From a06dc65acd3050f62c463578c035d7411cd9019e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 16 Nov 2021 00:31:27 -0900
Subject: [PATCH] Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619)

* Locked versions for releases: 7.13,7.14,7.15,7.16

(cherry picked from commit f0f3b83eab34b1a9133d6c3bf2f4d4985dfada94)
---
 etc/deprecated_rules.json | 5 +
 etc/version.lock.json | 234 +++++++++++++++++++++++++++-----------
 2 files changed, 172 insertions(+), 67 deletions(-)

diff --git a/etc/deprecated_rules.json b/etc/deprecated_rules.json
index 8e0f87b5f..305c15b92 100644
--- a/etc/deprecated_rules.json
+++ b/etc/deprecated_rules.json
@@ -9,6 +9,11 @@
 "rule_name": "PowerShell spawning Cmd",
 "stack_version": "7.14.0"
 },
+ "119c8877-8613-416d-a98a-96b6664ee73a5": {
+ "deprecation_date": "2021/08/02",
+ "rule_name": "AWS RDS Snapshot Export",
+ "stack_version": "7.13"
+ },
 "120559c6-5e24-49f4-9e30-8ffe697df6b9": {
 "deprecation_date": "2021/04/15",
 "rule_name": "User Discovery via Whoami",
diff --git a/etc/version.lock.json b/etc/version.lock.json
index 446d1d032..5a32f07ac 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -12,8 +12,8 @@
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "rule_name": "System Shells via Services",
- "sha256": "606d4f374fc98e99bd86c9ef062bb48f416b10951ed6138c0ff817fabd8c9ed6",
- "version": 9
+ "sha256": "54fc1dc508daf749ca6a92dfd20fc62e6715527a8aeb14a2c8fcc627d1606105",
+ "version": 10
 },
 "0136b315-b566-482f-866c-1d8e2477ba16": {
 "rule_name": "Microsoft 365 User Restricted from Sending Email",
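Review bot: The new deprecated_rules.json entry sets `"stack_version": "7.13"`, while the neighbouring entry in the same hunk uses the three-component form `"7.14.0"` (and every `min_stack_version` visible in the version.lock.json hunks is `X.Y.Z`); if anything parses or compares these as versions, the two-part value may behave differently, so `"stack_version": "7.13.0"` would be the consistent form. The key being deprecated, `119c8877-8613-416d-a98a-96b6664ee73a5`, is 37 hex characters rather than a UUID, and the version.lock.json hunk that follows adds `119c8877-8613-416d-a98a-96b6664ee73a` with the same rule_name, so this appears to retire a mistyped id in favour of the corrected one; strict JSON has no comment syntax, so the commit message is the only place that intent can be recorded. Both files appear to be tool-maintained, so the version-string fix presumably belongs in the generator's input rather than a hand edit.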
@@ -195,6 +195,11 @@
 "sha256": "f7a9a22c1a88de514cbe1dae2e20a6e83de0000461b15d949b649704273c9498",
 "version": 4
 },
+ "119c8877-8613-416d-a98a-96b6664ee73a": {
+ "rule_name": "AWS RDS Snapshot Export",
+ "sha256": "03dc719901ede4c776db56acbb5acf4106c348b9dd70cd6ec496d0d734175124",
+ "version": 1
+ },
 "119c8877-8613-416d-a98a-96b6664ee73a5": {
 "rule_name": "AWS RDS Snapshot Export",
 "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
@@ -368,13 +373,13 @@
 },
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "rule_name": "Incoming Execution via WinRM Remote Shell",
- "sha256": "06b2b27914185928fcafb1a80db136dde43ea01d646bc66e4f3cdf6beea7a469",
- "version": 2
+ "sha256": "3d74f5205bbde325b86c72bf634ffba8648e208a314cff8e74be0aed2836eede",
+ "version": 3
 },
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "rule_name": "Remote File Download via Script Interpreter",
- "sha256": "a0716e9b819c5dc12e825c123a907de9b2a6b20f3dcf5191faa43f33a5acdc6f",
- "version": 2
+ "sha256": "db68a6ddeb9ff20f43c047dcd1de97515eb952ee0c23b9d232e35a0786a7b71c",
+ "version": 3
 },
 "1d72d014-e2ab-4707-b056-9b96abe7b511": {
 "rule_name": "External IP Lookup from Non-Browser Process",
@@ -493,8 +498,8 @@
 },
 "2772264c-6fb9-4d9d-9014-b416eed21254": {
 "rule_name": "Incoming Execution via PowerShell Remoting",
- "sha256": "ec3c481e92364c4fad7260840ea8ce1c35fe40bdaf781b7bcff726ac436e1bf9",
- "version": 2
+ "sha256": "39f270dbc3e0b1d4c31b5bec7ee74a66f9bf12b4d37023562cf649f4e232e779",
+ "version": 3
 },
 "2783d84f-5091-4d7d-9319-9fceda8fa71b": {
 "rule_name": "GCP Firewall Rule Modification",
@@ -533,8 +538,8 @@
 },
 "2917d495-59bd-4250-b395-c29409b76086": {
 "rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
- "sha256": "c1adfb252308887a5bdac88b3edc8eae5c11fe737a019a177fe777aa1197348d",
- "version": 2
+ "sha256": "71c8450638f4fe25ff585483564b55ea9fa82c2e4bf431ada7dd963a5b4c5e22",
+ "version": 3
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Adobe Hijack Persistence",
@@ -543,14 +548,19 @@
 },
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
- "sha256": "ef62ccfe4455d54403f9578bd22ca980ef2a88b8d715172adbb52ae4437c23af",
- "version": 3
+ "sha256": "59e30d612d785a22cb0a99026698ee8ff597cefc2ab1a3cd8d01ca5e6985f7e7",
+ "version": 4
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
 "sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b",
 "version": 6
 },
+ "2dd480be-1263-4d9c-8672-172928f6789a": {
+ "rule_name": "Suspicious Process Access via Direct System Call",
+ "sha256": "5d595819fe049ce10fa799193a82bd3116314dd79ee4210f7c7d8a212ba9e3ed",
+ "version": 1
+ },
 "2de10e77-c144-4e69-afb7-344e7127abd0": {
 "rule_name": "O365 Excessive Single Sign-On Logon Errors",
 "sha256": "4bc52c3a4d918cc293e0ac2f21ad95122031ace364c0445d22a4f6b3279dadab",
@@ -571,6 +581,16 @@
 "sha256": "73d4fb8598a974e4c18b6e713228bdddad082fccbb5b41ead57a9a8a31c0d429",
 "version": 2
 },
+ "2f0bae2d-bf20-4465-be86-1311addebaa3": {
+ "rule_name": "GCP Kubernetes Rolebindings Created or Patched ",
+ "sha256": "7610e908f43c07edb189e630d82850923bd31af83e007f3db90a5d6bd62e4536",
+ "version": 1
+ },
+ "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
+ "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
+ "sha256": "e68aefbfc6d43274cb4fa313f901a07211b61c7d4d811cc31ce5437e560cb59d",
+ "version": 1
+ },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
 "sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6",
@@ -639,8 +659,8 @@
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "rule_name": "Remote File Download via PowerShell",
- "sha256": "0b1eb863c256967c4d2aa9423f1df47ac3ac3cf7a5c3db98660a488f516e07cb",
- "version": 2
+ "sha256": "0eea43805ecd683b5a20d92763182a589a053f2b3f85e7cd328ff4697555f1a3",
+ "version": 3
 },
 "34fde489-94b0-4500-a76f-b8a157cf9269": {
 "rule_name": "Telnet Port Activity",
@@ -742,6 +762,11 @@
 "sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c",
 "version": 11
 },
+ "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
+ "rule_name": "Azure Full Network Packet Capture Detected",
+ "sha256": "78613742979e36a993f52ef1a7a4fb1de7e286ed4c5e52fe24eac7726f4173e8",
+ "version": 1
+ },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "rule_name": "Malware - Prevented - Elastic Endgame",
 "sha256": "1e6bcd8c9bc347e916e73bbf5adc8c3bc7b5951a8bd471197b2bd3ef22e72921",
@@ -956,8 +981,8 @@
 },
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "fb6874177f1e3a261c4b67085479793e4423e4be78be5169af97ea5299426828",
- "version": 3
+ "sha256": "7630fc43d6168922d8fd4af707b3c7778f38e7800a563e631c6d332e7022d42a",
+ "version": 4
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "rule_name": "AWS GuardDuty Detector Deletion",
@@ -984,6 +1009,11 @@
 "sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
 "version": 4
 },
+ "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
+ "rule_name": "AWS EFS File System or Mount Deleted",
+ "sha256": "0634f98a6b3f7c0ce986b597cdb1efff2a43bb76cb00fedea4c3e8ffedc035dd",
+ "version": 1
+ },
 "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
 "rule_name": "Azure Diagnostic Settings Deletion",
 "sha256": "8ba5acc8850e486039277d2da8132a4203da644e6a12e3b500bb67629678dff7",
@@ -1039,6 +1069,16 @@
 "sha256": "adb1c5873c29391a82b5763b8006396d122797154d046175018644669e6855c8",
 "version": 6
 },
+ "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
+ "rule_name": "Azure Virtual Network Device Modified or Deleted",
+ "sha256": "bf510c9aa685e115cc351c4a543b89bd5d3376f7a3956412e65e90b5411aeb17",
+ "version": 1
+ },
+ "577ec21e-56fe-4065-91d8-45eb8224fe77": {
+ "rule_name": "PowerShell MiniDump Script",
+ "sha256": "e99fcc191c502e6e853476e7aa2eef7868fdd29f92242f4d4db3bdfe699ac8da",
+ "version": 1
+ },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
 "sha256": "868ffb9b45e3d8236b93e72b26814071dc1f1d6f1594fc54b97abc6be9f3d242",
@@ -1056,8 +1096,8 @@
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "rule_name": "Lateral Tool Transfer",
- "sha256": "7f2b4f3a2547ecc9c00623f5a23e27e68065769490004d0852a4cadfd8c1821d",
- "version": 2
+ "sha256": "837e80276905c148e4debb9b11b169a1b05bfc70fd046da13a7bb9ae8b2ea042",
+ "version": 3
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
@@ -1106,8 +1146,8 @@
 },
 "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
 "rule_name": "Outbound Scheduled Task Activity via PowerShell",
- "sha256": "842d45e42d2842a379682b8f9f17bd6a6a77b11af24ff95081b42a10300da7e5",
- "version": 3
+ "sha256": "64a269e25fae2964d9e1cb61115089d57eebcbdbc1b822cf41ecfc490977e15a",
+ "version": 4
 },
 "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
 "rule_name": "User Added to Privileged Group in Active Directory",
@@ -1159,6 +1199,11 @@
 "sha256": "9284b390c8c7e73e77a69f2d0e2900f6b6ef1e04caca2806f594f3695bc65b86",
 "version": 7
 },
+ "61ac3638-40a3-44b2-855a-985636ca985e": {
+ "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
+ "sha256": "734b426e6b6947606499e358609b75c1f06ecf347a66b708fd1455d184c21e09",
+ "version": 1
+ },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
 "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
@@ -1166,13 +1211,13 @@
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "77491c98fb172a33ef724d96f7b9d6d9ef5991aa0e86270846cbc5691167ddec",
- "version": 3
+ "sha256": "76323de0ef3251b57c93619ffbeb7dfd3363e839a589f393ff44c2f9d86cd92c",
+ "version": 4
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "ef677da1d6e146d9608c74c535a574cde65a061bdf6949d119c91faea44f90ac",
- "version": 8
+ "sha256": "480b35158e6bde86c97da264cbbc89e51301efc810ebfc8913739b428152b2b5",
+ "version": 9
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
@@ -1257,8 +1302,8 @@
 },
 "689b9d57-e4d5-4357-ad17-9c334609d79a": {
 "rule_name": "Scheduled Task Created by a Windows Script",
- "sha256": "b9385a20316c74f2f19353aa236f9c1afb3313df732395e9136cc020f037ef7f",
- "version": 4
+ "sha256": "e36b6e5cdc71883b3829db49b0ec46d102f02be1c7afb892e4b2a95c72a8b5fa",
+ "version": 5
 },
 "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
 "rule_name": "AWS CloudWatch Log Group Deletion",
@@ -1287,8 +1332,8 @@
 },
 "6aace640-e631-4870-ba8e-5fdda09325db": {
 "rule_name": "Exporting Exchange Mailbox via PowerShell",
- "sha256": "d714ce0962a7c7e2f1dae1aec682f7b98138ca47d060f0b89d06599a5821b4d2",
- "version": 5
+ "sha256": "1ba40e93a9dd9329c966e27d0d95d4f4629eda849b5480dcacf1c03f0fe4a350",
+ "version": 6
 },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "rule_name": "Sensitive Files Compression",
@@ -1317,8 +1362,8 @@
 },
 "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
 "rule_name": "Potential Windows Error Manager Masquerading",
- "sha256": "0062c2a192b58a69c17b50f78563e312da63225ef34decdd44a2246a7afba5fb",
- "version": 3
+ "sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0",
+ "version": 4
 },
 "6ea55c81-e2ba-42f2-a134-bccf857ba922": {
 "rule_name": "Security Software Discovery using WMIC",
@@ -1516,6 +1561,11 @@
 "sha256": "f77cf6a6f9ef86b2152b36bf3811485d39bf9c62dcaa02fb0df6c2233cdc8019",
 "version": 1
 },
+ "83a1931d-8136-46fc-b7b9-2db4f639e014": {
+ "rule_name": "Azure Kubernetes Pods Deleted",
+ "sha256": "30f7f19037deab72b77711c89ef4f18d1a0bb75ba9c8630a083f0924b0c63ba4",
+ "version": 1
+ },
 "852c1f19-68e8-43a6-9dce-340771fe1be3": {
 "min_stack_version": "7.13.0",
 "rule_name": "Suspicious PowerShell Engine ImageLoad",
@@ -1547,6 +1597,11 @@
 "sha256": "2f6700f791dd256057e4282a89b038cb5296e4c8c37b48776db059141f394a7b",
 "version": 4
 },
+ "87594192-4539-4bc4-8543-23bc3d5bd2b4": {
+ "rule_name": "AWS EventBridge Rule Disabled or Deleted",
+ "sha256": "aca795e6520b728e599ac3a7fa2a422977a761deaf06ec388ae6179558bb139b",
+ "version": 1
+ },
 "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
 "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
 "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
@@ -1564,8 +1619,8 @@
 },
 "897dc6b5-b39f-432a-8d75-d3730d50c782": {
 "rule_name": "Kerberos Traffic from Unusual Process",
- "sha256": "8dfd5e2b37ef8b8c3e3be8bd7022b8a3d2af58a7ae8bc173a1fee6ee39108392",
- "version": 3
+ "sha256": "57953cee8db2f39ea676b8cb8ebd4419d0e6147dc1c12c4750e5995b0d7794fa",
+ "version": 4
 },
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "rule_name": "Command Prompt Network Connection",
@@ -1608,6 +1663,11 @@
 "sha256": "ebcb01477dc704bdeee0d1db6985b13879e9151e5552f29028517978eda2b2f0",
 "version": 2
 },
+ "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
+ "rule_name": "Azure Kubernetes Events Deleted",
+ "sha256": "56a399415e6ff6a2730f6a81d02a44c3a24fb42ae359dced1da1514f2025f119",
+ "version": 1
+ },
 "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
 "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
 "sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283",
@@ -1620,8 +1680,8 @@
 },
 "8c81e506-6e82-4884-9b9a-75d3d252f967": {
 "rule_name": "Potential SharpRDP Behavior",
- "sha256": "8881269746a6601e50ebc55a0e0dc108792345a2a7dbcce70e37edbe01a18a97",
- "version": 3
+ "sha256": "cab3788fbfcefb5b2d4e6f079053f5ba19197d35730d9544a8bd0dce2ef4a1bb",
+ "version": 4
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -1640,8 +1700,8 @@
 },
 "8f919d4b-a5af-47ca-a594-6be59cd924a4": {
 "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
- "sha256": "f15afff68492c854090384c5c1e745704d316f3ef9b8687ba2b9e19a1731addb",
- "version": 3
+ "sha256": "0ca71ba980d30920612bc3871064629dccd38832867566b7c179934bb0bf1803",
+ "version": 4
 },
 "8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
 "rule_name": "GCP Service Account Deletion",
@@ -1693,6 +1753,11 @@
 "sha256": "b15eabc6db99f314e02c8cd2d1afdd5f9b52301be4089503c91cd48a51740b98",
 "version": 4
 },
+ "93075852-b0f5-4b8b-89c3-a226efae5726": {
+ "rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
+ "sha256": "e3474858022371a4edaaa39fd660b12f67e6c649bdb7e5c38ee4d4d567776a4d",
+ "version": 1
+ },
 "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
 "rule_name": "Sudoers File Modification",
 "sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478",
@@ -1725,8 +1790,8 @@
 },
 "954ee7c8-5437-49ae-b2d6-2960883898e9": {
 "rule_name": "Remote Scheduled Task Creation",
- "sha256": "bdf58af9de2ec55b8d3374f97e3777ebf9b7188990501623ebe9928d176f1b7f",
- "version": 4
+ "sha256": "e26d4edde4870c10ccebc081c4ee7c5fc5606da903cb53da92b76f355be04871",
+ "version": 5
 },
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "rule_name": "Attempt to Create Okta API Token",
@@ -1748,10 +1813,15 @@
 "sha256": "bf46beb44ae071c1d51a5e3d5f2bb6fc6556087aaebec176dcacc2534e974560",
 "version": 5
 },
+ "979729e7-0c52-4c4c-b71e-88103304a79f": {
+ "rule_name": "AWS SAML Activity",
+ "sha256": "becac153f02e4578bcfc536ff9635c9e75cbcab41684051300d2f271d1352bd0",
+ "version": 1
+ },
 "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
 "rule_name": "Suspicious Zoom Child Process",
- "sha256": "2c8a2e1781948610289bc5637ff2bbbee23e344a460ef0b4835f4e2e057a61cf",
- "version": 4
+ "sha256": "939b366f86b602d26bc22bbeaed26cfdf9465352e186f0b0034f0c2b0b1d0bae",
+ "version": 5
 },
 "97f22dab-84e8-409d-955e-dacd1d31670b": {
 "rule_name": "Base64 Encoding/Decoding Activity",
@@ -1816,8 +1886,8 @@
 },
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "rule_name": "Hosts File Modified",
- "sha256": "4a0f91bdde24a42c4deee1abf27d87df4617f314a20aeea716275c663bc0d9fc",
- "version": 5
+ "sha256": "3c3588d174cd600f65ee7d3050915a5831b1bd182e27561d3615c7f77973846b",
+ "version": 6
 },
 "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
 "rule_name": "Command Shell Activity Started via RunDLL32",
@@ -1831,8 +1901,8 @@
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
 "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "57f0f8cb76a41fe58206cf95a8341b2e94f9d9c211e39811cac0f95721b09fa1",
- "version": 9
+ "sha256": "87c20cfb4ea3953543c6011959936c3cdc29ec7b103b20edb95253055c27fde1",
+ "version": 10
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "rule_name": "Microsoft Build Engine Started by a System Process",
@@ -1891,8 +1961,8 @@
 },
 "a13167f1-eec2-4015-9631-1fee60406dcf": {
 "rule_name": "InstallUtil Process Making Network Connections",
- "sha256": "22617dc74d926a2a732c42e67b1196e6cf972b743bf69db18de1e3c7686299a2",
- "version": 3
+ "sha256": "d7a9f13cd241a8a41a9b8a0fa534b662929f57162382e173dc2a99ab49da8a8a",
+ "version": 4
 },
 "a1329140-8de3-4445-9f87-908fb6d824f4": {
 "rule_name": "File Deletion via Shred",
@@ -1909,6 +1979,11 @@
 "sha256": "c9bf1fe195602f505c43eda209be7267cf3997e49d86773f719a0a4300d70db8",
 "version": 1
 },
+ "a22a09c2-2162-4df0-a356-9aacbeb56a04": {
+ "rule_name": "DNS-over-HTTPS Enabled via Registry",
+ "sha256": "4b004411a23d95460c99778056af5c0bf65e9404ee913dddfeff6531645ce9e0",
+ "version": 1
+ },
 "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
 "rule_name": "Execution via local SxS Shared Module",
 "sha256": "fee8b8d1d56be16d7fe1a0de049286cf7095506b3bf9cc39d48e18ea8fbfd356",
@@ -1991,8 +2066,8 @@
 },
 "aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
 "rule_name": "Remotely Started Services via RPC",
- "sha256": "8a094bcec3f04942226308fbf29d09e5658a58269cd508cf13370f18f211a00d",
- "version": 2
+ "sha256": "54bef8370cf390fe72e2b52304b62e21884c0c7179d4c13410639871004ac20b",
+ "version": 3
 },
 "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
 "rule_name": "Remote Execution via File Shares",
@@ -2049,6 +2124,11 @@
 "sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
 "version": 5
 },
+ "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
+ "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
+ "sha256": "ca85c0740fb6ecc80e4569850b9ad398eadc3087d861ca27edfd5f53d47ce216",
+ "version": 1
+ },
 "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
 "rule_name": "Kerberos Cached Credentials Dumping",
 "sha256": "ae34300bc6a31dec04ee9e3edfda886d660fef5b4b5b11ac17e87b1c12629a2b",
@@ -2061,8 +2141,8 @@
 },
 "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
 "rule_name": "Local Scheduled Task Creation",
- "sha256": "ff34f929f7deef7c202a29aa90c2643c58e0478eda70efe49120e5d1ab63ad3e",
- "version": 8
+ "sha256": "1991289eb30b8232cdc4f6c197a93050601db6490831884cb41669e3c91b1f0c",
+ "version": 9
 },
 "b0046934-486e-462f-9487-0d4cf9e429c6": {
 "rule_name": "Timestomping using Touch Command",
@@ -2235,6 +2315,11 @@
 "sha256": "992fc3eb2005070d0a2eb094b89e093b57426cbe863e2c35c946265fb8f0d23c",
 "version": 2
 },
+ "bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
+ "rule_name": "AWS RDS Snapshot Restored",
+ "sha256": "07509e55592cb8d9c556bc4038e78c154131b583db68dafe661e3aaaab36b406",
+ "version": 1
+ },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
 "sha256": "2e2cc6d275afd2b0ad2082fc64d16ff251c7b91b0ad5370583bc7fb460166ee5",
@@ -2398,8 +2483,8 @@
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "fe8467442755a077a9833057c8622fec49bb3aaa321e8231a45db4f6769c2a63",
- "version": 1
+ "sha256": "611d2771b89ee0ba4bddee2fe900cec60a79a0b9a76e4428365fb04bfbec58f3",
+ "version": 2
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
@@ -2478,8 +2563,8 @@
 },
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "823c4ff1be037943b66d709e61e0133600e0c2e6b13b4c3a62a446c5122f298e",
- "version": 5
+ "sha256": "c3ab50eea009a6df031ff727cb6f5ab3e6699ab059766dd11702e0e67ae8522a",
+ "version": 6
 },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "rule_name": "Cobalt Strike Command and Control Beacon",
@@ -2518,8 +2603,8 @@
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "6045641eb94c7fd8b0837e3aee0d9d4f2c876cf7ef5caab2d04c079dc11dd562",
- "version": 10
+ "sha256": "ecbbc7859552c8437157063f812772cb9577843591fc62608079300e3210e66a",
+ "version": 11
 },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "rule_name": "Shell Execution via Apple Scripting",
@@ -2607,6 +2692,11 @@
 "sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f",
 "version": 6
 },
+ "d79c4b2a-6134-4edd-86e6-564a92a933f9": {
+ "rule_name": "Azure Blob Permissions Modification",
+ "sha256": "0a8db0c43b681d84156a42b60ab5ecd8fe9caf71f2bc01c51a9c768bf9d901e6",
+ "version": 1
+ },
 "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
 "min_stack_version": "7.14.0",
 "rule_name": "Spike in Logon Events",
@@ -2625,8 +2715,8 @@
 },
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
- "sha256": "c166e8d3145309bbf8fb2f0a8940d6e32de698c63c1e0da088b8451223cda272",
- "version": 1
+ "sha256": "c564a84bd80412505c6c368bbaa4901157515871a4dca9ef8642fad1cdbdf2e1",
+ "version": 2
 },
 "dafa3235-76dc-40e2-9f71-1773b96d24cf": {
 "rule_name": "Multi-Factor Authentication Disabled for an Azure User",
@@ -2640,8 +2730,8 @@
 },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
 "rule_name": "Threat Intel Filebeat Module Indicator Match",
- "sha256": "4aee4e7612e01f652dd5bc52ec84e6202f180ab4525080a71e3da0201e4a67d1",
- "version": 2
+ "sha256": "3799b7164988714cc94fc0fb9be852b8335673a9b5d93699b8378426840de9c4",
+ "version": 3
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2703,6 +2793,11 @@
 "sha256": "64e549b8b5703062cd3bd1677df0e23c99eb1a924b818a819267abdbd5248488",
 "version": 5
 },
+ "e12c0318-99b1-44f2-830c-3a38a43207ca": {
+ "rule_name": "AWS Route Table Created",
+ "sha256": "99e6091a7fa21fe0e7bf5add82d9f9b8fb1e4a87b7faabd8aacc8786e0f5886e",
+ "version": 1
+ },
 "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
 "rule_name": "AWS RDS Cluster Creation",
 "sha256": "7de7854de44a80b0bd2a2a0197d6ebb3213a89c8f2f2257284f1948d008f4760",
@@ -2736,8 +2831,13 @@
 },
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "bc0cdfb0670f89d77aae9839c681a4e26499830163210bbe8ce929b5c426c68f",
- "version": 9
+ "sha256": "b4768d0f8f0ed9689db41b8f284dda3bc646f7b85d32b60293e82285d6dfa9fc",
+ "version": 10
+ },
+ "e3c27562-709a-42bd-82f2-3ed926cced19": {
+ "rule_name": "AWS Route53 private hosted zone associated with a VPC",
+ "sha256": "e55bea74533e2fc5765e72b6d225511d1cfe053d9489dd81361da331c5c57f85",
+ "version": 1
 },
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "rule_name": "Ransomware - Prevented - Elastic Endgame",
@@ -2971,8 +3071,8 @@
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "rule_name": "WMI Incoming Lateral Movement",
- "sha256": "ed25b43fb38cbc23d92775bb0284a9fd055dd53d8824bcda78d2c9ffdc8428c5",
- "version": 2
+ "sha256": "627242cc631e03be3dd2bf3eb1450a9307dfa129ca22c999bda6e5f91f9cb8ef",
+ "version": 3
 },
 "f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
 "rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
@@ -3016,8 +3116,8 @@
 },
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
- "sha256": "7eb3227762aa2a2cf9d9d514b28b2ef6a40eb2c254654b39a93385f44593bf02",
- "version": 1
+ "sha256": "ec14e52e83826d9560d3fd5517acd8ea8328d2ee89f66fdfdc679bc2843e2eb3",
+ "version": 2
 },
 "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
 "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
@@ -3094,4 +3194,4 @@
 "sha256": "d1a7cbc54b4f8910cb9a43b7d0d568b13418ca9fce205a9fbdcc2396a3baf618",
 "version": 5
 }
-}
+}
\ No newline at end of file