From a33de6bfb8a544adef44f9f6ca76c2e81ebb0734 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 10 Dec 2021 19:06:19 -0900
Subject: [PATCH] Lock versions for releases: 7.13,7.14,7.15,7.16 (#1659)

* Locked versions for releases: 7.13,7.14,7.15,7.16
---
 etc/version.lock.json | 182 ++++++++++++++++++++++++++++++------------
 1 file changed, 133 insertions(+), 49 deletions(-)

diff --git a/etc/version.lock.json b/etc/version.lock.json
index 5a32f07ac..7ac5bee41 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -27,8 +27,8 @@
 },
 "02a4576a-7480-4284-9327-548a806b5e48": {
 "rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
- "sha256": "4da266f820dc2dba8ed78416db2ea4cad6a8260dacad0552bcfa4f25601a61f8",
- "version": 1
+ "sha256": "dc5c89b6a2667693fbe1a725c957ad2bc11c124768f3a668613ba10a77780f91",
+ "version": 2
 },
 "02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
 "rule_name": "Dumping Account Hashes via Built-In Commands",
@@ -170,6 +170,12 @@
 "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
 "version": 8
 },
+ "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
+ "min_stack_version": "7.14.0",
+ "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
+ "sha256": "ff67dcfa3dda984af29cc41ece885de00bd48128fed28a3a8ef4e298d83e43b8",
+ "version": 1
+ },
 "0ff84c42-873d-41a2-a4ed-08d74d352d01": {
 "rule_name": "Privilege Escalation via Root Crontab File Modification",
 "sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7",
@@ -207,8 +213,8 @@
 },
 "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
 "rule_name": "Third-party Backup Files Deleted via Unexpected Process",
- "sha256": "637411a6c598e26e6158b7f367b37e4ef4c20c2f833cb4adaa2d9866c2662e3b",
- "version": 1
+ "sha256": "6937bd14a24a894d160dfabe3efe0d868b8952a006578c810d3d7b0492c31680",
+ "version": 2
 },
 "12051077-0124-4394-9522-8f4f4db1d674": {
 "rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
@@ -288,8 +294,8 @@
 },
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "rule_name": "Component Object Model Hijacking",
- "sha256": "210931fff44cff26ff1c6fbb8d16c525ce7956382fb200a989335df36b12c628",
- "version": 4
+ "sha256": "8ca91c7053d3f30c2c76188da11648bbc94aa5c68e2288ceaee0e6d942535fcf",
+ "version": 5
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "rule_name": "Unusual Windows Username",
@@ -371,6 +377,11 @@
 "sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce",
 "version": 5
 },
+ "1c966416-60c1-436b-bfd0-e002fddbfd89": {
+ "rule_name": "Azure Kubernetes Rolebindings Created",
+ "sha256": "0edd2adb2012b1367353ef756b0ec88867a5ed19d5dc243f991845cf5b9d9e2a",
+ "version": 1
+ },
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "rule_name": "Incoming Execution via WinRM Remote Shell",
 "sha256": "3d74f5205bbde325b86c72bf634ffba8648e208a314cff8e74be0aed2836eede",
@@ -486,6 +497,11 @@
 "sha256": "2fde8b5429bcf1a32d15d54f96a2386179c681a0bc3e5eca71ac09eaa51272ad",
 "version": 4
 },
+ "26edba02-6979-4bce-920a-70b080a7be81": {
+ "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
+ "sha256": "fec04f92c2b0f57675047b2adea17e89769476a9e131eb9ce8330f4e46399d8c",
+ "version": 1
+ },
 "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
 "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
 "sha256": "f0d04d20b2c11a0ebe206fe8773ea13430da51c1da73a9cf755fd344fa983d15",
@@ -511,6 +527,11 @@
 "sha256": "7f4f776206e7ea26e377cf5665556bb3d6268796fc06023b7b85d58502783e2b",
 "version": 4
 },
+ "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
+ "rule_name": "Account Password Reset Remotely",
+ "sha256": "9a0279c4a36e65635f36ce3bd7807cbffb2a10c01b5b6fed1a3eb1292c15e53a",
+ "version": 1
+ },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Net command via SYSTEM account",
 "sha256": "9edf6f050f8563bcf0dbd301c61100d160969829b5cbdbd7c90872555d44ea25",
@@ -541,6 +562,11 @@
 "sha256": "71c8450638f4fe25ff585483564b55ea9fa82c2e4bf431ada7dd963a5b4c5e22",
 "version": 3
 },
+ "291a0de9-937a-4189-94c0-3e847c8b13e4": {
+ "rule_name": "Enumeration of Privileged Local Groups Membership",
+ "sha256": "b94f034710f0bd4a1c9a3ba74dec7f2dcd74ac6997dd532f8a2fc96eb2589faa",
+ "version": 1
+ },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Adobe Hijack Persistence",
 "sha256": "b855256f23054ec5025f78c2ec0ddd70e36ef7b16856700f208936300525f544",
@@ -548,8 +574,8 @@
 },
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
- "sha256": "59e30d612d785a22cb0a99026698ee8ff597cefc2ab1a3cd8d01ca5e6985f7e7",
- "version": 4
+ "sha256": "381882b7e3fc0c078a4a643809c5fcf7a923054acfd931ac251c6ac4e67edb36",
+ "version": 5
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
@@ -558,8 +584,8 @@
 },
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "rule_name": "Suspicious Process Access via Direct System Call",
- "sha256": "5d595819fe049ce10fa799193a82bd3116314dd79ee4210f7c7d8a212ba9e3ed",
- "version": 1
+ "sha256": "c3726db2dfd855db109944def0676bf91e1eba2881adaf2f1f0f76b2ae14e555",
+ "version": 2
 },
 "2de10e77-c144-4e69-afb7-344e7127abd0": {
 "rule_name": "O365 Excessive Single Sign-On Logon Errors",
@@ -571,6 +597,11 @@
 "sha256": "2fe8c86abbc5b90c04c50b2d75bc279a82b4ca5b5b9075830ede2cb576e81d8a",
 "version": 5
 },
+ "2e29e96a-b67c-455a-afe4-de6183431d0d": {
+ "rule_name": "Potential Process Injection via PowerShell",
+ "sha256": "138fe1b7a99e1fd40f2db4ca5086754aa15d9dadff790a9a0a03cc783b71f003",
+ "version": 1
+ },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "rule_name": "Halfbaked Command and Control Beacon",
 "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954",
@@ -588,8 +619,8 @@
 },
 "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
- "sha256": "e68aefbfc6d43274cb4fa313f901a07211b61c7d4d811cc31ce5437e560cb59d",
- "version": 1
+ "sha256": "fc6e63e3e6c873bd2ccac6ea93c2965d107641d4c739c682f6ad19f74d4eeb40",
+ "version": 2
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
@@ -802,6 +833,11 @@
 "sha256": "3f2d95fdb79cb6ca4c56f1becabbe1d57288b6104b0b40f17398e3fde07651bf",
 "version": 3
 },
+ "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
+ "rule_name": "Suspicious Process Creation CallTrace",
+ "sha256": "0f67bb4b3fbdb804594a8f6c72163a50c7a0560738746a8eace419e2b80c81ab",
+ "version": 1
+ },
 "3efee4f0-182a-40a8-a835-102c68a4175d": {
 "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
 "sha256": "963f664114823b11c4a4728f07135d64b207cc28e9181a0ed1536682458cec56",
@@ -820,8 +856,8 @@
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "1a31a209ac2dc61fc7c8c6ece800b34a05c2a7ca6b9332ec6d5313d7e3a65f01",
- "version": 1
+ "sha256": "24caaad3fea11b7693bad4ee11a32119b0f6804af45f39ac7ded0499c0fa6694",
+ "version": 2
 },
 "41824afb-d68c-4d0e-bfee-474dac1fa56e": {
 "rule_name": "EggShell Backdoor Execution",
@@ -1076,8 +1112,8 @@
 },
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "rule_name": "PowerShell MiniDump Script",
- "sha256": "e99fcc191c502e6e853476e7aa2eef7868fdd29f92242f4d4db3bdfe699ac8da",
- "version": 1
+ "sha256": "b999bfa6dc8a8d8f14e743eb6e0302ca11572bd4796276fd7435bb8053c8a539",
+ "version": 2
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1201,8 +1237,8 @@
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "734b426e6b6947606499e358609b75c1f06ecf347a66b708fd1455d184c21e09",
- "version": 1
+ "sha256": "45ec69750e919eff495ec3f4ce1f96597c51759b9130ed238b82dcdc5888ed6a",
+ "version": 2
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -1422,8 +1458,8 @@
 },
 "721999d0-7ab2-44bf-b328-6e63367b9b29": {
 "rule_name": "Microsoft 365 Potential ransomware activity",
- "sha256": "4a2b21872c0267aedbc3dbf6d88a10753da1aa493cd5448e9750533eb910965a",
- "version": 1
+ "sha256": "7ab2fe8714a0ef0afab2f9ec17d92b5d4a579c7fd7714746d068e6348868ee7c",
+ "version": 2
 },
 "729aa18d-06a6-41c7-b175-b65b739b1181": {
 "rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
@@ -1461,6 +1497,11 @@
 "sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f",
 "version": 1
 },
+ "76ddb638-abf7-42d5-be22-4a70b0bf7241": {
+ "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
+ "sha256": "e2370178900d74daa4cadcb8b42f646efd2ea3f2c73c59f9638366f249e0c5b9",
+ "version": 1
+ },
 "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
 "rule_name": "Potential Remote Desktop Tunneling Detected",
 "sha256": "fcd8c3219898d5276945fcee501c6a589d1e17e99b96a7360a30c6d982f3c614",
@@ -1563,8 +1604,8 @@
 },
 "83a1931d-8136-46fc-b7b9-2db4f639e014": {
 "rule_name": "Azure Kubernetes Pods Deleted",
- "sha256": "30f7f19037deab72b77711c89ef4f18d1a0bb75ba9c8630a083f0924b0c63ba4",
- "version": 1
+ "sha256": "7a29d3e80ad2758ed25d1b794fbce0c90c7f6a54c67017cd7fc1f8a4a7f9fad0",
+ "version": 2
 },
 "852c1f19-68e8-43a6-9dce-340771fe1be3": {
 "min_stack_version": "7.13.0",
@@ -1599,8 +1640,8 @@
 },
 "87594192-4539-4bc4-8543-23bc3d5bd2b4": {
 "rule_name": "AWS EventBridge Rule Disabled or Deleted",
- "sha256": "aca795e6520b728e599ac3a7fa2a422977a761deaf06ec388ae6179558bb139b",
- "version": 1
+ "sha256": "ef8a2abe81a1b39e1ef54fd252e39f1c165f1e40827a338b7252b6a77874aec7",
+ "version": 2
 },
 "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
 "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -1648,9 +1689,9 @@
 "version": 4
 },
 "8acb7614-1d92-4359-bfcf-478b6d9de150": {
- "rule_name": "Suspicious JAR Child Process",
- "sha256": "f867a33f075bc6c694cdabdd8d3c234f1347100900b32459c1fc7debf7ca03c1",
- "version": 2
+ "rule_name": "Suspicious JAVA Child Process",
+ "sha256": "9d7875876529960496ced859248197da593afad28edd3ffe08e5d2c0af4119ed",
+ "version": 3
 },
 "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
 "min_stack_version": "7.13.0",
@@ -1665,8 +1706,8 @@
 },
 "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
 "rule_name": "Azure Kubernetes Events Deleted",
- "sha256": "56a399415e6ff6a2730f6a81d02a44c3a24fb42ae359dced1da1514f2025f119",
- "version": 1
+ "sha256": "af0bd091d52ef5b33b45a680f0a56654284f464970538a56c69571223491fcb1",
+ "version": 2
 },
 "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
 "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -1685,8 +1726,8 @@
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "rule_name": "Ransomware - Detected - Elastic Endgame",
- "sha256": "00940a7616f5a429eb7e75d4322a135cfeab187e3ac06d31dc6a9c2e22c41bf0",
- "version": 6
+ "sha256": "33de74bdefea7d1b2dad684d309c2eb9374ad0936d168a1b3fbb74680c12c7c4",
+ "version": 7
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "rule_name": "Azure Automation Runbook Deleted",
@@ -1730,8 +1771,8 @@
 },
 "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
 "rule_name": "GCP Virtual Private Cloud Route Creation",
- "sha256": "55f215d9e78466b8958e9c1981654985a3610f13bb53a13f0f89df25fd14f4e8",
- "version": 5
+ "sha256": "a8934713ab65c577a096044395867098064056126c593d47d0d0f441f6d961f1",
+ "version": 6
 },
 "91d04cd4-47a9-4334-ab14-084abe274d49": {
 "rule_name": "AWS WAF Access Control List Deletion",
@@ -1858,6 +1899,11 @@
 "sha256": "07c9c8e38e3443ff00955fbdcfd03ed0b67974906d56679ed5f34fa34826a709",
 "version": 3
 },
+ "9960432d-9b26-409f-972b-839a959e79e2": {
+ "rule_name": "Potential Credential Access via LSASS Memory Dump",
+ "sha256": "e56e3d4a7c4dd9ad1938a2f2aa18a9b023a50edf3d216d227fb9ee24d2b73571",
+ "version": 1
+ },
 "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
 "min_stack_version": "7.14.0",
 "rule_name": "Spike in Failed Logon Events",
@@ -1969,6 +2015,11 @@
 "sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f",
 "version": 7
 },
+ "a16612dd-b30e-4d41-86a0-ebe70974ec00": {
+ "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
+ "sha256": "03bdeac5057893f51610fb230139686e35a436d905b7465555966dcfe1769fa9",
+ "version": 1
+ },
 "a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
 "rule_name": "GCP Virtual Private Cloud Route Deletion",
 "sha256": "7b3b1690df6c6b2ede0ea186a352d58f47717c62493f9e48c34776123c3f6d3b",
@@ -1981,8 +2032,8 @@
 },
 "a22a09c2-2162-4df0-a356-9aacbeb56a04": {
 "rule_name": "DNS-over-HTTPS Enabled via Registry",
- "sha256": "4b004411a23d95460c99778056af5c0bf65e9404ee913dddfeff6531645ce9e0",
- "version": 1
+ "sha256": "6f78fd32e25cee20e54d68955f70146f8fef6c8a9a407838c98a204075d706b2",
+ "version": 2
 },
 "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
 "rule_name": "Execution via local SxS Shared Module",
@@ -2126,8 +2177,8 @@
 },
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
- "sha256": "ca85c0740fb6ecc80e4569850b9ad398eadc3087d861ca27edfd5f53d47ce216",
- "version": 1
+ "sha256": "ba03ecde11ee9756cf4bc61082aacb53ef480e292542908388652d2925356984",
+ "version": 2
 },
 "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
 "rule_name": "Kerberos Cached Credentials Dumping",
@@ -2204,6 +2255,11 @@
 "sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac",
 "version": 6
 },
+ "b5877334-677f-4fb9-86d5-a9721274223b": {
+ "rule_name": "Clearing Windows Console History",
+ "sha256": "7019e4bc7049a79eaaa17917e400a2267ed18d60a47401930de10ac006e4c426",
+ "version": 1
+ },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
 "sha256": "a009ff3ab4c85e8aed1731545a96eb1a380cf0927bdbc9a6838aae79a83803e0",
@@ -2305,6 +2361,11 @@
 "sha256": "660c3b64b35ea795bb74c9eb7b6b3b83154cd7b2eafd8eacd053cb30c89785e1",
 "version": 5
 },
+ "bd2c86a0-8b61-4457-ab38-96943984e889": {
+ "rule_name": "PowerShell Keylogging Script",
+ "sha256": "6de3949ae76af02e913b9d9e042f0c9be3954889ba3313023c533e1976fa86cf",
+ "version": 1
+ },
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
 "sha256": "21294393322c72a5945721897592b4efd0dc6745d42a1d6a33492120398d13fb",
@@ -2317,8 +2378,8 @@
 },
 "bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
 "rule_name": "AWS RDS Snapshot Restored",
- "sha256": "07509e55592cb8d9c556bc4038e78c154131b583db68dafe661e3aaaab36b406",
- "version": 1
+ "sha256": "e31fbf67365ca48acc62bfbf2ca2a9142619b731cf83aa45a72024fb8ab72d73",
+ "version": 2
 },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
@@ -2395,6 +2456,11 @@
 "sha256": "88bf63fa5666b708286c1c057c13d9395886468103724aaf6336f5715d4fdc31",
 "version": 5
 },
+ "c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
+ "rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
+ "sha256": "149405dd2024aad261ec86a37585f075c5015e970b659ce9a3c4767e414494b0",
+ "version": 1
+ },
 "c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
 "rule_name": "Installation of Custom Shim Databases",
 "sha256": "81788cf9d61ad308d13bca2f9882ffce48353414414d4bd05235253088b8407b",
@@ -2729,9 +2795,9 @@
 "version": 6
 },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
- "rule_name": "Threat Intel Filebeat Module Indicator Match",
- "sha256": "3799b7164988714cc94fc0fb9be852b8335673a9b5d93699b8378426840de9c4",
- "version": 3
+ "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
+ "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
+ "version": 4
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2784,9 +2850,17 @@
 "version": 5
 },
 "e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
+ "min_stack_version": "7.16.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Whitespace Padding in Process Command Line",
+ "sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf",
+ "version": 3
+ }
+ },
 "rule_name": "Whitespace Padding in Process Command Line",
 "sha256": "f182f841954adaa9009a1b62d0b98506f864adc4d7ab93e8467f26ada0f518d0",
- "version": 2
+ "version": 4
 },
 "e0f36de1-0342-453d-95a9-a068b257b053": {
 "rule_name": "Azure Event Hub Deletion",
@@ -2814,6 +2888,11 @@
 "sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91",
 "version": 2
 },
+ "e26f042e-c590-4e82-8e05-41e81bd822ad": {
+ "rule_name": "Suspicious .NET Reflection via PowerShell",
+ "sha256": "94f3ca8052551b024507d2e9bb51c49b7efecf2ea678d4bc1978a5b414e586ae",
+ "version": 1
+ },
 "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
 "rule_name": "AWS Management Console Root Login",
 "sha256": "94dcf7938345325b7cca64d3a410cffbb9e2503ddb509afb63a9721087a0b906",
@@ -2841,8 +2920,8 @@
 },
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "rule_name": "Ransomware - Prevented - Elastic Endgame",
- "sha256": "53753455f7a7da08d4ed29d6563630e2a7b77ebfb0330af09b5b52a8a6f800c1",
- "version": 6
+ "sha256": "130151f602969550133acea2f7f0a293ceb2a61df7dd0bddab3e6b0e33f57247",
+ "version": 7
 },
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
@@ -3089,6 +3168,11 @@
 "sha256": "9675f6c2d6b7bc26b770ed6f8bb5668058bb865b782423786a1ebb70bf5de797",
 "version": 9
 },
+ "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
+ "rule_name": "Windows Firewall Disabled via PowerShell",
+ "sha256": "5508f0b8c9ae59dbe1d7a20d8147f51eb24fc9d562b290be27f28256e143428c",
+ "version": 1
+ },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
 "sha256": "cc34e136a98a0c3da501db77e87e4418a36d9fa1a9af7f2809b0e876a0685baa",
@@ -3171,8 +3255,8 @@
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "a9355d7b7c316691fcd6fa8cb53a27ba316ae71ea6c79e21e908ff3ee5302dda",
- "version": 9
+ "sha256": "122b3b7f61d4146ddcd3551328c63fd1c56f01dad1616d83022d2265375ce1ac",
+ "version": 10
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "rule_name": "Svchost spawning Cmd",
@@ -3181,8 +3265,8 @@
 },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
- "sha256": "b52c0b3b61c361bd48462ab2432ba1e1689286e1e3022c5580108b09dacfe55e",
- "version": 8
+ "sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",
+ "version": 9
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",