security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619)

Browse Source 
* Locked versions for releases: 7.13,7.14,7.15,7.16

(cherry picked from commit f0f3b83eab)
This commit is contained in:
github-actions[bot]
2021-11-16 00:31:27 -09:00
parent a50bd1ae15
commit a06dc65acd
2 changed files with 172 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files
etc/deprecated_rules.json
+5
View File
@@ -9,6 +9,11 @@
"rule_name": "PowerShell spawning Cmd",
"stack_version": "7.14.0"
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"deprecation_date": "2021/08/02",
"rule_name": "AWS RDS Snapshot Export",
"stack_version": "7.13"
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"deprecation_date": "2021/04/15",
"rule_name": "User Discovery via Whoami",
etc/version.lock.json
+167 -67
View File
@@ -12,8 +12,8 @@
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "606d4f374fc98e99bd86c9ef062bb48f416b10951ed6138c0ff817fabd8c9ed6",
"version": 9
"sha256": "54fc1dc508daf749ca6a92dfd20fc62e6715527a8aeb14a2c8fcc627d1606105",
"version": 10
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
@@ -195,6 +195,11 @@
"sha256": "f7a9a22c1a88de514cbe1dae2e20a6e83de0000461b15d949b649704273c9498",
"version": 4
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "03dc719901ede4c776db56acbb5acf4106c348b9dd70cd6ec496d0d734175124",
"version": 1
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
@@ -368,13 +373,13 @@
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "06b2b27914185928fcafb1a80db136dde43ea01d646bc66e4f3cdf6beea7a469",
"version": 2
"sha256": "3d74f5205bbde325b86c72bf634ffba8648e208a314cff8e74be0aed2836eede",
"version": 3
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "a0716e9b819c5dc12e825c123a907de9b2a6b20f3dcf5191faa43f33a5acdc6f",
"version": 2
"sha256": "db68a6ddeb9ff20f43c047dcd1de97515eb952ee0c23b9d232e35a0786a7b71c",
"version": 3
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
@@ -493,8 +498,8 @@
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "ec3c481e92364c4fad7260840ea8ce1c35fe40bdaf781b7bcff726ac436e1bf9",
"version": 2
"sha256": "39f270dbc3e0b1d4c31b5bec7ee74a66f9bf12b4d37023562cf649f4e232e779",
"version": 3
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
@@ -533,8 +538,8 @@
},
"2917d495-59bd-4250-b395-c29409b76086": {
"rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
"sha256": "c1adfb252308887a5bdac88b3edc8eae5c11fe737a019a177fe777aa1197348d",
"version": 2
"sha256": "71c8450638f4fe25ff585483564b55ea9fa82c2e4bf431ada7dd963a5b4c5e22",
"version": 3
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
@@ -543,14 +548,19 @@
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "ef62ccfe4455d54403f9578bd22ca980ef2a88b8d715172adbb52ae4437c23af",
"version": 3
"sha256": "59e30d612d785a22cb0a99026698ee8ff597cefc2ab1a3cd8d01ca5e6985f7e7",
"version": 4
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b",
"version": 6
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "5d595819fe049ce10fa799193a82bd3116314dd79ee4210f7c7d8a212ba9e3ed",
"version": 1
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "4bc52c3a4d918cc293e0ac2f21ad95122031ace364c0445d22a4f6b3279dadab",
@@ -571,6 +581,16 @@
"sha256": "73d4fb8598a974e4c18b6e713228bdddad082fccbb5b41ead57a9a8a31c0d429",
"version": 2
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched ",
"sha256": "7610e908f43c07edb189e630d82850923bd31af83e007f3db90a5d6bd62e4536",
"version": 1
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "e68aefbfc6d43274cb4fa313f901a07211b61c7d4d811cc31ce5437e560cb59d",
"version": 1
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6",
@@ -639,8 +659,8 @@
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "0b1eb863c256967c4d2aa9423f1df47ac3ac3cf7a5c3db98660a488f516e07cb",
"version": 2
"sha256": "0eea43805ecd683b5a20d92763182a589a053f2b3f85e7cd328ff4697555f1a3",
"version": 3
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Telnet Port Activity",
@@ -742,6 +762,11 @@
"sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c",
"version": 11
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "78613742979e36a993f52ef1a7a4fb1de7e286ed4c5e52fe24eac7726f4173e8",
"version": 1
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "1e6bcd8c9bc347e916e73bbf5adc8c3bc7b5951a8bd471197b2bd3ef22e72921",
@@ -956,8 +981,8 @@
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "fb6874177f1e3a261c4b67085479793e4423e4be78be5169af97ea5299426828",
"version": 3
"sha256": "7630fc43d6168922d8fd4af707b3c7778f38e7800a563e631c6d332e7022d42a",
"version": 4
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
@@ -984,6 +1009,11 @@
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"version": 4
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "0634f98a6b3f7c0ce986b597cdb1efff2a43bb76cb00fedea4c3e8ffedc035dd",
"version": 1
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "8ba5acc8850e486039277d2da8132a4203da644e6a12e3b500bb67629678dff7",
@@ -1039,6 +1069,16 @@
"sha256": "adb1c5873c29391a82b5763b8006396d122797154d046175018644669e6855c8",
"version": 6
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Azure Virtual Network Device Modified or Deleted",
"sha256": "bf510c9aa685e115cc351c4a543b89bd5d3376f7a3956412e65e90b5411aeb17",
"version": 1
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "e99fcc191c502e6e853476e7aa2eef7868fdd29f92242f4d4db3bdfe699ac8da",
"version": 1
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "868ffb9b45e3d8236b93e72b26814071dc1f1d6f1594fc54b97abc6be9f3d242",
@@ -1056,8 +1096,8 @@
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Lateral Tool Transfer",
"sha256": "7f2b4f3a2547ecc9c00623f5a23e27e68065769490004d0852a4cadfd8c1821d",
"version": 2
"sha256": "837e80276905c148e4debb9b11b169a1b05bfc70fd046da13a7bb9ae8b2ea042",
"version": 3
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
@@ -1106,8 +1146,8 @@
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "842d45e42d2842a379682b8f9f17bd6a6a77b11af24ff95081b42a10300da7e5",
"version": 3
"sha256": "64a269e25fae2964d9e1cb61115089d57eebcbdbc1b822cf41ecfc490977e15a",
"version": 4
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group in Active Directory",
@@ -1159,6 +1199,11 @@
"sha256": "9284b390c8c7e73e77a69f2d0e2900f6b6ef1e04caca2806f594f3695bc65b86",
"version": 7
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "734b426e6b6947606499e358609b75c1f06ecf347a66b708fd1455d184c21e09",
"version": 1
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
@@ -1166,13 +1211,13 @@
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "77491c98fb172a33ef724d96f7b9d6d9ef5991aa0e86270846cbc5691167ddec",
"version": 3
"sha256": "76323de0ef3251b57c93619ffbeb7dfd3363e839a589f393ff44c2f9d86cd92c",
"version": 4
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "ef677da1d6e146d9608c74c535a574cde65a061bdf6949d119c91faea44f90ac",
"version": 8
"sha256": "480b35158e6bde86c97da264cbbc89e51301efc810ebfc8913739b428152b2b5",
"version": 9
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
@@ -1257,8 +1302,8 @@
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "b9385a20316c74f2f19353aa236f9c1afb3313df732395e9136cc020f037ef7f",
"version": 4
"sha256": "e36b6e5cdc71883b3829db49b0ec46d102f02be1c7afb892e4b2a95c72a8b5fa",
"version": 5
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
@@ -1287,8 +1332,8 @@
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "d714ce0962a7c7e2f1dae1aec682f7b98138ca47d060f0b89d06599a5821b4d2",
"version": 5
"sha256": "1ba40e93a9dd9329c966e27d0d95d4f4629eda849b5480dcacf1c03f0fe4a350",
"version": 6
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
@@ -1317,8 +1362,8 @@
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "0062c2a192b58a69c17b50f78563e312da63225ef34decdd44a2246a7afba5fb",
"version": 3
"sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0",
"version": 4
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
@@ -1516,6 +1561,11 @@
"sha256": "f77cf6a6f9ef86b2152b36bf3811485d39bf9c62dcaa02fb0df6c2233cdc8019",
"version": 1
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "30f7f19037deab72b77711c89ef4f18d1a0bb75ba9c8630a083f0924b0c63ba4",
"version": 1
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "7.13.0",
"rule_name": "Suspicious PowerShell Engine ImageLoad",
@@ -1547,6 +1597,11 @@
"sha256": "2f6700f791dd256057e4282a89b038cb5296e4c8c37b48776db059141f394a7b",
"version": 4
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "aca795e6520b728e599ac3a7fa2a422977a761deaf06ec388ae6179558bb139b",
"version": 1
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
@@ -1564,8 +1619,8 @@
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "8dfd5e2b37ef8b8c3e3be8bd7022b8a3d2af58a7ae8bc173a1fee6ee39108392",
"version": 3
"sha256": "57953cee8db2f39ea676b8cb8ebd4419d0e6147dc1c12c4750e5995b0d7794fa",
"version": 4
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Command Prompt Network Connection",
@@ -1608,6 +1663,11 @@
"sha256": "ebcb01477dc704bdeee0d1db6985b13879e9151e5552f29028517978eda2b2f0",
"version": 2
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "56a399415e6ff6a2730f6a81d02a44c3a24fb42ae359dced1da1514f2025f119",
"version": 1
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283",
@@ -1620,8 +1680,8 @@
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "8881269746a6601e50ebc55a0e0dc108792345a2a7dbcce70e37edbe01a18a97",
"version": 3
"sha256": "cab3788fbfcefb5b2d4e6f079053f5ba19197d35730d9544a8bd0dce2ef4a1bb",
"version": 4
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -1640,8 +1700,8 @@
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "f15afff68492c854090384c5c1e745704d316f3ef9b8687ba2b9e19a1731addb",
"version": 3
"sha256": "0ca71ba980d30920612bc3871064629dccd38832867566b7c179934bb0bf1803",
"version": 4
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
@@ -1693,6 +1753,11 @@
"sha256": "b15eabc6db99f314e02c8cd2d1afdd5f9b52301be4089503c91cd48a51740b98",
"version": 4
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "e3474858022371a4edaaa39fd660b12f67e6c649bdb7e5c38ee4d4d567776a4d",
"version": 1
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478",
@@ -1725,8 +1790,8 @@
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "bdf58af9de2ec55b8d3374f97e3777ebf9b7188990501623ebe9928d176f1b7f",
"version": 4
"sha256": "e26d4edde4870c10ccebc081c4ee7c5fc5606da903cb53da92b76f355be04871",
"version": 5
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
@@ -1748,10 +1813,15 @@
"sha256": "bf46beb44ae071c1d51a5e3d5f2bb6fc6556087aaebec176dcacc2534e974560",
"version": 5
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS SAML Activity",
"sha256": "becac153f02e4578bcfc536ff9635c9e75cbcab41684051300d2f271d1352bd0",
"version": 1
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"rule_name": "Suspicious Zoom Child Process",
"sha256": "2c8a2e1781948610289bc5637ff2bbbee23e344a460ef0b4835f4e2e057a61cf",
"version": 4
"sha256": "939b366f86b602d26bc22bbeaed26cfdf9465352e186f0b0034f0c2b0b1d0bae",
"version": 5
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
@@ -1816,8 +1886,8 @@
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"rule_name": "Hosts File Modified",
"sha256": "4a0f91bdde24a42c4deee1abf27d87df4617f314a20aeea716275c663bc0d9fc",
"version": 5
"sha256": "3c3588d174cd600f65ee7d3050915a5831b1bd182e27561d3615c7f77973846b",
"version": 6
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"rule_name": "Command Shell Activity Started via RunDLL32",
@@ -1831,8 +1901,8 @@
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "57f0f8cb76a41fe58206cf95a8341b2e94f9d9c211e39811cac0f95721b09fa1",
"version": 9
"sha256": "87c20cfb4ea3953543c6011959936c3cdc29ec7b103b20edb95253055c27fde1",
"version": 10
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
@@ -1891,8 +1961,8 @@
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "22617dc74d926a2a732c42e67b1196e6cf972b743bf69db18de1e3c7686299a2",
"version": 3
"sha256": "d7a9f13cd241a8a41a9b8a0fa534b662929f57162382e173dc2a99ab49da8a8a",
"version": 4
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
@@ -1909,6 +1979,11 @@
"sha256": "c9bf1fe195602f505c43eda209be7267cf3997e49d86773f719a0a4300d70db8",
"version": 1
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "4b004411a23d95460c99778056af5c0bf65e9404ee913dddfeff6531645ce9e0",
"version": 1
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"rule_name": "Execution via local SxS Shared Module",
"sha256": "fee8b8d1d56be16d7fe1a0de049286cf7095506b3bf9cc39d48e18ea8fbfd356",
@@ -1991,8 +2066,8 @@
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "8a094bcec3f04942226308fbf29d09e5658a58269cd508cf13370f18f211a00d",
"version": 2
"sha256": "54bef8370cf390fe72e2b52304b62e21884c0c7179d4c13410639871004ac20b",
"version": 3
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
@@ -2049,6 +2124,11 @@
"sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
"version": 5
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "ca85c0740fb6ecc80e4569850b9ad398eadc3087d861ca27edfd5f53d47ce216",
"version": 1
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "ae34300bc6a31dec04ee9e3edfda886d660fef5b4b5b11ac17e87b1c12629a2b",
@@ -2061,8 +2141,8 @@
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "ff34f929f7deef7c202a29aa90c2643c58e0478eda70efe49120e5d1ab63ad3e",
"version": 8
"sha256": "1991289eb30b8232cdc4f6c197a93050601db6490831884cb41669e3c91b1f0c",
"version": 9
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
@@ -2235,6 +2315,11 @@
"sha256": "992fc3eb2005070d0a2eb094b89e093b57426cbe863e2c35c946265fb8f0d23c",
"version": 2
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "07509e55592cb8d9c556bc4038e78c154131b583db68dafe661e3aaaab36b406",
"version": 1
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "2e2cc6d275afd2b0ad2082fc64d16ff251c7b91b0ad5370583bc7fb460166ee5",
@@ -2398,8 +2483,8 @@
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "fe8467442755a077a9833057c8622fec49bb3aaa321e8231a45db4f6769c2a63",
"version": 1
"sha256": "611d2771b89ee0ba4bddee2fe900cec60a79a0b9a76e4428365fb04bfbec58f3",
"version": 2
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
@@ -2478,8 +2563,8 @@
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "823c4ff1be037943b66d709e61e0133600e0c2e6b13b4c3a62a446c5122f298e",
"version": 5
"sha256": "c3ab50eea009a6df031ff727cb6f5ab3e6699ab059766dd11702e0e67ae8522a",
"version": 6
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
@@ -2518,8 +2603,8 @@
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "6045641eb94c7fd8b0837e3aee0d9d4f2c876cf7ef5caab2d04c079dc11dd562",
"version": 10
"sha256": "ecbbc7859552c8437157063f812772cb9577843591fc62608079300e3210e66a",
"version": 11
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
@@ -2607,6 +2692,11 @@
"sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f",
"version": 6
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Permissions Modification",
"sha256": "0a8db0c43b681d84156a42b60ab5ecd8fe9caf71f2bc01c51a9c768bf9d901e6",
"version": 1
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"min_stack_version": "7.14.0",
"rule_name": "Spike in Logon Events",
@@ -2625,8 +2715,8 @@
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "c166e8d3145309bbf8fb2f0a8940d6e32de698c63c1e0da088b8451223cda272",
"version": 1
"sha256": "c564a84bd80412505c6c368bbaa4901157515871a4dca9ef8642fad1cdbdf2e1",
"version": 2
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
@@ -2640,8 +2730,8 @@
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module Indicator Match",
"sha256": "4aee4e7612e01f652dd5bc52ec84e6202f180ab4525080a71e3da0201e4a67d1",
"version": 2
"sha256": "3799b7164988714cc94fc0fb9be852b8335673a9b5d93699b8378426840de9c4",
"version": 3
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2703,6 +2793,11 @@
"sha256": "64e549b8b5703062cd3bd1677df0e23c99eb1a924b818a819267abdbd5248488",
"version": 5
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS Route Table Created",
"sha256": "99e6091a7fa21fe0e7bf5add82d9f9b8fb1e4a87b7faabd8aacc8786e0f5886e",
"version": 1
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "7de7854de44a80b0bd2a2a0197d6ebb3213a89c8f2f2257284f1948d008f4760",
@@ -2736,8 +2831,13 @@
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "bc0cdfb0670f89d77aae9839c681a4e26499830163210bbe8ce929b5c426c68f",
"version": 9
"sha256": "b4768d0f8f0ed9689db41b8f284dda3bc646f7b85d32b60293e82285d6dfa9fc",
"version": 10
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "e55bea74533e2fc5765e72b6d225511d1cfe053d9489dd81361da331c5c57f85",
"version": 1
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
@@ -2971,8 +3071,8 @@
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "ed25b43fb38cbc23d92775bb0284a9fd055dd53d8824bcda78d2c9ffdc8428c5",
"version": 2
"sha256": "627242cc631e03be3dd2bf3eb1450a9307dfa129ca22c999bda6e5f91f9cb8ef",
"version": 3
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
@@ -3016,8 +3116,8 @@
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "7eb3227762aa2a2cf9d9d514b28b2ef6a40eb2c254654b39a93385f44593bf02",
"version": 1
"sha256": "ec14e52e83826d9560d3fd5517acd8ea8328d2ee89f66fdfdc679bc2843e2eb3",
"version": 2
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
@@ -3094,4 +3194,4 @@
"sha256": "d1a7cbc54b4f8910cb9a43b7d0d568b13418ca9fce205a9fbdcc2396a3baf618",
"version": 5
}
}
}