diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 52ef7c49b..01bdb3672 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -159,6 +159,13 @@ "type": "eql", "version": 108 }, + "054db96b-fd34-43b3-9af2-587b3bd33964": { + "min_stack_version": "8.6", + "rule_name": "Potential Persistence Through Systemd-udevd", + "sha256": "e8095cdee7458ed504ab6072b4d91c7d572d159b7f95965cb8b93a5fc4c1ed32", + "type": "new_terms", + "version": 1 + }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", @@ -232,9 +239,9 @@ "07639887-da3a-4fbf-9532-8ce748ff8c50": { "min_stack_version": "8.3", "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c", + "sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017", "type": "eql", - "version": 1 + "version": 2 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", @@ -317,9 +324,9 @@ "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", - "sha256": "3eef996ce0b596a8c36e90f7b072702cf85d200f1a9683ab6d81d18bf69ed5d1", + "sha256": "ee3f7d78630d4adbddf7402565e30e9e5b09adbfb02eaed22e884dfd5429bc8e", "type": "eql", - "version": 107 + "version": 108 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -444,9 +451,9 @@ "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "a66ec71c96a9c0d09c09ad1d94067327b19e7db5411461bda17ce482fff03de5", + "sha256": "0f8793b32099bcedee8142d49e3265c81daa7a103fd8a4005b61e56aeeb487f4", "type": "eql", - "version": 107 + "version": 108 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "min_stack_version": "8.3", @@ -465,9 +472,9 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", - "sha256": "704d15579a6028b995cfd93bc3a2d782e75c41c656cdcc7c5673f782b70396b5", + "sha256": "a1bf29b67c9d4b591676101ae899db1fa607402bfd59d1ea37a30c02d751f9b3", "type": "eql", - "version": 105 + "version": 106 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "min_stack_version": "8.6", @@ -580,9 +587,9 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "1c0bf38efb6972def16721d8a6cdfa4657dcd306a120b1f283193fbf9adf6574", + "sha256": "9e7a7c40caec4ca683ed1aad64cea12a7f3d4fae3015ca523b447c1a93362aa4", "type": "query", - "version": 9 + "version": 10 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", @@ -654,9 +661,9 @@ } }, "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "be2beac962529968b937bc8b019d5fd86147ea3a835ac837709352145e20bdfb", + "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", "type": "query", - "version": 202 + "version": 203 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "min_stack_version": "8.4", @@ -670,9 +677,9 @@ } }, "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "aced9ff9e762b1884af066530083db98a9ccfeb24195d8f89c6344ca22a77d00", + "sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7", "type": "query", - "version": 202 + "version": 203 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "min_stack_version": "8.3", @@ -748,16 +755,16 @@ } }, "rule_name": "Kubernetes User Exec into Pod", - "sha256": "2b3001e30acc01d9f64cf5554b3ca2ea3e9bcb22df0ef756717434b46b95919d", + "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", "type": "query", - "version": 202 + "version": 203 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "02cd614602c0740f432c413ad474d41900748740202d7ffd5f6103b3096ff544", + "sha256": "4b1eec485af47d33737ca5c571fb0460f4b65037669ab0dbabe9bac5698770dd", "type": "eql", - "version": 105 + "version": 106 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "min_stack_version": "8.3", @@ -776,9 +783,9 @@ "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "ba1b29894e3714a467099698c2a7111489b3e522d59f5b61ad2f7d791d5adf30", + "sha256": "42bf489fc1a03321f0d5b7eb330f6afaf2d64dfea7d2e5afdc041c2ed1b084bc", "type": "eql", - "version": 108 + "version": 109 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "min_stack_version": "8.3", @@ -876,9 +883,9 @@ "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "a1c8a579032003cb718a31611540b8552f7995938b5042e9fa19a6b59d7b8e34", + "sha256": "400131c604d2387a643233aeae981ecf85b248f90b0914a4b349e1ed55ddce84", "type": "new_terms", - "version": 6 + "version": 7 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", @@ -988,6 +995,13 @@ "type": "eql", "version": 107 }, + "1b0b4818-5655-409b-9c73-341cac4bb73f": { + "min_stack_version": "8.4", + "rule_name": "Process Created with a Duplicated Token", + "sha256": "108c96892c8db5e48adb3729e9a21cf75d35c098e4739cc055042e86fbeddccb", + "type": "eql", + "version": 1 + }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", @@ -1035,9 +1049,9 @@ "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "2c7b3afb5bcedf1734a00e47303d98eb4df820d760aee5553c8e9763cfa58d9e", + "sha256": "1b168626a13b010e11e758702eb6d895a779be9163e0265089d56c852cd438b6", "type": "eql", - "version": 110 + "version": 111 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", @@ -1063,9 +1077,9 @@ "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "min_stack_version": "8.10", "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "3ad26713290c41884722d25cf2fee14ada4dfd908e0a162454e983458948145c", + "sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54", "type": "query", - "version": 1 + "version": 2 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", @@ -1147,9 +1161,9 @@ "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "min_stack_version": "8.3", "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "c337c7433541d6bf75e616d8dc86c568517d3347e447eebff25c5aa98637d74f", + "sha256": "90ed2f95452d78c897f5ff0a9109393db93bf7b6131cf7ab1f265ec52a86a3f1", "type": "query", - "version": 6 + "version": 7 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "min_stack_version": "8.3", @@ -1168,9 +1182,9 @@ "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "6005266947232b8c8285b53252c0a3aceb08713658436d0aa268fd92aaa462f0", + "sha256": "8ec035184478d2650916a571216dd1d6f03c7c0eaac4a894f81390ff1663c2bd", "type": "eql", - "version": 108 + "version": 109 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", @@ -1189,9 +1203,9 @@ "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", - "sha256": "8db003c9e7d9158d52c379347dee67ace799d72c640e8beaccdc4a3d26caf8f5", + "sha256": "c2204e192d86865e713663390b2fb1c3859f2871ce24908f5899475a741571c4", "type": "eql", - "version": 107 + "version": 108 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "min_stack_version": "8.9", @@ -1246,9 +1260,9 @@ "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "ec8d63e382350e56393f2ddda05cf6e288ce88da4ee9c9d5976adaff99779885", + "sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b", "type": "new_terms", - "version": 2 + "version": 3 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.3", @@ -1327,9 +1341,9 @@ "24401eca-ad0b-4ff9-9431-487a8e183af9": { "min_stack_version": "8.3", "rule_name": "New GitHub Owner Added", - "sha256": "360c844a728a8074f32947d9ad6d1b26d414b7aafe87847d5b92dc546b8931f5", + "sha256": "839fb4e1ecdfcb2be6949ac45bfd11ec72c4ccee48cff00ef05e661a7fc1c6a3", "type": "eql", - "version": 1 + "version": 2 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", @@ -1570,9 +1584,9 @@ } }, "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "ac1d0b24c8b4fdd50c135a7ecd4193f9584cb7fdc8d82531c70122b5826e9a5c", + "sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0", "type": "query", - "version": 202 + "version": 203 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.5", @@ -1728,9 +1742,9 @@ "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "4da6b62b7ec7cb25f041951db128ea15b7b77213f4dcd6d830e9a1d1f4d349ed", + "sha256": "1db13a5ac155b6497736f067e6755417f99f9cf5b5245f36c2b96437eebc703c", "type": "eql", - "version": 108 + "version": 109 }, "301571f3-b316-4969-8dd0-7917410030d3": { "min_stack_version": "8.9", @@ -1798,9 +1812,9 @@ "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", - "sha256": "9224ce80ac3a2d46b853cb988075ebe71f9cbbdc90695974a1bd7abe58726911", + "sha256": "06de85209a1b0dde5bc8b4f17f289dac52ac59beb2bb0e35c4dec8c8c2a29cb5", "type": "eql", - "version": 106 + "version": 107 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.3", @@ -1835,9 +1849,9 @@ "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", - "sha256": "38dc15a0612dfcb492d058cb2414f7cb66550cc57d1a90b28469f9a499391d7a", + "sha256": "0843453e23fff6268308485d859e6668867b85c5cf0ed912c931d28d040ca4f7", "type": "eql", - "version": 108 + "version": 109 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "8.8", @@ -2000,9 +2014,9 @@ "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", - "sha256": "574966e6333af6f15b7e801105f1325ba602693577dd5b5c77c6d1821abdb360", + "sha256": "ff32cd3ea3d3f5aa49fb8c8bcc7368b8211ee44bcad1809ab55e3874291c4274", "type": "eql", - "version": 108 + "version": 109 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", @@ -2157,9 +2171,9 @@ "3e12a439-d002-4944-bc42-171c0dcb9b96": { "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", - "sha256": "bf54a568cf07cb6372551ed2c315a350fd80ec33811327aa6c5473d64f5aa928", + "sha256": "b59ce0343e153ae461c5fccc6dd6aa3b6f38eff17a3960852a0a1b9c9dc88e3b", "type": "eql", - "version": 1 + "version": 2 }, "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", @@ -2549,9 +2563,9 @@ "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "599489e4a0c4b02a7717d928a5881b6281d1362970adb1074d5362a33c45444b", + "sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082", "type": "query", - "version": 104 + "version": 105 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "min_stack_version": "8.3", @@ -2706,10 +2720,10 @@ }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.10", - "rule_name": "Multiple Okta Users with the Same Device Token Hash", - "sha256": "0cabbcb4f30f4ce25d1efd6d385f10b02ca0ef7cc2d8bac313e45e83abdfa175", + "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca", "type": "threshold", - "version": 1 + "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.3", @@ -2746,6 +2760,13 @@ "type": "query", "version": 104 }, + "51a09737-80f7-4551-a3be-dac8ef5d181a": { + "min_stack_version": "8.3", + "rule_name": "Tainted Out-Of-Tree Kernel Module Load", + "sha256": "906a021911de5e8f4437da9087e7b52974e5ae6d5decb416ebc494866bf4ecc9", + "type": "query", + "version": 1 + }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with MMC", @@ -2756,9 +2777,9 @@ "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "d6684969f3393c5d0071672900ffa3557f7b96875f0fb073ddf04801bf9fcb4f", + "sha256": "32d05a814889ee60dc87a1d8bfd9ccde871f528b806978fcd7a8e999fac7d565", "type": "eql", - "version": 4 + "version": 5 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "min_stack_version": "8.9", @@ -2923,6 +2944,13 @@ "type": "machine_learning", "version": 1 }, + "5610b192-7f18-11ee-825b-f661ea17fbcd": { + "min_stack_version": "8.10", + "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870", + "type": "eql", + "version": 1 + }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.3", "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", @@ -3126,9 +3154,9 @@ "5b18eef4-842c-4b47-970f-f08d24004bde": { "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", - "sha256": "fc50e7f8c6f1d7485f6a164637556906c3e3711d037759cf0c017826a110f6f3", + "sha256": "7d7caddbf4b4d96f05ac6949cb45758377a5e3bf4b700ccf482055409ec6f2c2", "type": "eql", - "version": 2 + "version": 3 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "min_stack_version": "8.3", @@ -3177,9 +3205,9 @@ "5c895b4f-9133-4e68-9e23-59902175355c": { "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "a6d98ac9e83fe086450761623ed3be2ecb0ee7a1cc965b3334fe3f9e226a05f2", + "sha256": "9a1e8c65a29391713f609dcbd4a1305713e9a2c306af2f32b6a83dfce192b63b", "type": "eql", - "version": 3 + "version": 4 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", @@ -3294,6 +3322,13 @@ "type": "eql", "version": 106 }, + "61766ef9-48a5-4247-ad74-3349de7eb2ad": { + "min_stack_version": "8.3", + "rule_name": "Interactive Logon by an Unusual Process", + "sha256": "57a629aaa1c6c8e3211d86871c40fb1532a1b8041321a4a49e09bf2207ddd1d7", + "type": "eql", + "version": 1 + }, "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", @@ -3345,23 +3380,23 @@ "63c05204-339a-11ed-a261-0242ac120002": { "min_stack_version": "8.4", "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", - "sha256": "50e22b963b23fb875f4790d08f86ff42ef3c0647bb9ea73d6230249f92d02ec3", + "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", "type": "query", - "version": 5 + "version": 6 }, "63c056a0-339a-11ed-a261-0242ac120002": { "min_stack_version": "8.4", "rule_name": "Kubernetes Denied Service Account Request", - "sha256": "0d948643de064e41761d52de2aea9c64ef42324b59c2d35ab8ccd34d42d83d7c", + "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", "type": "query", - "version": 4 + "version": 5 }, "63c057cc-339a-11ed-a261-0242ac120002": { "min_stack_version": "8.4", "rule_name": "Kubernetes Anonymous Request Authorized", - "sha256": "7d2f16e497a23db9bcca2a28f3bc86267549a56ba9b988342b1973abd885d7e7", + "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", "type": "query", - "version": 5 + "version": 6 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.3", @@ -3409,9 +3444,9 @@ } }, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "a392535f193c9bb4f607ca018da754d0d2fe756881ddd68726caccca6568ce2a", + "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", "type": "query", - "version": 202 + "version": 203 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "min_stack_version": "8.3", @@ -3437,16 +3472,16 @@ "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "fb115e87e89044c32e58806b7d33104eb2b1ee8f3db90054d8643f6d6804f05f", + "sha256": "846fa5c4e35ad6a575c527857f8f08531770497ebfbd1e5c44038c9711e941fe", "type": "eql", - "version": 4 + "version": 5 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "d7b20d3341cd184a82b2bd8a88373bc4fb3a7cf01c5073cb059c987420cf3d9a", + "sha256": "7745782aa933ea91dbfdffeaa535df98d4ba5d6b908c75cabba52d20958e79d4", "type": "eql", - "version": 109 + "version": 110 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.3", @@ -3869,9 +3904,9 @@ "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "df0ebfd519ecbb1f865b556e10ebd19af3fedf23da2afa856e1eed3b78f786eb", + "sha256": "cdd0f600e28fdd26a6c761618ed095d7b9956e2064103ee046847872afd934fe", "type": "eql", - "version": 105 + "version": 106 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "min_stack_version": "8.3", @@ -3883,9 +3918,9 @@ "7164081a-3930-11ed-a261-0242ac120002": { "min_stack_version": "8.4", "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "bf6e413b1a7554ae0a50a51c3ffd97289d9c856bfa37a5bbd049676b408e9b78", + "sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec", "type": "query", - "version": 3 + "version": 4 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "min_stack_version": "8.6", @@ -3949,9 +3984,9 @@ "72ed9140-fe9d-4a34-a026-75b50e484b17": { "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", - "sha256": "76e9e3a24fb77bafe1b7f5cf3730c4024c32f045d85de9b0857bae7a8716b2df", + "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", "type": "new_terms", - "version": 1 + "version": 2 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", @@ -4030,9 +4065,9 @@ } }, "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "eb3c017dfadc69b9ca322bd0fa4ac6795b89d7c3ac31f0050aa79171995b9df2", + "sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982", "type": "query", - "version": 202 + "version": 203 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.3", @@ -4083,6 +4118,13 @@ "type": "query", "version": 102 }, + "7787362c-90ff-4b1a-b313-8808b1020e64": { + "min_stack_version": "8.6", + "rule_name": "UID Elevation from Previously Unknown Executable", + "sha256": "2730756601b3e9c3122bb97458b0f9f58e407913123e9572e2cac648e4ebab2a", + "type": "new_terms", + "version": 1 + }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "min_stack_version": "8.3", "rule_name": "Adversary Behavior - Detected - Elastic Endgame", @@ -4272,6 +4314,13 @@ "type": "query", "version": 100 }, + "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Kworker UID Elevation", + "sha256": "f6a376457e527734ea6ad8afb21d2c54e93b221f1f2bf986041ff905f2baaf67", + "type": "eql", + "version": 1 + }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", @@ -4632,9 +4681,9 @@ "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "min_stack_version": "8.10", "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "3f33c3e7817f1f2970238c916629c2827ae0b7b46a7c0152797aba33b835fa4b", + "sha256": "8700bb27ff54ad56343421ba6fac2f451fb22a01e93bf557ae17c9bf71d3bc7d", "type": "eql", - "version": 1 + "version": 2 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", @@ -5019,9 +5068,9 @@ "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "547b20764fecd9340dbe641b6df4e4839c47770cd894673ee65364b20061959a", + "sha256": "3eeb11e2e94049e8d1119a4cafd05b0fe2188371b6cfa8a38d62535f57df784f", "type": "eql", - "version": 4 + "version": 5 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "min_stack_version": "8.4", @@ -5146,9 +5195,9 @@ } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "9671afcc66dbc58a275066f23ee0484f9b8819dbeccdde28660354c790ae9387", + "sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed", "type": "eql", - "version": 208 + "version": 209 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", @@ -5186,9 +5235,9 @@ "980b70a0-c820-11ed-8799-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "a1197c00ba4334f0b61b5d4d3d8a5295997d4ea0558e29bae8140f3a5043e319", + "sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627", "type": "eql", - "version": 2 + "version": 3 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.3", @@ -5318,9 +5367,9 @@ "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "min_stack_version": "8.3", "rule_name": "GitHub Owner Role Granted To User", - "sha256": "152428a8434461254fd0550779e5f2ff7b906cf27f44936e520219c6c117b748", + "sha256": "a16bdb7510672df6f37801d5358499f1a79cde453022a2a3f424c450d519def1", "type": "eql", - "version": 1 + "version": 2 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", @@ -5544,9 +5593,9 @@ "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "6c6d99f8d895a01d02dd4c824f549d027faf0fcd9e4164f5f15841495f797400", + "sha256": "824c61e43e5e5a716f7c86a9bae768ce4ad3d3da5d6151920028b34c4e163889", "type": "eql", - "version": 4 + "version": 5 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "min_stack_version": "8.3", @@ -5636,9 +5685,9 @@ "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", - "sha256": "5314fd78f655b74a006c62ee1eb2079163be8e0e9035bd70e879958302847147", + "sha256": "164f4808f9233c0316265e8ac731e74784cc410587f5710bdd9f8f72fff7c7c3", "type": "eql", - "version": 3 + "version": 4 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", @@ -5956,6 +6005,13 @@ "type": "eql", "version": 2 }, + "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { + "min_stack_version": "8.3", + "rule_name": "Suspicious File Creation via Kworker", + "sha256": "4d4e79da63198cef34c6daa28263e65a117d300b3526620cda6075a9a6532a45", + "type": "eql", + "version": 1 + }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", @@ -6070,9 +6126,9 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "2f2309ef87dbeb7c8500ffd750c33a466ec912231e35d601c99ed10b5254c68c", + "sha256": "1febba999144c11d4eda1df90ed6dea43965b2967e98e431fd00fd7678d5f6ab", "type": "eql", - "version": 108 + "version": 109 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.3", @@ -6246,9 +6302,9 @@ "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "ac46e57d571273c025c91e46c20c1f7c46db80b9f6a1e181de6ec4e267c91867", + "sha256": "c6ecd8ef206d0f32e3bc9b72cf1a808affd09aa72bd8443c3a359bf000480e3f", "type": "eql", - "version": 108 + "version": 109 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "min_stack_version": "8.3", @@ -6295,9 +6351,9 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "dc0a8c9cd0d7f0e1844a5c6402ab1504415faa41aec3f0ae1f68c80b0e74947d", + "sha256": "8942d1f095059286fecf8c197b44e975598fc9beee88d0e296402f027b3c4e35", "type": "eql", - "version": 106 + "version": 107 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", @@ -6339,9 +6395,9 @@ "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "41d271a7a3e18ee8bdec67895870a01f5bc3f8801a58b29bcba5ba615179f139", + "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", "type": "query", - "version": 102 + "version": 103 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "min_stack_version": "8.9", @@ -6432,9 +6488,9 @@ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "d760fb7f319139f03665f98df0dd2e9878098619330d3d740f424b742ed5a3e7", + "sha256": "a104d57c93d224bbb66c4c3ec0155970728973744f4f6e5f064a97439c0e12ca", "type": "eql", - "version": 4 + "version": 5 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", @@ -6697,9 +6753,9 @@ "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", - "sha256": "576d3b6a56808d5c581e4f82d4571613bdb9f304eb4165c3d972990f968f7abf", + "sha256": "142247d62f7891a9ca33735f3b0dccfb8715548c603ac42fda40d37b4d391fe7", "type": "eql", - "version": 108 + "version": 109 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -6758,9 +6814,9 @@ } }, "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "c36b22463e66e69ad7dbd01c7e79c4adb82bf1f6ca122c7a45c071c4029f298b", + "sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a", "type": "query", - "version": 202 + "version": 203 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", @@ -6927,9 +6983,9 @@ "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "min_stack_version": "8.10", "rule_name": "Multiple Okta Client Addresses for a Single User Session", - "sha256": "95e6787fdbd7768c2066b060596b45e20e11a64d5e238abe96679290fbbf2469", + "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", "type": "threshold", - "version": 1 + "version": 2 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "min_stack_version": "8.9", @@ -7148,9 +7204,9 @@ "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "486befefb895d04393ea8ab494e45aa9071d538f5f4afe5d9ac67aee4e990ac0", + "sha256": "1a8f93e1420657bde476d44178510fe68b66e44c5329c320ca9cad7c4a0a46aa", "type": "eql", - "version": 108 + "version": 109 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "min_stack_version": "8.3", @@ -7427,9 +7483,9 @@ "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "2102e91dda480a20979378bce1f9ce3243b54439c2ac1961ad795862fe956692", + "sha256": "45983ba4145383efb62f613aaf8c96bb987077029f26ba1392ed5a802713ee0b", "type": "eql", - "version": 6 + "version": 7 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "min_stack_version": "8.9", @@ -7620,9 +7676,9 @@ } }, "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "1f4c0ae9dd783f3b83ac46047885d443bd3d578a6f76c1eb3211780b7b2e3876", + "sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622", "type": "query", - "version": 202 + "version": 203 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", @@ -7677,9 +7733,9 @@ "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "b30b5b205b4d258de4072197ae2f131b0716891f4297ffc36e6a2549b7ca66fc", + "sha256": "e1ed4e0365edf2d5b5f63fc4a633c8d5520823cbb25d79826c9bde9fb5648a6a", "type": "eql", - "version": 1 + "version": 2 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", @@ -7788,9 +7844,9 @@ "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "0897fefd02654839585af75de63a6c8ed5041e6659933458ff58f29327d6c410", + "sha256": "c6f1cf145ff3b061a79e8ace80cc5733fae16573c3ddb49f83073f52ee86ad31", "type": "eql", - "version": 4 + "version": 5 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", @@ -7973,9 +8029,9 @@ "8.3": { "max_allowable_version": 104, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "ab002c02bd96a6d77776ccb1b5fe96cb19d8ee3fa408b8c5853d7a4580f3fc18", + "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Suspicious WMI Event Subscription Created", @@ -8211,9 +8267,9 @@ "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", - "sha256": "1d657da119ea7a4f4925fb9854f9b300a165f2e51b196233358018c3c2c34b10", + "sha256": "76315bba25abe84b119f44de4c1b6c4f33fdc53d08a5ea67631b6f821c288236", "type": "eql", - "version": 107 + "version": 108 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "8.8", @@ -8285,9 +8341,9 @@ "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "7e36739ca38d86c13233d562ec0ff5e3019b17cd4efe9373ee963d0412184cbd", + "sha256": "b08b05384865af516f9051b9fda7a2e86423e826268d86119d94bed51a40ae68", "type": "eql", - "version": 108 + "version": 109 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "min_stack_version": "8.3", @@ -8297,11 +8353,20 @@ "version": 3 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Okta FastPass Phishing Detection", + "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932", + "type": "query", + "version": 3 + } + }, "rule_name": "Okta FastPass Phishing Detection", - "sha256": "8270e1a274c3fc9549fd1c6e7a45f05f1bffa07a9b5f4f416074649a7a48b303", + "sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c", "type": "query", - "version": 2 + "version": 103 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.3", @@ -8361,9 +8426,9 @@ "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "2e8062644461fe200b2c0e86e1ea8526c11447b53e129b6096fffef03a70986d", + "sha256": "2c5262665887e553b48f7df98f3d614aefdf59b44a481d0ec6f946a75ba61cab", "type": "eql", - "version": 105 + "version": 106 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "min_stack_version": "8.3", @@ -8477,9 +8542,9 @@ "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", - "sha256": "4c7e78b131d1198b5114a869eb0b7caafc11536152cd2368abfdd62ff264472f", + "sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9", "type": "eql", - "version": 3 + "version": 4 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "min_stack_version": "8.9", @@ -8557,6 +8622,13 @@ "type": "eql", "version": 2 }, + "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { + "min_stack_version": "8.3", + "rule_name": "Rare SMB Connection to the Internet", + "sha256": "9a94f4d8101faf26b2c6b27adeca58352ce001eed85ee4b6bbb0bdf460045ec5", + "type": "new_terms", + "version": 1 + }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", @@ -8574,9 +8646,9 @@ "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "min_stack_version": "8.3", "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "7fb454ea923d4be1c53da0fce33be447e1856c41f237f0cbea512aec928fa237", + "sha256": "39e23b5edd4a250cfcefb9fd66eebd1876f9a408c1ca69902bad707c1ccfa236", "type": "eql", - "version": 2 + "version": 3 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.9", @@ -8862,9 +8934,9 @@ "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", - "sha256": "5429be9bfc7f82918122fa6dcc5088a9f5934fa0b93cd24eecb1b3a33e52a053", + "sha256": "9e0d8bd2ea5e365a73509a4d11f7cf61209d79e01d70d9fe086c66b920dde083", "type": "eql", - "version": 3 + "version": 4 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "min_stack_version": "8.3", @@ -8925,9 +8997,9 @@ "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", - "sha256": "dcc745dbac15e8073ffc6bb416dd3a2f1b170e3ea46bfb1c41085cf82a6f009e", + "sha256": "616a82f9d56e96eca039a36156317b57f3ad06c109ee04f3772e1acd1fb66457", "type": "new_terms", - "version": 6 + "version": 7 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "min_stack_version": "8.7",