diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 40d95969b..670e52b1a 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -39,9 +39,9 @@ "0136b315-b566-482f-866c-1d8e2477ba16": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17", + "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", "type": "query", - "version": 102 + "version": 103 }, "015cca13-8832-49ac-a01b-a396114809f6": { "min_stack_version": "8.9", @@ -120,9 +120,9 @@ "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725", + "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", "type": "query", - "version": 102 + "version": 103 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.3", @@ -190,9 +190,9 @@ "054db96b-fd34-43b3-9af2-587b3bd33964": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through Systemd-udevd", - "sha256": "db11dd77c2e7a28b415f709d5c6a4c2f50d6639fac4480ca35e0ccdddd837c96", + "sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763", "type": "new_terms", - "version": 2 + "version": 3 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", @@ -211,9 +211,9 @@ "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", - "sha256": "096c4047e2d5c332df1556e653b387ff45bc20f504f8a4b0a6b48151a55674ed", + "sha256": "f667ec2eb15d89e90cf9ae3a10a6976e2b6d29d27d4638c580872961d8ceacf8", "type": "query", - "version": 2 + "version": 3 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", @@ -465,9 +465,9 @@ "0ce6487d-8069-4888-9ddd-61b52490cebc": { "min_stack_version": "8.3", "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff", + "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", "type": "query", - "version": 102 + "version": 103 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "min_stack_version": "8.3", @@ -500,9 +500,9 @@ "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "min_stack_version": "8.3", "rule_name": "SharePoint Malware File Upload", - "sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579", + "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", "type": "query", - "version": 102 + "version": 103 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "min_stack_version": "8.3", @@ -1091,9 +1091,9 @@ "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "min_stack_version": "8.3", "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45", + "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", - "version": 106 + "version": 107 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", @@ -1481,9 +1481,9 @@ "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "min_stack_version": "8.3", "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9", + "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", "type": "threshold", - "version": 103 + "version": 104 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.3", @@ -1495,16 +1495,16 @@ "2724808c-ba5d-48b2-86d2-0002103df753": { "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "ab06e0853ec7a2402c68a2aa0ced95e3fcaca432ce6fbd3fa620af718b998b19", + "sha256": "effa27b5c3262001b53cad02b8704357c550fc2a33d2186bd1412e8b631859ff", "type": "eql", - "version": 2 + "version": 3 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353", + "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", "type": "query", - "version": 102 + "version": 103 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", @@ -1523,16 +1523,16 @@ "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726", + "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", "type": "query", - "version": 102 + "version": 103 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", - "sha256": "a3ad12d5f9099c09f319bd8673a640d823bd711b02d7db6ac84e83966963cfc2", + "sha256": "bd56a7406f9eb92ed5ae5f56f3b907b56ac2f13892cb6f81d1fc8810651fbedb", "type": "eql", - "version": 108 + "version": 109 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", @@ -1735,9 +1735,9 @@ "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e", + "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", "type": "threshold", - "version": 103 + "version": 104 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "min_stack_version": "8.3", @@ -1847,9 +1847,9 @@ "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "c5d4a3001d7351c602369af6c986ac059de87c9b83a9217a63faaacf66a54a0f", + "sha256": "41a17a81e7dbbf1e337709a394e0be029ac4d83690a5bae894f24d09e5939b60", "type": "eql", - "version": 6 + "version": 7 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "min_stack_version": "8.3", @@ -2030,9 +2030,9 @@ "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", - "sha256": "0f9b9c003bc39253a948a9da6d7c5b5263d9d1dc3c73abf730550e6c0c3ff687", + "sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254", "type": "eql", - "version": 3 + "version": 4 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "min_stack_version": "8.9", @@ -2269,9 +2269,9 @@ "3e12a439-d002-4944-bc42-171c0dcb9b96": { "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", - "sha256": "943b3b49ddeb5d7f3cedcc5cd924db6f3c7c44435aa3913ee577e89925ae0651", + "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", "type": "eql", - "version": 3 + "version": 4 }, "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", @@ -2313,9 +2313,9 @@ "3efee4f0-182a-40a8-a835-102c68a4175d": { "min_stack_version": "8.3", "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67", + "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", - "version": 103 + "version": 104 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "min_stack_version": "8.3", @@ -2596,9 +2596,9 @@ "48819484-9826-4083-9eba-1da74cd0eaf2": { "min_stack_version": "8.6", "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea", + "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea", "type": "new_terms", - "version": 1 + "version": 2 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "min_stack_version": "8.3", @@ -2724,9 +2724,9 @@ "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "min_stack_version": "8.3", "rule_name": "ProxyChains Activity", - "sha256": "b6d4b380b3738c08ae7418cf9bf2094fea2128d43315465e741e17fb6bf6c361", + "sha256": "57ef2c8bafe0c644017773b4793d326d1eaa88d8b6cc8a764ce142cbd468a448", "type": "eql", - "version": 2 + "version": 3 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "min_stack_version": "8.9", @@ -2868,9 +2868,9 @@ "514121ce-c7b6-474a-8237-68ff71672379": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3", + "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", "type": "query", - "version": 102 + "version": 103 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "min_stack_version": "8.3", @@ -2882,9 +2882,9 @@ "51a09737-80f7-4551-a3be-dac8ef5d181a": { "min_stack_version": "8.3", "rule_name": "Tainted Out-Of-Tree Kernel Module Load", - "sha256": "906a021911de5e8f4437da9087e7b52974e5ae6d5decb416ebc494866bf4ecc9", + "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", "type": "query", - "version": 1 + "version": 2 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.3", @@ -3201,9 +3201,9 @@ "5930658c-2107-4afc-91af-e0e55b7f7184": { "min_stack_version": "8.3", "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935", + "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", "type": "query", - "version": 102 + "version": 103 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "min_stack_version": "8.9", @@ -3280,9 +3280,9 @@ "5b18eef4-842c-4b47-970f-f08d24004bde": { "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", - "sha256": "7d7caddbf4b4d96f05ac6949cb45758377a5e3bf4b700ccf482055409ec6f2c2", + "sha256": "69d468e7d20c3791c53b93dada74a299db61b105a4bc22ed3b5e08711a47bfd7", "type": "eql", - "version": 3 + "version": 4 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "min_stack_version": "8.3", @@ -3417,9 +3417,9 @@ "5e552599-ddec-4e14-bad1-28aa42404388": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f", + "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", "type": "query", - "version": 102 + "version": 103 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", @@ -3444,9 +3444,9 @@ "60f3adec-1df9-4104-9c75-b97d9f078b25": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7", + "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", "type": "query", - "version": 102 + "version": 103 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.3", @@ -3625,10 +3625,10 @@ }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.3", - "rule_name": "Linux Secret Dumping via GDB", - "sha256": "69b91af7c13fbc10668c950da9d070e9350d6f40ae5115d828703884de988e06", + "rule_name": "Linux Process Hooking via GDB", + "sha256": "b3318b7675f46ff6010f0b14354de0fc80b653f22835e38f76217b88dc3ab892", "type": "eql", - "version": 1 + "version": 2 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.3", @@ -3663,9 +3663,9 @@ "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "min_stack_version": "8.3", "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d", + "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", "type": "query", - "version": 102 + "version": 103 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.10", @@ -3712,9 +3712,9 @@ "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "min_stack_version": "8.3", "rule_name": "New or Modified Federation Domain", - "sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6", + "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", "type": "query", - "version": 102 + "version": 103 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", @@ -3857,9 +3857,9 @@ "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "7cf65464523d24beeac567cd5b9693fec22ad30bbfe4cb108c18b3cfc557ca40", + "sha256": "2442d8e0afa98b686eab3bcb1903abd546f86596652f60691f6efdfd621713e3", "type": "eql", - "version": 5 + "version": 6 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "min_stack_version": "8.6", @@ -4109,9 +4109,9 @@ "721999d0-7ab2-44bf-b328-6e63367b9b29": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302", + "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", "type": "query", - "version": 102 + "version": 103 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.10", @@ -4771,9 +4771,9 @@ "88671231-6626-4e1b-abb7-6e361a171fbb": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50", + "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", "type": "query", - "version": 102 + "version": 103 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "min_stack_version": "8.3", @@ -5338,9 +5338,9 @@ "97314185-2568-4561-ae81-f3e480e5e695": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f", + "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", "type": "query", - "version": 102 + "version": 103 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "min_stack_version": "8.3", @@ -5445,9 +5445,9 @@ "98995807-5b09-4e37-8a54-5cae5dc932d7": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e", + "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", "type": "query", - "version": 102 + "version": 103 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "min_stack_version": "8.9", @@ -6001,9 +6001,9 @@ "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda", + "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", "type": "query", - "version": 102 + "version": 103 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "min_stack_version": "8.4", @@ -6110,9 +6110,9 @@ "ac8805f6-1e08-406c-962e-3937057fa86f": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "8c1fcd1ccc01b7c092eac3e49fb246f3f883093d07485ca2528b0212e66d1421", + "sha256": "34b6716c496b1178e904c674b9e693a568ca3f5cc14b35679edfebdcbe819cb1", "type": "eql", - "version": 4 + "version": 5 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", @@ -6322,9 +6322,9 @@ "b2951150-658f-4a60-832f-a00d1e6c6745": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07", + "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", "type": "query", - "version": 102 + "version": 103 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.3", @@ -6612,9 +6612,9 @@ "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "min_stack_version": "8.3", "rule_name": "OneDrive Malware File Upload", - "sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814", + "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", "type": "query", - "version": 102 + "version": 103 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "min_stack_version": "8.3", @@ -6626,9 +6626,9 @@ "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", + "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", "type": "query", - "version": 103 + "version": 104 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "min_stack_version": "8.9", @@ -7156,9 +7156,9 @@ "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b", + "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", "type": "query", - "version": 102 + "version": 103 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "min_stack_version": "8.4", @@ -7562,9 +7562,9 @@ "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "ce07cc502120394f374d4b4f5e5f706cfe97c593a8d2e56b9d4e8800acffad99", + "sha256": "a52643d7321caf85380a4ed6148bef35c8425b00082a0ae6d7b352f82ecb391b", "type": "eql", - "version": 4 + "version": 5 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "min_stack_version": "8.3", @@ -7649,9 +7649,9 @@ "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa", + "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", "type": "query", - "version": 102 + "version": 103 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.3", @@ -7670,9 +7670,9 @@ "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b", + "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", "type": "query", - "version": 102 + "version": 103 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "min_stack_version": "8.3", @@ -7824,9 +7824,9 @@ "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "2dec4f8780da5987b36ab32a471d2c70a5eaee968d608b8ce70ea52290021878", + "sha256": "e5650e2474aae5fab08118c262adeb299cbaee2b02a70d5ffec40097ada719ca", "type": "eql", - "version": 6 + "version": 7 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", @@ -7889,9 +7889,9 @@ "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "0f2e6ac845f8b90178b87d34179c8221ebb916e5b879e1acba116f2bc751ead8", + "sha256": "9e0b0fb6936bd328d5d7b6e23154e6cc371ebce8171a2047be0575e8763fbace", "type": "eql", - "version": 108 + "version": 109 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "min_stack_version": "8.6", @@ -8006,9 +8006,9 @@ "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "e1ed4e0365edf2d5b5f63fc4a633c8d5520823cbb25d79826c9bde9fb5648a6a", + "sha256": "0893951b70d630aef74cd34abc894e0ab6951ccac37a819c449f7b459f1a4eb5", "type": "eql", - "version": 2 + "version": 3 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", @@ -8533,9 +8533,9 @@ "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", - "sha256": "23a5f7e32120fdb45c8175f8b7d7466b7f576e9d71127c5cbf486776602a7d54", + "sha256": "4b41664ac4de90d5a6911bca73f92933f49cf46f25ba5c3e4852456e8bece7ba", "type": "eql", - "version": 108 + "version": 109 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", @@ -8568,9 +8568,9 @@ "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576", + "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", "type": "query", - "version": 102 + "version": 103 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "min_stack_version": "8.3", @@ -8905,9 +8905,9 @@ "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "ddced9a0cc70d7a97aff4223b6abe5ed8faf61be30e7e56fbc87b2d124b9e693", + "sha256": "cfb1b743b6fa0a445ac73256b1e736171185b9c296f9d73efac25b538d64ea02", "type": "eql", - "version": 4 + "version": 5 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", @@ -9147,9 +9147,9 @@ "fac52c69-2646-4e79-89c0-fd7653461010": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", - "sha256": "4f8a4b5f58afc63fe8e1fef64b1f0f5ed48bce8b895a9f80afb8ff33e8f74f3e", + "sha256": "59fdb01847d36f82c27f340f9e7aaa3aeef098f8f2eb04f77cc178331a36c8e1", "type": "eql", - "version": 4 + "version": 5 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "min_stack_version": "8.4", @@ -9347,9 +9347,9 @@ "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7", + "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", "type": "query", - "version": 102 + "version": 103 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "min_stack_version": "8.3",