988c3072a2883f218b9b867218c50bfd7a910fdf553f88feda", "type": "eql", - "version": 8 + "version": 9 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "min_stack_version": "8.3", @@ -4664,9 +4706,9 @@ "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "bb4dbd0f9903378286cb13efb8f0898a00bf9c3255d58d6a58bd21da8997c9b5", + "sha256": "d10513c76a16d9b08cc676bb9c075b5cb14a570fc47bbc001974e164a33c7fde", "type": "eql", - "version": 106 + "version": 107 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "min_stack_version": "8.3", @@ -4719,9 +4761,9 @@ "90169566-2260-4824-b8e4-8615c3b4ed52": { "min_stack_version": "8.3", "rule_name": "Hping Process Activity", - "sha256": "bca55701a9d9f3c48b1f6d8df6d0672f880ea5e8f7b5252ada7c42af6458802c", + "sha256": "74d72e7e3dd68055c5ee97e48e346ba23e5f097eab561f664ba954586941ca4b", "type": "eql", - "version": 106 + "version": 107 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "min_stack_version": "8.9", 
@@ -4742,9 +4784,9 @@ "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "41382d29e3c6849b93e948bd226cdb0679034847a9d11893198c735da08564ea", + "sha256": "5fd3c8920f816415b48c716e7a2374f0fd76b507f2f5d3669969829ede88cb01", "type": "eql", - "version": 104 + "version": 105 }, "90babaa8-5216-4568-992d-d4a01a105d98": { "min_stack_version": "8.3", @@ -4806,9 +4848,9 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "7fe6f04aad78c1165b56664a6e2b192a15c39a1166c3b1e24906d7ff5b91b1f0", + "sha256": "56cc019faadb8280664ecf10a42855016007af7f3413a2503ba3216c9b8307aa", "type": "query", - "version": 6 + "version": 7 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.3", @@ -4868,9 +4910,9 @@ "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "7ee6e483fa2c41549ec9d26ae3a319f27efcef92d7ebfc4c9e232c80f50c28d0", + "sha256": "6b57124ee39f8300e5f18425933da9f3a453ac5c4b36f209412a6fe5dd615b60", "type": "eql", - "version": 106 + "version": 107 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.3", @@ -4951,9 +4993,9 @@ "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "5290a21ce82c80c1c37b7d9e1f8cdddb44b22b0de1bb721928355e6338583e5f", + "sha256": "e78782a0cdbd987aa3010fccef02313ff6034a0bd881b5c21e14d0e2697e512d", "type": "query", - "version": 106 + "version": 107 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "min_stack_version": "8.8", 
@@ -4965,9 +5007,9 @@ "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", - "sha256": "951d63b6557d5c3fb3f155e45999afcdd86791f7d830c26ba0ff9811f2ae0367", + "sha256": "c2ddd9f37a21375386f51998a552ce13bd1b9a8a140474192da60553fa322aba", "type": "eql", - "version": 108 + "version": 109 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.10", @@ -4988,23 +5030,23 @@ "96d11d31-9a79-480f-8401-da28b194608f": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", - "sha256": "6adb4dbd03b3b5ad0d5318c1e811e89f0c4c560f2c2cac1830b06b007134962c", + "sha256": "a65b4ea716da6e7c3ff70fae5abd7b6618963ba8e8e6f089bcf2d264bce4f23f", "type": "new_terms", - "version": 6 + "version": 7 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", "rule_name": "Access to Keychain Credentials Directories", - "sha256": "3a52620ed72c8ba4b60a75bb884dab068504e8759c80fb2a40d44961074ab786", + "sha256": "fe23aa5928440dd067c2f16b8a796d46a7480c4f130d91319cfcba852fce1f0d", "type": "eql", - "version": 104 + "version": 105 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.3", "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "0cd5c0bc7910d590183a34269f1482a68cc7c267f915cdd7cdb8c11894ee3d6d", + "sha256": "6e8d2549a28b15014cb6b7629b580649e27bef8496ddb32de9b5181c9dc480e4", "type": "eql", - "version": 4 + "version": 5 }, "97314185-2568-4561-ae81-f3e480e5e695": { "min_stack_version": "8.3", @@ -5068,9 +5110,9 @@ "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "cd7035a0017aa4b845f94e3aa665721e72fe1dc535c9cfb0867b4657d8a94ef3", + "sha256": "b87b60b05b9803f0259a56de2a7e627e99f798c1c705c13683be2ed8ce2cdfa0", "type": "eql", - "version": 4 + "version": 5 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -5162,9 +5204,9 @@ } }, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "7fa3b7d91df0f6450cc6e044925c196edd851d9521299f034167bb892f7b39dc", + "sha256": "7c1bfb7ad5929a367b5f379a7dddffadf5d05a96b023c46d9f9dfc0f65c293ff", "type": "eql", - "version": 207 + "version": 208 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", @@ -5199,23 +5241,23 @@ } }, "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "353e07144858914694113a7e9d29ad53687500c1f60ed7c8b02d9c7cd634bad3", + "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0", "type": "new_terms", - "version": 107 + "version": 108 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", - "sha256": "51c78c6f9a1af947f778a0b2a2529d21600647e60786daa70a728174bf87c995", + "sha256": "c3d174846da93503bc0c6e8bad7457d78fd6407edb3c26126d26f77f0cfa641c", "type": "eql", - "version": 106 + "version": 107 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "26cb627c3803eec6cbcf9455a27b56c29ea1f604049232bf2d38813ad0a4d87c", + "sha256": "61f8172cb58555796f4e21453eed4c63c104954b1dd8b0c1bc083e27d2cbb30c", "type": "eql", - "version": 106 + "version": 107 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "min_stack_version": "8.3", 
@@ -5227,16 +5269,16 @@ "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", - "sha256": "cb0771065ca25ee179d357d9e53676141cadf572ac31da5e1f00739f85cf36aa", + "sha256": "01291523553fdba38e5d3c7f1d2a822a56c6fecf2ae5081e5a3fcdd6421a827c", "type": "eql", - "version": 107 + "version": 108 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.3", "rule_name": "Hosts File Modified", - "sha256": "8f40a74de7484c5086f69c398cea506911f52935e23a27e3a229439cd5c239ce", + "sha256": "50338b66af75925ac6caab0efac8d88389c5fc35d36c0c79d9cf13e6c5216d4d", "type": "eql", - "version": 106 + "version": 107 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.3", @@ -5248,9 +5290,9 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "594410ed9a140c2439264f3ef7b7bdefa77862b3865a95a2287437856a533db7", + "sha256": "7c85cda2ba8c616a49ecb284a9667fff21227a2b0dab8e6841784917cb0f5528", "type": "eql", - "version": 107 + "version": 108 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -5286,23 +5328,23 @@ } }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "fb85a79f99efb89bc92c481ec8e21aae037df490635821d5df16cac9b83057fa", + "sha256": "49ff4c065b98857ff01ee88c9052d337d8e6a1c932b1e257d3a2022da734fa7f", "type": "new_terms", - "version": 206 + "version": 207 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "dbebd3797fdae528a8f432c6944ceb33a92b55466eaf7317a77173ea58b80423", + "sha256": "72663ce937cfe8297eab4c6f26dd8146c42d0a5c335c22dd556e6c6fda096a26", "type": "eql", - "version": 107 + "version": 108 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "8cbc8f08a554be1ad891d12df42a2e456602b21ce9cd4062d2c6428a80073296", + "sha256": "0d0e8c94d7ee081e8bc9cc4346749b06acc07871ad4b8e3506d6a50db76a8e8f", "type": "eql", - "version": 109 + "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", @@ -5323,9 +5365,9 @@ } }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "1f08334b425a0821c64aa8990f322f468a74567993e56ff39c7f39cfafb44380", + "sha256": "b6e512dc643a38fc0f3437b2ab9b8a2ab3d056ec85db592e39c41a9e5941c0a2", "type": "new_terms", - "version": 207 + "version": 208 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", 
@@ -5351,16 +5393,16 @@ "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "e2394c0d8724d9f2e57e47f5a50cbfa2d1645b0cf50c8bfce9ce10a202bcd28f", + "sha256": "374e0e8d1e934d5f1bfea0c8256c5ea2425f5bd9be8374f7728ce60d1545baa4", "type": "eql", - "version": 107 + "version": 108 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", - "sha256": "dfd7fcad40d953ee8a27b0f8510db3d0cddfa4002ded1a896dbc248170dfb00a", + "sha256": "ce811f22916b00b56a6bdde9eeaa631f6ccf08130ad18edfb552d0205424c5b1", "type": "eql", - "version": 110 + "version": 111 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "min_stack_version": "8.6", @@ -5374,9 +5416,9 @@ } }, "rule_name": "File Permission Modification in Writable Directory", - "sha256": "ed6e7a8e67076b9fae1eb03416f9d82c7915364a8c9a99c7e4c881a6ce932693", + "sha256": "f9910945cb1925f34c18653ab7d5b0ab2d6ba8491db17ce29349b10dd5af8e4c", "type": "new_terms", - "version": 206 + "version": 207 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "min_stack_version": "8.9", @@ -5411,9 +5453,9 @@ "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Python cap_setuid", - "sha256": "410784f14d7bf622572e26d5b794f3a0c338a4e24485cc977afa183933cd6ba1", + "sha256": "34d3a3910421f8e47718cb1b17c6aba5121961b5615a4efd54311a63be1e1996", "type": "eql", - "version": 1 + "version": 2 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", 
@@ -5432,16 +5474,16 @@ "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", - "sha256": "6a172e2439d747140f251d1d0e83f556e72ae03725f37bc760d2d4d7649fdd03", + "sha256": "afbf43fb0d4ed4dc316833240730da4201b617ea02e60983d0ae60fa628e4926", "type": "query", - "version": 106 + "version": 107 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "2a6a370e108c2703a6ecd9df127d8c0f1b6d7306fa6cc25b5c364095b1395a63", + "sha256": "3ff59549bc7312fb3e7d7ad2ef2c07ffa133897254e66a01276691c4242bfa47", "type": "eql", - "version": 104 + "version": 105 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.3", @@ -5467,23 +5509,23 @@ "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "cf164c11d3db4e9e02e907d5c0aef8c3c4aadaf05536b522bb73c9ab3bdb9560", + "sha256": "8f69f6ae427ea73eafb4cf848c309276fe9aca7580196ae73c4ab5c04f17f76d", "type": "eql", - "version": 106 + "version": 107 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "min_stack_version": "8.3", "rule_name": "Linux Group Creation", - "sha256": "ddc90b07b8915afee1601844439c2165c76171d61574db74efb13bca0d2783d8", + "sha256": "82a50a210890c906316f6d24693a3fc54e187dc59bfda67f20fee0bf8d3814e4", "type": "eql", - "version": 2 + "version": 3 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "914a39f1d00e560fa0f28e8f67e57de3b2185f0ca422a7b395f419f567383cbe", + "sha256": "efe8131f73b131021b975ef3db9981aa32094d89390efd450ec9534e861bed51", "type": "eql", - "version": 106 + "version": 107 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -5504,23 +5546,23 @@ "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "af441eec9facc8c5fa2be399c6d3a1a2383c4e937ccfca40f8455f599c5d8a24", + "sha256": "3087ff625a0c9849ca67d67b189bdf8521aef5642122426e1c7503f7c6e0559d", "type": "query", - "version": 5 + "version": 6 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", - "sha256": "45df842bf3fc84a101466bbe60825f7c421c1bb2a632e810a097e320eb227154", + "sha256": "afc5e36abc802e9089f1c9b9220fa3199749c285d95ab25286451b2cb0647fe0", "type": "eql", - "version": 105 + "version": 106 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "47565477aafa65e36a393078e2728881f6776c4ab363e183c347d8b0e72f349f", + "sha256": "2022d77c3a450819dba114be131ab4d32b3cdcb7b5b4d5048884740fc9ffb12e", "type": "eql", - "version": 106 + "version": 107 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -5538,9 +5580,9 @@ "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", - "sha256": "e730ecd8da8e472be98472039b0fe0d3367e75d284b97851b915bac433ec17c2", + "sha256": "5314fd78f655b74a006c62ee1eb2079163be8e0e9035bd70e879958302847147", "type": "eql", - "version": 2 + "version": 3 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", 
@@ -5575,23 +5617,23 @@ "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234", + "sha256": "ad3072e4913ac770d5ec08abc3f4164ebaeadfceadf19007ec2c196a86be9022", "type": "threat_match", - "version": 3 + "version": 4 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", - "sha256": "1b6c475dbb4e03fa67ed24f68234e633e098831572aef47077e72f8dfe6957cb", + "sha256": "5aad9bb6f69714bb192aff73543dd6712d88a59758b870c26af66643e481fab7", "type": "eql", - "version": 108 + "version": 109 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", - "sha256": "eaba66ce5e3e1670940bb55f81b29ea66ffea88a4e63f1c2485ba55bbb0b0487", + "sha256": "5059d25e53e20ecda5bd0bddff5f19aa0c90190e3c58cf6926c946c26f701839", "type": "eql", - "version": 104 + "version": 105 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "min_stack_version": "8.9", @@ -5603,16 +5645,16 @@ "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "d2ecc2ccb29c2a4acf6790274133e976ad48787ab37bfdd12667ae6b58bfbc45", + "sha256": "39dc07aae00d71e5e210d726a51202807f31ce7e26afe10c19fb8a6d773e2537", "type": "eql", - "version": 107 + "version": 108 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "913d17dd423ad4f09f41eb01380f802d3c2c209812a27e963fd5198d566bdb8d", + "sha256": "027498bcace88695c3b5e09df27735c8b2063701ea3b27328d0fb52f8c6533b7", "type": "eql", - "version": 106 + "version": 107 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "min_stack_version": "8.3", 
@@ -5624,9 +5666,9 @@ "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Potential Malicious File Downloaded from Google Drive", - "sha256": "9e184df192757ad8e29a2cae60356352e84d9601bba380c446bbc4b64deb76c0", + "sha256": "7a0d22e648caa03cd127a00cad9baff4f242263c35d9ad59ab1c7a9fe46a321a", "type": "eql", - "version": 1 + "version": 2 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "min_stack_version": "8.9", @@ -5667,9 +5709,9 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "7844ec8c0187f632d87cd6160ec6fbfa6968c5922e6a07bb3372475a6a1b5f31", + "sha256": "a4fa9c90990fb09a05cf7871a006a72eaebb98589699350427858c062146d05b", "type": "eql", - "version": 105 + "version": 106 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", @@ -5688,9 +5730,9 @@ "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", "rule_name": "System Log File Deletion", - "sha256": "14e5354aa44af54186285133c4a176bf18dd8b2c1dc22c1555bd658ca8aed767", + "sha256": "13abacac9bff946a2754663dce57296eb4b411ca308e66b45f82112bec190bdb", "type": "eql", - "version": 108 + "version": 109 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", @@ -5702,9 +5744,9 @@ "aab184d3-72b3-4639-b242-6597c99d8bca": { "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81", + "sha256": "67453761dd40533419f89a508cf05c8bf7e992831ad5f324e18f2b3b19929e59", "type": "threat_match", - "version": 4 + "version": 5 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", 
@@ -5730,9 +5772,9 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", - "sha256": "0f822c4116038c91a881a8b8eda9017407457ea3498167dea425f66a161a9067", + "sha256": "6fc6cae28ebf0c75451af175b21022b2c33ceb781032192f90c20d91bd0ad2a8", "type": "eql", - "version": 108 + "version": 109 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.9", @@ -5753,16 +5795,16 @@ "ac8805f6-1e08-406c-962e-3937057fa86f": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "48bea2e83f12194db4f91544236e97199adeadca828f332acc5c23da9f9d9206", + "sha256": "be83fd066d79be0ffae0c129953fb19a321244c86fd3c8fc46fa0f89905e3ac0", "type": "eql", - "version": 2 + "version": 3 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "97beb0996e664075d6702369fd69d1ecd9b94f7d1bcbb93b2d51e49ebbe397b9", + "sha256": "f9fa4733a750754f6f49fbaeaf98e2523d57e77e5daba2e13bfc9c2d201f92aa", "type": "query", - "version": 106 + "version": 107 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "min_stack_version": "8.4", @@ -5804,9 +5846,9 @@ "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.3", "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "b154a1563dfafd9602e3c33dda6d0d75a294b8547da34bea70512edfeae98e01", + "sha256": "aab56ec768cc094769d54446314b0acd0757ae4db3a9da69e5099246b4710246", "type": "eql", - "version": 105 + "version": 106 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -5833,9 +5875,9 @@ "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "8f2f24455938fb5ea09e3ec7060090a25a269b6678183d00e54a6414e2df8ebf", + "sha256": "ece2a16a9368d49618c91e7029dec21e11078bc4c3f43049efcc7a83009a327c", "type": "query", - "version": 108 + "version": 109 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", @@ -5847,9 +5889,9 @@ "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "8cd17e47485c9d7340c14995dfe14cbab3158f5de2a29a64a2e8281e1236dc66", + "sha256": "20f29e024f8e2c4bfc4ab6a034eae6d65d6ea9e12e66e31fef4166c5db5a2ae4", "type": "eql", - "version": 108 + "version": 109 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "min_stack_version": "8.3", @@ -5868,16 +5910,16 @@ "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "aad1b5a33619e6512fe65f763c3bf7efc9340426847e9521aef7529ed7b820a1", + "sha256": "93e731444b08dd8f1dbc6e88f457ee9aacbf61c1f988464f84cf5db0e056ff51", "type": "new_terms", - "version": 4 + "version": 5 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "c98963d7bd8d88e43392beedefd94e993beba6832757358cbd30700b542c64d8", + "sha256": "61d1e232e65d235e74fb2f09d2e3448d548edebd7ed582d6304475ea93299e0d", "type": "eql", - "version": 2 + "version": 3 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", 
@@ -5889,23 +5931,23 @@ "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", - "sha256": "3efeb12f45b961fb82eedcf17858c557c07e762e46a219c0988da6b4f07502f2", + "sha256": "bc5df61663e521c91606721992cd7a8151188b39742d369c2537dabd15b0937d", "type": "eql", - "version": 2 + "version": 3 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "0bf1a7ca2b5b8e549eb4f67bc0935b74f3f25e139397f7b67fa4657d5d14de9f", + "sha256": "b3876016cbc0e3a82a911ae80577053bb2c945e539ccb227a3ae520814c476ef", "type": "eql", - "version": 3 + "version": 4 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", - "sha256": "ed8ed608b91ec1f89f10e2b4ef5ba1ca04884dc57c910b94f5f0b4cbb73021c2", + "sha256": "2079a604f3faff6cc6b6b781db98c42700096fb46d6944292c62c13c01a7810a", "type": "eql", - "version": 103 + "version": 104 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "min_stack_version": "8.3", @@ -5944,9 +5986,9 @@ "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", - "sha256": "078de5b8caba30df61a3bc9e859848f359bf7a766344430b00b2c2046ed17aa7", + "sha256": "5140f51472bb51e246f8a5076ee0138186c0db463f337c8cbc044bbede59a6bb", "type": "eql", - "version": 107 + "version": 108 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "min_stack_version": "8.3", @@ -5972,9 +6014,9 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "aa283cd7566eebaa3e98d93024a7710926f4bb3dac4a46d97159d6377f7ee8ca", + "sha256": "2f2309ef87dbeb7c8500ffd750c33a466ec912231e35d601c99ed10b5254c68c", "type": "eql", - "version": 107 + "version": 108 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.3", 
@@ -6032,30 +6074,30 @@ "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "c7deb10ffa59d05fbac1583edf15b565628cec521edbceb803f9b15c91400b85", + "sha256": "03a4f6b34b5dd327671e71297f46ad0cedca4be702f6d4e86c8bd886bf03f510", "type": "eql", - "version": 3 + "version": 4 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", - "sha256": "9f885fb22e236780df0b7209ca3b783bbbe19b69cd285ad32c8a24005ef089e7", + "sha256": "3887ad885e0ebf5e37828d1e8dde4d5183e83f831a2a4c6c6d00a77cb3d15e0c", "type": "eql", - "version": 107 + "version": 108 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "2a1696db25e3e2cd7578545491d669f6f258b52993267c6da8d5b2de3409c9b7", + "sha256": "ca11a431744e13425dc24b1f98000a04346735be332e41061ba730bbcf3eee37", "type": "eql", - "version": 107 + "version": 108 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", - "sha256": "201dd81fbc35d779e3102c505a0546583887b43b606d36a68232641653d1ca02", + "sha256": "36bd8dcc31b17a81b4108c6de71cf9eda443039b95e0c299255c8a89f2e8499f", "type": "eql", - "version": 104 + "version": 105 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", @@ -6120,9 +6162,9 @@ "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "9514a809ca145d976ad76c91de53390221ffa8bde79020b93c643058eaccd223", + "sha256": "d902ba9e2e987d47b2388ca3a51d868c1807f2d5e0b5aa7dfc634c448c664986", "type": "eql", - "version": 105 + "version": 106 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.3", 
@@ -6141,16 +6183,16 @@ "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "c5173c7852d544188783ae8ad6360a27c4dc99276c45cd65516112c2f3a24d88", + "sha256": "4ae1fadfcda3b3eb16cd5ce038f967736e4b625bbc9a7296f347615d21d7725c", "type": "eql", - "version": 106 + "version": 107 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "975875643c470662591b7f92890f341af3ec06aaec4d7462d89b555ab08b31ea", + "sha256": "ac46e57d571273c025c91e46c20c1f7c46db80b9f6a1e181de6ec4e267c91867", "type": "eql", - "version": 107 + "version": 108 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "min_stack_version": "8.3", @@ -6169,23 +6211,23 @@ "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.3", "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "50ce20970c0225897cbd6278da8c53629372100b61e456082a1018b045d9d8c3", + "sha256": "e7702b1cb759c6daf40a6f3464d984e9b0b59eb02c5ef8a4b805abddc598d678", "type": "query", - "version": 107 + "version": 108 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "24e7bf23a9b423f0ee788a5d588692dbf4cb7d5a9de672b20db27deb8f3d05fb", + "sha256": "b62ce757409f5b83483a6178edf83f96ca9f2694c59261960462d1d5aa5c823e", "type": "eql", - "version": 106 + "version": 107 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "c475fe418c9dd5c5b6a357004cecb0f77ec12520167b225d77dcb436eb1094fd", + "sha256": "268cf591802efa58ca8ccc81f92c143605f8684dccee5d40e37775cc905c1ff5", "type": "eql", - "version": 106 + "version": 107 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", 
@@ -6197,9 +6239,9 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "4e20d0099e197e490805cd6edaf652e4b192b1c67cd120c9583905ac929dd623", + "sha256": "dc0a8c9cd0d7f0e1844a5c6402ab1504415faa41aec3f0ae1f68c80b0e74947d", "type": "eql", - "version": 105 + "version": 106 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", @@ -6313,9 +6355,9 @@ "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", - "sha256": "e5e42d67e73c95c6558439ae96e3515ae045a15b9cf9349190ccb7ce1a5c3258", + "sha256": "fa1f00b9443c5ad654f7b853629f4075bf14005339a418325a786b9efeba54ad", "type": "query", - "version": 110 + "version": 111 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "min_stack_version": "8.3", @@ -6334,16 +6376,16 @@ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "95a277633a730cc76f1f3dd56678af752c6c0b11bd0eca7bf678452efce66786", + "sha256": "d760fb7f319139f03665f98df0dd2e9878098619330d3d740f424b742ed5a3e7", "type": "eql", - "version": 3 + "version": 4 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "49544ad4d81ab915c9fd10546c551f9f16cd314bd11afeb39e1d8c2f92d61242", + "sha256": "46222aa552fbb0eb3445b6863d48086e14b83f540e63bf7f048bf0e645855756", "type": "eql", - "version": 106 + "version": 107 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "8.9", 
@@ -6362,9 +6404,9 @@ "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "836e67e32ec8fe118f5d1934b55e659b1dbcfce76125cce36bdb3c0e1f8ab9bb", + "sha256": "729e64a5fe9596b9514a3e5a2b56e8374fb6079ec891f4b85681422fc07671e5", "type": "eql", - "version": 106 + "version": 107 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.9", @@ -6399,23 +6441,23 @@ "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "48070e6a13563fdaf1cc968863fd1afaf4838e89682767a13af387858571ec00", + "sha256": "a96413f43b35602b04b7947dfc44ba77f545ed0130c1d7c09cae4116e51754f7", "type": "eql", - "version": 108 + "version": 109 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "9f7b054508c77d58f7d726725411dc517eef84d474347b3a8557ab84761eb842", + "sha256": "0afe2d906b4e49920bacb79b64404fb8d2ad10c938ab6066d1775c4498d2c1a1", "type": "eql", - "version": 104 + "version": 105 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "b703ff542262a1b01cce71377aa6ca313a15387e5c2b986a98d27924ecb2782f", + "sha256": "f03d327ae09793a9ec460b44da54cfc1c07d946b2d181da5ec77da0c5d2fa4aa", "type": "eql", - "version": 106 + "version": 107 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "min_stack_version": "8.3", 
@@ -6434,9 +6476,9 @@ "c125e48f-6783-41f0-b100-c3bf1b114d16": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "6ce01312cbd857003098b2b0753a1ec8356a09b109b020cdc2ab369082ffbf8c", + "sha256": "2acd7bb084fcacdbb12ec8d9c6a04121f2a5bfd99c81cd043158d03bd202e2fd", "type": "eql", - "version": 4 + "version": 5 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "min_stack_version": "8.9", @@ -6473,9 +6515,9 @@ "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "10b03b0d2a557fd9f1db04ceba979e83c8291a46dd1430959c27531b5e55a74b", + "sha256": "e5ae5f0e597165278b0ee70abc0aaaf7bfa067cc6b731e26e4d4a9f8c130d70d", "type": "eql", - "version": 106 + "version": 107 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "8.3", @@ -6508,9 +6550,9 @@ "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.3", "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "a694c2c72d254cbfd29fbeb4d0893e558337476a755af6c851563a1014065d26", + "sha256": "331c14e73d76aebdcd4cac4d0fab69ddbb53ef866ef1a68f1868a3755733226f", "type": "eql", - "version": 104 + "version": 105 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "min_stack_version": "8.3", 
@@ -6522,16 +6564,16 @@ "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.3", "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "d375bc56966923722625e5df9e79b926dbeee902679aa6cb57b02a7dae9b0923", + "sha256": "43fcbbce0e30de8a963685bf58748b27635b19c08af085815f6fff113533bd37", "type": "eql", - "version": 106 + "version": 107 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "fe7c45ba7ffa9b0a75ac69678e899b81b70778bc9e472fa57463c14bb425caf5", + "sha256": "30182cfa6804a26e730d3c6e33a15816fbc229f1b76ba3b0a372388c91434099", "type": "eql", - "version": 104 + "version": 105 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "min_stack_version": "8.3", @@ -6557,9 +6599,9 @@ "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "0710403c8d618e71c165c7b8eb160bed4e6e439b9d9c904d9b5af9aa9be9588e", + "sha256": "ef18c4509361dc748c03f900e0cb04331a3870f4d37673c65632f7edcdc5fe80", "type": "eql", - "version": 106 + "version": 107 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "min_stack_version": "8.3", @@ -6571,9 +6613,9 @@ "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "9703a3f1e0ab87710ef683407452f9491a296fbb9fb21c1270d48f28039443a0", + "sha256": "98c498d667d0e19468ae624112a73bcd2a85d40b0caff39529b93ce06206aaaa", "type": "eql", - "version": 105 + "version": 106 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.3", 
@@ -6585,9 +6627,9 @@ "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "a6a7a57d9d9f53170aaca5b52e31fa5987b52d03287d461f35903e7a94f3c49e", + "sha256": "7e7ffc94375f810fc0ec2748a6a096644fcde37cdf4979fb00de46501a74f0c3", "type": "eql", - "version": 107 + "version": 108 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "8.3", @@ -6599,9 +6641,9 @@ "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", - "sha256": "cddefa7d53013d704fc6ae7740caee316c50acd79b1fc321a6f2f0b9120d905f", + "sha256": "576d3b6a56808d5c581e4f82d4571613bdb9f304eb4165c3d972990f968f7abf", "type": "eql", - "version": 107 + "version": 108 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -6667,9 +6709,9 @@ "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", - "sha256": "462a72ca87888591497bad05c41909f4b20b28e8be26d594546e563f178bd706", + "sha256": "29d7cf667acb99a68d444c3d61446d0b3ac071880d4ad6333c3be80645841c97", "type": "eql", - "version": 107 + "version": 108 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", @@ -6702,9 +6744,9 @@ "c85eb82c-d2c8-485c-a36f-534f914b7663": { "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "c9158b1c2fd25aec7b65a7112e5bd5234e1f16fe85d6cea011a2c447f8845de0", + "sha256": "4e2c160e8b311df59edc07d890988f42898b8ee8467760d2692204ecc13cdede", "type": "eql", - "version": 103 + "version": 104 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", 
@@ -6722,9 +6764,9 @@ "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "d16c1571f4991e8257fc206ff4e66afbab3d14994c0b00534ab992bd948529be", + "sha256": "644224b9f3ebd8dc3b7a7d5b2fb1b90cd7142ffb1853bfa847346361c0e952d3", "type": "eql", - "version": 6 + "version": 7 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", @@ -6736,9 +6778,9 @@ "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "a2dad54c59a4df7c89caa5e11af6d9425532fe82b26ef1c0588f4d7b835f71ec", + "sha256": "f98a75e410bae28c2958515cf867ad360c55e5628e4074ff04168355fe113ee6", "type": "eql", - "version": 107 + "version": 108 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "min_stack_version": "8.3", @@ -6764,9 +6806,9 @@ "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "cbc3f42a7bcbc551c94f4915bbf898b210a4747c014608e39f4a2a12501d1682", + "sha256": "cb3e06584ef3df219502f541a38afdd93024219e4a99f76ed05857f3b96c5772", "type": "eql", - "version": 5 + "version": 6 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", @@ -6786,9 +6828,9 @@ } }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "5f9d6f9747305b2a9d59f1c2bb89ec12610c7490a57f1ccb24de236f42839d9b", + "sha256": "55ab77b10e0bcb868314e0a9c77ad2c6b64b6a3dc98daa287fc5d3318225afe1", "type": "new_terms", - "version": 210 + "version": 211 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", 
@@ -6911,9 +6953,9 @@ "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", - "sha256": "7b92ec2e6a2290e49b0168c42351731b5a03508b59cbed4d0dd0127f6ab8ded1", + "sha256": "3389bde0d2034a85fbb3b9902602f9751c82b86ef92ede4fd68b2c2aaac43319", "type": "eql", - "version": 106 + "version": 107 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "min_stack_version": "8.3", @@ -6957,16 +6999,16 @@ "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "cb505702842c62bf14d57f592e2da9b793b4232bb14db1dc07ce3ee3dca88d72", + "sha256": "fb56f30729c9d160477b06f02df315c4d6c9387007b670146b4c0060f556afce", "type": "query", - "version": 6 + "version": 7 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "2abbf97e21f0197022ef274f0c7aaf1326d6645628f586e1bbc7e75dd4bf6dac", + "sha256": "e2c5ca3d894271fd19e6f8f2a1766756db89da4380da5f63313dd2f1843b9589", "type": "eql", - "version": 106 + "version": 107 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "min_stack_version": "8.3", @@ -7008,9 +7050,9 @@ "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "min_stack_version": "8.3", "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "33d3c47a50a64210f5b2ffc25ccdff6d5d37d16fc71e6dbbc5c13a18b6780cde", + "sha256": "63f22faabb2c7cdd85b0f0550ea39855fbcdbb14b96b274cd260a985e747a7a9", "type": "eql", - "version": 108 + "version": 109 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "min_stack_version": "8.3", 
@@ -7022,9 +7064,9 @@ "d00f33e7-b57d-4023-9952-2db91b1767c4": { "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "400a4ff29714ab2561d2a413f2f404116f8fe1067cb678f32d05daa204ee8316", + "sha256": "a856106c03c826b7cc37c298845052a3d071b61fc13d0a7e32d11346c49983b3", "type": "eql", - "version": 7 + "version": 8 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "8.8", @@ -7036,16 +7078,16 @@ "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "c206dc61a4c2ae0d1f412a63bcffc413ce72bb6de4d4c86c670d3c066dd1662e", + "sha256": "283072265b8d9a5eb1ce5e409ca6923c251b01d80294784d68db0745ea03ff46", "type": "eql", - "version": 106 + "version": 107 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "077587010e7e194ab3d20e99f290d4a9813931fa3a4c1f4bd01f8a875b0a274a", + "sha256": "486befefb895d04393ea8ab494e45aa9071d538f5f4afe5d9ac67aee4e990ac0", "type": "eql", - "version": 107 + "version": 108 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "min_stack_version": "8.3", @@ -7077,16 +7119,16 @@ "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "52bed23a3a6e8d13a93def9f01fc3f4de6094c7cbd2b55eb10637d659a556dd1", + "sha256": "258220c18110c30e13d2bf5c9c5b47b97d2591c38e6a207624eaa1335b384462", "type": "eql", - "version": 107 + "version": 108 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", - "sha256": "8ab63a4886ad2a72cbb3c1b616a3f462298f7cc74de154654064c96b035d343e", + "sha256": "8a73c10ef60c4773647f268027e24eae42f6ade586978349bdf9041116d0e531", "type": "eql", - "version": 108 + "version": 109 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "min_stack_version": "8.3", 
@@ -7149,16 +7191,16 @@ "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "f5c2c64714e19cc3d5437f0039d3baa83ae9aa8fd5af5dcbd5b6655156c6e9af", + "sha256": "fe9f5628cc8de2846077446c09d501bd05f366c5f81e3900c513dfa420b6ff75", "type": "eql", - "version": 2 + "version": 3 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "3c95ccf8f67a50f03ac411052a8a2da81d0483634ff43782835b20a2eee49275", + "sha256": "225b46731e54716469e060d028dc5a204d7dfeb3ec1062bc93ffdd4663f7acd1", "type": "eql", - "version": 3 + "version": 4 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.3", @@ -7222,9 +7264,9 @@ "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "e19053836a709b816dc84ce8ced0ba8168ccd803d9c077141d35d3a0679f082f", + "sha256": "cc8a7869299dfb327b8a78d1709292c90e765523ecaed24698ec7fff46bb4440", "type": "eql", - "version": 7 + "version": 8 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", @@ -7236,16 +7278,16 @@ "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.3", "rule_name": "Modification of WDigest Security Provider", - "sha256": "80570780af03c2efcf7f4a9003e2c21b34eb66a062aaad55d9676514ffea140d", + "sha256": "0d92e00788578df71a3085d97bc9e16656ce1ab64a2d00cefd71d7ede7c98ce2", "type": "eql", - "version": 106 + "version": 107 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", - "sha256": "be781bb6c568f6e3338fe8a85423ad7b2bed67673e71befc92524a519bf29602", + "sha256": "75e96d95e76853c07370e086de891f29c8521f0570f5afbc6c674fb8ff2e13df", "type": "eql", - "version": 107 + "version": 108 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", 
@@ -7264,9 +7306,9 @@ "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "c44526d9a91a1fd72764e5afb5ad5c6a99415825884efde1516a72afc827756a", + "sha256": "135ce1e246c6be718c533d4528fb82c9d1798007fda71bb7aa4126f2766cff68", "type": "eql", - "version": 108 + "version": 109 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", @@ -7315,9 +7357,9 @@ "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "8442e8cbb922de0f547562302bde985f3e343662547902ae1b3ad81817991b14", + "sha256": "35cec24c6f40b74359e76b1c0b8b19ada3b0c73c18fdc5f92b4fc732bb168c40", "type": "eql", - "version": 107 + "version": 108 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.3", @@ -7384,9 +7426,9 @@ "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "e4df76ec7b5df39c1969e559f1a6da83fa65a42ce5b7d0309e543137738e41d0", + "sha256": "48b2377c407c6fd267364cd6a28cedd0830236fe92ed4e08111591a7a77999b1", "type": "eql", - "version": 3 + "version": 4 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -7397,16 +7439,16 @@ "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "d42dea9b11a475bd84ac3a3f2a7556720a15eec56ff92168c87ed712e91e8908", + "sha256": "e947ad288f1da43e4a883eb9da07ee706c06e2905ae2445421e2280db1d72486", "type": "eql", - "version": 4 + "version": 5 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "068a220aff143f426d32e403fb68a377e120e375f657e84217c3eb4f399e543f", + "sha256": "6d5c7271ac35ece6b3d5ad727effafd19fad5b0e1fc68ca0ba309bbd0a1ca4c1", "type": "eql", - "version": 107 + "version": 108 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "min_stack_version": "8.9", @@ -7448,16 +7490,16 @@ "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "573c9ca2dbe19f1a028b5b5819057f1cd784de1be52279fb1eb1b99bf3aa91a4", + "sha256": "1b4652f974e6422672d712e10f16590cdee1527efd0cc592e2cfacaf6ab10754", "type": "eql", - "version": 106 + "version": 107 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "e1754aece5bca9de7f3a297a9ebcfde160a4c48fdba1042e55a503c43af3a487", + "sha256": "3fdd204c8b26e4dc4f20eaf80a88b4f37cd9093b77f365fbf505b27c37e500d7", "type": "query", - "version": 106 + "version": 107 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "min_stack_version": "8.6", @@ -7499,9 +7541,9 @@ "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", - "sha256": "4c3f4b8b94c3abf50fada6c7104d6fcffb6126ad61920c98219b8ca2d1f7af00", + "sha256": "ad16600cea0282022eecee3a9321b3df7956ff9592e8c777caedaaf750b505c9", "type": "eql", - "version": 105 + "version": 106 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "min_stack_version": "8.4", 
@@ -7542,9 +7584,9 @@ "e052c845-48d0-4f46-8a13-7d0aba05df82": { "min_stack_version": "8.3", "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "0cb624873a820339db88e27f6c934f951767b06b5fa612ba655162ddac81044c", + "sha256": "b59881ecde4fbb260ada06f008c2bf8ff29a1dd8964b75ba7e4aab3e5d1cfbe2", "type": "query", - "version": 105 + "version": 106 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.3", @@ -7625,9 +7667,9 @@ "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", - "sha256": "ecd74e5b4a0d9320b567ccff15b0551b10812d52a6a99e120eb4e09dc3c70a70", + "sha256": "20d3c6c6a6f6513706a2ebd8383166c55e2c6bbe55be87a27695bc4d93937453", "type": "eql", - "version": 105 + "version": 106 }, "e1db8899-97c1-4851-8993-3a3265353601": { "min_stack_version": "8.9", @@ -7639,9 +7681,9 @@ "e2258f48-ba75-4248-951b-7c885edf18c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "c283a96f0e6778b4047079842cb8724e31caef3444301c6475256a53b012ee57", + "sha256": "f0e1450bcee3627ea25c3f1149f19e23d974096a93f38f4fcb2f8b1f3cbf4760", "type": "eql", - "version": 4 + "version": 5 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "8.3", @@ -7653,9 +7695,9 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "8c840abd0eed39efbf4517ceb247d5a1e29c14df891f7fc68b9c8ca19af732fa", + "sha256": "f96c27d17387a29f3c9e0a76e761e50f58980ca2e8c5c47c750c1112b007a612", "type": "query", - "version": 109 + "version": 110 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.9", 
@@ -7690,9 +7732,9 @@ "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "f4aa9648ae148430d56ec66b1b05383eff95f446f9d746fa618a5fd5d74b932d", + "sha256": "66e388663b228b2c8dd94c6fd5c4d2747293af0ad3223e8467b6dff513bfce19", "type": "eql", - "version": 108 + "version": 109 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", @@ -7704,9 +7746,9 @@ "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.3", "rule_name": "Process Activity via Compiled HTML File", - "sha256": "71b3674d3f5ae08be304fa711dd538194ebb2c5624de5518b705a973ce44764b", + "sha256": "3e2a12fecf522267ef3afeb66114c8854824c72cc1d0e2ae4f0f4bc3a2308f70", "type": "eql", - "version": 107 + "version": 108 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "min_stack_version": "8.9", @@ -7734,16 +7776,16 @@ "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "db6c8cc00bdbaf0ddb428a155db94ed7c9f288d60b6f199fab061f577a7bd7f4", + "sha256": "5c04199205cb13930875dbab67b50a81f6de209289212579901c2a02bec11afe", "type": "eql", - "version": 104 + "version": 105 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "47990704fcf218a068f07339d376b36fe1ff72c831754b08f0dffed5768cc04d", + "sha256": "2e2da840f77c57538857f88568962b68c7ed2da6036ccc86ed73e23d95b97f90", "type": "eql", - "version": 107 + "version": 108 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", 
@@ -7771,9 +7813,9 @@
  "e514d8cd-ed15-4011-84e2-d15147e059f1": {
  "min_stack_version": "8.3",
  "rule_name": "Kerberos Pre-authentication Disabled for User",
- "sha256": "ff07330e7b280ebe26aff63e3c933ca68bc9e57095f06822a1ce1a766f8aa2d4",
+ "sha256": "714940633134a4900fd804da4e9b3e223c9d3ff128f229f7a46599938fe9322d",
  "type": "query",
- "version": 108
+ "version": 109
  },
  "e555105c-ba6d-481f-82bb-9b633e7b4827": {
  "min_stack_version": "8.4",
@@ -7830,9 +7872,9 @@
  "e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
  "min_stack_version": "8.3",
  "rule_name": "Screensaver Plist File Modified by Unexpected Process",
- "sha256": "077f0a7711bbf837f2e67231c713061aab1388e7194845c2724884baba2fcba8",
+ "sha256": "1732013a4ba605cabe48c7b619ab0091ebe06309b90dd143c75a2212213833bf",
  "type": "eql",
- "version": 104
+ "version": 105
  },
  "e7075e8d-a966-458e-a183-85cd331af255": {
  "min_stack_version": "8.3",
@@ -7881,9 +7923,9 @@
  "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Linux Credential Dumping via Unshadow",
- "sha256": "9dabc489226c779aadc8aebd27fd06248863464f8c3eb77f8e3e65ea9de31581",
+ "sha256": "332682a3600cb59f9e5416f1a36782dd5b2cd5140ad2365e794fe319c8057d6a",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "e7cd5982-17c8-4959-874c-633acde7d426": {
  "min_stack_version": "8.9",
@@ -7911,9 +7953,9 @@
  "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
  "min_stack_version": "8.3",
  "rule_name": "Installation of Security Support Provider",
- "sha256": "05e809fb643c5c0b932f08cf325d5b980c1be26c2322a33497bf7931a54612bb",
+ "sha256": "8547cdc3808d7f235d3d0abae6b3718604a0f5fd3b25275e55649bcb89548514",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
  "min_stack_version": "8.3",
@@ -7934,9 +7976,9 @@
  }
  },
  "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
- "sha256": "b2bf47b2d754b97d1201f5d927c49421ceb71609ac667f07c240495f839cd6be",
+ "sha256": "db2a5674e261bc84e14f1523a5864fc02bf8d27e779d4bd8b3ef5e0f8c2a77d8",
  "type": "new_terms",
- "version": 103
+ "version": 104
  },
  "e90ee3af-45fc-432e-a850-4a58cf14a457": {
  "min_stack_version": "8.10",
@@ -7980,9 +8022,9 @@
  "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
  "min_stack_version": "8.3",
  "rule_name": "Unusual Executable File Creation by a System Critical Process",
- "sha256": "0932a11d1af761dc69c880afac16d9f8543316e5b003ac9c7f31d6a1b903eb5b",
+ "sha256": "3f3eec9bc3511f8a7b04c2ea53960d28e2c4cc9c1919b4ac0415627e28f49b80",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
  "min_stack_version": "8.3",
@@ -8057,16 +8099,16 @@
  "eb44611f-62a8-4036-a5ef-587098be6c43": {
  "min_stack_version": "8.3",
  "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
- "sha256": "4fd30c5b6cde137af4b4bfbe6147e6b9b22ee92011d517f81f11bfd501ecd62d",
+ "sha256": "801852a3300f7b11b19c32b8f4151194247eb06f60814b531d70187da14da0a1",
  "type": "query",
- "version": 1
+ "version": 2
  },
  "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
  "min_stack_version": "8.3",
  "rule_name": "PowerShell Kerberos Ticket Request",
- "sha256": "19a8d98813f7227deaf511c0d633facc03ce98eca134cbf0ad8d95277312d2bd",
+ "sha256": "f2b652ded44a6da7a65d03f5aeb3b74b8f9790089a0d1c2e3346e02ff70f66af",
  "type": "query",
- "version": 108
+ "version": 109
  },
  "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
  "min_stack_version": "8.3",
@@ -8078,30 +8120,30 @@
  "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Disabling of SELinux",
- "sha256": "039692bcb30d46067fc586c4ebcd04997a968d5c426694130fea5aeb0a48d46b",
+ "sha256": "67e5d80d98a14e59513c76c67d9e7b585867dfa1bd03bc7fe57b4e529040abcf",
  "type": "query",
- "version": 106
+ "version": 107
  },
  "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
  "min_stack_version": "8.3",
  "rule_name": "Mimikatz Memssp Log File Detected",
- "sha256": "cc34ad5743714d022bd3d06b3eef95da4715d5b72e531c4235b17576ba88d2d5",
+ "sha256": "76c37cc7a589fe10dfaa88f6b7b661dea40b32593c1b666971619610af0593c6",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
  "min_stack_version": "8.3",
  "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "160ed3a375dcc3e55e6117241ad6a6bc1ef32411c7d4a0d406c968aeeb017680",
+ "sha256": "4bf7615c712ba6551f11469f116ac403329d8282ac9506d5ccd5b57da83c51b6",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
  "min_stack_version": "8.3",
  "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "7ef91946b0330f608783b4afaf455fe3bb69d40331bd9be9573e1e1b3b9429d2",
+ "sha256": "1d657da119ea7a4f4925fb9854f9b300a165f2e51b196233358018c3c2c34b10",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "ec604672-bed9-43e1-8871-cf591c052550": {
  "min_stack_version": "8.8",
@@ -8150,9 +8192,9 @@
  "eda499b8-a073-4e35-9733-22ec71f57f3a": {
  "min_stack_version": "8.3",
  "rule_name": "AdFind Command Activity",
- "sha256": "b3773d30c5a81754f182b5e16112b660ce51afc7217b471c07c135c92343561e",
+ "sha256": "8a1027b9ad2f5361439241c61ece4bf8059f137a0718d154612fc6bc4e1582b6",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
  "min_stack_version": "8.10",
@@ -8173,23 +8215,23 @@
  "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
  "min_stack_version": "8.3",
  "rule_name": "ImageLoad via Windows Update Auto Update Client",
- "sha256": "2879ba6dedb4672f2a2edf42d9b51a445ad7e87deafca2d3e115c225361d1e52",
+ "sha256": "7e36739ca38d86c13233d562ec0ff5e3019b17cd4efe9373ee963d0412184cbd",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
  "min_stack_version": "8.3",
  "rule_name": "Linux User Account Creation",
- "sha256": "a543b60be5b2a1233c9fb7a049c1556d3cf7a3df31ba9a09fd4e7f1b427e5109",
+ "sha256": "13b3b537fd8a6d150005572a86b138310ddc48a6341f26efff995090c828b47f",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
  "min_stack_version": "8.3",
  "rule_name": "Unusual Print Spooler Child Process",
- "sha256": "2bd1115d1a41b7a4ddd1ec2a4b7dac55b76173ff8ff1e3df92775705269ba0c6",
+ "sha256": "1b81a42027a994ad37e3fd6a68e0cca9c1f3620c0ec4479d34cc05a33c94986c",
  "type": "eql",
- "version": 104
+ "version": 105
  },
  "ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
  "min_stack_version": "8.3",
@@ -8207,30 +8249,30 @@
  "eea82229-b002-470e-a9e1-00be38b14d32": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
- "sha256": "05d0abb50bae439b769843646d3b7295eef4a0bc5c024cf9798ecf355acd3575",
+ "sha256": "9893771c796bd09dcc8f046fd8356942e6cdc5159da8de8a23d418df3220c216",
  "type": "eql",
- "version": 104
+ "version": 105
  },
  "ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
  "min_stack_version": "8.3",
  "rule_name": "BPF filter applied using TC",
- "sha256": "d3b6a041bc5f899f14ba0e350fbb36350e02d5800b1751b2bff3950a02bab9e4",
+ "sha256": "0ea652ae4056c21deda839089e82be5e8d139fe2a4d663b1c351ea38f5373b52",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
- "sha256": "fa04606235d591a3a18f27ac11497e0b0b3c0db64ac9d3cdae52dac5bebb9ca1",
+ "sha256": "b484fef67869242e81d258aa6dd2f985dce79cf7ac6f49d81e8d62e1b34d69aa",
  "type": "eql",
- "version": 4
+ "version": 5
  },
  "ef862985-3f13-4262-a686-5f357bbb9bc2": {
  "min_stack_version": "8.3",
  "rule_name": "Whoami Process Activity",
- "sha256": "a5131bae94678610d7c365c497f62c084b0c6c3c2954fada880c3531d5e342e9",
+ "sha256": "69d5354c891fc163e1c5ade3bb65daff48c54108062356e2608bbe10b4bc33dd",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "ef8cc01c-fc49-4954-a175-98569c646740": {
  "min_stack_version": "8.9",
@@ -8249,9 +8291,9 @@
  "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious HTML File Creation",
- "sha256": "7ab8c378ff7083c1a6c05954e86861bc3ea942fa39a3e3ae31cdc225509315d7",
+ "sha256": "b3a8f746278cc301f6dc58d9f527dea32590a6d76cef0455b4f613d70e2d67a6",
  "type": "eql",
- "version": 104
+ "version": 105
  },
  "f06414a6-f2a4-466d-8eba-10f85e8abf71": {
  "min_stack_version": "8.10",
@@ -8272,9 +8314,9 @@
  "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
  "min_stack_version": "8.3",
  "rule_name": "Attempt to Remove File Quarantine Attribute",
- "sha256": "6433cb81a632852cd17a4e72400aca36cfc55a5f7dcd8826f139d7a029c91097",
+ "sha256": "d7bdcd2de9485c0496e83b118d9a4206a6bb8b4d6a4708797dc89b42403f753a",
  "type": "eql",
- "version": 104
+ "version": 105
  },
  "f0bc081a-2346-4744-a6a4-81514817e888": {
  "min_stack_version": "8.3",
@@ -8293,9 +8335,9 @@
  "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Remote Code Execution via Web Server",
- "sha256": "9472c913dfa8869854d45e63066366097bc76d22561deba5f0332c0e764850d5",
+ "sha256": "9879db0ee4eb6fa5d55af57657d48ec0820bae075840304cdd6e403fc3ab1a1f",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
  "min_stack_version": "8.4",
@@ -8314,16 +8356,16 @@
  "f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
  "min_stack_version": "8.3",
  "rule_name": "Creation of Hidden Login Item via Apple Script",
- "sha256": "f296c42702e111663ae6795fba27be54503e7ec2e1c6a433a0f3cf3ff1c376b6",
+ "sha256": "e9d5cd6f343029ce8db6fae1ac69791d81d0079795f15c27d2b04cae4d5692b5",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "f28e2be4-6eca-4349-bdd9-381573730c22": {
  "min_stack_version": "8.3",
  "rule_name": "Potential OpenSSH Backdoor Logging Activity",
- "sha256": "5b99a39e1fe7e357d865152fc9bddaf95dbcdef3438bbdd9a2de4b9ef6351120",
+ "sha256": "401bf25e8e77ccc790d62c63f3b09edebad5cd9b70eac15912db6aaa46127d58",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
  "min_stack_version": "8.3",
@@ -8335,9 +8377,9 @@
  "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
  "min_stack_version": "8.3",
  "rule_name": "LSASS Memory Dump Creation",
- "sha256": "ddf5498423537a85ccdbb7552f2986e755918e505b195b2aa3e6c58ab2825bc0",
+ "sha256": "c5245d22a0267264ade24de174cf1032b9c68466730cc42d6e58734984ae0c96",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
  "min_stack_version": "8.9",
@@ -8386,30 +8428,30 @@
  "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
  "min_stack_version": "8.5",
  "rule_name": "Threat Intel URL Indicator Match",
- "sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601",
+ "sha256": "15e6c5f162e68e3e99d55f3e56f8e12ff21a337b3225df19df18e23d5223c734",
  "type": "threat_match",
- "version": 3
+ "version": 4
  },
  "f41296b4-9975-44d6-9486-514c6f635b2d": {
  "min_stack_version": "8.6",
  "rule_name": "Potential curl CVE-2023-38545 Exploitation",
- "sha256": "397ef632c840d0922b83d252b5b41db9cbaa48dbded3e4274d7b714ea636231b",
+ "sha256": "ad7d073b51e1fa98d9af62232945217608d7cb3996a06e33226a4dcd83b222ef",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
  "min_stack_version": "8.3",
  "rule_name": "Persistence via Microsoft Office AddIns",
- "sha256": "292a400f924bdf495a355385c16ff53e68f9f3339a16f03722da0a67d20439f9",
+ "sha256": "3532dcb1643708a0b5c5e2ae8f0674579cbb77fe60a022151328d4b38fbb72dd",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "f494c678-3c33-43aa-b169-bb3d5198c41d": {
  "min_stack_version": "8.3",
  "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
- "sha256": "26b40ddcaa37e8f078da5fbfc2a20a67103717af9bed0188b9002a14836ffe5a",
+ "sha256": "d98a7e83fa24ec297e90f61de9d4e6781cfc0ba17dc00049f79130145d7ab7c7",
  "type": "query",
- "version": 108
+ "version": 109
  },
  "f52362cd-baf1-4b6d-84be-064efc826461": {
  "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
@@ -8420,16 +8462,16 @@
  "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Data Encryption via OpenSSL Utility",
- "sha256": "7c8538ccb98edd565c3e77089791a93f35d6fe22c6f6622b1b5830797dfce87b",
+ "sha256": "ddced9a0cc70d7a97aff4223b6abe5ed8faf61be30e7e56fbc87b2d124b9e693",
  "type": "eql",
- "version": 3
+ "version": 4
  },
  "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
  "min_stack_version": "8.3",
  "rule_name": "Windows Script Executing PowerShell",
- "sha256": "137fe700650e80f99c3e810ffa7887f243a69e3fd36267afd3685955e5b3a7e4",
+ "sha256": "98f9b2395052ffc073feec29bc55c3952eae38faa5304ab59098692287a2995e",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "f5488ac1-099e-4008-a6cb-fb638a0f0828": {
  "min_stack_version": "8.8",
@@ -8455,9 +8497,9 @@
  "f5c005d3-4e17-48b0-9cd7-444d48857f97": {
  "min_stack_version": "8.3",
  "rule_name": "Setcap setuid/setgid Capability Set",
- "sha256": "05f3189fe09c5f5c72a44871e7af8a36a085d5f5642ee65deed333c490888820",
+ "sha256": "7fb454ea923d4be1c53da0fce33be447e1856c41f237f0cbea512aec928fa237",
  "type": "eql",
- "version": 1
+ "version": 2
  },
  "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
  "min_stack_version": "8.9",
@@ -8469,9 +8511,9 @@
  "f5fb4598-4f10-11ed-bdc3-0242ac120002": {
  "min_stack_version": "8.3",
  "rule_name": "Masquerading Space After Filename",
- "sha256": "b8733fd0fd4e27a60869420a23f949e588a94ab43ebbc2bacdcb58250c6a82bb",
+ "sha256": "c008022dcc942aac497e03a345678d4351f22bd37f8df7b55687be5b5ed9ce43",
  "type": "eql",
- "version": 4
+ "version": 5
  },
  "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
  "min_stack_version": "8.3",
@@ -8483,9 +8525,9 @@
  "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
  "min_stack_version": "8.3",
  "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "23aef572b50810af907ee7bd6ef6657623f6592f933f9406a58dda38ccecb9d2",
+ "sha256": "48ce252c07058d2ee1ca0800d2b1fecbe03128d07992d41375ca0c03b6a48f48",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "f675872f-6d85-40a3-b502-c0d2ef101e92": {
  "min_stack_version": "8.3",
@@ -8541,16 +8583,16 @@
  "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
  "min_stack_version": "8.3",
  "rule_name": "Persistent Scripts in the Startup Directory",
- "sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665",
+ "sha256": "cba0ef209d381391715a1d4cc32407099e0cc2826fad303f04e46cf39d3effb6",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "f81ee52c-297e-46d9-9205-07e66931df26": {
  "min_stack_version": "8.3",
  "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
- "sha256": "0e07c2995af6088f4c7f371ce44780cab7ffe75d215408752857ac720cea0465",
+ "sha256": "eaf1fe196b0fd766b9dd3e92a9dea8ee67510efe613dff0483b398abdcf91389",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
  "min_stack_version": "8.3",
@@ -8562,9 +8604,9 @@
  "f874315d-5188-4b4a-8521-d1c73093a7e4": {
  "min_stack_version": "8.3",
  "rule_name": "Modification of AmsiEnable Registry Key",
- "sha256": "11ff5b48af4c6fe451b2ce1623b1cb2cb5bb35007bef94018597f897219a10af",
+ "sha256": "902e8a91c828264acc25b9b1ef81880b919f5739fef7a59cc8b1af766f54d38b",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
  "min_stack_version": "8.3",
@@ -8576,9 +8618,9 @@
  "f95972d3-c23b-463b-89a8-796b3f369b49": {
  "min_stack_version": "8.3",
  "rule_name": "Ingress Transfer via Windows BITS",
- "sha256": "f58b2bc6df6119dd19b628c293c7dff6ea595e65b39223cf2d0dde59b882b15f",
+ "sha256": "2b0bea22a5bf532f9af15d9ab5ed07db310010798335f52475ceb9d0292017b0",
  "type": "eql",
- "version": 4
+ "version": 5
  },
  "f97504ac-1053-498f-aeaa-c6d01e76b379": {
  "min_stack_version": "8.3",
@@ -8590,9 +8632,9 @@
  "f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
  "min_stack_version": "8.3",
  "rule_name": "Privileged Account Brute Force",
- "sha256": "f5252571a3884a621635498b85bfdf070a396d30be00c83e6336d0c4e91979e7",
+ "sha256": "36afec4fdbf0b0dbe5dd5f33cf28d0866a711012c96115ea0e205eb6bd791364",
  "type": "eql",
- "version": 7
+ "version": 8
  },
  "f994964f-6fce-4d75-8e79-e16ccc412588": {
  "min_stack_version": "8.10",
@@ -8613,23 +8655,23 @@
  "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
  "min_stack_version": "8.3",
  "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "56bfc5a88cfcdbba392ce9e25d0e7838831cac7440f8ef2a35107b6257261115",
+ "sha256": "07cb5a601ba090bd310db66dc7a01f3be28530f661533672dc80eae9361219ca",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "fa210b61-b627-4e5e-86f4-17e8270656ab": {
  "min_stack_version": "8.3",
  "rule_name": "Potential External Linux SSH Brute Force Detected",
- "sha256": "fac6f9cee3f43e0193ffc987c11e25fd31bc52cf43af80e9cfabc8dc453c1812",
+ "sha256": "218530cac5856894e6aa5cd3de9220598341cf39e21207726a8736e796656132",
  "type": "eql",
- "version": 4
+ "version": 5
  },
  "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Reverse Shell via Suspicious Binary",
- "sha256": "91a2395bf7620588ccb74be3c35e5550521b5efb2e5268f5e5f700def971d705",
+ "sha256": "0614d99e192ebf727ca5211629665791841cb5b9db109bf11e3b8d8c67d84491",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "fa488440-04cc-41d7-9279-539387bf2a17": {
  "min_stack_version": "8.3",
@@ -8641,9 +8683,9 @@
  "fac52c69-2646-4e79-89c0-fd7653461010": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Disabling of AppArmor",
- "sha256": "af928c417577e8cc0260d0553a69112ffe4cce0432ff7dd3e11a6bf0e6c446d1",
+ "sha256": "34fdcfc5bff48dc2d657a33d95b6f8a56e38e5110fad29d01863329e1f5e1f68",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
  "min_stack_version": "8.4",
@@ -8693,9 +8735,9 @@
  "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
  "min_stack_version": "8.3",
  "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "d82de3a511d6f9d1fdacc568ea1f4f13dcb5c7b1923e37472627edad3bc0e244",
+ "sha256": "695672533f96849fc04744a44bb0c3d2c8ad763e56b29d8e9df74708aa58ec0e",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "fd3fc25e-7c7c-4613-8209-97942ac609f6": {
  "rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -8706,9 +8748,9 @@
  "fd4a992d-6130-4802-9ff8-829b89ae801f": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "4b954791de8751f010850822c06e03453a0570b6d49480dce1b58cd1a05b269d",
+ "sha256": "1b6fb7fa94a0e738049d247dc04b6264f0be47b0bcd5ad5a93807de37e0d5f67",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "fd70c98a-c410-42dc-a2e3-761c71848acf": {
  "min_stack_version": "8.3",
@@ -8729,9 +8771,9 @@
  }
  },
  "rule_name": "Svchost spawning Cmd",
- "sha256": "2cf4b3a4a92c5be889a51b4f1d51c3eab77327b7bf883a2a045d1571d8779e4b",
+ "sha256": "7848efd45bcbe0c34fac7bba24931d7f0cafe07c08a91af0e478d23d723a0bfd",
  "type": "new_terms",
- "version": 207
+ "version": 208
  },
  "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
  "min_stack_version": "8.3",
@@ -8743,30 +8785,30 @@
  "fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
  "min_stack_version": "8.3",
  "rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
- "sha256": "590ac86e1af3b8706e4cb2a69e8fdd314724e77dbb5799e8fb98370ce40c9e58",
+ "sha256": "5429be9bfc7f82918122fa6dcc5088a9f5934fa0b93cd24eecb1b3a33e52a053",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "fddff193-48a3-484d-8d35-90bb3d323a56": {
  "min_stack_version": "8.3",
  "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "5c50aaa0928ecab2b1476d973bb4bfb90d78dd9e2448e1aaa8c61daa32ddedce",
+ "sha256": "752821996ecca2eaeacb9d0694eea57ddf1ed278ab32ceecfa6fd0514f9a16d6",
  "type": "query",
- "version": 1
+ "version": 2
  },
  "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
  "min_stack_version": "8.3",
  "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
- "sha256": "7e932f33b6e1585cd992ffb8d0c475283c7c7d9e5f8480d9858165a716090f61",
+ "sha256": "233aae2af8866a118d0080a5d695beef8bddfb17bf9788964055df0f6cfdad5b",
  "type": "query",
- "version": 2
+ "version": 3
  },
  "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
  "min_stack_version": "8.3",
  "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "a8eff42378039fb19f5db47284f5c0fc7ac55a01a9ec1c5d9b1a664f91fff887",
+ "sha256": "c96941a5ebb42e39bd2527bcfd0d2be708992dbdf722a7622a1642525b235ddd",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
  "min_stack_version": "8.3",
@@ -8785,9 +8827,9 @@
  "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
  "min_stack_version": "8.3",
  "rule_name": "MS Office Macro Security Registry Modifications",
- "sha256": "eb594f40b846f2e27c3ac05de62f5c78c771164a6d579245e5e4c27990e1c049",
+ "sha256": "df7ad57c972d298da6bf985f44b45cc04e2ebac358b7aa99a0662df6ab2d550b",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
  "min_stack_version": "8.3",
@@ -8806,16 +8848,16 @@
  "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
  "min_stack_version": "8.6",
  "rule_name": "Cron Job Created or Changed by Previously Unknown Process",
- "sha256": "b1a94af889b3bd5f19d461f40cf67ebb70a8c9c19383c1c6b821e829e49477e8",
+ "sha256": "dcc745dbac15e8073ffc6bb416dd3a2f1b170e3ea46bfb1c41085cf82a6f009e",
  "type": "new_terms",
- "version": 5
+ "version": 6
  },
  "ff4599cb-409f-4910-a239-52e4e6f532ff": {
  "min_stack_version": "8.7",
  "rule_name": "LSASS Process Access via Windows API",
- "sha256": "592b792af644dd525e7bb61b8ba69a59219b797775997301b8ca62e5e71e03bd",
+ "sha256": "1b7ddc7981baef1561c102347f23a1168fd3023c338e394cc8ed2956864b7ffb",
  "type": "eql",
- "version": 4
+ "version": 5
  },
  "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
  "min_stack_version": "8.3",
@@ -8834,8 +8876,8 @@
  "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Sudo Token Manipulation via Process Injection",
- "sha256": "7f5618048d9c9a947da0f5e7789a02590652382297e9fc2355be088f7eb8a2bf",
+ "sha256": "0e051f6a89e0dd3e32af0d2331b7ab799d7e1f852849859f6cab82b3b5d8b4d9",
  "type": "eql",
- "version": 3
+ "version": 4
  }
  }
\ No newline at end of file