Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3319)

* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
github-actions[bot]
2023-12-12 13:23:14 -05:00
committed by GitHub
parent 631f8841ad
commit a39a52360a
+210 -138
@@ -159,6 +159,13 @@
"type": "eql",
"version": 108
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through Systemd-udevd",
"sha256": "e8095cdee7458ed504ab6072b4d91c7d572d159b7f95965cb8b93a5fc4c1ed32",
"type": "new_terms",
"version": 1
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -232,9 +239,9 @@
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.3",
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c",
"sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017",
"type": "eql",
"version": 1
"version": 2
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
@@ -317,9 +324,9 @@
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
"rule_name": "Process Termination followed by Deletion",
"sha256": "3eef996ce0b596a8c36e90f7b072702cf85d200f1a9683ab6d81d18bf69ed5d1",
"sha256": "ee3f7d78630d4adbddf7402565e30e9e5b09adbfb02eaed22e884dfd5429bc8e",
"type": "eql",
"version": 107
"version": 108
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
@@ -444,9 +451,9 @@
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "a66ec71c96a9c0d09c09ad1d94067327b19e7db5411461bda17ce482fff03de5",
"sha256": "0f8793b32099bcedee8142d49e3265c81daa7a103fd8a4005b61e56aeeb487f4",
"type": "eql",
"version": 107
"version": 108
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.3",
@@ -465,9 +472,9 @@
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.3",
"rule_name": "MsBuild Making Network Connections",
"sha256": "704d15579a6028b995cfd93bc3a2d782e75c41c656cdcc7c5673f782b70396b5",
"sha256": "a1bf29b67c9d4b591676101ae899db1fa607402bfd59d1ea37a30c02d751f9b3",
"type": "eql",
"version": 105
"version": 106
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"min_stack_version": "8.6",
@@ -580,9 +587,9 @@
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "1c0bf38efb6972def16721d8a6cdfa4657dcd306a120b1f283193fbf9adf6574",
"sha256": "9e7a7c40caec4ca683ed1aad64cea12a7f3d4fae3015ca523b447c1a93362aa4",
"type": "query",
"version": 9
"version": 10
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
@@ -654,9 +661,9 @@
}
},
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "be2beac962529968b937bc8b019d5fd86147ea3a835ac837709352145e20bdfb",
"sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec",
"type": "query",
"version": 202
"version": 203
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"min_stack_version": "8.4",
@@ -670,9 +677,9 @@
}
},
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "aced9ff9e762b1884af066530083db98a9ccfeb24195d8f89c6344ca22a77d00",
"sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7",
"type": "query",
"version": 202
"version": 203
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.3",
@@ -748,16 +755,16 @@
}
},
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "2b3001e30acc01d9f64cf5554b3ca2ea3e9bcb22df0ef756717434b46b95919d",
"sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9",
"type": "query",
"version": 202
"version": 203
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "02cd614602c0740f432c413ad474d41900748740202d7ffd5f6103b3096ff544",
"sha256": "4b1eec485af47d33737ca5c571fb0460f4b65037669ab0dbabe9bac5698770dd",
"type": "eql",
"version": 105
"version": 106
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
@@ -776,9 +783,9 @@
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "ba1b29894e3714a467099698c2a7111489b3e522d59f5b61ad2f7d791d5adf30",
"sha256": "42bf489fc1a03321f0d5b7eb330f6afaf2d64dfea7d2e5afdc041c2ed1b084bc",
"type": "eql",
"version": 108
"version": 109
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
@@ -876,9 +883,9 @@
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "a1c8a579032003cb718a31611540b8552f7995938b5042e9fa19a6b59d7b8e34",
"sha256": "400131c604d2387a643233aeae981ecf85b248f90b0914a4b349e1ed55ddce84",
"type": "new_terms",
"version": 6
"version": 7
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
@@ -988,6 +995,13 @@
"type": "eql",
"version": 107
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"min_stack_version": "8.4",
"rule_name": "Process Created with a Duplicated Token",
"sha256": "108c96892c8db5e48adb3729e9a21cf75d35c098e4739cc055042e86fbeddccb",
"type": "eql",
"version": 1
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
"rule_name": "Connection to Internal Network via Telnet",
@@ -1035,9 +1049,9 @@
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "2c7b3afb5bcedf1734a00e47303d98eb4df820d760aee5553c8e9763cfa58d9e",
"sha256": "1b168626a13b010e11e758702eb6d895a779be9163e0265089d56c852cd438b6",
"type": "eql",
"version": 110
"version": 111
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
@@ -1063,9 +1077,9 @@
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "3ad26713290c41884722d25cf2fee14ada4dfd908e0a162454e983458948145c",
"sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54",
"type": "query",
"version": 1
"version": 2
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
@@ -1147,9 +1161,9 @@
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.3",
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "c337c7433541d6bf75e616d8dc86c568517d3347e447eebff25c5aa98637d74f",
"sha256": "90ed2f95452d78c897f5ff0a9109393db93bf7b6131cf7ab1f265ec52a86a3f1",
"type": "query",
"version": 6
"version": 7
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.3",
@@ -1168,9 +1182,9 @@
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "6005266947232b8c8285b53252c0a3aceb08713658436d0aa268fd92aaa462f0",
"sha256": "8ec035184478d2650916a571216dd1d6f03c7c0eaac4a894f81390ff1663c2bd",
"type": "eql",
"version": 108
"version": 109
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
@@ -1189,9 +1203,9 @@
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "8db003c9e7d9158d52c379347dee67ace799d72c640e8beaccdc4a3d26caf8f5",
"sha256": "c2204e192d86865e713663390b2fb1c3859f2871ce24908f5899475a741571c4",
"type": "eql",
"version": 107
"version": 108
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.9",
@@ -1246,9 +1260,9 @@
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "ec8d63e382350e56393f2ddda05cf6e288ce88da4ee9c9d5976adaff99779885",
"sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b",
"type": "new_terms",
"version": 2
"version": 3
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.3",
@@ -1327,9 +1341,9 @@
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.3",
"rule_name": "New GitHub Owner Added",
"sha256": "360c844a728a8074f32947d9ad6d1b26d414b7aafe87847d5b92dc546b8931f5",
"sha256": "839fb4e1ecdfcb2be6949ac45bfd11ec72c4ccee48cff00ef05e661a7fc1c6a3",
"type": "eql",
"version": 1
"version": 2
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
@@ -1570,9 +1584,9 @@
}
},
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "ac1d0b24c8b4fdd50c135a7ecd4193f9584cb7fdc8d82531c70122b5826e9a5c",
"sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0",
"type": "query",
"version": 202
"version": 203
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"min_stack_version": "8.5",
@@ -1728,9 +1742,9 @@
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "4da6b62b7ec7cb25f041951db128ea15b7b77213f4dcd6d830e9a1d1f4d349ed",
"sha256": "1db13a5ac155b6497736f067e6755417f99f9cf5b5245f36c2b96437eebc703c",
"type": "eql",
"version": 108
"version": 109
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.9",
@@ -1798,9 +1812,9 @@
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
"rule_name": "Program Files Directory Masquerading",
"sha256": "9224ce80ac3a2d46b853cb988075ebe71f9cbbdc90695974a1bd7abe58726911",
"sha256": "06de85209a1b0dde5bc8b4f17f289dac52ac59beb2bb0e35c4dec8c8c2a29cb5",
"type": "eql",
"version": 106
"version": 107
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
@@ -1835,9 +1849,9 @@
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via PowerShell",
"sha256": "38dc15a0612dfcb492d058cb2414f7cb66550cc57d1a90b28469f9a499391d7a",
"sha256": "0843453e23fff6268308485d859e6668867b85c5cf0ed912c931d28d040ca4f7",
"type": "eql",
"version": 108
"version": 109
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "8.8",
@@ -2000,9 +2014,9 @@
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Certutil",
"sha256": "574966e6333af6f15b7e801105f1325ba602693577dd5b5c77c6d1821abdb360",
"sha256": "ff32cd3ea3d3f5aa49fb8c8bcc7368b8211ee44bcad1809ab55e3874291c4274",
"type": "eql",
"version": 108
"version": 109
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
@@ -2157,9 +2171,9 @@
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load",
"sha256": "bf54a568cf07cb6372551ed2c315a350fd80ec33811327aa6c5473d64f5aa928",
"sha256": "b59ce0343e153ae461c5fccc6dd6aa3b6f38eff17a3960852a0a1b9c9dc88e3b",
"type": "eql",
"version": 1
"version": 2
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
@@ -2549,9 +2563,9 @@
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "599489e4a0c4b02a7717d928a5881b6281d1362970adb1074d5362a33c45444b",
"sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082",
"type": "query",
"version": 104
"version": 105
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.3",
@@ -2706,10 +2720,10 @@
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Users with the Same Device Token Hash",
"sha256": "0cabbcb4f30f4ce25d1efd6d385f10b02ca0ef7cc2d8bac313e45e83abdfa175",
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca",
"type": "threshold",
"version": 1
"version": 2
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
@@ -2746,6 +2760,13 @@
"type": "query",
"version": 104
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "906a021911de5e8f4437da9087e7b52974e5ae6d5decb416ebc494866bf4ecc9",
"type": "query",
"version": 1
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with MMC",
@@ -2756,9 +2777,9 @@
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "d6684969f3393c5d0071672900ffa3557f7b96875f0fb073ddf04801bf9fcb4f",
"sha256": "32d05a814889ee60dc87a1d8bfd9ccde871f528b806978fcd7a8e999fac7d565",
"type": "eql",
"version": 4
"version": 5
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.9",
@@ -2923,6 +2944,13 @@
"type": "machine_learning",
"version": 1
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870",
"type": "eql",
"version": 1
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.3",
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
@@ -3126,9 +3154,9 @@
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"min_stack_version": "8.3",
"rule_name": "Suspicious which Enumeration",
"sha256": "fc50e7f8c6f1d7485f6a164637556906c3e3711d037759cf0c017826a110f6f3",
"sha256": "7d7caddbf4b4d96f05ac6949cb45758377a5e3bf4b700ccf482055409ec6f2c2",
"type": "eql",
"version": 2
"version": 3
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"min_stack_version": "8.3",
@@ -3177,9 +3205,9 @@
"5c895b4f-9133-4e68-9e23-59902175355c": {
"min_stack_version": "8.6",
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "a6d98ac9e83fe086450761623ed3be2ecb0ee7a1cc965b3334fe3f9e226a05f2",
"sha256": "9a1e8c65a29391713f609dcbd4a1305713e9a2c306af2f32b6a83dfce192b63b",
"type": "eql",
"version": 3
"version": 4
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
@@ -3294,6 +3322,13 @@
"type": "eql",
"version": 106
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.3",
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "57a629aaa1c6c8e3211d86871c40fb1532a1b8041321a4a49e09bf2207ddd1d7",
"type": "eql",
"version": 1
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
@@ -3345,23 +3380,23 @@
"63c05204-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "50e22b963b23fb875f4790d08f86ff42ef3c0647bb9ea73d6230249f92d02ec3",
"sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab",
"type": "query",
"version": 5
"version": 6
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "0d948643de064e41761d52de2aea9c64ef42324b59c2d35ab8ccd34d42d83d7c",
"sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86",
"type": "query",
"version": 4
"version": 5
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "7d2f16e497a23db9bcca2a28f3bc86267549a56ba9b988342b1973abd885d7e7",
"sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd",
"type": "query",
"version": 5
"version": 6
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.3",
@@ -3409,9 +3444,9 @@
}
},
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "a392535f193c9bb4f607ca018da754d0d2fe756881ddd68726caccca6568ce2a",
"sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e",
"type": "query",
"version": 202
"version": 203
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"min_stack_version": "8.3",
@@ -3437,16 +3472,16 @@
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "fb115e87e89044c32e58806b7d33104eb2b1ee8f3db90054d8643f6d6804f05f",
"sha256": "846fa5c4e35ad6a575c527857f8f08531770497ebfbd1e5c44038c9711e941fe",
"type": "eql",
"version": 4
"version": 5
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "d7b20d3341cd184a82b2bd8a88373bc4fb3a7cf01c5073cb059c987420cf3d9a",
"sha256": "7745782aa933ea91dbfdffeaa535df98d4ba5d6b908c75cabba52d20958e79d4",
"type": "eql",
"version": 109
"version": 110
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
@@ -3869,9 +3904,9 @@
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "df0ebfd519ecbb1f865b556e10ebd19af3fedf23da2afa856e1eed3b78f786eb",
"sha256": "cdd0f600e28fdd26a6c761618ed095d7b9956e2064103ee046847872afd934fe",
"type": "eql",
"version": 105
"version": 106
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"min_stack_version": "8.3",
@@ -3883,9 +3918,9 @@
"7164081a-3930-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "bf6e413b1a7554ae0a50a51c3ffd97289d9c856bfa37a5bbd049676b408e9b78",
"sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec",
"type": "query",
"version": 3
"version": 4
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"min_stack_version": "8.6",
@@ -3949,9 +3984,9 @@
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "76e9e3a24fb77bafe1b7f5cf3730c4024c32f045d85de9b0857bae7a8716b2df",
"sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9",
"type": "new_terms",
"version": 1
"version": 2
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.3",
@@ -4030,9 +4065,9 @@
}
},
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "eb3c017dfadc69b9ca322bd0fa4ac6795b89d7c3ac31f0050aa79171995b9df2",
"sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982",
"type": "query",
"version": 202
"version": 203
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.3",
@@ -4083,6 +4118,13 @@
"type": "query",
"version": 102
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"min_stack_version": "8.6",
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "2730756601b3e9c3122bb97458b0f9f58e407913123e9572e2cac648e4ebab2a",
"type": "new_terms",
"version": 1
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"min_stack_version": "8.3",
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
@@ -4272,6 +4314,13 @@
"type": "query",
"version": 100
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "f6a376457e527734ea6ad8afb21d2c54e93b221f1f2bf986041ff905f2baaf67",
"type": "eql",
"version": 1
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMIC XSL Script Execution",
@@ -4632,9 +4681,9 @@
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "3f33c3e7817f1f2970238c916629c2827ae0b7b46a7c0152797aba33b835fa4b",
"sha256": "8700bb27ff54ad56343421ba6fac2f451fb22a01e93bf557ae17c9bf71d3bc7d",
"type": "eql",
"version": 1
"version": 2
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
@@ -5019,9 +5068,9 @@
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "547b20764fecd9340dbe641b6df4e4839c47770cd894673ee65364b20061959a",
"sha256": "3eeb11e2e94049e8d1119a4cafd05b0fe2188371b6cfa8a38d62535f57df784f",
"type": "eql",
"version": 4
"version": 5
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5146,9 +5195,9 @@
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "9671afcc66dbc58a275066f23ee0484f9b8819dbeccdde28660354c790ae9387",
"sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed",
"type": "eql",
"version": 208
"version": 209
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
@@ -5186,9 +5235,9 @@
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "a1197c00ba4334f0b61b5d4d3d8a5295997d4ea0558e29bae8140f3a5043e319",
"sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627",
"type": "eql",
"version": 2
"version": 3
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.3",
@@ -5318,9 +5367,9 @@
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "152428a8434461254fd0550779e5f2ff7b906cf27f44936e520219c6c117b748",
"sha256": "a16bdb7510672df6f37801d5358499f1a79cde453022a2a3f424c450d519def1",
"type": "eql",
"version": 1
"version": 2
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
@@ -5544,9 +5593,9 @@
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "6c6d99f8d895a01d02dd4c824f549d027faf0fcd9e4164f5f15841495f797400",
"sha256": "824c61e43e5e5a716f7c86a9bae768ce4ad3d3da5d6151920028b34c4e163889",
"type": "eql",
"version": 4
"version": 5
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"min_stack_version": "8.3",
@@ -5636,9 +5685,9 @@
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "5314fd78f655b74a006c62ee1eb2079163be8e0e9035bd70e879958302847147",
"sha256": "164f4808f9233c0316265e8ac731e74784cc410587f5710bdd9f8f72fff7c7c3",
"type": "eql",
"version": 3
"version": 4
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
@@ -5956,6 +6005,13 @@
"type": "eql",
"version": 2
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "4d4e79da63198cef34c6daa28263e65a117d300b3526620cda6075a9a6532a45",
"type": "eql",
"version": 1
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
@@ -6070,9 +6126,9 @@
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "2f2309ef87dbeb7c8500ffd750c33a466ec912231e35d601c99ed10b5254c68c",
"sha256": "1febba999144c11d4eda1df90ed6dea43965b2967e98e431fd00fd7678d5f6ab",
"type": "eql",
"version": 108
"version": 109
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
@@ -6246,9 +6302,9 @@
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "ac46e57d571273c025c91e46c20c1f7c46db80b9f6a1e181de6ec4e267c91867",
"sha256": "c6ecd8ef206d0f32e3bc9b72cf1a808affd09aa72bd8443c3a359bf000480e3f",
"type": "eql",
"version": 108
"version": 109
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"min_stack_version": "8.3",
@@ -6295,9 +6351,9 @@
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "dc0a8c9cd0d7f0e1844a5c6402ab1504415faa41aec3f0ae1f68c80b0e74947d",
"sha256": "8942d1f095059286fecf8c197b44e975598fc9beee88d0e296402f027b3c4e35",
"type": "eql",
"version": 106
"version": 107
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"min_stack_version": "8.3",
@@ -6339,9 +6395,9 @@
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "41d271a7a3e18ee8bdec67895870a01f5bc3f8801a58b29bcba5ba615179f139",
"sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee",
"type": "query",
"version": 102
"version": 103
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"min_stack_version": "8.9",
@@ -6432,9 +6488,9 @@
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "d760fb7f319139f03665f98df0dd2e9878098619330d3d740f424b742ed5a3e7",
"sha256": "a104d57c93d224bbb66c4c3ec0155970728973744f4f6e5f064a97439c0e12ca",
"type": "eql",
"version": 4
"version": 5
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.3",
@@ -6697,9 +6753,9 @@
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "576d3b6a56808d5c581e4f82d4571613bdb9f304eb4165c3d972990f968f7abf",
"sha256": "142247d62f7891a9ca33735f3b0dccfb8715548c603ac42fda40d37b4d391fe7",
"type": "eql",
"version": 108
"version": 109
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -6758,9 +6814,9 @@
}
},
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "c36b22463e66e69ad7dbd01c7e79c4adb82bf1f6ca122c7a45c071c4029f298b",
"sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a",
"type": "query",
"version": 202
"version": 203
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.3",
@@ -6927,9 +6983,9 @@
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "95e6787fdbd7768c2066b060596b45e20e11a64d5e238abe96679290fbbf2469",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
"type": "threshold",
"version": 1
"version": 2
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
@@ -7148,9 +7204,9 @@
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "486befefb895d04393ea8ab494e45aa9071d538f5f4afe5d9ac67aee4e990ac0",
"sha256": "1a8f93e1420657bde476d44178510fe68b66e44c5329c320ca9cad7c4a0a46aa",
"type": "eql",
"version": 108
"version": 109
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
@@ -7427,9 +7483,9 @@
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "2102e91dda480a20979378bce1f9ce3243b54439c2ac1961ad795862fe956692",
"sha256": "45983ba4145383efb62f613aaf8c96bb987077029f26ba1392ed5a802713ee0b",
"type": "eql",
"version": 6
"version": 7
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"min_stack_version": "8.9",
@@ -7620,9 +7676,9 @@
}
},
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "1f4c0ae9dd783f3b83ac46047885d443bd3d578a6f76c1eb3211780b7b2e3876",
"sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622",
"type": "query",
"version": 202
"version": 203
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
@@ -7677,9 +7733,9 @@
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.3",
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "b30b5b205b4d258de4072197ae2f131b0716891f4297ffc36e6a2549b7ca66fc",
"sha256": "e1ed4e0365edf2d5b5f63fc4a633c8d5520823cbb25d79826c9bde9fb5648a6a",
"type": "eql",
"version": 1
"version": 2
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16",
@@ -7788,9 +7844,9 @@
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "0897fefd02654839585af75de63a6c8ed5041e6659933458ff58f29327d6c410",
"sha256": "c6f1cf145ff3b061a79e8ace80cc5733fae16573c3ddb49f83073f52ee86ad31",
"type": "eql",
"version": 4
"version": 5
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
@@ -7973,9 +8029,9 @@
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "ab002c02bd96a6d77776ccb1b5fe96cb19d8ee3fa408b8c5853d7a4580f3fc18",
"sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
"type": "eql",
"version": 5
"version": 6
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
@@ -8211,9 +8267,9 @@
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "1d657da119ea7a4f4925fb9854f9b300a165f2e51b196233358018c3c2c34b10",
"sha256": "76315bba25abe84b119f44de4c1b6c4f33fdc53d08a5ea67631b6f821c288236",
"type": "eql",
"version": 107
"version": 108
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "8.8",
@@ -8285,9 +8341,9 @@
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "7e36739ca38d86c13233d562ec0ff5e3019b17cd4efe9373ee963d0412184cbd",
"sha256": "b08b05384865af516f9051b9fda7a2e86423e826268d86119d94bed51a40ae68",
"type": "eql",
"version": 108
"version": 109
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
@@ -8297,11 +8353,20 @@
"version": 3
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932",
"type": "query",
"version": 3
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "8270e1a274c3fc9549fd1c6e7a45f05f1bffa07a9b5f4f416074649a7a48b303",
"sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c",
"type": "query",
"version": 2
"version": 103
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
@@ -8361,9 +8426,9 @@
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "2e8062644461fe200b2c0e86e1ea8526c11447b53e129b6096fffef03a70986d",
"sha256": "2c5262665887e553b48f7df98f3d614aefdf59b44a481d0ec6f946a75ba61cab",
"type": "eql",
"version": 105
"version": 106
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
@@ -8477,9 +8542,9 @@
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
"sha256": "4c7e78b131d1198b5114a869eb0b7caafc11536152cd2368abfdd62ff264472f",
"sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9",
"type": "eql",
"version": 3
"version": 4
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"min_stack_version": "8.9",
@@ -8557,6 +8622,13 @@
"type": "eql",
"version": 2
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.3",
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "9a94f4d8101faf26b2c6b27adeca58352ce001eed85ee4b6bbb0bdf460045ec5",
"type": "new_terms",
"version": 1
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.3",
"rule_name": "WRITEDAC Access on Active Directory Object",
@@ -8574,9 +8646,9 @@
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "7fb454ea923d4be1c53da0fce33be447e1856c41f237f0cbea512aec928fa237",
"sha256": "39e23b5edd4a250cfcefb9fd66eebd1876f9a408c1ca69902bad707c1ccfa236",
"type": "eql",
"version": 2
"version": 3
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
@@ -8862,9 +8934,9 @@
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "5429be9bfc7f82918122fa6dcc5088a9f5934fa0b93cd24eecb1b3a33e52a053",
"sha256": "9e0d8bd2ea5e365a73509a4d11f7cf61209d79e01d70d9fe086c66b920dde083",
"type": "eql",
"version": 3
"version": 4
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
@@ -8925,9 +8997,9 @@
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "dcc745dbac15e8073ffc6bb416dd3a2f1b170e3ea46bfb1c41085cf82a6f009e",
"sha256": "616a82f9d56e96eca039a36156317b57f3ad06c109ee04f3772e1acd1fb66457",
"type": "new_terms",
"version": 6
"version": 7
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",