Lock versions for releases: 7.13,7.14,7.15,7.16 (#1659)

* Locked versions for releases: 7.13,7.14,7.15,7.16
github-actions[bot]
2021-12-10 19:06:19 -09:00
committed by GitHub
parent 7978b3cc9e
commit a33de6bfb8
+133 -49
@@ -27,8 +27,8 @@
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "4da266f820dc2dba8ed78416db2ea4cad6a8260dacad0552bcfa4f25601a61f8",
"version": 1
"sha256": "dc5c89b6a2667693fbe1a725c957ad2bc11c124768f3a668613ba10a77780f91",
"version": 2
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
@@ -170,6 +170,12 @@
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"version": 8
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "7.14.0",
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "ff67dcfa3dda984af29cc41ece885de00bd48128fed28a3a8ef4e298d83e43b8",
"version": 1
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7",
@@ -207,8 +213,8 @@
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "637411a6c598e26e6158b7f367b37e4ef4c20c2f833cb4adaa2d9866c2662e3b",
"version": 1
"sha256": "6937bd14a24a894d160dfabe3efe0d868b8952a006578c810d3d7b0492c31680",
"version": 2
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
@@ -288,8 +294,8 @@
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "210931fff44cff26ff1c6fbb8d16c525ce7956382fb200a989335df36b12c628",
"version": 4
"sha256": "8ca91c7053d3f30c2c76188da11648bbc94aa5c68e2288ceaee0e6d942535fcf",
"version": 5
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
@@ -371,6 +377,11 @@
"sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce",
"version": 5
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "0edd2adb2012b1367353ef756b0ec88867a5ed19d5dc243f991845cf5b9d9e2a",
"version": 1
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "3d74f5205bbde325b86c72bf634ffba8648e208a314cff8e74be0aed2836eede",
@@ -486,6 +497,11 @@
"sha256": "2fde8b5429bcf1a32d15d54f96a2386179c681a0bc3e5eca71ac09eaa51272ad",
"version": 4
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "fec04f92c2b0f57675047b2adea17e89769476a9e131eb9ce8330f4e46399d8c",
"version": 1
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "f0d04d20b2c11a0ebe206fe8773ea13430da51c1da73a9cf755fd344fa983d15",
@@ -511,6 +527,11 @@
"sha256": "7f4f776206e7ea26e377cf5665556bb3d6268796fc06023b7b85d58502783e2b",
"version": 4
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"rule_name": "Account Password Reset Remotely",
"sha256": "9a0279c4a36e65635f36ce3bd7807cbffb2a10c01b5b6fed1a3eb1292c15e53a",
"version": 1
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Net command via SYSTEM account",
"sha256": "9edf6f050f8563bcf0dbd301c61100d160969829b5cbdbd7c90872555d44ea25",
@@ -541,6 +562,11 @@
"sha256": "71c8450638f4fe25ff585483564b55ea9fa82c2e4bf431ada7dd963a5b4c5e22",
"version": 3
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "b94f034710f0bd4a1c9a3ba74dec7f2dcd74ac6997dd532f8a2fc96eb2589faa",
"version": 1
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
"sha256": "b855256f23054ec5025f78c2ec0ddd70e36ef7b16856700f208936300525f544",
@@ -548,8 +574,8 @@
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "59e30d612d785a22cb0a99026698ee8ff597cefc2ab1a3cd8d01ca5e6985f7e7",
"version": 4
"sha256": "381882b7e3fc0c078a4a643809c5fcf7a923054acfd931ac251c6ac4e67edb36",
"version": 5
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
@@ -558,8 +584,8 @@
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "5d595819fe049ce10fa799193a82bd3116314dd79ee4210f7c7d8a212ba9e3ed",
"version": 1
"sha256": "c3726db2dfd855db109944def0676bf91e1eba2881adaf2f1f0f76b2ae14e555",
"version": 2
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
@@ -571,6 +597,11 @@
"sha256": "2fe8c86abbc5b90c04c50b2d75bc279a82b4ca5b5b9075830ede2cb576e81d8a",
"version": 5
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "138fe1b7a99e1fd40f2db4ca5086754aa15d9dadff790a9a0a03cc783b71f003",
"version": 1
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954",
@@ -588,8 +619,8 @@
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "e68aefbfc6d43274cb4fa313f901a07211b61c7d4d811cc31ce5437e560cb59d",
"version": 1
"sha256": "fc6e63e3e6c873bd2ccac6ea93c2965d107641d4c739c682f6ad19f74d4eeb40",
"version": 2
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
@@ -802,6 +833,11 @@
"sha256": "3f2d95fdb79cb6ca4c56f1becabbe1d57288b6104b0b40f17398e3fde07651bf",
"version": 3
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "0f67bb4b3fbdb804594a8f6c72163a50c7a0560738746a8eace419e2b80c81ab",
"version": 1
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "963f664114823b11c4a4728f07135d64b207cc28e9181a0ed1536682458cec56",
@@ -820,8 +856,8 @@
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "1a31a209ac2dc61fc7c8c6ece800b34a05c2a7ca6b9332ec6d5313d7e3a65f01",
"version": 1
"sha256": "24caaad3fea11b7693bad4ee11a32119b0f6804af45f39ac7ded0499c0fa6694",
"version": 2
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
@@ -1076,8 +1112,8 @@
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "e99fcc191c502e6e853476e7aa2eef7868fdd29f92242f4d4db3bdfe699ac8da",
"version": 1
"sha256": "b999bfa6dc8a8d8f14e743eb6e0302ca11572bd4796276fd7435bb8053c8a539",
"version": 2
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1201,8 +1237,8 @@
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "734b426e6b6947606499e358609b75c1f06ecf347a66b708fd1455d184c21e09",
"version": 1
"sha256": "45ec69750e919eff495ec3f4ce1f96597c51759b9130ed238b82dcdc5888ed6a",
"version": 2
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -1422,8 +1458,8 @@
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "4a2b21872c0267aedbc3dbf6d88a10753da1aa493cd5448e9750533eb910965a",
"version": 1
"sha256": "7ab2fe8714a0ef0afab2f9ec17d92b5d4a579c7fd7714746d068e6348868ee7c",
"version": 2
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
@@ -1461,6 +1497,11 @@
"sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f",
"version": 1
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "e2370178900d74daa4cadcb8b42f646efd2ea3f2c73c59f9638366f249e0c5b9",
"version": 1
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "fcd8c3219898d5276945fcee501c6a589d1e17e99b96a7360a30c6d982f3c614",
@@ -1563,8 +1604,8 @@
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "30f7f19037deab72b77711c89ef4f18d1a0bb75ba9c8630a083f0924b0c63ba4",
"version": 1
"sha256": "7a29d3e80ad2758ed25d1b794fbce0c90c7f6a54c67017cd7fc1f8a4a7f9fad0",
"version": 2
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "7.13.0",
@@ -1599,8 +1640,8 @@
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "aca795e6520b728e599ac3a7fa2a422977a761deaf06ec388ae6179558bb139b",
"version": 1
"sha256": "ef8a2abe81a1b39e1ef54fd252e39f1c165f1e40827a338b7252b6a77874aec7",
"version": 2
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -1648,9 +1689,9 @@
"version": 4
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Suspicious JAR Child Process",
"sha256": "f867a33f075bc6c694cdabdd8d3c234f1347100900b32459c1fc7debf7ca03c1",
"version": 2
"rule_name": "Suspicious JAVA Child Process",
"sha256": "9d7875876529960496ced859248197da593afad28edd3ffe08e5d2c0af4119ed",
"version": 3
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "7.13.0",
@@ -1665,8 +1706,8 @@
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "56a399415e6ff6a2730f6a81d02a44c3a24fb42ae359dced1da1514f2025f119",
"version": 1
"sha256": "af0bd091d52ef5b33b45a680f0a56654284f464970538a56c69571223491fcb1",
"version": 2
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -1685,8 +1726,8 @@
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "00940a7616f5a429eb7e75d4322a135cfeab187e3ac06d31dc6a9c2e22c41bf0",
"version": 6
"sha256": "33de74bdefea7d1b2dad684d309c2eb9374ad0936d168a1b3fbb74680c12c7c4",
"version": 7
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
@@ -1730,8 +1771,8 @@
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "55f215d9e78466b8958e9c1981654985a3610f13bb53a13f0f89df25fd14f4e8",
"version": 5
"sha256": "a8934713ab65c577a096044395867098064056126c593d47d0d0f441f6d961f1",
"version": 6
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
@@ -1858,6 +1899,11 @@
"sha256": "07c9c8e38e3443ff00955fbdcfd03ed0b67974906d56679ed5f34fa34826a709",
"version": 3
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "e56e3d4a7c4dd9ad1938a2f2aa18a9b023a50edf3d216d227fb9ee24d2b73571",
"version": 1
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "7.14.0",
"rule_name": "Spike in Failed Logon Events",
@@ -1969,6 +2015,11 @@
"sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f",
"version": 7
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "03bdeac5057893f51610fb230139686e35a436d905b7465555966dcfe1769fa9",
"version": 1
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "7b3b1690df6c6b2ede0ea186a352d58f47717c62493f9e48c34776123c3f6d3b",
@@ -1981,8 +2032,8 @@
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "4b004411a23d95460c99778056af5c0bf65e9404ee913dddfeff6531645ce9e0",
"version": 1
"sha256": "6f78fd32e25cee20e54d68955f70146f8fef6c8a9a407838c98a204075d706b2",
"version": 2
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"rule_name": "Execution via local SxS Shared Module",
@@ -2126,8 +2177,8 @@
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "ca85c0740fb6ecc80e4569850b9ad398eadc3087d861ca27edfd5f53d47ce216",
"version": 1
"sha256": "ba03ecde11ee9756cf4bc61082aacb53ef480e292542908388652d2925356984",
"version": 2
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
@@ -2204,6 +2255,11 @@
"sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac",
"version": 6
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"rule_name": "Clearing Windows Console History",
"sha256": "7019e4bc7049a79eaaa17917e400a2267ed18d60a47401930de10ac006e4c426",
"version": 1
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "a009ff3ab4c85e8aed1731545a96eb1a380cf0927bdbc9a6838aae79a83803e0",
@@ -2305,6 +2361,11 @@
"sha256": "660c3b64b35ea795bb74c9eb7b6b3b83154cd7b2eafd8eacd053cb30c89785e1",
"version": 5
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "6de3949ae76af02e913b9d9e042f0c9be3954889ba3313023c533e1976fa86cf",
"version": 1
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "21294393322c72a5945721897592b4efd0dc6745d42a1d6a33492120398d13fb",
@@ -2317,8 +2378,8 @@
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "07509e55592cb8d9c556bc4038e78c154131b583db68dafe661e3aaaab36b406",
"version": 1
"sha256": "e31fbf67365ca48acc62bfbf2ca2a9142619b731cf83aa45a72024fb8ab72d73",
"version": 2
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
@@ -2395,6 +2456,11 @@
"sha256": "88bf63fa5666b708286c1c057c13d9395886468103724aaf6336f5715d4fdc31",
"version": 5
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "149405dd2024aad261ec86a37585f075c5015e970b659ce9a3c4767e414494b0",
"version": 1
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"rule_name": "Installation of Custom Shim Databases",
"sha256": "81788cf9d61ad308d13bca2f9882ffce48353414414d4bd05235253088b8407b",
@@ -2729,9 +2795,9 @@
"version": 6
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module Indicator Match",
"sha256": "3799b7164988714cc94fc0fb9be852b8335673a9b5d93699b8378426840de9c4",
"version": 3
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"version": 4
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2784,9 +2850,17 @@
"version": 5
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16.0",
"previous": {
"7.13.0": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf",
"version": 3
}
},
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "f182f841954adaa9009a1b62d0b98506f864adc4d7ab93e8467f26ada0f518d0",
"version": 2
"version": 4
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deletion",
@@ -2814,6 +2888,11 @@
"sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91",
"version": 2
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "94f3ca8052551b024507d2e9bb51c49b7efecf2ea678d4bc1978a5b414e586ae",
"version": 1
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "94dcf7938345325b7cca64d3a410cffbb9e2503ddb509afb63a9721087a0b906",
@@ -2841,8 +2920,8 @@
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "53753455f7a7da08d4ed29d6563630e2a7b77ebfb0330af09b5b52a8a6f800c1",
"version": 6
"sha256": "130151f602969550133acea2f7f0a293ceb2a61df7dd0bddab3e6b0e33f57247",
"version": 7
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
@@ -3089,6 +3168,11 @@
"sha256": "9675f6c2d6b7bc26b770ed6f8bb5668058bb865b782423786a1ebb70bf5de797",
"version": 9
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "5508f0b8c9ae59dbe1d7a20d8147f51eb24fc9d562b290be27f28256e143428c",
"version": 1
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "cc34e136a98a0c3da501db77e87e4418a36d9fa1a9af7f2809b0e876a0685baa",
@@ -3171,8 +3255,8 @@
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Suspicious CertUtil Commands",
"sha256": "a9355d7b7c316691fcd6fa8cb53a27ba316ae71ea6c79e21e908ff3ee5302dda",
"version": 9
"sha256": "122b3b7f61d4146ddcd3551328c63fd1c56f01dad1616d83022d2265375ce1ac",
"version": 10
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
@@ -3181,8 +3265,8 @@
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "b52c0b3b61c361bd48462ab2432ba1e1689286e1e3022c5580108b09dacfe55e",
"version": 8
"sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",
"version": 9
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",