From a64b6a39a7b14f94b74da3f9f43f90c5dfe7cd76 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 12 Mar 2025 19:02:53 +0530 Subject: [PATCH] Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4531) --- detection_rules/etc/deprecated_rules.json | 5 + detection_rules/etc/version.lock.json | 2226 +++++++++++---------- pyproject.toml | 2 +- 3 files changed, 1226 insertions(+), 1007 deletions(-) diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json index 294048efb..86741c17a 100644 --- a/detection_rules/etc/deprecated_rules.json +++ b/detection_rules/etc/deprecated_rules.json @@ -119,6 +119,11 @@ "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", "stack_version": "8.6" }, + "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { + "deprecation_date": "2025/03/04", + "rule_name": "Potential Cross Site Scripting (XSS)", + "stack_version": "8.12" + }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "deprecation_date": "2023/11/02", "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 53df69ca9..aedc3c115 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json 
@@ -28,22 +28,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587", + "sha256": "8cd037720adc468e6c21ea2add4914a716d1fa7f3ffb7542a3196bf05c40a420", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 313, "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7", + "sha256": "148b877fd8c02c9338683afb02175ecd6f5cae155844fb6eb12205e1a4bfaf4b", "type": "eql", - "version": 215 + "version": 216 } }, "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74", + "sha256": "b3a3605004e2c4a6c948a89b070b0ee2a28e33958a603a1c06e4bcf9dfa1553d", "type": "eql", - "version": 315 + "version": 316 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.14", @@ -51,22 +51,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "System Shells via Services", - "sha256": "234ca1d03d9490f694e58e4e930034af44bc5607d0b3d9b618220e2c43f63709", + "sha256": "94047c055fb327e889a977deaf20ab8494f8d7c817d09a9039eecead9f00ec21", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 413, "rule_name": "System Shells via Services", - "sha256": "053a24a7c772b51aa6c4cacaaf2b60d644b999d648117254f85fb9550c02b7d1", + "sha256": "2b030c8d49b750ea50e794ec65195cccb5c668d04a6eb1c0e9f00bd274fe1289", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "System Shells via Services", - "sha256": "3c7e037d08a986cffce89446616f2c30c98c4f0c30ab9560f83af5f3f4ae76dc", + "sha256": "c6c35ad0725cb2e48652c4674ae470c1adbbbdccbd396fa2c586f2edae14028e", "type": "eql", - "version": 416 + "version": 417 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", 
@@ -74,6 +74,12 @@ "type": "eql", "version": 3 }, + "00546494-5bb0-49d6-9220-5f3b4c12f26a": { + "rule_name": "Uncommon Destination Port Connection by Web Server", + "sha256": "5c43e4b67433d9c17dcf3ec0723c08adddc753da5e15b8db551590e207c5d0b1", + "type": "eql", + "version": 1 + }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "084af080fe0d6182cf5ea6c48b232167996f3eead720253e885568afa89e5afa", @@ -94,9 +100,9 @@ }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "rule_name": "Potential Network Scan Detected", - "sha256": "34e2dab204ed0dfc0784ed2fa9de784ec3368627b54a2052bb170264f47c7b05", + "sha256": "5f3a83500924433610b33b689f87387a563f69eb5121b6ebac645d00b7944040", "type": "threshold", - "version": 9 + "version": 10 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", @@ -133,9 +139,9 @@ } }, "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "dbcb6ee16e0332c0f9e3c35385be6f5264364abf46e4cfa8504e52f66afc3999", + "sha256": "415830680cf9d50d3845dbb66278e1153b189e660304ba0a15ca8d3d5f47ed5d", "type": "eql", - "version": 208 + "version": 209 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "min_stack_version": "8.13", @@ -199,15 +205,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1", + "sha256": "4c5ca4a33be28031ab32a084760e988f017a7edd84cc8c08f314f52d3873cb50", "type": "threshold", - "version": 112 + "version": 113 } }, "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368", + "sha256": "7bb30e533a5784e8b443498afc2acd04fa726e74eec86a301107c57c0e73a4fd", "type": "threshold", - "version": 212 + "version": 213 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": "Potential Memory Seeking Activity", 
@@ -232,10 +238,10 @@ "version": 104 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { - "rule_name": "SSH Process Launched From Inside A Container", - "sha256": "6948774242c4260c8922dc9fb5cf20d83968255d9cb7b32e14ecc3ec3d9e9a0f", + "rule_name": "Deprecated - SSH Process Launched From Inside A Container", + "sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509", "type": "eql", - "version": 4 + "version": 5 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", @@ -324,15 +330,15 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e", + "sha256": "05e330c5bc7ed2ce8eebca407e464236f706e834abd2347c5e29222915cb9919", "type": "eql", - "version": 114 + "version": 115 } }, "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add", + "sha256": "3f61af7fb95a6f56f3d8b10f22c2543e1500a295cedb05240385a644cfb3960c", "type": "eql", - "version": 214 + "version": 215 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.14", @@ -391,15 +397,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "System Time Discovery", - "sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261", + "sha256": "33fe7970c008c5046403b819e98a65e6552a9579cc28562fe551e9ec75fcf0ef", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "System Time Discovery", - "sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f", + "sha256": "cf15b2bf8ac5ddd54fcb4f2ccedb51733cf85512ca197097fe3c7ab31f87755a", "type": "eql", - "version": 110 + "version": 111 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "rule_name": "Unusual Remote File Size", 
@@ -413,22 +419,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a", + "sha256": "d70040688d2d40faca05dc65ea89f7b7cb6dc34b2c978f2fc33e67f843a5c79f", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "042f24758999dd875c2a6d26e28f71851c30b509b0ea5f898455dd21afc4bc81", + "sha256": "bff4aae78a241e310a292c793fba005814a975476eba89387b3301217986255b", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "dec496b372a0c9557658a4e9e0df8160dac454df7fd61ff83f0ab2d0eecfcbd1", + "sha256": "e7a8862a024f6ea8a346b16441845118d570aebb01a849748f0c3d313172edae", "type": "eql", - "version": 210 + "version": 211 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "min_stack_version": "8.13", @@ -452,15 +458,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Potential Evasion via Filter Manager", - "sha256": "fe0b271cf1660d839ba9c04e3ae7c6a2ae6bfc5ba80b354d7aa2ebf8ba75db6b", + "sha256": "af64a92d30ef699c25bf08f37822770635ec2e44be940f17de9cf25ba519f602", "type": "eql", - "version": 114 + "version": 115 } }, "rule_name": "Potential Evasion via Filter Manager", - "sha256": "cb388e3a30c4e77292f3c6ffde5fabc2aa388f8affa6756cf70e1b8442d61a30", + "sha256": "990f986bae1d4f295042fd090a380cd0d6f3d7b8850dd78cf6d5b4e2ffe7d8f0", "type": "eql", - "version": 214 + "version": 215 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", 
@@ -475,22 +481,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3", + "sha256": "9f32696b9fa2e1510dd9d329776fa82b31d56c88665b21f900724188a3fb1f33", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "75622c12c2b3910b87a6b069b747a11dd444908ee4ed676472e167c4347fb1b4", + "sha256": "b22d6b7ab9817cd0a492a0bb23fa58aefc0460b88dea57ffc84c6cda058950b9", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "69ba5e2f0de8ccc7766ab1484193e28e740b07a10fcb6f6f37899158d8f1dd24", + "sha256": "36865a14b607cf48b5cdfcf52bd07a4c37c6a89038d1230ec983ac280ad050ce", "type": "eql", - "version": 312 + "version": 313 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "min_stack_version": "8.13", @@ -698,15 +704,15 @@ "8.12": { "max_allowable_version": 212, "rule_name": "User account exposed to Kerberoasting", - "sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0", + "sha256": "f4161c7c3cb1aa92b083eb597fae4114d218aee981cb01a13851e639a4dea970", "type": "query", - "version": 113 + "version": 114 } }, "rule_name": "User account exposed to Kerberoasting", - "sha256": "ebe574808b30bc1075a58cef2f874bdd05f42e8a24777f0a63b52a2120faa70c", + "sha256": "ebd85ca66aad316c0f9ca0890392b1bf3c4c86c58b9b097f3079dd6dbc0a6dee", "type": "query", - "version": 214 + "version": 215 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", 
@@ -742,15 +748,15 @@ "8.13": { "max_allowable_version": 101, "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "7ffa76bdd42de95fc9de0514beb379f3022d2480038fc89512a38dc061cf24e9", + "sha256": "651c708c609fb7785a9f1776142e6f473de4466714636ff521fc42e5e303c8f0", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "e00123eeed5a9592b8d966a72a4ad924189880c7010e544d25d5026d9accd309", + "sha256": "f3895557013bb677c666836d9909116795173df120b18f2792b6aa20cbe69580", "type": "eql", - "version": 105 + "version": 106 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", @@ -793,22 +799,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Peripheral Device Discovery", - "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b", + "sha256": "0ba61428f49133210022937f1edfd3ba9e42329cb91126ff0465644e23fc62ce", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Peripheral Device Discovery", - "sha256": "e9e92aa8e1ad67d6a76c1d863117e5661cf826a76f886d086ccb881e82884a23", + "sha256": "61ae1ba97794982369c44f00a1f32eec466cb30eb538a026250b2146313d688c", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Peripheral Device Discovery", - "sha256": "5c9eb5418f67e5344018b20070d77c09629e1a8fd55f8bdf09e6f4d8e14b8d43", + "sha256": "61263ade531000457423d75f215e58ba78b6b5cfd11f5e95bf5fca9d5d77c526", "type": "eql", - "version": 311 + "version": 312 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", 
@@ -886,6 +892,13 @@ "type": "query", "version": 207 }, + "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token", + "sha256": "f6f434f76330ba923e4d55b62e92891d98a21706ca8bd0b47bd9811566a8c497", + "type": "esql", + "version": 1 + }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", "sha256": "59e29ccc3ac8165891a2e84b728fb276eaf024e4adc86f129eed888139ef37bc", @@ -904,16 +917,16 @@ } }, "rule_name": "MsBuild Making Network Connections", - "sha256": "dcb595ba973117d787c324d67e3c1089fbb00fd94c18e02e68348da2cbca9297", + "sha256": "1d7d425a4b556f2c948c50f0b1dfd888045fc7023dbe3fbad411dbb83d420c0e", "type": "eql", - "version": 211 + "version": 212 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "8.14", "rule_name": "Sensitive Audit Policy Sub-Category Disabled", - "sha256": "6cc9d9a4fbb39e93e41deb9292f97dde010faa4b55b759e788d4ee53bad3fa1b", + "sha256": "36d53d03849de22fb24be66156f15194ce07ace1ab38974701e6b69efe28551e", "type": "query", - "version": 3 + "version": 4 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", @@ -1183,15 +1196,15 @@ "8.13": { "max_allowable_version": 202, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "dee24546d469b37c7b76c8f8f173a6c83c366cb49c0b9576f370a0bd5511952c", + "sha256": "dcb9f8fce25461a848fe06439c08665629219e3abdd01025c5555abb22bc059d", "type": "eql", - "version": 104 + "version": 105 } }, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "782eb2c51362b3ee9cdf7131c0a816f7635452ff4f82263c5b890f72cd09baf8", + "sha256": "6650390a0ab837875b873ec9ee59ab4afc35d94df7e4e550ab6e853cccd6b929", "type": "eql", - "version": 205 + "version": 206 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.14", 
@@ -1199,22 +1212,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "98f99aa122e1e624b3e09c6ba6ef60f17fad0fb85c2a0312908fa83888d30adf", + "sha256": "8a50a6a6f107f05960872b508ca599e3ced73c94f3e91ba756d516d1fb627486", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "655e84527e938f302b438d0661911d1fc0c26eb040707b8dadc870b71b09621e", + "sha256": "a2f0c592a53ec30b958e963921770be01cdef012944bea22ae236d2713cd09b4", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "e64945c3198ab598f7b7fbb252d2af8e1130443ca01fb4b04ab121f6bdea367e", + "sha256": "f257b59519a3f70f969db80deb185a3cf39536af5b3c532c376b9108da677c08", "type": "eql", - "version": 315 + "version": 316 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.14", @@ -1394,15 +1407,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26", + "sha256": "5590dc04999fc927242cf1926db4e2333087ea2de5e17c69677fa0ce42a76e5b", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "14ea5e0fd126666fbc1f42f74fc27465bd18827b6a4a7aa6eb91a8a20c82dea1", + "sha256": "48a21cf9c0af5dfe2bfe8c63b5a363ce108759818d65d6b3413ecbd1d0492b71", "type": "eql", - "version": 212 + "version": 213 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.14", 
@@ -1410,22 +1423,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "0cc6051b059f0a4c23d62a16a546d261c5bbbf67a3446bf0fb2712619334c81f", + "sha256": "59e37cb962abea6a86b2a9384e1f08d2d036cdf4ab29173bc0d6e344af013204", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "47c62d0707a97119096476193b3bbf9c24f7265594587011d87a5248a4d6a588", + "sha256": "d4a8b5bcd2a0a91c59da2511a57220c6075e93ea8e02ea1bbd8d32ce14c24f90", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "affead342a3622a946986ec040beb993b0e5c27fe2442af4d4cdd70cce50f419", + "sha256": "ceac041df0548aca97242dafdaeb9c690d4d47ac4073a6393c65e651869946b4", "type": "eql", - "version": 315 + "version": 316 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", @@ -1434,10 +1447,10 @@ "version": 109 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { - "rule_name": "Potential Container Escape via Modified release_agent File", - "sha256": "6227f5574f6e391b1d85763a35113b7299b3d0a278820a3c90fe8d5758de412d", + "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File", + "sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a", "type": "eql", - "version": 2 + "version": 3 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", @@ -1457,9 +1470,9 @@ } }, "rule_name": "File Creation Time Changed", - "sha256": "a4b5224b6210e6ae22a3b2aae8187bd48cbb3c7b41926bda9a2a48c0528de974", + "sha256": "96cb410b392f1a8774e854637ac35223c3f06af1886b4805a50b9337a05c3290", "type": "eql", - "version": 106 + "version": 107 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", 
@@ -1485,15 +1498,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671", + "sha256": "3cc36b41be0eac9cd7741554fb1bd65a80c0a77275abb17d58fd202b42c25c6b", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "3a76496d25961498c7105d4962f1c5a68168264eadc61c4c51b20c602177f4d8", + "sha256": "f0b9ffa215ff2cbd2e2a889ada8e94883b25b009557f7f572ffacebd45b15863", "type": "eql", - "version": 211 + "version": 212 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", @@ -1629,22 +1642,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "f368ae24273f75a97331eb4294db2df1c387c497dada5ace32520098feaef4f0", + "sha256": "12f1a83fb96e68e2440fc75a664bb40ec93c873078e8e95f4e7ada4d552370dc", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 200, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "e90219da2c60953e27bc20e62830dafd75772d2db35bbd32f51b8d0a4c6dc954", + "sha256": "af9a371780c9a5d15b340de55265c36733b80ec3bd7ae69c38546b2bf617a8bf", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "2e6ff66e9a80e9b1753f07eb7bd19334a9803978510c2c2154280ebcb66cb4c8", + "sha256": "35522252e970985ab70a0f4b89c64a7985895c75db81381345559495693ccc8e", "type": "eql", - "version": 202 + "version": 203 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", 
@@ -1713,10 +1726,10 @@ "version": 5 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { - "rule_name": "Suspicious Network Tool Launched Inside A Container", - "sha256": "68a2c9ed8a46b384ecb2a355df2a4634cbf081463794ed6e93931901277da031", + "rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container", + "sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a", "type": "eql", - "version": 3 + "version": 4 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Azure Application Credential Modification", @@ -1730,22 +1743,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Execution of COM object via Xwizard", - "sha256": "62babd726ae5a985d3dd9add1aabacf93bb5c8787ad3486f8ca9d1ae675d7ec4", + "sha256": "f6391e8f5b0619d0a9d9c44f7eb9fd4ee84d804dce2a33222731c4d7f110975b", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 309, "rule_name": "Execution of COM object via Xwizard", - "sha256": "9826caa22a613e9fdde9bae7324fb6f400cce7a89819041bbb709563fe470c21", + "sha256": "8e04dc1449042764a07c9fc2051bf7a5c8d58e05bafa41e5eaa68ca6baeada51", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Execution of COM object via Xwizard", - "sha256": "414ae5d1c777554706e77fcf698fa405ce9159905c53e47449683ff8b606b8d6", + "sha256": "c65c9419a9ac1a778ae51ad7d033bd3775009b43563844b80f984ff2f2f64e45", "type": "eql", - "version": 313 + "version": 314 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", 
@@ -1759,22 +1772,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "User Account Creation", - "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7", + "sha256": "1046be8b577da52ec4ae4f06bcbf7ac7e32232c0e2d407916cb0474c8add7849", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "User Account Creation", - "sha256": "0f3e13b35064dbdad29e0f2b80895fc844346955c595402ce66bd632d1e1e524", + "sha256": "142471dd697b20805b6879a80f98136fb3c2b5519aa353e6f1ff95700a4f0b04", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "User Account Creation", - "sha256": "9af12b0253eeb5e99e162b69240851ba05f9a54cc8abecb25c973288e57cf7e5", + "sha256": "3b110982e7dcff42742a98ac233650c6dc58347d5faf2db2f46a849fb45b1bb2", "type": "eql", - "version": 311 + "version": 312 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", @@ -1939,22 +1952,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "94f7d66b79180d0ba45c617e24e4cb3a00c1489fb51b504d7aeffe8001d10959", + "sha256": "56bbd2e4cd59a4c2cde86cbbbfcd9e0afc33c8305d71bab718500435d3a78c7e", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "c994e0389ac555c93a42a57df8ea2b97d510399c33eb3f11de809c2018c44686", + "sha256": "34fb9c8b0fd50e111ac85f4594d6ea57df7c600c03164d83b6e2485114ad49ce", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "675020877e0f237ac091e0142a7db019267d1f73af9366cc520a9f7d27bac85e", + "sha256": "07df6892a87587ca8babc6706f4c0106779b8517b3fef2294f5eb30ea9491d7b", "type": "eql", - "version": 312 + "version": 313 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", 
@@ -2022,15 +2035,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Creation of a DNS-Named Record", - "sha256": "24a5cc160724e80ee85572da35813e258fcb55ef5b077894b4a649d8fbd6f1e9", + "sha256": "4955aaefda636b2420e5116875b69def93dd7fd67397cb2a0322de00b946b0fc", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Creation of a DNS-Named Record", - "sha256": "bd366149e20faa5b5e9ad60b298c1ad8f63002ee1451b7ee55e6c101547e6979", + "sha256": "601853c2f6f8d5d47352dae612917238325b67762d8659f901e4a21c832d90f1", "type": "eql", - "version": 104 + "version": 105 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "min_stack_version": "8.14", @@ -2082,9 +2095,9 @@ } }, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "89dad03842e0833b63ac6d38d5cf8f2712f22e296b4390309b10f471ab78fc07", + "sha256": "440ef66551ac7e38e741b7fefff772fab1e8807ba1d7129dacdf19a382fd06ad", "type": "query", - "version": 112 + "version": 113 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "min_stack_version": "8.13", 
@@ -2099,15 +2112,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8", + "sha256": "c0c0dc9d02782e6a4e0945d5a4067d3508deaeed48634ba3aa3bce892de5a9c4", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa", + "sha256": "d89337c9d0ba87570647603b26f42ac3171fd6d9640b10b178348bff7117b07e", "type": "eql", - "version": 104 + "version": 105 + }, + "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { + "min_stack_version": "8.13", + "rule_name": "High Number of Egress Network Connections from Unusual Executable", + "sha256": "d9e8a7e51aa77ead7ce1ea1fea343c35fdb7aa4cc92450f6ebad5433afbc53de", + "type": "esql", + "version": 1 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", @@ -2143,22 +2163,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "6f9e237253c1d533e1dceaf4f673182fa86dcb4f04539ecb15a9f0dadb01047a", + "sha256": "acfdd598b6015547f15e05e3ee2dd61dec13a52e09ccef1f154e133678cb2e8a", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 310, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "87f7a5cdc22d29da0c8cd7bc438e5e735e064c81584577cd34b46d510dccbe08", + "sha256": "891281c4090da3be8a47c99999198fb67201bc47da9b753cd8cdf6b2107a4f86", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "b697c5f18da0dedf8adabf369e59016a5fd9e362cb43d0434c14e7f8b63d93b8", + "sha256": "2c8e7933b55726a6bd967fa3c6e4ecaa207c4acd5574f5970995d8bc9b341746", "type": "eql", - "version": 313 + "version": 314 }, "202829f6-0271-4e88-b882-11a655c590d4": { "min_stack_version": "8.13", 
@@ -2240,15 +2260,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "633c67422491d16a2f3773ed98d16e1beb6d9369dcdf7edf264b8350e008ae33", + "sha256": "c71196cfccc34b4c3d768cc7220422fdaf2d6163c21dc2b1f3c8d1616a87dfb9", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "12383abd03ed18e19cc6e38a242cfe6ef50687fab36db30ce2d216216b538b16", + "sha256": "72f43c85a5250cea55570cba448f42de38ff7b2fb9730edd8f6a78a7cc05fd4a", "type": "eql", - "version": 212 + "version": 213 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", @@ -2258,9 +2278,9 @@ }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", - "sha256": "eef05c9d6268c618653406ebb0048636315857414a69dad77fdebfdc5f04707d", + "sha256": "018833f79c00b6d515e06c22cbe67163ed3e39765697b70a83dbba6a933d13e3", "type": "eql", - "version": 6 + "version": 7 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "SNS Topic Message Publish by Rare User", @@ -2276,9 +2296,9 @@ }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "ae4d37f61191761fb59911def2d9d39ebedf6f1dd02bd3d22bca816328750af3", + "sha256": "83511d6659289dc4e5a568143d268908603bf739947cd0d971cfb051a85451b7", "type": "new_terms", - "version": 6 + "version": 7 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.14", 
@@ -2495,15 +2515,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "a91ee3996b61c4f76e5010d94738862b0c66cc3ab4c1ab802cc609b442a00947", + "sha256": "54a0ad6f86ecdf068b1aae65f14d158a4f15e61b09a082762d2bd3413455bd6d", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "90fe252d7b42afbb9ffb9e3eeb16fca2bf847ec91789821d1fd7a25399a5a1bc", + "sha256": "2985960617b321f48dd8601a1a8803bca75bb670250579ab023076cccb62abbd", "type": "eql", - "version": 104 + "version": 105 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", @@ -2530,15 +2550,15 @@ "8.13": { "max_allowable_version": 310, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "4daca120672fa56fe87a520d2babba093bc294cc504bef5119b188d48173faa7", + "sha256": "04cf4724c581ce8d3a98423140537e39f236a8e0f13794cde43219b0cab63273", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "62371061d0455aa0c946f5512e06573f49e1e88b64995595af69a37cfc14651b", + "sha256": "8a1961e72e2bd40e50a0aa2d9798a0fddb3d6b24b4c0d0272eacefc88d9bb15c", "type": "eql", - "version": 313 + "version": 314 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "min_stack_version": "8.13", @@ -2547,6 +2567,12 @@ "type": "esql", "version": 2 }, + "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { + "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", + "sha256": "57a89e53c08841ce4215ee3302b31a874353bbf9ea14737e9788165df500f4d0", + "type": "new_terms", + "version": 1 + }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "min_stack_version": "8.13", "previous": { 
@@ -2663,15 +2689,15 @@ "8.12": { "max_allowable_version": 215, "rule_name": "Account Password Reset Remotely", - "sha256": "4c5bf771c55b8c874282ea178599a0885a460a0a2f93008e1ce3b37eeca9ae40", + "sha256": "fb5aa2394d8110f0ee46049a6b1ecea7a58a015560ea9e83bc0a7189668b9a9e", "type": "eql", - "version": 117 + "version": 118 } }, "rule_name": "Account Password Reset Remotely", - "sha256": "56605872558fe05e912719802d071ff5ecbb63e38f64a87c8e829ced69d9b961", + "sha256": "137bd2d87af18453725653508901c2d8ad9bbb67598c3aab9cb61849bdd9e991", "type": "eql", - "version": 217 + "version": 218 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "min_stack_version": "8.13", @@ -2776,22 +2802,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "8fbc91f17e1079c6d25358d51370483f648279f3ad8e892d2a679df03c969ec2", + "sha256": "d0e818d0f2ad9ea6d298e000b8823c6f9fae9d4ba58fd7d4a769d192a825bb7d", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 313, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d77ce672bc5fc2088fafb1b6633cb2f5955b7939b1d1302b5c2da31c8d336950", + "sha256": "25a8a5e36180af284b27b2a98e81479ace44455516f3093491003f1c052b247d", "type": "eql", - "version": 215 + "version": 216 } }, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d8fad9d3a7b3d3b175b9bfac15436fde23c180087fd9a61d05bbbdd70434ef3f", + "sha256": "89b1b7dceaff3f36997ec337f2d8cef3fe495d208678da2825e4ed3ce0e5ea3e", "type": "eql", - "version": 316 + "version": 317 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.14", 
@@ -2799,22 +2825,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609", + "sha256": "28c64115f2234bf5d1fecf8825b0c7f3345d8785463039b6e20726ad83f4fae9", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 414, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "a8eb3f78278925242ed765acb2a2d0e95ccd361a73e67ba655fb6137b82acfb7", + "sha256": "086feb5b95a941af5edb6a8cda1844381dc9266800897730bb4c7360a6c48c51", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "e685ec880f93003d916f83c558301d788cc0671883fab6eebc79fe744f7c4c2b", + "sha256": "69c08ef4a5f787e70fccfd3ec58af92bb9dc8c37e8c0371220c0a70bf79f5b7f", "type": "eql", - "version": 416 + "version": 417 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.14", @@ -2822,15 +2848,15 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "ca1675b3254c032d02eb36a19399f23707b98c5db2ccfb585fd8047fe45e718c", + "sha256": "74bf38098dbce95a0c1c95412e8fba9a3f5532a02c1838b1198a971eed59d253", "type": "new_terms", - "version": 213 + "version": 214 } }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "5ac18ed0a46ab76604bf76b574a4dd4d177cff97fabf4ba50cf58d2559cf6ba3", + "sha256": "f4a3fd4093cb4ee803a7b1fde1a972683e35233b3065923dc59ac148914fd788", "type": "new_terms", - "version": 416 + "version": 417 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -2934,22 +2960,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1", + "sha256": "fda9500da0b3d309b22466c14a3b99bc7b486e029d19035500b51c712c4d337d", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "035b963e8b20d330a6df9c8b7bf1ff3812c17492b17c6f32dea5100d031289e9", + "sha256": "bd55b8a641caefe82fd1e124f00f3332b0b81d8efddbe594a1a73415c0a5d41f", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "ba6ccf2fd7102484bab3ab16542b8c07903d577a967904103c08bbfde581d055", + "sha256": "e69123e81346af8a6014260f65776c0326786a0019351371eba62067fb23d7e9", "type": "eql", - "version": 313 + "version": 314 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "min_stack_version": "8.14", @@ -2973,22 +2999,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Foxmail Exploitation", - "sha256": "9f86eac400e2faa31c8268ac8e848b69881a1f1609f46197976260493af312d7", + "sha256": "fa4198db44ca8125dc5157ed58f08cb85ded4ed4fdd90a197bd108a4788e7bb9", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 200, "rule_name": "Potential Foxmail Exploitation", - "sha256": "6d21068759a60e2fe7b6b07091cfa26e48f2b6c2a2cf16239f5aff16aa3e6819", + "sha256": "3b3410ec8a78d817be6bc0002e08c1aecc291c587a8e5049c46ba2a0ffca42e8", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Potential Foxmail Exploitation", - "sha256": "deaa9f94ff0d77ec297bbe56228d604d0ec8ff93168338d0fe56ea6586be9b37", + "sha256": "91d807d619d392937f23f7570110f1a16024dea7638053710bbe2c380ba68794", "type": "eql", - "version": 203 + "version": 204 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "min_stack_version": "8.14", 
@@ -2996,22 +3022,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "ca696785db9d072b73354981c190cb3612631aff9bfb21a7e71087839979c28f", + "sha256": "da7b8fc9196d2268f214a0e688fb4743c4aaac83e91d448cac7edb41ecb0cc4d", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "db70fff6a4d8ac90ee2307787ac0d09653001e7019f4ef1014397d5d28e28264", + "sha256": "da8bbc8a8b7835679b590b3422fc6c384b3818f963248606c077e274ea185f00", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "0f14291a9a4bfdb07c95473002beefcd90774b98afcf9d8e07c0e2c3ce47a9b2", + "sha256": "3ddbfa8f343a66c1a88ceece0f1578b6413e48d8e9866070c72412b45e29c6d3", "type": "eql", - "version": 202 + "version": 203 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", 
@@ -3063,29 +3089,29 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "a1f96c64b24f9a8b3741efd7057dd191f2cfe328e4418e21fa2861f4943345b0", + "sha256": "a2a8c353c9789286a12acad9ac5ef3f78e625e7f76155b7f8fabe49323aa8e5c", "type": "eql", - "version": 10 + "version": 11 }, "8.13": { "max_allowable_version": 208, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "6f66a2c4f0eb285877ec1976337925c992b5644474d9a8292c702802bd961c34", + "sha256": "8f884c1870437488658be0d2e627b6979914c5073df0908b2386a2d64a3b4140", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "edaa7c97d52183cb2ff7b10553ab33fbdcfc197d78bc07cda7f29633f878e4e6", + "sha256": "8791e7fb1a6be5e42e542ffbff43107f655cb9129d6d372da900d9d185d90c16", "type": "eql", - "version": 211 + "version": 212 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "min_stack_version": "8.14", "rule_name": "Potential File Transfer via Curl for Windows", - "sha256": "6557b61c306bf5be34401d54dd293dc893f43c1ecd05c5705ad94ca2967878ff", + "sha256": "a4dac855d53d9474f8e5110cd803cc954889544153b5054d8a1d6efef103d335", "type": "eql", - "version": 1 + "version": 2 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.14", @@ -3125,15 +3151,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Accessing Outlook Data Files", - "sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473", + "sha256": "e16b755ef96474eeeb8efab6ae108f1e9420b53cd1d79d3e822dc3215788f7a9", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Accessing Outlook Data Files", - "sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378", + "sha256": "37fe2693dac2a707118e828ab9b2e21018b8028366804f4304ff2122f53d546b", "type": "eql", - "version": 105 + "version": 106 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -3324,22 +3350,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "1d5b8b66ae45d9bcba982bcee8dc4994d4cedb7541738eda36dfb8de2accfb0c", + "sha256": "26c302e48a82a4c71b95bbacfe998d079412e39f679f834e69fae5d875669849", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 313, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "27eb461382f469f2615f24a2887acc73df8bdfbe582d3d31d321bcefcaa5d201", + "sha256": "5421bd89d5aebebf2cfa8655a02e73854e34caf836d61a4b91097c5a5fd752a3", "type": "eql", - "version": 215 + "version": 216 } }, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "50e3fed73bd4705f76f78df40640d810c310f3acc21468d1246f910127187f4c", + "sha256": "79da03cd16b3fe390ba1bcbf7210a4e75e1160924c4eaa555b1886746c2b8e38", "type": "eql", - "version": 316 + "version": 317 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", @@ -3378,22 +3404,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Program Files Directory Masquerading", - "sha256": "17788893fc6510e7f611de6c1046d1c0a8ebb5937ac675d96d8555b98ed4b9c8", + "sha256": "606536c8d6bfe0e947e3e259b6e852bc054d4d698047726f4d5c75b729bf55e1", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 310, "rule_name": "Program Files Directory Masquerading", - "sha256": "dd7609c7ed75762383c65d441706b5cec4f6760974567894ea5e4b08fb80603f", + "sha256": "7a4d10f9a885c140e679ea9b1395f36c0013153e988bda9aadef3631ee490db6", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Program Files Directory Masquerading", - "sha256": "5e2521c495505730bc747cae7beaef82e123e96c4fa6dfcc7530e8d63d3640a6", + "sha256": "16bc5626deef5e54395b10b7f90e3c0e85fffdc658d81ccd2d12a5cc6e59d03d", "type": "eql", - "version": 313 + "version": 314 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Login from Rare Location", 
@@ -3407,22 +3433,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172", + "sha256": "0c5ba486bee0cc0f0fe8315f14137e5a0062539cbb92e1a748fe09f9371887c7", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 414, "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "52d170ebae7e61e5c4726ce76d29b5b2e9d7026e32a550e9d5012f02f0e50f8d", + "sha256": "1aefbec4935b19811f4b8ec91466a3726ac0e9ceff35b20a76571ede0a753046", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "647dc0c3fd2b8dffd212c282c77861aaa9c16dc0a23e442c48d168eb333f8ae7", + "sha256": "b1e1ffa2ffa385597f3e15523743b90d7750dbd78db3790213585db3f9c79dc3", "type": "eql", - "version": 416 + "version": 417 }, "3302835b-0049-4004-a325-660b1fba1f67": { "min_stack_version": "8.13", @@ -3469,10 +3495,10 @@ "version": 111 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { - "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", - "sha256": "8c1e8fd8134b90d32749366fb7d20b184a823a0e5e341af7b44f61679905bd6b", + "rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container", + "sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6", "type": "eql", - "version": 2 + "version": 3 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "min_stack_version": "8.13", 
@@ -3550,22 +3576,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "fdf30a404fcf1f457a3530ba76e543daad00de78c6c30a18ca40f103beb6caf2", + "sha256": "d1997aecd63bdf78d6a33f57d17ebd466ad6d7b59bc5c9eec9d99fa339cc883b", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "19bed7ae3eefe2b9f8d9f9cbd99efbff32206937e70a162d1491cd54c108c103", + "sha256": "a7bf02c5ce9115c129f0c257b37f8d3759ee1de5c93e961c678bc6ca1e5ac53e", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "8c2faa0a772b773b9aa59da52cd46c6984b6271a148639ba16b293ccddce14a5", + "sha256": "63739523a9c101ce0f6304534a8a20f2b7177870efdfb4f8342beec9b6d01ca9", "type": "eql", - "version": 315 + "version": 316 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", @@ -3776,22 +3802,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447", + "sha256": "fc1b169b413a359de4934f4cdf8bca79458b0cd5efd1a93bba0b8a05aba10b7d", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "d12e9ea8b95150ad9d1665a105aed34e99914c20b08bab4f9397c47f325e4c10", + "sha256": "24c29c38a11dbe12d6e222a3d69e4c47f41ad46b16d07ca3a63daba9ca761f6d", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "d871f50940eccfb6ba880998b63207b59ad3a087325d70f116c2cd1933b25a2b", + "sha256": "b6849461e18e497a4263083d82b749167b7e60058fe7cf9b90db792dfedbc744", "type": "eql", - "version": 311 + "version": 312 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module Loaded by LSASS", 
@@ -3821,6 +3847,13 @@ "type": "query", "version": 100 }, + "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": { + "min_stack_version": "8.14", + "rule_name": "WDAC Policy File by an Unusual Process", + "sha256": "640dfc022ddd5eeadf5bb3e60d197db1c475d8e6f2e672c0eb61b1c5390c98b8", + "type": "eql", + "version": 1 + }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "32d8adf51c1b7880e73d4cdb4e6b9e4a748807c35a66aea5866abec659490bd6", @@ -3884,22 +3917,34 @@ "8.12": { "max_allowable_version": 213, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "9156d62db12466eaacc5c148af5205afdccba699bacc8d950d5d34aa5b2df532", + "sha256": "e7e2e6f51e3b146d38491ba00f4d5be16be218fd4df4c1722005f294e0748e60", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 313, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "dd1b2492ffdf8c527d2d87c4912e2cf19379fed1f522ba7e4db9fcee5d00d046", + "sha256": "99608742b50911e3c5274d4ce68d799cf51f8ea8f82fb9244218fdf266a5cdbd", "type": "eql", - "version": 215 + "version": 216 } }, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "d19835254ddf472acf6a543dbe42f0a508febba6db3f7f41149edfda7b57673b", + "sha256": "14fa291c0e479222e6175385f35702531994795946c66295ddec4f95b50845db", "type": "eql", - "version": 316 + "version": 317 + }, + "3c216ace-2633-4911-9aac-b61d4dc320e8": { + "rule_name": "SSH Authorized Keys File Deletion", + "sha256": "6a7e18a2fabb5285a089765d9d4c16de1592997eecb27bac79bf2be84bbd55d3", + "type": "eql", + "version": 1 + }, + "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { + "rule_name": "AWS SNS Topic Created by Rare User", + "sha256": "c43f75e8638f5a0adbbaa3444549c88d148284a440eada3b2984073e0d6a5f24", + "type": "new_terms", + "version": 1 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "rule_name": "Unusual Linux Network Port Activity", 
@@ -3935,22 +3980,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "2b9c1287e301ff5273bf46bd4bc28af19a2c2e647f220ca8e0852fb643de0ebc", + "sha256": "9a8b7d4f395146c067ba15784a025d26856d4595658268dfb01fcc8117120808", "type": "eql", - "version": 4 + "version": 5 }, "8.13": { "max_allowable_version": 201, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "cb777b967e2bef0af6adc011736d39ada2837c23d819ee51dde816731fa5a898", + "sha256": "a9449e758953000ec34ebacbf23f4b51f7f9a60c0a82c08b8aa837d7b750e77a", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "f87fa55947db415ecfae1427203360803e4bb8d727b1e46383b1f6478f252bf5", + "sha256": "7537070f3775a1dff89d78c8ef5ae633d97e6cd0a32180d83b000540270ab29c", "type": "eql", - "version": 204 + "version": 205 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.14", @@ -3970,9 +4015,9 @@ }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "rule_name": "AWS SNS Email Subscription by Rare User", - "sha256": "0845930f3f6cca07e769a39389e06a1fea6d273cfaf4c9470cd1a04c34b9c947", + "sha256": "751ec873aa2cdd759af5f845488173565785844485becbea7a597d5e5b5586bc", "type": "new_terms", - "version": 2 + "version": 3 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", @@ -3992,9 +4037,9 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "c0609df66a0848dc19f078200819edba894a861449ad572c19d8eef041240566", + "sha256": "179cea119143b4ac449008db8f5bce05e743da299c57ecb9c2599d4ad223cefe", "type": "eql", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 206, 
@@ -4027,28 +4072,34 @@ "type": "eql", "version": 4 }, + "3e528511-7316-4a6e-83da-61b5f1c07fd4": { + "rule_name": "Remote File Creation in World Writeable Directory", + "sha256": "36213518f2d51d0a8ca479b72244b5e7b65ac993cf744418fe69792d88c2f825", + "type": "eql", + "version": 1 + }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.14", "previous": { "8.12": { "max_allowable_version": 210, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "5e547726d704a4301dc4615b98d9b7ad1f182d5cc3aedce53b9b6b8185aa41eb", + "sha256": "abfd83fc5f72d9b12cc92cb190d7f4e9f759d7e1b048db54399447345f56c2f1", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "5185ebda64142769dbcbdea022b195c73dfdfaa284fe60c4447cf57b4ce31119", + "sha256": "0b2a37b4cf28a7d2b8c35dd53c83291ceed82fe166e96bbe2678a2eb1c0b20f3", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "767b7b4563a4fb94ee651353066ae8d1b66db8074cbafea2af6ee54fa111fb1f", + "sha256": "1468f7e6e831e3af972a832a3504553bafb48b5b69afdfa59403fbbc96d1ad85", "type": "eql", - "version": 313 + "version": 314 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.14", @@ -4105,9 +4156,9 @@ "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { "min_stack_version": "8.14", "rule_name": "Command Execution via ForFiles", - "sha256": "a07d79ae3c7704e2254a7b3acfbb61cb39794537180723d6f351c719ecbba5e4", + "sha256": "30f1410a357c558927f5cce5f2d9674c0e66b3fcd0ccdfed460da52ae466ff4a", "type": "eql", - "version": 1 + "version": 2 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "min_stack_version": "8.13", 
@@ -4148,6 +4199,13 @@ "type": "machine_learning", "version": 108 }, + "4021e78d-5293-48d3-adee-a70fa4c18fab": { + "min_stack_version": "8.13", + "rule_name": "Potential Azure OpenAI Model Theft", + "sha256": "30578c829bb5b7d12461cb21a6ff53be883d722a8abb7fd76096995c7d54f268", + "type": "esql", + "version": 1 + }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "min_stack_version": "8.13", "previous": { @@ -4205,9 +4263,9 @@ } }, "rule_name": "Unix Socket Connection", - "sha256": "afdba8db5676ef375dc06883ea62a82b9410044f332d00db802aaaa84b3793e3", + "sha256": "2352b712067a95cbd788c45281d87669b418cd69b48f3cb97e10284c5d8b2777", "type": "eql", - "version": 105 + "version": 106 }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.14", @@ -4215,22 +4273,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "eb0e17bd095fd38ddf2c2ed71f1364ac981fb062c0fae437dd381d62debc8747", + "sha256": "78c5895b416222839fc4b6839d36612b1a0f0e27a9024d52f91607da235123e1", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 311, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "158669641e518716cc54cccf172ae7f2a1640c5c56d8a13c1bfb3ec8b1099c39", + "sha256": "0f1715445403c50fbe30f1278c990d21dcd72f121bf8a03d91d63ff14c00a19d", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "291b11e58bc1c7474e180f4367210eb8d6c53f5f2d722ba277a503097991353d", + "sha256": "311c4b3abd771bf6dbbf76f79d3b9fa882b6979c0298c1d842b6c8a780fa4117", "type": "eql", - "version": 314 + "version": 315 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "min_stack_version": "8.13", 
@@ -4268,17 +4326,17 @@ "version": 107 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { - "rule_name": "Mount Launched Inside a Privileged Container", - "sha256": "b1264c8dba37013a036a37be5f2224231f056b698da7eacb55869127c98aa729", - "type": "eql", - "version": 2 - }, - "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { - "rule_name": "Interactive Exec Command Launched Against A Running Container", - "sha256": "ccaeaaf1218304a670c49ca863e898fd726c57156474f56613921232d21d71a2", + "rule_name": "Deprecated - Mount Launched Inside a Privileged Container", + "sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978", "type": "eql", "version": 3 }, + "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { + "rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container", + "sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034", + "type": "eql", + "version": 4 + }, "428e9109-dc13-4ae9-84cb-100464d4c6fa": { "rule_name": "Login via Unusual System User", "sha256": "98d6ad1428c6a1aa6239bfa75936d88f18749d6fb33d148792889108ee6f792a", @@ -4314,15 +4372,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Process Creation via Secondary Logon", - "sha256": "91d70e5b1107013dad8be7bae393bcca1047e1bba36313312bcf1ab8865abe14", + "sha256": "f79e046cbbec23da583f5a9a5ff0c2359af0a92b60efb6da01790d90fefb9cb9", "type": "eql", - "version": 11 + "version": 12 } }, "rule_name": "Process Creation via Secondary Logon", - "sha256": "0a1002224da121ca30f21a8dd641d8128a10f7113c132713aafe7cb287e82fec", + "sha256": "0f366e14695fce4131d2de09a7d46f8a0d1e897bd78444ef5ed8bbce30a30770", "type": "eql", - "version": 111 + "version": 112 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", 
@@ -4403,15 +4461,15 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "e05edd0663a23b3dc3d0dd5f2131a31dd196f6d5357755443093cbb8bf3ea29c", + "sha256": "4ed1c92271f971ccdfb787166f5469edc64084f2b7ec98c1c9f03fa7103e1f23", "type": "eql", - "version": 12 + "version": 13 } }, "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "5fe1ae3d15fd72cc199a3ad6e01a42350d17065a06bc1bb2e3dc03455fe8b873", + "sha256": "d952fa6126823aa4795c6d47b481559663ee4641dff520e86f387180decc8a2b", "type": "eql", - "version": 112 + "version": 113 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "Route53 Resolver Query Log Configuration Deleted", @@ -4437,15 +4495,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Windows Event Logs Cleared", - "sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27", + "sha256": "03df4c9ba83974ad56a692f1e48ad01c5afbc399f016252d9a8f5d25442ad9c5", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "Windows Event Logs Cleared", - "sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f", + "sha256": "b2877be463d6d3476c7945fcff9d4b10cbba5ff4847f04b747a59dad96a73e1b", "type": "query", - "version": 211 + "version": 212 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "min_stack_version": "8.14", 
@@ -4469,22 +4527,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "40e7e669f1d9642518565d307ffc5b75f32bc59dbc783bf57db3e2375b38c647", + "sha256": "500d6f2d6faa250fea7e87e78ccb4ffc1ac323562a22fb542e4733f33c5e1d59", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "e08df69ea36b56a927183010b7fbfe8e60d6c949a5489a3cfc82b7e9f45a3af0", + "sha256": "2283343e54f8b80901fdb4a190d1faa1cf29da2306750a4c22671e80269315d3", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "7546574a8ca4d5b8c758c17fb1658b2b1abbed196bd8d2090721d8efac0ec65d", + "sha256": "d1654db54f8a2c7e763a7c7d1fb20d71cf19355115ae479352db7b977682a0a7", "type": "eql", - "version": 315 + "version": 316 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.14", @@ -4492,22 +4550,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "9220e8499f32c72c36f2717e2499061f06a342f3e277f61283527351218c1329", + "sha256": "9738558986f5eefce14d8f415a984acc7980e6eaf9211b61fbccbcf8814b2e06", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 309, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "a2c4ebd5c69128fb78c6779664f8db208871ddc836b4b5854a0cd479429cd1af", + "sha256": "571e3e39632376096348e94fd2d4b9cd15f049eaae21f99650d562ec0140e695", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "3b0c27765337c2d89b8c6b82102d1f32fda82841806112bc4ac4d54c7d5ec5be", + "sha256": "cbae5504e94c8d135be970e202b61d75493807ca03a926f3422e7f3913e1bddd", "type": "eql", - "version": 312 + "version": 313 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", 
@@ -4532,10 +4590,10 @@ "version": 115 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { - "rule_name": "Sensitive Files Compression Inside A Container", - "sha256": "dc24c07ba236a3bb8628763095daaad91b96ba4e6d7905cb1ef854665513ea6c", + "rule_name": "Deprecated - Sensitive Files Compression Inside A Container", + "sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98", "type": "eql", - "version": 3 + "version": 4 }, "476267ff-e44f-476e-99c1-04c78cb3769d": { "min_stack_version": "8.13", @@ -4559,15 +4617,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40", + "sha256": "1715a0e265def59183c4652ae4742b17cc3578a5d1132831b499ce28f0c7c4a2", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "de0bde89f44173a386cd38d4dd5c6e02a3fba6f877fd803f6e7e9108d609dc51", + "sha256": "4fc3777d4378758cdba6f0626f707192e45e0bb4eabaa43407e35f914e7d6dcb", "type": "eql", - "version": 212 + "version": 213 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", 
@@ -4587,22 +4645,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "cd78c0361c8ca0f7334582409bb0bd2d14c582ec978c231bc26932cbd1a614e2", + "sha256": "60cb1aafa8d037f564143057fa316c87b326346f698ec418f9301fe073ccfc7c", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "a1ebcfed8cf45331acadbd7adebe5f1eb37206754cdedcbe980c8b27bf0fd178", + "sha256": "b3690c2cb340baf77c176fc9260e8a138d3d86d5be1255fea5db6edd29d029c5", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "ed365c174fdf3dc7616909685c4dc4cafc7d521448ef6e96bb2b224ee25fdf54", + "sha256": "5be642a84f9f578e4f7ca280227774f6649786fd9f505fd832b741d7e28a6005", "type": "eql", - "version": 312 + "version": 313 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", @@ -4622,15 +4680,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "787f60363fc9c42dd87f5774f5a6f219c201d492323d12dcfc3ec5d06acd4d02", + "sha256": "d3b2f8128fcad0de701a9aa48b9d8f5259837ff59505a81935bc2e5b6d3f3c38", "type": "eql", - "version": 11 + "version": 12 } }, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "db4dd0177df2c0fbba77ba531c3f6f51c0724b44ea31fd2e84ca4cf2536f6b5f", + "sha256": "d2585f969107cc9ae78709ef7ed7d0086a142fd32b9378b3306633fb87466cc5", "type": "eql", - "version": 111 + "version": 112 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", 
@@ -4690,15 +4748,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1", + "sha256": "d6a6479c0c7905bb1f2dd6b93ad2e973b02944bfa46b720e228d49bb15ccb7ec", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "3b1deb0f2c414f72a2ff2c171c83290554600ba4b5b4b8dc7eabcfcc34a7bb19", + "sha256": "c6d9fdb39c7405bc9de7c5d374c70044f34ef32a788ca37046a79a6db321127f", "type": "eql", - "version": 107 + "version": 108 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", 
@@ -4740,28 +4798,28 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de", + "sha256": "5f73d21d945760cc5f0e2e9e4f3a20183956cd20ac5963505a49fc7c29dd290a", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "e5e62d3b1a1f58eb079ca908f55105df68b2471d48e53122d47ec5b74afbb1cc", + "sha256": "71f49bcedcd05061a38576f6d9093f3b6b397fb89b780ddaeeb881c146979a84", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "b538b62cec3fc16a06ef51cdb6f2a711aa479c82326a61862a3ac9a90238e17a", + "sha256": "b8fb9ee22e08968e0dc38a4a7821aa9e0f623a492d275bc8d7f3e825532b5f56", "type": "eql", - "version": 312 + "version": 313 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { - "rule_name": "Container Workload Protection", - "sha256": "b58a5fb3b121b08852cc186827479ae739d8b155cf8c9d12dbd17fa70d9fd74c", + "rule_name": "Deprecated - Container Workload Protection", + "sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506", "type": "query", - "version": 5 + "version": 6 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "min_stack_version": "8.13", 
@@ -4864,22 +4922,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299", + "sha256": "214f871b4ac72ba8d644b997c7991d4b88cfc32320409761af37fcb8717ce0a7", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "9ba7f7cc43f484c307334745f27743ee4979e2df65bd1bec89add2c10051d0d3", + "sha256": "d6cd69282faee07d4379290d7a9b450bf5743e257e64562c47f8cb180ad3e5f4", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "982de592a7f2da640ff2a6006445d12e52090a1180b225e2f943c386641236c7", + "sha256": "449e14f8848eac71399cc23c1b6669e220569f25f071fa022f970e5fc8a87f9b", "type": "eql", - "version": 314 + "version": 315 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "min_stack_version": "8.14", @@ -4887,15 +4945,15 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "f68db77a65c50c4489742ca308f8beef345bcd834e6782fd47c79d47c4cb7af9", + "sha256": "a850bf83897d0291d578f2f0ac69c11ed4288d5da688c63475e863bfc7edebc4", "type": "eql", - "version": 12 + "version": 13 } }, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "b8743c73288c176d82f7c326f655ad546ca945eaabe141bf1da60e5f045481a0", + "sha256": "751b70e5b7717328b4dd47712a45f968eae280094169a92ef83343b306e70e8d", "type": "eql", - "version": 112 + "version": 113 }, "4ec47004-b34a-42e6-8003-376a123ea447": { "min_stack_version": "8.13", 
@@ -4919,22 +4977,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97", + "sha256": "706691106e2a013f1cf173681567fcb4f84c44db8406ee24fd96b866d5d17888", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "63a4cc656038a44374eeed199a47a67bcf261940a890689a6fe62a4fb2a51010", + "sha256": "dbce5c4fe73c141fb1017f8304b12ad1eef85b8956b21b7d8ab9fe9470bdf390", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "8a21c3a283a81db1aaea226e6ea8bcd2fae151cba2095929d13d00d0ae28b537", + "sha256": "2f2d1d989113eef4a198eec72d1cba340c3aa89886d5461b653e7969b9e4a186", "type": "eql", - "version": 313 + "version": 314 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "min_stack_version": "8.14", @@ -4994,22 +5052,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "02b2a3c16d505ff7b41a860c6ba3587cf4376a57a4dfb1d8af17d0620d4dea7f", + "sha256": "9ff2cb9dd5ea847ba0e865edd15a145b5015f7bfd5601d9a07a3ad7c4aa13b0c", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 310, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "186e25b241af067c22b65d97a6746b5a72b63e2aad403893a00ef3b7d39b1982", + "sha256": "b2c9ec4c6421a7af0b6c97d70741ef5f1274b2a973dde460f3469cb59b8a37d4", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "133dd8bfb660f0ac4114ee86831af289b29876b1e47d9868ae4380002e493545", + "sha256": "43a1d4bda6d39e5c7941b832e24b922e10f38531c3c5d2b9b8f55bdfe0b0d99d", "type": "eql", - "version": 314 + "version": 315 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -5046,15 +5104,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Windows System Information Discovery", - "sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155", + "sha256": "17e4aea652e17a149717afe81d8d917e26f0dbd3d4cad9923c0e7cb71eac92e7", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Windows System Information Discovery", - "sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0", + "sha256": "3fbcb0954df0fd52c7091bdf8c13448b46dcbafa7fd29d10fba35297879b48f5", "type": "eql", - "version": 108 + "version": 109 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { "min_stack_version": "8.13", @@ -5246,22 +5304,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12", + "sha256": "33313501aab3ebd4c97177b9d2f9462691e4c62a10efc4c19fc3417517abfbcf", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd", + "sha256": "c1564d323c28e030be7c14bef921f65cc3c1eaa43178ee7dae1db64c56d0f89b", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "f7c792ee12ea5e1c289da3010faa0241087a72374e2a07e9744490d2d732a0f6", + "sha256": "dae0c8a08f768305b1aa9ad113a02db0438a7c0d22a4aa8088f1a3568300c6a6", "type": "eql", - "version": 313 + "version": 314 }, "53dedd83-1be7-430f-8026-363256395c8b": { "min_stack_version": "8.14", 
@@ -5269,15 +5327,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b", + "sha256": "83eb2f905a505910e8693162369ba3f7e06a7c2f331aa002af5bb31379c6e46d", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a", + "sha256": "9ef3f604c40a90763ae7818ac31b2169a1d0f2b10c955d5bb5df363016648099", "type": "eql", - "version": 106 + "version": 107 }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", @@ -5339,15 +5397,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "339bd5dfcc9715aebb297d9e0f1c984616bf99c0dd887935f7b94a77c4b1889d", + "sha256": "24bc059a551799ed770e0ee2992748c8016fcfa722ee640541fdedaa89f5f742", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "d727778c418f5ff259d819e6c8c56cd07c2f086ea12d877c3379792b549ba948", + "sha256": "b10f3813eb60fb8a4796ca8688b2974490c44a482dfe032445b15a89e06b3e21", "type": "eql", - "version": 212 + "version": 213 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.14", @@ -5406,9 +5464,9 @@ } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "a19bb50cba9f9f404a82703239d5f7c37e59ce956e04da03adddfd9a4dfab224", + "sha256": "24cd1a2e88464e024bd2f2db03af2a5c5a1557c9233a84b3fa95a40d618a5b48", "type": "eql", - "version": 206 + "version": 207 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", 
@@ -5416,15 +5474,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "4a4e70e7f50105c48f29f32d7d234cfa9538813b06309ce72c3dcd4a7a21a3e2", + "sha256": "844fb3c0e49c833039ab4433243235fa41c2d67fe700084b9c97c8c5d547ccf1", "type": "query", - "version": 108 + "version": 109 } }, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "2b4e8ce5e2579fc3644b048d0eefd8b6c9e8ae17c0eb9201191933d58be50dfa", + "sha256": "030111f201bee8e956cb3823673b4ed80b1ede153ea729464affed575da4b983", "type": "query", - "version": 208 + "version": 209 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", @@ -5545,22 +5603,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2", + "sha256": "6165559b4653bf1ee1706a1331a547f918100b0ced5790793d5e5ba4d729ede0", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "0a123f7c9ac032b20d904a897c3925725aba31f988722148f34fcec998d5ad9d", + "sha256": "26274955479837e6e770a906ce9ccdae8b70df5dbfa218c458061353440320d2", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "ed7c60dc12bdfa2d20edceb1eae21c05458b5885ec3be1eff755ceba3fab866e", + "sha256": "dbac24b6bdcc3636908b11a2fea993e83836aa3541740fc494bfcba3de51d345", "type": "eql", - "version": 314 + "version": 315 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.14", 
@@ -5757,6 +5815,12 @@ "type": "eql", "version": 109 }, + "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": { + "rule_name": "Successful SSH Authentication from Unusual User", + "sha256": "40fa48cc277baa4a3bf1d1a7c0327ead2b79f87965fcfbf584cacd0e22728e2f", + "type": "new_terms", + "version": 1 + }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", "sha256": "54ef71a878f44875c6c8792e51f8923f0cf6fc9dec2a549fbb841a11d2161f25", @@ -5793,6 +5857,12 @@ "type": "eql", "version": 2 }, + "5bdad1d5-5001-4a13-ae99-fa8619500f1a": { + "rule_name": "Base64 Decoded Payload Piped to Interpreter", + "sha256": "505425e6327e3d05dcc6caf8246b1db4d9218e3e065c0571752e1a4d08415418", + "type": "eql", + "version": 1 + }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "89f33201ad4d76858ce52afe371130935c8d2f202139ea266bd17c9ac2488519", @@ -5805,6 +5875,12 @@ "type": "eql", "version": 5 }, + "5c495612-9992-49a7-afe3-0f647671fb60": { + "rule_name": "Successful SSH Authentication from Unusual IP Address", + "sha256": "f0dcd082877a3b41e9e087c850fc3181ea1567d69e335d54002b6dea98c19574", + "type": "new_terms", + "version": 1 + }, "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", "previous": { @@ -5827,15 +5903,15 @@ "8.12": { "max_allowable_version": 112, "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106", + "sha256": "7183be4ca315578faaa377e9a60195ad188e37db8da8a104b351536251c77267", "type": "new_terms", - "version": 13 + "version": 14 } }, "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "d4accae05fecc5956c2caf27bab5e9eb13b871713c8855c25c6a47bd44a0d2be", + "sha256": "fbe46096710062783651447c684d4a0479eccefab66ff761ebd9bfef6428eff8", "type": "new_terms", - "version": 114 + "version": 115 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", 
@@ -5909,15 +5985,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "User Added to Privileged Group", - "sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de", + "sha256": "70bef882918b9abe618227f6f577a2900d5d565d841c12e47a5347e679d614d3", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "User Added to Privileged Group", - "sha256": "249e80a94140cb17cb1bbbd22fcf7b01c9c149e0bb082822fc0cbec1322f4413", + "sha256": "ed8120399b57c0837fa2a1b39a25528509b6f5683cb379f1e4fa6e37f0133c19", "type": "eql", - "version": 211 + "version": 212 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.14", @@ -5960,9 +6036,9 @@ } }, "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "3b3ccd623ad35abe21a31e6f429265fff80ee4bb1cb27b4ca7360e556282bea8", + "sha256": "9ea148fb05f1ad8bad2d0c5e98ede34ed27187dca9e159ef7197a3c8afe8882d", "type": "eql", - "version": 210 + "version": 211 }, "5d676480-9655-4507-adc6-4eec311efff8": { "min_stack_version": "8.14", 
@@ -6033,22 +6109,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential File Download via a Headless Browser", - "sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670", + "sha256": "4d8ace1351c9ae35691f8b6021a49e99b73411ceef1141b2991a256639c06fc2", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Potential File Download via a Headless Browser", - "sha256": "19a1d06007326123108f50fbfe0508ef28d7ef131ac3e5df567dbdc47aa6ff7a", + "sha256": "5bd523abcb57834d143196bb1efad15e311915b353c6a8159fabd756bae168b3", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Potential File Download via a Headless Browser", - "sha256": "8a9e091c55b5692d8d0032f78a5e51ffa80b4380ff50f18e6b2b25ad5830ba41", + "sha256": "8fdd339fa138d8d7b032a8bc819f24702be2d259fc4e97147f80ae3ab81d8bae", "type": "eql", - "version": 203 + "version": 204 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Docker Escape via Nsenter", @@ -6112,15 +6188,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "aa2c30439a09a0821ce30bb48e9a7ded35e0cd590c0acbca87390d10683bc5cc", + "sha256": "132f771ca6058156fbc2c515ad591010a1372d2130f37e7a4b0526d53e0d792f", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "1813675633a8a8db3f036f1276035eb83d74c80d29e7e67aa2bf1099ab057778", + "sha256": "1b2b6ec043b9c401900e0918a2fb67d9490780c167321cd5734b6bdd6147069d", "type": "eql", - "version": 105 + "version": 106 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.14", 
@@ -6150,15 +6226,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7", + "sha256": "2df55d0ae697d20c47f22d5c616f9c06bb6c4c9fbac2aebb282caa3d9f7e4e1b", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "3b4775c89f9910cc69fdfc6e3ba815ed3da59f85eae5f23cfba94d923518152d", + "sha256": "d6c2af1422e393b85f9523ce6397c2b4b28e15dfb8af6ee48a91d496db20160e", "type": "eql", - "version": 213 + "version": 214 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "min_stack_version": "8.15", @@ -6221,15 +6297,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62", + "sha256": "7d8a44d4634bce7a7e5cbf983f840157836ac6945cc140dda1a4f4a3b3b0717d", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "e764eb540d541d1ccc31e720f48a1e6fd28f31e8d274886aaece979496502235", + "sha256": "0a9b61cf366ce557e1ff625d9c47759506bc34f141b9ebf3602cf3e96b781ef0", "type": "eql", - "version": 213 + "version": 214 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", 
@@ -6440,15 +6516,15 @@ "8.12": { "max_allowable_version": 112, "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "71980b7e4a7ca43713bfa72cd0160821533b13c24e3fa1d0e645a42eec4f8512", + "sha256": "a2b0e85ea8b810a2ed22188f8d14303a6077c51b2edeaf8e5f5007a0c9644381", "type": "query", - "version": 14 + "version": 15 } }, "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "1b9b6777a50eef6af6496d2bc9338d04c6b74efbbc726b1cae58177d40ed8b92", + "sha256": "23fbdf47b000d9debd0a1f9c2fff328a61097abfdc687038b0f05997e55b3dca", "type": "query", - "version": 114 + "version": 115 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.15", @@ -6578,22 +6654,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "d89ab2b28fdd4a4d0ad8ce943d5b320e1978c3ccde5d83d44424b7aa9e1bea55", + "sha256": "fb1c6b89350f0562319e1eaccabc46a2a855fb936516da145a6c640de6692808", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "6c476da86e9b4676c87675514ef346fe09280a8911de64c826ab5696fc9a515c", + "sha256": "8ef4dbaed0d772335a6ecbc53e69cdd287bf9e163b38772bcb8865cc4488b8a5", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "eb1bb445ec3e2abbd15d674c1b44e5304446e52f281eb18ca65cb039745c82de", + "sha256": "78ed8e3ec78e07b57adeb31da14d9a43326b9262e57f55869c0c2faa91708238", "type": "eql", - "version": 313 + "version": 314 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", 
@@ -6629,15 +6705,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "5af182ae30ce25b660aec32433ead1ec5bb2caa3ebb06fc72801ac367d19014a", + "sha256": "3f6e6dde427189d7e561da47cb689604201870715612cc80e8bc8f4247d1a7c6", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "e7daf2e718a482222bdf0efce8b58bd0b54b5ad6697d3b9c492962fd802e79a8", + "sha256": "40a07077d685e3bd7b6fb4cd8efdaeb95c30a8b4ecd82ce33d742d4269742948", "type": "eql", - "version": 103 + "version": 104 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", @@ -6692,22 +6768,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Modification of Boot Configuration", - "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672", + "sha256": "ccaafef97b4bdf8ae36b9c2337353a7b352d18f0aeb421cddbace9a8b130b15e", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Modification of Boot Configuration", - "sha256": "84b303918d680f78c54255bfee90e9c6b45ad43925858f14ee5a3670c8dec812", + "sha256": "6d87681179c69071fef468569680dec1534f711bc8955e8b6bd0c7c1f1865e61", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Modification of Boot Configuration", - "sha256": "191ff5cfc3df060d64cd80442331785e547236bc47cde601d473c2839019123c", + "sha256": "319d1711a4cf9b2d08557794a1e701ac31b3fddfd811565218a3292242b453ac", "type": "eql", - "version": 311 + "version": 312 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", 
@@ -6766,22 +6842,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", + "sha256": "9c37ce484fd50f922517f40b9bd1a5a55b402537ccb8f7e8f0b06c3b83261bf7", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 415, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "f59e6b0937b1a1ec0da32d1ced5e54224ce51ff3c12f6ef795d4c46104d824ce", + "sha256": "7c60b373a1ff43f76c7bd51cf35948ea0b81fc7b62b8615816088d88f52bd9b9", "type": "eql", - "version": 316 + "version": 317 } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "f630ebc0372153fafb100d4dba68e9a37b8c2997eead17632bd5df3bed2843b4", + "sha256": "28e4dd54ff6cf9610c2e7f5c8963ff1fb97cfa3c8d66f651ac36754556828b43", "type": "eql", - "version": 417 + "version": 418 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "min_stack_version": "8.13", @@ -6799,6 +6875,13 @@ "type": "eql", "version": 109 }, + "6b341d03-1d63-41ac-841a-2009c86959ca": { + "min_stack_version": "8.13", + "rule_name": "Potential Port Scanning Activity from Compromised Host", + "sha256": "74d1c8ea528608283c391f89ec9ff4dde0f4b2322eaa210dd37ca0602055b311", + "type": "esql", + "version": 1 + }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", "sha256": "09e49424ce202fe6c5b9e7f31510da79059a0617231c4c0022d2c1825ff55f8c", 
@@ -6811,21 +6894,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "35a97fde08022de5eb9913eb1b86dc35df3e225ffdf4871c7880402ab13a1c20", + "sha256": "574bda4d46d48399ba9e29a6e639b33f8f103bb7c85f9e7c935581bb3c63ca37", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "60d1fc76b949a4e86b9d41bd1ed2f51acc26f54957efb24581f61db6c674ab23", + "sha256": "29d396b355d7151b61a62895b2862782dd3172ec6fc4a54b25fcdd98c3adb3c1", "type": "eql", - "version": 209 + "version": 210 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { - "rule_name": "Container Management Utility Run Inside A Container", - "sha256": "d66c939dc799f05fd9549a603ff1d567af4287f8a2e3c0cde5dac918e7575c8e", + "rule_name": "Deprecated - Container Management Utility Run Inside A Container", + "sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc", "type": "eql", - "version": 3 + "version": 4 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.14", @@ -6916,15 +6999,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6", + "sha256": "3e70cb8e8c6dafe24f60de10cdfcbe05df8d323ef0caf42790714990ebee78c0", "type": "new_terms", - "version": 8 + "version": 9 } }, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9", + "sha256": "5c822663f4adb4fbe774488dea9f1151737198a06f47eee9a57d3a0cb174fc52", "type": "new_terms", - "version": 108 + "version": 109 }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", 
@@ -6954,15 +7037,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", - "sha256": "f665de1ecacdaa7b1c6b0556304063dac3048aada63e8f6ef7a725068e85f087", + "sha256": "43aaf38f234d7186a1f9dca4f91a364e5afa675e3cade497946daf63f3b20ada", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "AdminSDHolder Backdoor", - "sha256": "eae617d40bb78ff247049dfa080cc2aa3aa6f67036c79af83b3d0c573bb1375e", + "sha256": "6e6ec5cdbeea619a81df6a042f482c3b30c3e7c536872c640acea2464572e55d", "type": "query", - "version": 211 + "version": 212 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", @@ -6992,15 +7075,15 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Security Software Discovery using WMIC", - "sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31", + "sha256": "6d179ca370610d0b32e8d97afeb4610e7efea1ad82eefdd0c4d5eeca33d29549", "type": "eql", - "version": 114 + "version": 115 } }, "rule_name": "Security Software Discovery using WMIC", - "sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288", + "sha256": "1eabbe231f6dd025a57eddc91f5f0ab86ba82b348af4ccf02cfd3cd114f7a38b", "type": "eql", - "version": 214 + "version": 215 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", 
@@ -7030,15 +7113,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "03eb5f7517e61382f1036b5beee21a7d1de836f457cada365be4b8aa39f93045", + "sha256": "525d8781dc9e163d70a8889b89be269f79c5df5c44403c7e5d713b19ce001c82", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "5cf116ca583a54c21dd2db7e27f62fa234832620236dd9cf062d0599afa18a12", + "sha256": "0bf67b434c4aa3cd9d1f354605959c5e1dffd1040f5cfa17fe20664cb2be546c", "type": "eql", - "version": 103 + "version": 104 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", @@ -7065,9 +7148,9 @@ } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "4b4aaaf8565e177b55da43b3b76e40c256d8df646f804b5548be8f9f4eb95a02", + "sha256": "0168ef278b5ef3a471dd2b3d744d6a2a4c8e112b32f5c1af1e5c6c82a07c9a54", "type": "new_terms", - "version": 206 + "version": 207 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", 
@@ -7238,22 +7321,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "14c220c965f94f3d24b674b86ed86d9a0e093a00d8bb6fc8eb670488981b443a", + "sha256": "172c7bb001f289281c519a30ba17e66fad2c3a149e5493bc5d33d6253730f818", "type": "eql", - "version": 4 + "version": 5 }, "8.13": { "max_allowable_version": 202, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "f6fa075f0e990cc2ced9697647d10fa16903bdde80c50a403c2f4bc7b78d7a0b", + "sha256": "3c672bb24b9e07004c8a40ebed60ab266f23360a5ff613994eb639fc5d98b97a", "type": "eql", - "version": 104 + "version": 105 } }, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "e129818b4075375d23aede5312cbcac6b1a4b64ce749202fd8a924cdb2ed5a06", + "sha256": "06f872b67e1eb6c769298d8362435abcb5d3cbec2d6484e626e95d8d0eebaa6e", "type": "eql", - "version": 204 + "version": 205 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", @@ -7344,15 +7427,15 @@ "8.12": { "max_allowable_version": 111, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "e27879646a752098196f7a4c79196676252e70f55aa7d52e91c8571fcf426996", + "sha256": "4d4b321e49dadb001df32d6acd71103bd41b71124f92b855ea4335c99dfa105a", "type": "eql", - "version": 13 + "version": 14 } }, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "53ab74d6acf45ef59942b5dd19e0d71f5ca14ae4de1da8c6090b4507887d6e22", + "sha256": "a481e442047e2b0adc22745dfd2fcc05baaec9637cbbde9e2dc5b3b8f7eb0c67", "type": "eql", - "version": 113 + "version": 114 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.13", 
@@ -7382,9 +7465,9 @@ } }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "79ae7e59e1d03bbcfec778070f91b178ec05f43c08636a10bbffb05ee2bca01a", + "sha256": "e1e295f294c6b07c1e080468d6318856c5ebf7271e5bac171df35c63b4086c15", "type": "eql", - "version": 207 + "version": 208 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", @@ -7398,22 +7481,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a", + "sha256": "bb7f0c41faf746a3298480bfc47800f229539f64b5ce87b3bf40574b2c3dca0a", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 413, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8", + "sha256": "55e82b40384974580c7b1d4cba55767c941680a4032a373ba1346ff812d0eb3f", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "3de8678662d78c511880c3dfa795b3d501c299cd3f22598f42b4c97f2d48685f", + "sha256": "7b98f60a9095e9ab2e48250d69832e4648e68f34c1d3245986714e9962af987c", "type": "eql", - "version": 416 + "version": 417 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.14", 
@@ -7421,22 +7504,29 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "d62e2b76d88602e0cdbf18894a79c5eb6e97d94b79daf465cf55f42a2afa7bb4", + "sha256": "e5462ca4e56f7f3ff1144cc8980d76abdfa350e122d9e02fdbc203194900825b", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "31b16b50f6ddada62eb767b0e6eb1ff02c6a155e2618729dbc807defff6abe0a", + "sha256": "fa3eab2d298379b76f9013f4e96b00f215f422400565f4e592daaa3453aec8ed", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "82829ceebd92fbe5abb27cc5e4f5139731a0b337c7f1a8e09ed51ba9d883cc63", + "sha256": "92e73275ccad86dd30136bc621226630dc7342e41bd2362a9687ce807ef9be5d", "type": "eql", - "version": 315 + "version": 316 + }, + "77122db4-5876-4127-b91b-6c179eb21f88": { + "min_stack_version": "8.13", + "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", + "sha256": "4afa072ed68e90305237cd0f8aa0ab67f7a60db42826cb74af1abf9bc161cfa2", + "type": "esql", + "version": 1 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", @@ -7458,9 +7548,9 @@ }, "781f8746-2180-4691-890c-4c96d11ca91d": { "rule_name": "Potential Network Sweep Detected", - "sha256": "4ceee9e70e8a80b75777d30ad1e8c71d873d3e5672bd2ab984e40111c6505c38", + "sha256": "8a5ac1cfde0137bfe0b77af8bf27366b13743380010886e1e856396bd10d0f3a", "type": "threshold", - "version": 10 + "version": 11 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "min_stack_version": "8.13", 
@@ -7502,22 +7592,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "0005a9a8a6ef5e1175a1455632c00ea760e3a9af4094ad1ac870f68df926d254", + "sha256": "beba3270fb78600264fbe41ac386fb2d7c7f6877563ed96e2b7ca2778bbd1b7f", "type": "eql", - "version": 4 + "version": 5 }, "8.13": { "max_allowable_version": 304, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "3ce0e176a839d12ad331e3842627d3025bbd3ab4ab14d6bd3cc4b7647b783d93", + "sha256": "29f77275c99c2a00e8878dc18a7448e25ad430cce3bdf957ce1ae1307622ea8a", "type": "eql", - "version": 207 + "version": 208 } }, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "d898e75beef6831e445cc1fc945041edc9b598e291f5ad76dc7bbe7b040eb79c", + "sha256": "efd692c82b20a2d4682c25d2683573ec65e8729402445a561baac25768ee5d1a", "type": "eql", - "version": 308 + "version": 309 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", 
@@ -7572,28 +7662,34 @@ "type": "eql", "version": 5 }, + "79e7291f-9e3b-4a4b-9823-800daa89c8f9": { + "rule_name": "Linux User Account Credential Modification", + "sha256": "5a7f10051702f5e7d5df4a9ef87c46469937ea744d94bdaafe32fc0a69a892ee", + "type": "eql", + "version": 1 + }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.14", "previous": { "8.12": { "max_allowable_version": 108, "rule_name": "Potential File Transfer via Certreq", - "sha256": "0ab2916bfd0a5de67b88a693cf85292e73b61538b72dbdc008f37e561b662f86", + "sha256": "c1f7d50618580187b015a4aadd76a9e484eb5bb8ce8143e052cb8118a678c4d1", "type": "eql", - "version": 10 + "version": 11 }, "8.13": { "max_allowable_version": 208, "rule_name": "Potential File Transfer via Certreq", - "sha256": "f6cb3500aef0219e60d7a68529a59b0a83d53dc2a4be380f92e62fd0223d44b4", + "sha256": "11dc705c82fee3ada817dbe4ff1e934ddeb2ba159d164dbb5a0048d92bc04d6b", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Potential File Transfer via Certreq", - "sha256": "e1897e626658e3fe3b447488817112191c5a960deaee23c8b957ef58ee977d91", + "sha256": "0622888a853c207510e5f9385fd4b78d4d47616cd4c3bc8b7fdb9e5bbd0260b3", "type": "eql", - "version": 211 + "version": 212 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.14", 
@@ -7601,15 +7697,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e", + "sha256": "42853b04a39893088bdb0ebf5c479305c2f34e5352c3ccfa65ef5146efc6e8a4", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "391c7298682fb3726536a7f552ccf9f49fd3d8d83acaf1ca3ba74e49aa91590a", + "sha256": "af8023c96394cc43f92cf51e13e0cacc0d93158f5241c62ad651a238d3c617c1", "type": "query", - "version": 213 + "version": 214 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", @@ -7775,22 +7871,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "f4f3005ebf031857782967a3872088cf11afc078151a683045d3bf756aa415c0", + "sha256": "1cc5185969e04329ea04aa4bf8d5d1e3a8d47fa9e0ac1f47e3012111ef6c91be", "type": "eql", - "version": 5 + "version": 6 }, "8.13": { "max_allowable_version": 304, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "da4714c9dcfb5d07b5b39b1939ecbfc5b46b7da8d7d77a91c9093ee2ee6e18e1", + "sha256": "72222c6f6a422dc7edd2b2143a7b80819949cb1356894fe018a138774633fee6", "type": "eql", - "version": 207 + "version": 208 } }, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "647288a0f887d8f1f0552ecfef80652333f04873e5f925195d218507a369b28e", + "sha256": "1932d2c6a7574c3d3dcd32ba76e9193f88aa77d2be7e5591e0616b44a0172290", "type": "eql", - "version": 308 + "version": 309 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "min_stack_version": "8.14", 
@@ -7831,6 +7927,12 @@ "type": "eql", "version": 210 }, + "7f65f984-5642-4291-a0a0-2bbefce4c617": { + "rule_name": "Python Path File (pth) Creation", + "sha256": "3e310759ffae8dd92e3b462c5c57e748a44ffeabbadd2510eda16addf05c84c7", + "type": "eql", + "version": 1 + }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", @@ -7890,15 +7992,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059", + "sha256": "f3e0f53c321d7760c971547d90245085ba16e37bb4a6cbbb16a17e495f180f1d", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608", + "sha256": "cd00aafb325b718b74940c08fcc167b018b79db66f6d2ecb94b54f5fd3a55d1d", "type": "eql", - "version": 104 + "version": 105 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", @@ -7969,15 +8071,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "6bf952805cab991d5963490e557576ee982dbb3d351e9a2b4b2a18092b5980c4", + "sha256": "f3147338285b65e5fc2727bb5e244417230a438c509b93732c76fc659df7a77e", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "e4459ed8785c0a590bfca408bc7e0bf79a7101cffb3c56690bac0f7cebb948fd", + "sha256": "4e4089ee80c9f3fe5c661058d288082e4d02074f2e92640bf2a14b63fdec41a8", "type": "eql", - "version": 109 + "version": 110 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", 
@@ -8022,22 +8124,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "81ca7480b1ca8ad4fd6c7cdddfb2622e9b14641cb9b0b612e22d6bca9e329179", + "sha256": "d97f88a21e5ef203f235aaa22174e05b7a3af6d503f8955c63fbad955ab56a5b", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "13fd6f48996c900fb7a162c04e7b0e7ea52bd9bb0cf837a4edfb19ebb6c3e8c4", + "sha256": "d452c13b253efe39545cb5208cb8dcc730eec15c3cf732e06e875f95f930d0a7", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "8f162f40f9630207e21d4ce6a4025ddefcdfc01ac59158bc49c0ef854c20450c", + "sha256": "bcd9044616fb4c41c855119819ab2ed72243d4d248199226a9d6287def186883", "type": "eql", - "version": 203 + "version": 204 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.13", @@ -8105,15 +8207,15 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0", + "sha256": "ed8b2a515385353dbfff6d484b45000dd49af48e2b5abc8e44406fa955d7225e", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "d9c16cda743982a7c6cdbdb8dc28e0a6b4b32544874e6716412faa3814b400a7", + "sha256": "0aeabad8b6360ffeb8fa1b4e1f3b623d7b0ade5cde31301f7321c1463ec7fa9c", "type": "eql", - "version": 214 + "version": 215 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", 
@@ -8127,6 +8229,13 @@ "type": "new_terms", "version": 211 }, + "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { + "min_stack_version": "8.13", + "rule_name": "Potential Subnet Scanning Activity from Compromised Host", + "sha256": "3ca0053a517e206cbd88cae6c14ed9398b99f6ee5021cef8d89c40b9a66ba4f8", + "type": "esql", + "version": 1 + }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "8c5a7758239101b15cc23eb4fb35a783f8e692ad99783c3801a074cdcd98e637", @@ -8170,15 +8279,15 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Enumeration of Administrator Accounts", - "sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e", + "sha256": "f8c272cacf74e41908905fbe517ec45ff817e7a6f81d7a2cc3997687c84ad708", "type": "eql", - "version": 114 + "version": 115 } }, "rule_name": "Enumeration of Administrator Accounts", - "sha256": "a362b8b5e455f372dabfdad53f4b89385185d08f8e4cd581f2d4d3a13bc1a59b", + "sha256": "b50e5bd6eb867aa0c8f17a52fb8f577cdd31f5d5f75f4be9e1d462d4222d22e5", "type": "eql", - "version": 215 + "version": 216 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", 
@@ -8244,15 +8353,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "9bd93a579ae1a7bbd18dedf1ae6dad6e63793a9512980fd85c8ae941687b452d", + "sha256": "e247d1c92d0054f5c3a3d6aa1d7d50053e63ec57610f92bf623e1c665d5fef72", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "81c8f8ed0970f15203496f9c2987f89c5c57a24edfbffac2587aeb52629ec0ce", + "sha256": "097ecbe7691d20f9769066582286b7b4cf5089fcc6870e7167267a94faf759d8", "type": "eql", - "version": 104 + "version": 105 + }, + "894b7cc9-040b-427c-aca5-36b40d3667bf": { + "min_stack_version": "8.13", + "rule_name": "Unusual File Creation by Web Server", + "sha256": "8cae8e72cd21c891b3a56fb7489a1dd3047402b91600b8407a06bd207d353617", + "type": "esql", + "version": 1 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", @@ -8388,6 +8504,13 @@ "type": "query", "version": 411 }, + "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { + "min_stack_version": "8.13", + "rule_name": "Unusual Command Execution from Web Server Parent", + "sha256": "2eb13bc908da7bb2301a0f62d0860956cb7aa1d99d970bbb6e6d6b32dfc428ca", + "type": "esql", + "version": 1 + }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", "sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693", 
@@ -8439,22 +8562,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d", + "sha256": "91cdd11fc144f89b569a54e7275f2028a431bf4b3f898c924be4ca038ed1e1db", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "0233b0c095271e86a61b4f41bb130007b740f4c4e75718f9ca731a3bc4f94511", + "sha256": "10276d358882ef3da69495c0a49a1a76d8f27b5759699cd6abe910853de7d0a3", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "1b8dcfb849fbca85f3c0f9347e3081f3c8e4b4f6736756a7de5d88cc31652ce9", + "sha256": "5e8971df8497f0c448f35992264db5351dcb8c2fd6a7a53ed18fea0eec89b727", "type": "eql", - "version": 311 + "version": 312 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", @@ -8474,22 +8597,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Child Process of dns.exe", - "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460", + "sha256": "911e718531c11fae196314f279f6f059a3a14dee38701be164c18c20a69be5a8", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Unusual Child Process of dns.exe", - "sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8", + "sha256": "684919ee328c12075a6ff89741a91ca29400e405462c9ae06ea7003439680d37", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Unusual Child Process of dns.exe", - "sha256": "8e9cdfcc336ce2f5c05c2db76a514795e03b4b84ef65fb2ccd5d14b90a043f77", + "sha256": "867b10d1207fb72a4c80df7516090d981653a229fe0961a03d278b07a8e8b269", "type": "eql", - "version": 313 + "version": 314 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", 
@@ -8522,10 +8645,10 @@ "version": 3 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { - "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", - "sha256": "3f9d9832999051ccb2f4f680d70c51666a85ffacbbdeb85974b1c3ef4eb6aff4", + "rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container", + "sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd", "type": "eql", - "version": 4 + "version": 5 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.13", @@ -8555,22 +8678,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "0271ec3b7dbac27363d1768f6fb6633b1ab0c6eaf0382a21336ca11b2cc1f0b1", + "sha256": "cc8123040408a5a7b8824468814a4a6152edc5a53ce52f8d4a21411633b35e12", "type": "eql", - "version": 4 + "version": 5 }, "8.13": { "max_allowable_version": 203, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "1cef3e85f9ce38dcb49c69b0cde38dc80d5d7fe5c048432052116587f371866d", + "sha256": "c3e58264f54e251fc042b772277da53c784ead76674487f0c33c678b7dd0a9b5", "type": "eql", - "version": 105 + "version": 106 } }, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "93bf077b552d68637b1f5ec442da5952dfac9a2d11adba7777c8199be69b8fcf", + "sha256": "523a79457ebd120192055f51dd87edc16265da30254315d5d7fda6729362e1a1", "type": "eql", - "version": 207 + "version": 208 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", 
@@ -8584,15 +8707,22 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Bitsadmin Activity", - "sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e", + "sha256": "96da24c5865af45e8f97dda18459a22901c821608d0882b14b8d21d20c5db1f3", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Bitsadmin Activity", - "sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86", + "sha256": "b26871ba275b05a8a536baa79c0e3200e9624866b75d442ef29859ec0e3574f9", "type": "eql", - "version": 105 + "version": 106 + }, + "8eeeda11-dca6-4c3e-910f-7089db412d1c": { + "min_stack_version": "8.13", + "rule_name": "Unusual File Transfer Utility Launched", + "sha256": "f8716bca394f674cd16c413cffed7862bb3e4038a525c750adf70d3d2406ed09", + "type": "esql", + "version": 1 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "min_stack_version": "8.14", @@ -8600,15 +8730,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "d9d7ef5d8a35b0d509f6c52f7e95a8741f5ffc80c671295bcb5b24651ae9e8b4", + "sha256": "b3f6fd62337753431592f0b819d7b43364bec6c27449bda2d19dedddedc22d07", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "4a2ba32e4ade2dda214d50545bdffa1d1d97099b107e173b18969c0cc6b4fc31", + "sha256": "4bc16ba3becb47c564ddf8155c01f3fb0d4c5ede2cb27e19c359d7d715b65a25", "type": "eql", - "version": 104 + "version": 105 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", 
@@ -8700,15 +8830,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "InstallUtil Activity", - "sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f", + "sha256": "e5667b196187758d6237ff6bf5f23a6f6e1aeb96192193c9497c622982907440", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "InstallUtil Activity", - "sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7", + "sha256": "d3506c72c7907f32e455ea418eabeca0f6cba286dd09633a0ab16fa9b324c357", "type": "eql", - "version": 104 + "version": 105 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", @@ -8790,15 +8920,15 @@ "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was created", - "sha256": "d6747d1290f1796ed4e4f87144b3b8399615d65f1fc3916ffb33b2060b900a5b", + "sha256": "b1fa6b0fe20d2fd8ffedb8e8b14ef7d3b57c533ea32c88b2841028986b3bf6f7", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "A scheduled task was created", - "sha256": "38d6ea55b4bc9a334bcda8a6cf1640203f0bb3b12a67a82301f1af5765c75412", + "sha256": "249deafe81ed265426800418a9a92b7d725e73e8f846b33cbcc9f4055e6b220c", "type": "eql", - "version": 110 + "version": 111 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "min_stack_version": "8.14", 
@@ -8806,15 +8936,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "fa28cefe9751d4a0325f5ebbe3ea32294ce408c668b871efac8d0eb508456468", + "sha256": "b0a73c7ef98e6c64fd9209a4d9dd91fd447c52af2d20f698ea91c6b7221d922e", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "f2f9b1f0bae96ec9051aaa8b62628e6079e822cb5501c2ca5969afbf5d8521a1", + "sha256": "9e98be89300ce747f2919cfb437c25751c974c69e9de7111a7de7a59bc9c493e", "type": "eql", - "version": 106 + "version": 107 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", @@ -8913,22 +9043,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "4fa63aacb71764801fa191bd2326696f937bd85aa84baa0883b51ec2b967b3b8", + "sha256": "46c457a7a1a2443ebb06f362b2f728a3fa9ea4f0c6261d4bdc32a7de7e92ab6e", "type": "eql", - "version": 11 + "version": 12 }, "8.13": { "max_allowable_version": 208, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "1d785de785b00340684b4e0f441211c357cf2ee299f22b28f3bb5e2a3bdf1784", + "sha256": "3bf1f307ad367938a343c262bcf271d1e172a74528f40a5f70364cbfd688a804", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "10a993dd4620cab6a35f2dfbdfb89ca009ba18a7c60e6e10c93bc8954cacb6bd", + "sha256": "3ca2f8aaffac020eba3dfe8981e8cac731522b3d81551575b2e84370c8c9c9e9", "type": "eql", - "version": 211 + "version": 212 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", 
@@ -9044,10 +9174,10 @@ "version": 2 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { - "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", - "sha256": "79d1b7004319abbd6311a32bb7e63bdb9edf25beaba2503a2bb7fe596b63048a", + "rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container", + "sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3", "type": "eql", - "version": 3 + "version": 4 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.13", @@ -9106,15 +9236,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "61c1a4427e02b605bc3f9c668f45b6c876d901b271b04e6d5ab681b96370ef3c", + "sha256": "1a312776aa0b8db999e00c4e025deb6da554ec3738734de8d788a6e8c2d8b957", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "a3103e7a211a1b85248f488f250216ebfa31f23d029f49d87340c7c74ebbf34a", + "sha256": "fd2dab81de38537fa82851e66cba9cbe80121418b4151135a71506229f41bd19", "type": "eql", - "version": 109 + "version": 110 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "min_stack_version": "8.13", 
@@ -9136,10 +9266,17 @@ "version": 105 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { - "rule_name": "File System Debugger Launched Inside a Privileged Container", - "sha256": "38153858d0ad809d23edde22212b8e76f0e17a2813aeb4b4b8144dd46c1dc699", + "rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container", + "sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319", "type": "eql", - "version": 2 + "version": 3 + }, + "976b2391-413f-4a94-acb4-7911f3803346": { + "min_stack_version": "8.13", + "rule_name": "Unusual Process Spawned from Web Server Parent", + "sha256": "65425366319a1036000c5b118c93b8838f7357205eb7f98d09811cd3d417fdac", + "type": "esql", + "version": 1 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", @@ -9176,22 +9313,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Zoom Child Process", - "sha256": "9de7f3413eaf33a9a4c7ff77a174eab1cc42d1f3c3f4327567efe65ce7c7db7d", + "sha256": "89aac019d039da3e9cc8d5a90ad24c527336df5dcb17667cd41e0bee861b36af", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 413, "rule_name": "Suspicious Zoom Child Process", - "sha256": "d2b8083ef96d8b40fa12bfc2f2ef8433f49b06144264a9bb5cf5d805f26f34e3", + "sha256": "81d81d2a203cc3c331a1a84c28d088567742339d61e0f33dde9e1035758db531", "type": "eql", - "version": 316 + "version": 317 } }, "rule_name": "Suspicious Zoom Child Process", - "sha256": "75a2acd6fec4e5e9aa275a9b8af68eb1de804913337ede2bfbcd0420422bc0ff", + "sha256": "8e2d7ddbc2af722c230fd0a23e1428cc5fb0493d0382e9e124410a5087628899", "type": "eql", - "version": 417 + "version": 418 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", 
@@ -9251,15 +9388,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc", + "sha256": "8f278d6cccbc4ea629a93950010eaec7cf14434d52853ef5918623c532fa1fbf", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa", + "sha256": "52f62bfbdb63f99ed6802e2dd419d04a89be011d0af0805d94a0e58280834400", "type": "eql", - "version": 104 + "version": 105 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", @@ -9455,22 +9592,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "034dbbe0e465dbc6001136495954743ac55334e869c7c26cc9a626641ff6aa1b", + "sha256": "1ca4124ab56004a70f6da7a9a4d37c4f17b4b6f6dae275a42b309b567ba942ab", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 311, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "0912aa1b6bc991c999aa95627f0b21c7a306638eb24927bdceb97a8ff3299250", + "sha256": "84f14d803c60917b6e0fc1ed345759a7a8cba6fcc2cb04ce790c8f6f410b8789", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "a374edbd21cdd1d173a65c55d3d972a408a56b5c6350100b0dac8c36141ab105", + "sha256": "7813df08730563638f4d24c630eaa2b5dfa818903e6017334b38afc51984e497", "type": "eql", - "version": 314 + "version": 315 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", 
@@ -9506,15 +9643,15 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "3e15a597d73ad4a145c44b02a7b7c7cd1825b1cd4c5a3278a1c07008434f6a08", + "sha256": "16a3342d1003ae1b974b870f7a8388dbc7041f06704202c476621831405e4ad9", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "dc1a5b32175347af1afd41737265cbb2862a8c64a10583b52fa85a49f73f1afa", + "sha256": "13c9045416c8248f845b761d980512aab51c64c5413e295c18c59953eb5438e9", "type": "eql", - "version": 110 + "version": 111 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", @@ -9569,9 +9706,9 @@ } }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "8781554bff624a0faedf21aec63a088525699563be1aa50547303cc3af235151", + "sha256": "c42cd52eb73933b7ba7eb1c1c25bfca2e8215a4e3c8f773c16584bfd38174c1e", "type": "new_terms", - "version": 312 + "version": 313 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.14", 
@@ -9579,22 +9716,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "bfab358531d2fb7cfa9b7a47b1508d37b00322f539ac43fa61530596a4eb2466", + "sha256": "3bd8a686c90d2b907e79cb8d81ba383c30178ea847082f7fe1759d803be174af", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 310, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "29e49c1b420b1f8b800a4ac388b31b3bdbd3de5b3d1bd4a25b3655c2879ec8ed", + "sha256": "a5612eb45ae24f371fdd1a61b1d6c0ca308cc2c8dc2fab9ac4bd95b6f32b8fc4", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "3462d5554238a5314c72b9c3f0c56611fd6c922c4c7ee065d1ffc95969e14966", + "sha256": "3c4a04e50ac49b7af2d68bbf893ab9bded4c25fdb56571258a632a4a4a0bc7cf", "type": "eql", - "version": 313 + "version": 314 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.14", @@ -9634,15 +9771,15 @@ "8.12": { "max_allowable_version": 313, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "e084fdc2aeb3587b28f10bf09ec2903a8523537a67b3b1538f46727a736d16f8", + "sha256": "fdb27be4ce2b9a135b03186611685488a9d4a989738c3edd28687e83b9f7e349", "type": "new_terms", - "version": 215 + "version": 216 } }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "35156b3e9740e59353d84856c46b8780be71d93b456573600a2f5093cea01698", + "sha256": "0a3531614c20fc9734ed5511346286cf1814c660d2dd86e7ca61b414d1052ec7", "type": "new_terms", - "version": 315 + "version": 316 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.14", 
@@ -9656,9 +9793,9 @@ } }, "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "926469208de2cc16311faa56f835813cb0da62cf3ee0ff79366e3c2572a11edf", + "sha256": "93adb711b7a1ad99c4215e7623c63eeeb35de931e53749d3abbbe7aeb344d334", "type": "eql", - "version": 208 + "version": 209 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", @@ -9672,6 +9809,12 @@ "type": "machine_learning", "version": 105 }, + "9e11faee-fddb-11ef-8257-f661ea17fbcd": { + "rule_name": "Azure Entra ID Rare Authentication Requirement for Principal User", + "sha256": "5d5c0a0d20bb041e22f4d97a3c49b1e687c2381e75e1b707e7e85c4bae6c4b5c", + "type": "new_terms", + "version": 1 + }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", "sha256": "aad06c86f00fc49143d2b0b6c0f3b27380ed7eff0b3cf20193f5338fc2ea0a9f", @@ -9700,15 +9843,15 @@ "8.12": { "max_allowable_version": 214, "rule_name": "Potential Credential Access via DCSync", - "sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921", + "sha256": "b5ad0d7ace8669b1eea8d9a58c38cb027d236901af048b6f308e8b921b7fb4a0", "type": "eql", - "version": 115 + "version": 116 } }, "rule_name": "Potential Credential Access via DCSync", - "sha256": "c827437febd6573bc72e13eee68be8b34803f97343b531bf5a4ac64899989cc7", + "sha256": "a931d7b18207e55bd0c94cf0011568c27d08e2cfafba8ce17542ec209e78e426", "type": "eql", - "version": 216 + "version": 217 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", 
@@ -9728,15 +9871,15 @@ "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was updated", - "sha256": "73081f6875d6de77e1cfc1de7cd27bbd885b7f016546a3e004f06be2c614c254", + "sha256": "24db103856c5596c20cce21e7e92ea1d20a82b95691be3b31c7718f15984c193", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "A scheduled task was updated", - "sha256": "b4abe619c6873dbbf537a259fb41b785fd39c973534f78af8f41347c1f9a6834", + "sha256": "dd983fdaa73edf71a2cc567f3fa7189cb995df66ceb66751f6047036d45700ea", "type": "eql", - "version": 110 + "version": 111 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", @@ -9788,15 +9931,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "ff0cfb580ab3d4b49d481e29249862e6b6880e365188f6042d40d1b3773f1b70", + "sha256": "5fa1a396391aee8e4f152b75cbd71a7944b0a4850e20e3496a5de3f463d46031", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "12d937324cbeaaa49e957871d3d23a99d065e3a5070e763111e10bcb6a0e9a92", + "sha256": "2e3cb26c1d0f253e34915465fd896789a7056d7faeafad6435baa712f4d4358c", "type": "eql", - "version": 209 + "version": 210 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.14", @@ -9944,10 +10087,10 @@ "version": 100 }, "a52a9439-d52c-401c-be37-2785235c6547": { - "rule_name": "Netcat Listener Established Inside A Container", - "sha256": "04ff1b708f21926ca8673e536f01751da5464d3c618e199dad5190935569c59e", + "rule_name": "Deprecated - Netcat Listener Established Inside A Container", + "sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196", "type": "eql", - "version": 3 + "version": 4 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "CAP_SYS_ADMIN Assigned to Binary", 
@@ -9991,22 +10134,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious MS Office Child Process", - "sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed", + "sha256": "5c80f53958876a026ffb64b1eeee262e9fc7df01ceba845b9e2d9690744fc22a", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious MS Office Child Process", - "sha256": "588a86512ac13842f4f3b0dfcf78a653ee96c402aca625c9db1f793666c9479d", + "sha256": "bb2821c8c28461a976dec059fb9da7427ebafa6082a3aa9095dc1b42eabb8054", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Suspicious MS Office Child Process", - "sha256": "df103b761567aa84a163bf20bed5e548a1a13df931fa93006532bb57e57af65b", + "sha256": "a68523228ec0fc453c23646ced21d0b57a3417cebc9b74d4232992adf3b96a38", "type": "eql", - "version": 314 + "version": 315 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", 
@@ -10038,22 +10181,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d", + "sha256": "f94eed7bd541165126c32c94597db40548996aafff6604d4461961c9daa182ee", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "c96159806a102e910abdca6cdd017afdce8fcae45e565867bbd1f7b43abc431b", + "sha256": "b114be44b544deba03a1417c2ce3c4a5e94689f375f28e7a41fefee718c6c001", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "4aaa0273cb33a2b9fccdcc176011775da2bcc37db98deab6d7b0fb2b9792a8b3", + "sha256": "341a50ecd0f4ebb8543687abbf979227065c91bcd013a47d4f135107b26ecf89", "type": "eql", - "version": 312 + "version": 313 }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", @@ -10081,9 +10224,9 @@ }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", - "sha256": "9067b8538121e710f6bc88912dc5b959b87527aba3c8d4799197e2b1155bfafa", + "sha256": "af6c29f7ca5a3acf5c0a9b81b9be7a3d630222ef6aaa8bd14ae44a6d9682248f", "type": "eql", - "version": 5 + "version": 6 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "rule_name": "High Variance in RDP Session Duration", 
@@ -10376,22 +10519,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4", + "sha256": "ce99c263910efa69241137ea09accded8b37ab436213bd6a80d3c8736c01d957", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "be076a1dbd4f050fe7d76ce1b43d766bf6de4de026ea97dc7ed5bf45358d73cb", + "sha256": "d7fd7b183cdcd959de4cad44e21af6a406556b7a2d7848338dff1bda0a4e4947", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "c1a7cd36ec3ec749ea82e4039eaf388f2e5733806e0aa2d62166f97dbeeeda22", + "sha256": "877b82511a776fabb258c7294666c134b9fe2720c4b3adb773f6332473caf911", "type": "eql", - "version": 310 + "version": 311 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", @@ -10421,6 +10564,12 @@ "type": "eql", "version": 104 }, + "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { + "rule_name": "Decline in host-based traffic", + "sha256": "0615c9d044eb7a81ca8254362ba850c6e3f29202d1fabfe3bc811b8b9149a05f", + "type": "machine_learning", + "version": 1 + }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.14", "previous": { @@ -10528,9 +10677,9 @@ }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol", - "sha256": "c873fc0c596cd973f1b742aac95e71e5cdd88437995ca1108204c81efb510ef3", + "sha256": "46f3600dac141091ef1e675e1b7fd1c5eb2710d472899b827c7cdb282a16771b", "type": "new_terms", - "version": 2 + "version": 3 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", 
@@ -10578,6 +10727,13 @@ "type": "query", "version": 107 }, + "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { + "min_stack_version": "8.13", + "rule_name": "Potential Denial of Azure OpenAI ML Service", + "sha256": "e06e9851654f73dc96d981f25bb9fe7241126b9b028623c499bea1026e7e7bff", + "type": "esql", + "version": 1 + }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.14", "previous": { @@ -10636,15 +10792,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Potential Network Share Discovery", - "sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c", + "sha256": "e984a3d3d48ac2c527b8cc9639ad36794477d63017e31f65023ddef04404f01d", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Potential Network Share Discovery", - "sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e", + "sha256": "a59215d5f80a3d3ca3e4611cfe0f4266d000c7ac58879ddd30ba94193e0ba79a", "type": "eql", - "version": 106 + "version": 107 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", 
@@ -10708,22 +10864,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "788aa64f654d1ac9b8ffd4d72359798797fc89867374541a87bbe9a894fcf4e5", + "sha256": "bb3314617957ebc4e0040f77083a7b5191ad7d4aac12c6f8e24d76b9157acc0d", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "319f2d05d6abb9b5ba124cc01beac7e744ae47dc12b992b2bed1a9e23f17d27d", + "sha256": "b5f67f0db406d5c2ba14017d2992671bb8f8d5baecbff16bb3dc5c7a9f5349fc", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "36ec98bc6180df8ef468f9c0214119135f7e9048ef4758dc1373818fc33d81e2", + "sha256": "7619c7c7851d86a7c00dd33358f2a195e219abc5a71877a14e1d058f089679dd", "type": "eql", - "version": 314 + "version": 315 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.14", 
@@ -10731,22 +10887,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "e8d26c789dc518e64dbc8a2ebc802ec86ad2ece06bdd9b24713721e87e4c3f2e", + "sha256": "827b2e6312c74d28a9c2c605507eb0ece093b284e60e26bfc9107c6733929d1b", "type": "eql", - "version": 10 + "version": 11 }, "8.13": { "max_allowable_version": 208, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "8e1370bc732b7ca13a8a4398d2978e5fbce22c79d8ed69889d4271f8500f9347", + "sha256": "880efdb0e8afa50b33a2244e2d322195958eb94a5cf7d3350bc81687308d4ed0", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "ada7de75fee9e8d288c51a4bea4856ecbad5060b978f2319b741a67989164c15", + "sha256": "8747c38dc0c5c1f095c574509b9f5f8f8559565e457678aa2382014c1f360627", "type": "eql", - "version": 211 + "version": 212 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", @@ -10766,15 +10922,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "At.exe Command Lateral Movement", - "sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402", + "sha256": "a1aa72dc7cf218498b4bd3cb3adceb831db178df81c7bcd254159323dda53cc1", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "At.exe Command Lateral Movement", - "sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0", + "sha256": "7bdc29998a4df28f2c5f145fb8616a73d22bd40857000f5ff345f304a82ece97", "type": "eql", - "version": 105 + "version": 106 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.15", 
@@ -10811,22 +10967,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Clearing Windows Console History", - "sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb", + "sha256": "d42b2a9e2f10c1fcdb5ef9f4e61976c421ed73777e0d9e8ce2cf19cd049ea169", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Clearing Windows Console History", - "sha256": "2750851ffd550e98d2fa0f4b5654f051e62a2b807d18128b748c136fcfa2d9ce", + "sha256": "d749f074e83e0054eee1daa97f50831d810c8082d16bb985c7e98ff4618ec2c7", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Clearing Windows Console History", - "sha256": "4895530aff3222c2708c780f6046f091fe54c7f8ae320663a9e360501eaead98", + "sha256": "2c520e669cc319fbcea530b0ae4bbdb5e0957465b447349c216ff5b15b51309c", "type": "eql", - "version": 313 + "version": 314 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.14", 
@@ -10834,22 +10990,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837", + "sha256": "efddb07094d4112b3fe52e056949b21c437249bb7173dcd0184fef80a1591834", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "f507b4e773a9237e2f79ee6904335b27b7cde346688aeee533fbdf6dfc06bf52", + "sha256": "3712d140a6e40ecb5f5069fda566444132ed4b17f3d0102195b93ebae8b4175e", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "a23c2164fc398c84a3801c90a53f1caaa9b506aeb7e2200ced7b22100fbc25bf", + "sha256": "05e2efb7276a733c2adf3681d0ffd4d02f6b6f275d68f93d23b7bab0f37be852", "type": "eql", - "version": 313 + "version": 314 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", 
@@ -10885,22 +11041,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "1f948ef193a4bd5afe3496e85933faafaa574a3999c3f5ebdb743dc559799312", + "sha256": "4e3ae75a438564e128dbbe0d7dfbb9db97cbd49cea4ca9c060dffec9d64e974b", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 201, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "668a4b5083f2e5cddf17ac87a8d72dea5459ecb274000056b4b1190cf8cc9bb5", + "sha256": "7fc925d9354790c0cb64f217ce0c978632281ba46ab5e671f3f3d092d609f03c", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "bb6f902b009039096c1412de2474ec0ac73ebe4aa60b042d2c63f0b0a7d3d2bf", + "sha256": "185217c47b57dc0e942f3d4acda3ec10d274848c91c1261ea8eadf3faec9e687", "type": "eql", - "version": 204 + "version": 205 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "min_stack_version": "8.14", @@ -11117,15 +11273,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233", + "sha256": "afa94a71cd99d31b1c816a7710f3e00e86c7854df6db0f251d9194ed981a82b7", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "3acd9e9b9d59edb71bdeac456f55d8a99ada6edeb583af312a886c1c4701c997", + "sha256": "0dbd728ccdee18242ce73777503e932ab66219ba7271621060c5b98633ac1107", "type": "eql", - "version": 211 + "version": 212 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", 
@@ -11242,9 +11398,9 @@
 },
 "bbaa96b9-f36c-4898-ace2-581acb00a409": {
 "rule_name": "Potential SYN-Based Port Scan Detected",
- "sha256": "0ffdbbf812a677f1dd016ce2e7d9d185f7c0273ae4a7874f2b06728137c60cb5",
+ "sha256": "ca7cb850b228b5d6ab6ee6f7893e1bb49c6b1e24498299ac9177cafe74cf64bb",
 "type": "threshold",
- "version": 10
+ "version": 11
 },
 "bbd1a775-8267-41fa-9232-20e5582596ac": {
 "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
@@ -11328,15 +11484,15 @@
 "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Potential Defense Evasion via CMSTP.exe",
- "sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a",
+ "sha256": "1a4b9e6b364c8dab7b70af95029c1837cef25faa14161bce57283c750b0f6c1b",
 "type": "eql",
- "version": 5
+ "version": 6
 }
 },
 "rule_name": "Potential Defense Evasion via CMSTP.exe",
- "sha256": "f2c6e76e5fa6fe5da59e415f4cc032e5aaf06f2c593e87a084a824ba80b62548",
+ "sha256": "e90bca644b9c4deecb5cb69654940894035152e5ce6d74f3c45b3193ff56aa8b",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "min_stack_version": "8.14",
@@ -11366,15 +11522,15 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
- "sha256": "c8d4db837c40680f29b2140e0f41995c0ce4aed2dbca551b70894be0abd9fd37",
+ "sha256": "ca3c535c19bcb70517a067c7f2fee45d4cda7183c15f51ff65edc5558f9180d4",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
- "sha256": "2100b7b6c9f3ce481f1dcf4333c039e84300cc7aa056627d9862759994df042c",
+ "sha256": "c81455cfc1549f0c20acc4d63b70b45f4a82f73a2589aa193d0eae48dcbc4fd4",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
 "min_stack_version": "8.14",
@@ -11382,15 +11538,15 @@
 "8.13": {
 "max_allowable_version": 100,
 "rule_name": "Execution via Windows Command Debugging Utility",
- "sha256": "128e25dc4dd9800c4db478e306a37b6768835a4ef62f53f680e0cdd502d7d9bc",
+ "sha256": "b7d2b3d62bcd3f5f072a3d0eee1d7ffc41c8ab186328c6e58ec190d567786da5",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Execution via Windows Command Debugging Utility",
- "sha256": "1720faed921c7d07dedcada05ff659ef564368cbddc18be19a79320dab755437",
+ "sha256": "7fd0fad617863a3fa3b7d26140f49d61db07e3841a2112fde8231db1a9c55ae3",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "bdfebe11-e169-42e3-b344-c5d2015533d3": {
 "min_stack_version": "8.14",
@@ -11420,22 +11576,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "1bf926c25f9a52807b31c6c522765f3687f5c07aded267e5efb051935cd32426",
+ "sha256": "b92d79f08cb700838477ef425e6e82c0645fa7621fc8db3acfcacbe1b383f49c",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "50a2fccdd9f12b719de8bf5aa6575e9411a70beb5f69f0d624a2d57b94565894",
+ "sha256": "83ee3ea43af4877d7c995fd8d7a2ef67b13bbdf1e5ef140fad511c76c5676d9d",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "760c0bdbfa8e2d2cbd1b79da8d81f2bef5f54a26c29695209f466ed712a2ba4a",
+ "sha256": "7b9b7c2ada7e7e5ed1ccf83734701f53aa579ce4df309fba3aacddb16a8eb9fa",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
 "rule_name": "AWS RDS DB Instance Restored",
@@ -11567,9 +11723,9 @@
 },
 "c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
 "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
- "sha256": "639384f73345b48b0a96eb16e0b3f8160d8573e672cdc7743e710a69b00c200a",
+ "sha256": "90eee60fa4fd3963cbc29c1f58b1675616c99e865e1ceacd168802b7df454d85",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
 "min_stack_version": "8.14",
@@ -11577,22 +11733,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft IIS Connection Strings Decryption",
- "sha256": "29903b3865bb0e5568138436f842ca97f4731359045b7bff776424130946cc06",
+ "sha256": "fc1b233c930cf034d1c534a92b4ee42fffb15b398da01bad0b93741527b11b4d",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Microsoft IIS Connection Strings Decryption",
- "sha256": "69a7694bbee8a347e6b1f706a60da157e9a3f4ebef346e841475709ae3d55f67",
+ "sha256": "876985abcedfa9f369eb1b552bcf96e7ba482aee631b990fce2007928b0355cd",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Microsoft IIS Connection Strings Decryption",
- "sha256": "dab86b9d33245df07123dcaad409fafb00109831e1aaa7d92ab104baa5ac8f46",
+ "sha256": "d68e0ca9ae67ed1ba16a2c62ee6dca41fa25ad178352a45fb29e08d0920c6c66",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
 "rule_name": "Unusual Linux Network Connection Discovery",
@@ -11681,22 +11837,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
- "sha256": "bc1b90a1a5d02845a8233abdaaff8ca068f4d6ccb29b7d6e8df55c25ccc8190d",
+ "sha256": "7da7deae7aaaaa19159214551ee72b6c0cf82a2eca4ae8edb3eaefe8aa0a69a8",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
- "sha256": "66d36844c67b648b4c4559b7763008bb43f79e6e5a69933731f037b434d1b553",
+ "sha256": "2189d24d38c91a875a7ef420d330d9f074f3f874a38e25a6082487a328b98b28",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
- "sha256": "72af0267f6d68ef9e8303b0f95ca9b116c0ab53dec1fbb65653f47f1db386071",
+ "sha256": "efd529afc416fb90d5b3370adef9ee8b8e42b1a423035ef86d017b22629b1de0",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "c4818812-d44f-47be-aaef-4cfb2f9cc799": {
 "min_stack_version": "8.14",
@@ -11733,15 +11889,22 @@
 "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Attempted Private Key Access",
- "sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa",
+ "sha256": "ca0b00b33c8214c0a733b6e9ab2291c4a4e2bc92103a928da8778c792f66d428",
 "type": "eql",
- "version": 6
+ "version": 7
 }
 },
 "rule_name": "Attempted Private Key Access",
- "sha256": "67111e4bc078ef2f52e3170b75a2068f4df825c1c368432e246b5473474ab975",
+ "sha256": "e6610e9bc8709d63404f439099e2274b94e6feaf5c4d781d3cba8797f41bb218",
 "type": "eql",
- "version": 107
+ "version": 108
+ },
+ "c5637438-e32d-4bb3-bc13-bd7932b3289f": {
+ "min_stack_version": "8.13",
+ "rule_name": "Unusual Base64 Encoding/Decoding Activity",
+ "sha256": "0a148e281a7113c56b07159b06c263d44a96451217b4ed1cfb60d2187f87efd7",
+ "type": "esql",
+ "version": 1
 },
 "c5677997-f75b-4cda-b830-a75920514096": {
 "min_stack_version": "8.14",
@@ -11749,15 +11912,15 @@
 "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Service Path Modification via sc.exe",
- "sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32",
+ "sha256": "a2d3d1147504ad2b3c7930bba24c2055e523d84b2feeb737211417cb72d8eb56",
 "type": "eql",
- "version": 6
+ "version": 7
 }
 },
 "rule_name": "Service Path Modification via sc.exe",
- "sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa",
+ "sha256": "4b544e89f0c85e979ed5572561c0781ae88708e037117d8963541ef94eb070ec",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c57f8579-e2a5-4804-847f-f2732edc5156": {
 "min_stack_version": "8.14",
@@ -11833,22 +11996,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
+ "sha256": "4daab056bff3e4d5ae1ad7c4643448ae6fa836f83f095a5cc615f506cad68e8c",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "234ab55015e205be9f494759489e7407d97a9587f61784858ec614d199b4599e",
+ "sha256": "9a5614b3e8f31ae092611d49189818157e18dda6ceb19becc0f624b2a81938ff",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "e8f809976fd19dc1921f285ff28a22407baf1aac6f21a7d4d2b1377a3770de14",
+ "sha256": "ecf12cfbacf7d550b987fe63d6114222e641aeb764b32e4823d6c7712bc2c185",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
 "rule_name": "CyberArk Privileged Access Security Recommended Monitor",
@@ -11869,22 +12032,22 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Remote File Download via MpCmdRun",
- "sha256": "264309c3db8c109a609e4940bae53e25b00cd85ca02cfd4adbf27f2113815950",
+ "sha256": "67e77129c5ce0eb04df88c0d64d4f387ef1de59bc03f8d9e7eb11e9c050cd0c0",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Remote File Download via MpCmdRun",
- "sha256": "3e854ebb07cef539caae7a12bdabdbe67a2d9931c64e2558b2fce09bcb270e12",
+ "sha256": "8ca38e918ccb9a3bebd448356f11e4ebbbdd1fde86f8cf71f7b8c36eedc5ae79",
 "type": "eql",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "Remote File Download via MpCmdRun",
- "sha256": "c4bcf943fd4ffed84dca06e325620fcd175c62a4953b6070d11085699584bb0f",
+ "sha256": "d63b7af246369d52debf0c9e1196c9abfa1b1d3b7b127b2cb53e0bcf7587d0d8",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "c6474c34-4953-447a-903e-9fcb7b6661aa": {
 "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -11951,6 +12114,12 @@
 "type": "eql",
 "version": 3
 },
+ "c766bc56-fdca-11ef-b194-f661ea17fbcd": {
+ "rule_name": "Azure Entra ID Rare App ID for Principal Authentication",
+ "sha256": "7f59a80362f46d096681439f02d9aa46ace84ac2426f550b434733c6b1308ce6",
+ "type": "new_terms",
+ "version": 1
+ },
 "c7894234-7814-44c2-92a9-f7d851ea246a": {
 "min_stack_version": "8.14",
 "previous": {
@@ -12066,22 +12235,22 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
+ "sha256": "e9d9ba83d54f62f31234ba17fcc63773d044a09d7ccbdfb8a1a86e2031ae84a8",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "d5e6366373a4f2a5a6d949519a1a95eb5bb692aeee5d81396c80291f549e176d",
+ "sha256": "8e261fd99ec8e3455388206109e90213fa0b5ebbcbdfc02b64bfa47746b86c16",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "83f572dcc38a77f73655b953ffcf03ce0b0b5d017a8528b7163012096212f4f7",
+ "sha256": "5e0e2e0eaa91c13f7ba154969ad792a7747c7a6c7ba3ea9093aaaf1d4d0ded69",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "c9482bfa-a553-4226-8ea2-4959bd4f7923": {
 "rule_name": "Potential Masquerading as Communication Apps",
@@ -12221,6 +12390,13 @@
 "type": "query",
 "version": 412
 },
+ "cca64114-fb8b-11ef-86e2-f661ea17fbce": {
+ "min_stack_version": "8.13",
+ "rule_name": "Azure Entra ID Password Spraying (Non-Interactive SFA)",
+ "sha256": "6c701e58e1612d0491da0b3b77e57b49ef3688848d3a1110cfa3ed6f1210f903",
+ "type": "esql",
+ "version": 1
+ },
 "ccc55af4-9882-4c67-87b4-449a7ae8079c": {
 "rule_name": "Potential Process Herpaderping Attempt",
 "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
@@ -12381,22 +12557,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "d6cd204299d4a7613c0652ab78b54b1b97f5c11b4f208fb0b5fb05d0f142656f",
+ "sha256": "0d3af72ea1eb174dd4aa290ec7c8e3e240acb51358169eb0529e77b099a7dfca",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "abd7f59b6a23d28908dddaf17edaa914939c9587f387ef557ca5faaff341abd2",
+ "sha256": "3b3aadecba256b51549529cae3290f4a09328fef1f5fabd621ec318d51a049ce",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "90451475ce48d53de51f8ef8c31ab01801580c163221def965e9ed6c9b7d3b3b",
+ "sha256": "d60cc4622721041fc7781551bd3d381428fc01276aa7e8a1055f90a75d27b878",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "rule_name": "Cobalt Strike Command and Control Beacon",
@@ -12428,22 +12604,22 @@
 "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Execution from Unusual Directory - Command Line",
- "sha256": "8db9e44ecf31d95be5241f20bf1dda7fee037f97daf672d1c60aa48ed16fa84a",
+ "sha256": "4f9cf9d0307112c1578c481ffc975559438e8151e1dfaf9597d21d7a66cea7fa",
 "type": "eql",
- "version": 115
+ "version": 116
 },
 "8.13": {
 "max_allowable_version": 313,
 "rule_name": "Execution from Unusual Directory - Command Line",
- "sha256": "a54a9feef37567feb968c9bb2bbd6e0343c7c1a2371538b9d448e491e4870ce4",
+ "sha256": "b124bcc3b121f9136501c7d4ce5d1419c47a828e64480ae750e0906b25489af2",
 "type": "eql",
- "version": 215
+ "version": 216
 }
 },
 "rule_name": "Execution from Unusual Directory - Command Line",
- "sha256": "627a9ee7b45a19df7b70233781fb7c76b129346cdb7286aeed83bdc9c87a7da6",
+ "sha256": "cb9333ce51666fab48bb330cb9fac7bda9376ec73b3a039aae1a81ad7a112a43",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "cffbaf47-9391-4e09-a83c-1f27d7474826": {
 "rule_name": "Archive File with Unusual Extension",
@@ -12468,10 +12644,10 @@
 "version": 111
 },
 "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
- "rule_name": "AWS Credentials Searched For Inside A Container",
- "sha256": "b3f0dfc6f24cc6c2787d62f56817932713a1a3feddb8a231273e9a0e3c66a88f",
+ "rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
+ "sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "d0e159cf-73e9-40d1-a9ed-077e3158a855": {
 "min_stack_version": "8.14",
@@ -12502,22 +12678,22 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
+ "sha256": "29b901e2e2a500cc3e5930938d94b49c5b7f44fe6564aadc087f290832d6d74a",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "37145c723b473d65d0bb500dc4e602e9be53c701bebccba958554a5992032cba",
+ "sha256": "ee54b6b3c0af6cbb6be3c7dd4c8f04d47eb50a579955817390e77e0cbc7eadd9",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "3034865be9da254728b4d1468ec5c2ffa3dfc305f180a77e47c5b69a916508fa",
+ "sha256": "8993357af0c7f71ea5a6211f75cf96089c4c9ec88913377fe9c9baf72aaf6e4f",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
 "rule_name": "Expired or Revoked Driver Loaded",
@@ -12578,22 +12754,22 @@
 "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548",
+ "sha256": "43df104be9f108fd08b8d71599f09bd2a9e4f98e5df1e6d8b0c41786bf127629",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 313,
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "6d45b9b9acf8b31cca0f0c7d70ffd9e42c69b4f9ddbc0db1fa912fc154bf735a",
+ "sha256": "a10ce3920c7f51ff84dd06f0d4c83d000d591660132213cb6aa19fca1059919c",
 "type": "eql",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "10c1f03793fcb8bad9555616905d87289a0f11c3a96622a566e66223f9df88a3",
+ "sha256": "400229c7fa25221d2fd2db218ffe282f8d4d597d85d9cf9cf783ce03e28a1159",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
 "min_stack_version": "8.14",
@@ -12601,15 +12777,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Remote Windows Service Installed",
- "sha256": "aa6cdcf93a49ab5e86235d0f4bef6b42dd410c7af99275ef526c0d215b127609",
+ "sha256": "1f3ebacad2b755fcdf9e30e67395eb3ae6c0947abedc632542b5b4eb17039d93",
 "type": "eql",
- "version": 8
+ "version": 9
 }
 },
 "rule_name": "Remote Windows Service Installed",
- "sha256": "ca8463464ebf568c419e1064f2ee75dca25cfbe1117c40f7af9a92a48acc6ac3",
+ "sha256": "295c3ce74dc2067ec71ab0fff5dac7193d4fd70509c1e5281c190b6af90aefd1",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "d3551433-782f-4e22-bbea-c816af2d41c6": {
 "min_stack_version": "8.14",
@@ -12617,15 +12793,15 @@
 "8.12": {
 "max_allowable_version": 103,
 "rule_name": "WMI WBEMTEST Utility Execution",
- "sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
+ "sha256": "5a91c133bc777a7e2499b024f42ebe1be6983609c8f38e00a4d81924dc72acc8",
 "type": "eql",
- "version": 4
+ "version": 5
 }
 },
 "rule_name": "WMI WBEMTEST Utility Execution",
- "sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50",
+ "sha256": "aa88ac4bf872c3c3928d2121657a6b88338d937fe1a3813231c8f20a5cf966c3",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "rule_name": "Shell Execution via Apple Scripting",
@@ -12800,15 +12976,15 @@
 "8.12": {
 "max_allowable_version": 113,
 "rule_name": "System Information Discovery via Windows Command Shell",
- "sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
+ "sha256": "272699ab944dda3fb2374c7f0cba8b4585ace10fee2a21b12b9c6215519c3c29",
 "type": "eql",
- "version": 14
+ "version": 15
 }
 },
 "rule_name": "System Information Discovery via Windows Command Shell",
- "sha256": "2a52d9f39f0bdb9a5b2e617864be31ade499082777e54548585639125a49dc8e",
+ "sha256": "a8b94f958358ecb558c04272526096c255c70adfcfc23e85dc392fb9523b761a",
 "type": "eql",
- "version": 115
+ "version": 116
 },
 "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
 "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
@@ -12838,22 +13014,22 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Command Execution via SolarWinds Process",
- "sha256": "eee49e97f8be4dd945fdd081627a3fa84151189394053407c767cc654b03f61a",
+ "sha256": "cc15c76a2369027ba3e6633b87d7a3839f5365946de2dcfe4ec1b82a982e4641",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Command Execution via SolarWinds Process",
- "sha256": "636a5aa15d3dee30f441ac50911f29d0c8a99035e4b8d1e57294c5957baf6b73",
+ "sha256": "2a7761657cfa115b0d73fce0563817e7b4a07b1c776039e0570d60c26f45b79c",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Command Execution via SolarWinds Process",
- "sha256": "77f519e1c25064d73042352df755adbf55aaa3901bd4c338ef309863f9b8dbd2",
+ "sha256": "9f589cbf31fdc71f8e4c57f7cd8dc4956c30179ae4df20fba67d41e87e071ada",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
@@ -12899,6 +13075,12 @@
 "type": "eql",
 "version": 212
 },
+ "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
+ "rule_name": "Python Site or User Customize File Creation",
+ "sha256": "62541c951385c527fe469fdbc9ae9791a101d3286ff2a6b2524ee63951e31599",
+ "type": "eql",
+ "version": 1
+ },
 "d79c4b2a-6134-4edd-86e6-564a92a933f9": {
 "rule_name": "Azure Blob Permissions Modification",
 "sha256": "b6f7d9e1c6d3053f849ee87cdd0567aa3e046fbf9c1400a060021426261838d2",
@@ -12935,22 +13117,22 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "NTDS Dump via Wbadmin",
- "sha256": "a3662b99a5aeaba17b20017e4f74a5a700018221aa4f539eae6586749aef123b",
+ "sha256": "0ec890060837395012ad0a162820039feccc988f8395fc1078f45daf4bc7abb3",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "8.13": {
 "max_allowable_version": 201,
 "rule_name": "NTDS Dump via Wbadmin",
- "sha256": "6d5f2be14d23c96aec4e7d179a2f0102cb02ce3f198dc30016b6ea842a71fdb1",
+ "sha256": "021063dbb016001657028d480f2e2a48e6eaf2e544441b2ea8dd23cd9fe1deb7",
 "type": "eql",
- "version": 103
+ "version": 104
 }
 },
 "rule_name": "NTDS Dump via Wbadmin",
- "sha256": "432106a3b18e6a6c3983f2db37cc0d7c3d3a12ef2622c48805e23e67fc76576d",
+ "sha256": "2d9145c7d1b3795172c0ec1ad4721ccc4055fe6b14d51880f6dd59c2e1498e5d",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "min_stack_version": "8.14",
@@ -12958,22 +13140,22 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
- "sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738",
+ "sha256": "9b8ad5964185c38f5bff7a86e3f4cef521ba3f743dafbe475f84111b6c97c473",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
- "sha256": "b0c3e97ff9361dd6edacb9ed48e4b541387b984a265fa98d119adee51577458d",
+ "sha256": "88280b0f1705bc61a7d02fd3670dfb3d6b3364732637b21cf99e9543d1a98e05",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
- "sha256": "21e3bb58844ec1cf781a8dc4fabc5dd00365515d481779308fbe721a11082c50",
+ "sha256": "1574ae43ff903032be7747f88500fcab7396be626f95da26921145560ab5d488",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
 "min_stack_version": "8.14",
@@ -12981,22 +13163,22 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious Windows Command Shell Arguments",
- "sha256": "f33fa3c2f6e59b87d777b60c36ca2f7b49b83e7d55fd70bda7b51c5164f2e484",
+ "sha256": "fbe7d02b10b540aff7b825dc36b8716bf16c7de4668ecbad5001a3239c6c5166",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "Suspicious Windows Command Shell Arguments",
- "sha256": "6992b10f898c3dd9c58648107a909375f088a7cbe752dfa3e89ad95f36d12be6",
+ "sha256": "8fd732f25e901ace558a167c84fa62b658c0f38ab260059e37ffdb4d690fb45f",
 "type": "eql",
- "version": 102
+ "version": 103
 }
 },
 "rule_name": "Suspicious Windows Command Shell Arguments",
- "sha256": "091d2119d9f9bd8b91745b62a2dcab088dd2631acb0cbf1eb5b855fa829ef778",
+ "sha256": "bb3b92db48376983d30d61f54bdabb41250c33883d13ac5920d416e91b08a827",
 "type": "eql",
- "version": 202
+ "version": 203
 },
 "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
 "min_stack_version": "8.14",
@@ -13033,15 +13215,15 @@
 "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Suspicious Service was Installed in the System",
- "sha256": "0d596807e4224d804bdfe2e04ba7a55241ebcd35ec0c8329585b908e6a811d4c",
+ "sha256": "9a42aaff1236e24c34e84e08efd9a7e42009c0c63b347d4fe373822df560b886",
 "type": "eql",
- "version": 11
+ "version": 12
 }
 },
 "rule_name": "Suspicious Service was Installed in the System",
- "sha256": "8c5a1b27f6a02621b57dc23c369f980d79cbceb34f18024d02dcf75ca46ae963",
+ "sha256": "b047f4e0b3115a5cae6311130cf82c3c278d25ed4dd930e2f697a0d9d9e7f0d0",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
 "rule_name": "Linux Restricted Shell Breakout via the gcc command",
@@ -13055,15 +13237,15 @@
 "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Potential Pass-the-Hash (PtH) Attempt",
- "sha256": "6e675455e0691aa059267316b5c588a3be00378d5ffc8f0d62d327ea9cf9bf9b",
+ "sha256": "6d19402e85f66e45583b1eeb0c1b22e5641e069db1d10342a0bde8f44b0fae5d",
 "type": "new_terms",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Potential Pass-the-Hash (PtH) Attempt",
- "sha256": "e40d42488b5d12045dd32b4d104b2128f4032fc3e2a66c9578576d8f75e093b3",
+ "sha256": "7e22a1c442db7cad59d546607a489f1c7050f79fd38503b21f27303ba5241f7e",
 "type": "new_terms",
- "version": 107
+ "version": 108
 },
 "dafa3235-76dc-40e2-9f71-1773b96d24cf": {
 "rule_name": "Multi-Factor Authentication Disabled for an Azure User",
@@ -13100,22 +13282,22 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Execution via Windows Subsystem for Linux",
- "sha256": "1ec2b5f008f9e9bead822c864926d9183431f584d472eb22e8ff3ce2939b9c8c",
+ "sha256": "9aadc22b5ec9cea06ee0b9088f5ccbd36a3306d609eac169139751b082504d50",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "8.13": {
 "max_allowable_version": 206,
 "rule_name": "Execution via Windows Subsystem for Linux",
- "sha256": "daf311a52ba5b293679091a760f4b56a52f62f96e0ab510ea01cd988baa19167",
+ "sha256": "a02c1d8fea25864162d20fe9d56a7b95c9cb558593d39dd4b0dbe5718022ac55",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Execution via Windows Subsystem for Linux",
- "sha256": "20558f6e7908c8dea171a7635ec499e0ebeccbe62d14d7f06850636afc8283f6",
+ "sha256": "029980f0576e49caacd25ad0de41f0b2408bc96f253c336d6cec15df9a3314ce",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "rule_name": "Credential Dumping - Prevented - Elastic Endgame",
@@ -13190,22 +13372,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
+ "sha256": "976ac05caaa7708302cfafccd5edd0af529b333c3550b12e398506b43b82e625",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db",
+ "sha256": "11d89db06537fb1ca446cbef23180ba0070a9636b860a6494c0c9fb2bb8dcbab",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "6c79aab936e1fe25141e3e984b8d2113e9aa91ff99605c1bfd90084361126379",
+ "sha256": "d4fcd570b5466abc21101a20f25749dd7c2c72e8392e316c2f2f7841c0b635b4",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
@@ -13219,22 +13401,22 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Suspicious Execution from INET Cache",
- "sha256": "6aecf0b6e2c4fdfeae54ec1cfaa51070bd371c150206b98a27cf2be01bbad3a0",
+ "sha256": "40d55e7663cb9633996f2dd6c03729438145e69e0239b0e638f5ee1a40d4281d",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "8.13": {
 "max_allowable_version": 202,
 "rule_name": "Suspicious Execution from INET Cache",
- "sha256": "e97febd5beb392ed445ad0e67d7a284e6d6588dd93baad573301b7714cff4c46",
+ "sha256": "35fcbc09ebaeca1f271a2a19eea3012efb1af8eae8ba0f4a9c6736dcfbe5d7e4",
 "type": "eql",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "Suspicious Execution from INET Cache",
- "sha256": "ab1e64f0d5a84e58ddf9a0fdbe54ccd23b6eeda4909f99483374237a1c2c74c1",
+ "sha256": "6a5c4edf3847efdf6dd62e8a6de3c4eb4741877eac727dd8af8aa473666167c2",
 "type": "eql",
- "version": 205
+ "version": 206
 },
 "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
 "min_stack_version": "8.14",
@@ -13242,22 +13424,22 @@
 "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Attempt to Install Kali Linux via WSL",
- "sha256": "8475f6c6b1206c9fd3c5085bb9b4677b0b6e931699d1763068961d84d8aa46a6",
+ "sha256": "26b7b9e5fd76bd0fa239139c7322893447787d8462f784bd120a62794e64b358",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "8.13": {
 "max_allowable_version": 207,
 "rule_name": "Attempt to Install Kali Linux via WSL",
- "sha256": "c4104efeb172e0634cf59ac025d803d9d3171803756060c76e6bf8cfd3d88a90",
+ "sha256": "0d40357f250d05884f10feb5097cb69fa88c7a4549156688aa38a58a2e133b86",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "Attempt to Install Kali Linux via WSL",
- "sha256": "795b6a57e976d8a06dd804326ac7ea4f673753436de7405e506a7a6ea8d8974a",
+ "sha256": "40b3e43ae452b8ba4364d1c4d0c6b7a79485a65182d891ec986426cc31129bd4",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "dd52d45a-4602-4195-9018-ebe0f219c273": {
 "rule_name": "Network Connections Initiated Through XDG Autostart Entry",
@@ -13271,6 +13453,13 @@
 "type": "eql",
 "version": 6
 },
+ "dd983e79-22e8-44d1-9173-d57dba514cac": {
+ "min_stack_version": "8.13",
+ "rule_name": "Docker Socket Enumeration",
+ "sha256": "542d6fce1df6a18b8cd0f22e854d01e313ac186fa85f51d79f48e57ab1fb5682",
+ "type": "eql",
+ "version": 1
+ },
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "min_stack_version": "8.14",
 "previous": {
@@ -13307,22 +13496,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "dc59f461ee6eaded59582a8d9d1665d294369cbd7cefb74b93fc69c65b3626e3",
+ "sha256": "d8c2c36ac62b1821bf4164411d30ffcb97ae6b3ec8b2736dffe412305fa71633",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "d48e91e2df3b46dddd47dc1f8381eccd2d4ea3654875665feb8871b7f7df2498",
+ "sha256": "f9398ff0b3917ee5a9e279f22d4c8ac753ec5cc7c514744cf5c102a23ce5e265",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "0e4c1d925e33511a5ca1c1b97c6b325baac1871f6c4426d17058007044aadf6f",
+ "sha256": "8a6ba13f0dda67fe805dbee6d884a1189538027f029d6401919c7a92c9ed24ab",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "min_stack_version": "8.13",
@@ -13450,15 +13639,15 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "KRBTGT Delegation Backdoor",
- "sha256": "d66a68b32ae569978a6ef6580b94f0b86b0f34b30ebec5e7173db7138003bce5",
+ "sha256": "be3e036bd85d0139f9025316971ebdafff2b115de3d7e46ecf4a12fc2b17fb34",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "KRBTGT Delegation Backdoor",
- "sha256": "93383cc44307548a071047b61fc0df04c3b9f6b286e64e7f6d26fcc4f6e1b84c",
+ "sha256": "cabb2f1ee545a8afab4bdfae8d8fbb983de8802e1eaec837f32286aad16a00e2",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "e0881d20-54ac-457f-8733-fe0bc5d44c55": {
 "min_stack_version": "8.14",
@@ -13466,15 +13655,15 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "System Service Discovery through built-in Windows Utilities",
- "sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
+ "sha256": "71df05db291794ae655d563c9f6cc812bb3c8ebd1f3b076fb3103cc1a9af152b",
 "type": "eql",
- "version": 9
+ "version": 10
 }
 },
 "rule_name": "System Service Discovery through built-in Windows Utilities",
- "sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275",
+ "sha256": "edb551d4e6634b6ecd115cc56d888b82abb68d7b87cc04db6f15ca884e5b3c91",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
 "min_stack_version": "8.15",
@@ -13629,22 +13818,22 @@
 "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
- "sha256": "8d70b76836720ce1d1bfc90c83ef511c63192ceba13afe89de6d4bd71db8d10c",
+ "sha256": "59e0f66055f6ca2de75fc83f80895d38b0544cb232a27c17b5ad274d18842db7",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "8.13": {
 "max_allowable_version": 207,
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
- "sha256": "8c937a63efdd09c306a4b062fb0111216523fadb6b29f8ddd000fc831dffb3a3",
+ "sha256": "d5de70a49caf18d246524ba6fa7ffeb2b6243da158fd0f838868f41a72f368d0",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
- "sha256": "16d97ecf035e7b51f4cd64bf55a659d5b15dd93323fc78280d023922c5e1d00a",
+ "sha256": "a3074187de9cbb825e91c16b2cf56280f48b19fbb58b6e294f6e007a3ebe7b47",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
 "min_stack_version": "8.14",
@@ -13690,22 +13879,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "c66a168ed3b1aa0efc9fd8a2c7f723b9b814fd5d0c3d2b6f04b437cf128a89ff",
+ "sha256": "820ccc16d8a4a8f7fc46cc17069ec359a736b3d3803d156ed511f05a771b7416",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "076f262b0c9c62805bd7d969fc2bc5a6e3ae9dcbfa5c30cc922041a3087b7a7f",
+ "sha256": "a8cf4ae254ee226a844438801018251c0ed156dc36375ea7377e33b67efc830d",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "77d77852881da5c7de3250605cbf8440cfb6dae48e1b9b767e4aad194d02688d",
+ "sha256": "02f5e8471f2ec0c5b618a104a190faf75c17cbac5c9d84ac619dd6dbc1ceaee5",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "e3c27562-709a-42bd-82f2-3ed926cced19": {
 "rule_name": "AWS Route53 private hosted zone associated with a VPC",
@@ -13757,15 +13946,15 @@
 "8.12": {
 "max_allowable_version": 104,
 "rule_name": "First Time Seen NewCredentials Logon Process",
- "sha256": "15409282fc22300e62bdd9cfa9c3699264d000fb84da5ff6405ad81aaa842305",
+ "sha256": "9041b77e8259e34d407916d77afca09bc12083780a68fa76b3ab0f545ec0a85b",
 "type": "new_terms",
- "version": 6
+ "version": 7
 }
 },
 "rule_name": "First Time Seen NewCredentials Logon Process",
- "sha256": "e2d4147e9b55b1a927716d2a92ff1672ed2857f83721c419e597fac90cda2559",
+ "sha256": "7f8cbe7c809f5f6439380cc95e39d43499010dcce8d9d9e5c86366cd832ca302",
 "type": "new_terms",
- "version": 106
+ "version": 107
 },
 "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
 "min_stack_version": "8.15",
@@ -13796,15 +13985,15 @@
 "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Service Creation via Local Kerberos Authentication",
- "sha256": "efce8f9ccb0652297ffed54f6d3ccb3c621da9704c8b1a147357fe1b2dec9780",
+ "sha256": "5c7d57bc4534a2a0e0954dc8aac857d465f5fe162da03efd1c900a9ac9680bcf",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Service Creation via Local Kerberos Authentication",
- "sha256": "beac001dcd5095010c452fd5a86f0733003a76aa6c8e8f3de2c8d7abef8fa9e1",
+ "sha256": "a46f14f105c573fc3663af37227e949ac9d8ff5771cfe823163a5b5a839f60ba",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "e514d8cd-ed15-4011-84e2-d15147e059f1": {
 "min_stack_version": "8.14",
@@ -13812,15 +14001,15 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Kerberos Pre-authentication Disabled for User",
- "sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
+ "sha256": "e4f8a8d92eb2a30728e395c24a0e1fefe6b75222d110fcf1b87cd80b2dccc30a",
 "type": "query",
- "version": 113
+ "version": 114
 }
 },
 "rule_name": "Kerberos Pre-authentication Disabled for User",
- "sha256": "4f3219372b857ac80a9bfa981a981b8fca89e436d209e90b51d436bb7e8becbe",
+ "sha256": "f7c403156a8b86200d6bd124b68887764d5362fc6b53b8468bccd221b4d9fe55",
 "type": "eql",
- "version": 214
+ "version": 215
 },
 "e555105c-ba6d-481f-82bb-9b633e7b4827": {
 "rule_name": "MFA Disabled for Google Workspace Organization",
@@ -13995,15 +14184,15 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Service Control Spawned via Script Interpreter",
- "sha256": "32055c8d4af293ff9a8be66666fca76693403db6496116430450aab41050d035",
+ "sha256": "e9a897b3d6e54d43b0c0b67f4ddcda48e4a01a450374c5953fbfc9e6a13c0568",
 "type": "eql",
- "version": 113
+ "version": 114
 }
 },
 "rule_name": "Service Control Spawned via Script Interpreter",
- "sha256": "90408a5fd78cdaf27de15d201a1c9a85a6ef0ded0315d91be4d71a8ad7f8ac51",
+ "sha256": "88531315d5644d775abd814a7f79203b41a18642843ce25dbd7516e740d6ed2a",
 "type": "eql",
- "version": 214
+ "version": 215
 },
 "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
 "min_stack_version": "8.14",
@@ -14274,22 +14463,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f",
+ "sha256": "3195012ac10b6acb9ebb4755275fdac561d8f506d8cef35b17fd47c2ab509787",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "efe3336c2caa03ca5f2f4c180030a6988719173b020f4ef0b6328548942e1cc0",
+ "sha256": "ab59351227fd6484a4b159f3a14973dda7045b27ac198fe102586b190e574639",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "IIS HTTP Logging Disabled",
- "sha256": "93b513e8ce449023833b25afd4c092d6d39708e07c92d3169dd2fe80a10617d7",
+ "sha256": "1a2121317ae7d1b300b92ea3307889c9851bd10a65e714b8f37ba6fbf52f179f",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "min_stack_version": "8.14",
@@ -14297,28 +14486,28 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "59220b274ab98c211eafbd5205e41e943cadddbebe78776bd28a88a2b38d017b",
+ "sha256": "076b7a80f89f6a6f1a3081a38ce953a5acf2175da6922f04cbe0f6d6a55b0356",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "dae2d05e8c9a23744a3d55ec56c1540501141276c8789e74c7e1aa33e787721d",
+ "sha256": "86c59576f4ae4cad721a7fd636edf4192fd6dac90a899e71bc8c3d9ebb79154b",
 "type": "eql",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "76b8d3439003b72e5e932ff9c74478b5688253f8092575aea6c69d58e043bcc5",
+ "sha256": "789d46c9447286758f21fbcf2f6f2d2c30de369ac38a78bbbd0d8a8518e422aa",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "ec604672-bed9-43e1-8871-cf591c052550": {
- "rule_name": "File Made Executable via Chmod Inside A Container",
- "sha256": "c4678239b073c9e1c28fd96f625436ef8f93ab27e0b80d9d2da6d39d0ced459d",
+ "rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
+ "sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
 "rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
@@ -14344,6 +14533,12 @@
 "type": "query",
 "version": 207
 },
+ "ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
+ "rule_name": "Unusual Remote File Creation",
+ "sha256": "25b7a11580eaa10f455ac93b195afb23108822c1ca8665f2f28fd2816ef1edf6",
+ "type": "new_terms",
+ "version": 1
+ },
 "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
 "rule_name": "Azure Global Administrator Role Addition to PIM User",
 "sha256": "31edfa8b99be2305a6bb1447799c69cf2f60e5a834ce4b064a4b4665bea80dd1",
@@ -14356,22 +14551,22 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "AdFind Command Activity",
- "sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1",
+ "sha256": "d60af1f28f9f81685a9aa0c7a36a0cb1c35ba51859da6d4ebddbc8bb02ac9907",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "AdFind Command Activity",
- "sha256": "39ddeac69ba7e957dbde30dd6afb1b62daefa13143c99fcc1c9131251c2da3f1",
+ "sha256": "48f50e30ab0904b32f28ab124297e93c7d20c9f3b7601a91abe9ee1f4e5fcb08",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "AdFind Command Activity",
- "sha256": "666a39201e6cd023560381806ba6b8b178ce2bc7596b8084f46b63bec57859a2",
+ "sha256": "b05a29a436ac542b88bb1e6c8d05c378015f4988803a39a6e5f4c0be47607513",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
 "min_stack_version": "8.15",
@@ -14402,22 +14597,22 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
- "sha256": "495c9c3c998abfebae7ebc1d58f5d3fbf791ad4eaf2718e83c11d65598b43fe3",
+ "sha256": "58dd0e1e34abe8443249ad67198996b183471f4fc2f883d57058fd29a584325c",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
- "sha256": "3b0ac08f7d0c601b06e44b9edb38650af8ddbdc85f786151f275fa96f595fe72",
+ "sha256": "8cd9d18fd66c29f88fb14bbae4dfefffb29f97c2bf89c097c6f6cf10e24125b0",
 "type": "eql",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
- "sha256": "9a796bd4864dce9764f4ff2cbf3bd4ccb3217521e23209f69c4e18ecf9ad41d1",
+ "sha256": "36fe3eb7700258bcd9214dcd215ae71c9a1def542f197f5e822450a297d327b9",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
 "rule_name": "Linux User Account Creation",
@@ -14454,15 +14649,15 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Unusual Print Spooler Child Process",
- "sha256": "0c4cf82321253f33a4bf12dfa7306b7c39b7082304cab83766ef69126f83169e",
+ "sha256": "5bc2e722e6fb7b61ce923befd4ce4b3a3d8fdacf1290dba7ec5ea911760c53e8",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "Unusual Print Spooler Child Process",
- "sha256": "83d9b00ad3282d46a266bd3524f468f382c3f23737c05e7e9196acf838551cdf",
+ "sha256": "e9bd712f3f743bd51f11e419a9ab89603ed0cf358d4fc912e877907e172a2080",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
 "rule_name": "Shortcut File Written or Modified on Startup Folder",
@@ -14515,10 +14710,10 @@
 "version": 109
 },
 "ef65e82c-d8b4-4895-9824-5f6bc6166804": {
- "rule_name": "Potential Container Escape via Modified notify_on_release File",
- "sha256": "f08d245a0e30752adf439c2153063782f96520a044e2dda10798503db0580fcd",
+ "rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
+ "sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "ef862985-3f13-4262-a686-5f357bbb9bc2": {
 "min_stack_version": "8.14",
@@ -14526,15 +14721,15 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Whoami Process Activity",
- "sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508",
+ "sha256": "b020b8f8487dff043ed4f8e013dc6aee3af6d55ecfbd53cb47b9537f140e9427",
 "type": "eql",
- "version": 113
+ "version": 114
 }
 },
 "rule_name": "Whoami Process Activity",
- "sha256": "214f8fb47c57ac54428d1979e50f4e691ccd265637670689bfab291afa11f712",
+ "sha256": "311d843fda11fcbf852fdb41fc87dd280481e8bd3d0b7319527aba5059fe4954",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "ef8cc01c-fc49-4954-a175-98569c646740": {
 "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
@@ -14755,9 +14950,9 @@
 },
 "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
 "rule_name": "Google Workspace Object Copied to External Drive with App Consent",
- "sha256": "3ac6f85158571e7ae9821f8407cf1039e071354f5ae798cd907c077d71b4ef58",
+ "sha256": "68842c4cfacadb832e1f45c3c1a25ccad99d8f7ce2309f64689ad93997eb9216",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "f3403393-1fd9-4686-8f6e-596c58bc00b4": {
 "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
@@ -14777,9 +14972,9 @@
 }
 },
 "rule_name": "WMI Incoming Lateral Movement",
- "sha256": "3ec45777f4c943a7de5082d971bee5996e5cf726ae6f42fc987b77c52f13bf8a",
+ "sha256": "0362f87f30104a3705ec25a5424fbfe8a39cde9dc0337cda33dfc8426b0522bb",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
 "rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
@@ -14793,6 +14988,12 @@
 "type": "eql",
 "version": 5
 },
+ "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
+ "rule_name": "Kill Command Execution",
+ "sha256": "9d6d2a6025d89d9936130285a084379d1d31b9e3568db970acc29d05c1c6a7fb",
+ "type": "new_terms",
+ "version": 1
+ },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "rule_name": "Threat Intel URL Indicator Match",
 "sha256": "d523f9e7b0b0a672bde61148eda10896934ae0f610892a879adf5a29cd789057",
@@ -14802,9 +15003,9 @@
 "f401a0e3-5eeb-4591-969a-f435488e7d12": {
 "min_stack_version": "8.14",
 "rule_name": "Remote Desktop File Opened from Suspicious Path",
- "sha256": "903fd6d4ce8c22d0a4ed7c11940e77eca417f1bc8b231482bebb4e46f6aad27d",
+ "sha256": "ee6f8d0f53cd74d79393a04a0a83fb95d10b020160092e227b0db1f484289f16",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "f41296b4-9975-44d6-9486-514c6f635b2d": {
 "rule_name": "Potential curl CVE-2023-38545 Exploitation",
@@ -14847,15 +15048,15 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
- "sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
+ "sha256": "9c9490d04847aa87bb7ecf37a56631b96d3e56c1a3fb00b8c6b2fc5739161f46",
 "type": "query",
- "version": 113
+ "version": 114
 }
 },
 "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
- "sha256": "98da37735724187372bf1f311df3eb82e1dcc9d8792eb8c6faa5d20cd518c69d",
+ "sha256": "bec893fc82f770985073646d905e8d123ff1994906b7c611522639f92f1361cb",
 "type": "query",
- "version": 214
+ "version": 215
 },
 "f4b857b3-faef-430d-b420-90be48647f00": {
 "min_stack_version": "8.13",
@@ -14913,10 +15114,10 @@
 "version": 312
 },
 "f5488ac1-099e-4008-a6cb-fb638a0f0828": {
- "rule_name": "SSH Connection Established Inside A Running Container",
- "sha256": "9d8c510e4b95da8e5072e5d93be80f049c9f4ed253d40845f7ac67920ddf4158",
+ "rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
+ "sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
 "min_stack_version": "8.14",
@@ -14947,15 +15148,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "WRITEDAC Access on Active Directory Object",
- "sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
+ "sha256": "7985f5aefba2ea64d65352cb9a8eafeb6764e30498ccb6d629242be6c5b979ab",
 "type": "query",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "WRITEDAC Access on Active Directory Object",
- "sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da",
+ "sha256": "f743162d208f76da7f2a978f2cb537ce0f8849dfe5a42af3ab46246b6bd8371b",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "f59668de-caa0-4b84-94c1-3a1549e1e798": {
 "min_stack_version": "8.14",
@@ -14963,15 +15164,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "WMIC Remote Command",
- "sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
+ "sha256": "03ff2581fa827afb289f1ed2f6e5aaa30032940c26bdf3b8d440b729539d3e53",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "WMIC Remote Command",
- "sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189",
+ "sha256": "733c3aee481bf3891f180a572bda3b7c68d7c19d1d7a3989c0def03ae9fe0933",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "f5c005d3-4e17-48b0-9cd7-444d48857f97": {
 "min_stack_version": "8.13",
@@ -15030,15 +15231,15 @@
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "b83dd05aaef86c18fe47f7a8bdc6132a6c0d868069edcc7801fff9dcd7d10428",
+ "sha256": "62eb84c5f2680cf2953c3a642bb4371ea70e676be5e9e9ac2dcf237f4040cb81",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Windows Firewall Disabled via PowerShell",
- "sha256": "94e0a975da6a20b8e5a7088399f5da7561593424d1eb70d66d5a542963808c79",
+ "sha256": "af1f6d2bf1fa3cfb4d9c71f51f507b819781648a109443ee036b66be24aca5b9",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
 "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
@@ -15052,22 +15253,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503",
+ "sha256": "4b55ce8144feb04c19f2449fa5a4c724ce26861e85a8ff9d63ba91fc24c90ae9",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "d3bf5930d646553b64fceb3142ba60e854e52fe3478bad4d52ce0a606395d9ee",
+ "sha256": "37d393c66c6a0a664ed5d4ec5f5497345d8fdbec26f4247d4528d04510eaac3e",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Delete Volume USN Journal with Fsutil",
- "sha256": "81b4cea2ac276f83aaf465ba9217bfeea8d6f63be702f6088801a22b09cb7b77",
+ "sha256": "605f5f70bc621228a60d3f975abc644f00df34913b0b363cc8cec5d226e082c1",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "f683dcdf-a018-4801-b066-193d4ae6c8e5": {
 "rule_name": "SoftwareUpdate Preferences Modification",
@@ -15100,10 +15301,10 @@
 "version": 209
 },
 "f7769104-e8f9-4931-94a2-68fc04eadec3": {
- "rule_name": "SSH Authorized Keys File Modified Inside a Container",
- "sha256": "dbb02018892869ad01ea50413f348fb8681007ab55495ec2669108a301956156",
+ "rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
+ "sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
 "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
@@ -15211,15 +15412,15 @@
 "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Potential Active Directory Replication Account Backdoor",
- "sha256": "de3cf59b7dd66998abe201a8eaf36dbba367e448780f8d30c428d89610b5c18f",
+ "sha256": "29c2ae7b2d50ee5ef2f2bcf97f7765c9e3fd3285a0a90abc25a099698c75201d",
 "type": "query",
- "version": 5
+ "version": 6
 }
 },
 "rule_name": "Potential Active Directory Replication Account Backdoor",
- "sha256": "bed1ed023c04637d3664efd5fbb73d3aa0cfea24257dfb18a925fea3d2cbef3f",
+ "sha256": "6ba1bf053fdf699e3aec2f40f34fc6e5a4213ec85fc037f203b85e7f7e59a4d9",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "f909075d-afc7-42d7-b399-600b94352fd9": {
 "min_stack_version": "8.14",
@@ -15294,15 +15495,15 @@
 "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Privileged Account Brute Force",
- "sha256": "a3e155da55738446b14a3519a8631b9d6a3f2a2420e7abea9743574cfa5a699f",
+ "sha256": "47b50b29f44c12811728607a941a9e0e41788b4bf9a46e739700c9b40261cd5f",
 "type": "eql",
- "version": 11
+ "version": 12
 }
 },
 "rule_name": "Privileged Account Brute Force",
- "sha256": "d609cef02e743a187baf0068f42fe95b28bef7bee1d26bb067e3d09188bf7281",
+ "sha256": "ed7080268b9fbed899ea78e7e762a2895ae5e18afed44aa1df3c997525874bf6",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
 "min_stack_version": "8.15",
@@ -15333,22 +15534,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "38cd36c0e10b5e71de73e548f13243d29e06b1bab2ca10c74ae875da1606664d",
+ "sha256": "51e2f2e64af9db1e8aff099e445cf685c9af9929b2a4dc5c5e041d2cd8d6caa9",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "2ec223a448f81f94a8f428864b7dc4f7b173fb01a997740f6f29143c0496219c",
+ "sha256": "3d4b0d2242c7cd5acdcd0a38384b7f696c1f8811eee13cbbad561ce3c97eb99d",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "4300b10c7504d0440412581634a019e1a6e58f0db412301ee1b20b04516532bf",
+ "sha256": "f44d655cddfab574bad8ba3b58410fce4204c988aae453914b18474b396ea244",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "fa210b61-b627-4e5e-86f4-17e8270656ab": {
 "rule_name": "Potential External Linux SSH Brute Force Detected",
@@ -15439,6 +15640,13 @@
 "type": "threshold",
 "version": 205
 },
+ "fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
+ "min_stack_version": "8.13",
+ "rule_name": "Azure OpenAI Insecure Output Handling",
+ "sha256": "5c688822ac431693ee2b4997dcf5f420f610ce923f4235bde962d0b0b5df90d7",
+ "type": "esql",
+ "version": 1
+ },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "rule_name": "Auditd Max Failed Login Attempts",
 "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
@@ -15536,22 +15744,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "fb02d9d052a80cb71ebc3d197b2737a8bb72f875dc6f26fcb777715dc8ea8007",
+ "sha256": "1ddee753094159e636e994613c0a04ccd3e560927f3709a93fe7d8eff775b79e",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "003cbead1025ca8c3bb1f33eddf4a98de00f555cb184077b194142cc838263b0",
+ "sha256": "09749f912d0f05abcfbd2cfc5517db716e29e39627f25bcfe727de8cf2455d62",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "8d5354802a1da8218bdca789c1118dd3c0e75072f015978e3ce65b239357204c",
+ "sha256": "ecad7f4f5f9d2d94f799155a9d4edf26afe515204c3d70ccf998bb5c38a05820",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.14",
@@ -15559,22 +15767,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "13dd1c7c1c9bea325d7f705da1527335b7e0e12d8f5e7d942ed99c6b9d1a7a5d",
+ "sha256": "379008bb580fbcb724bd44937e0f2111250767511073c4d6fe5bf58915e22fa7",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "2ab5b41ea028baf2c8143494762615137f2d9daec219a470c3ac43a8dc70d0d5",
+ "sha256": "0d6fb82afcda861a6b2d317f524c33af9bdc4bef870304c2dbb53d186692501c",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "9e178f0e88993fc08a6e3bf41eaf0502281774f9ebbfe9477e09a20b55e8fc8f",
+ "sha256": "b78d113de0bcc2d10346ef3dcedc2bb6f2425ad39eb45da5c6599ebf70360488",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.14",
@@ -15582,22 +15790,22 @@
 "8.12": {
 "max_allowable_version": 317,
 "rule_name": "Svchost spawning Cmd",
- "sha256": "fd2168d3b0db808329e092b89905660cf80f6a564f9e3218506dfba05e409c61",
+ "sha256": "a61a30ecc9514cb3b5eb1f9d31f97e104e4a51cffd65cbe67fad341835938bfe",
 "type": "new_terms",
- "version": 219
+ "version": 220
 },
 "8.13": {
 "max_allowable_version": 417,
 "rule_name": "Svchost spawning Cmd",
- "sha256": "89907452efa6d5a092c9819fec02d0a27a824e7e526e5a031f271cd0a9cce5be",
+ "sha256": "8b25fa755b63d74097491bf3d52c9edec8d0b5234cfdd6cb62e4f5ac32198bc4",
 "type": "new_terms",
- "version": 319
+ "version": 320
 }
 },
 "rule_name": "Svchost spawning Cmd",
- "sha256": "e648c831b55c6701ce80a615623526f8eb2024dd98dd5a6caaa49692191e85d8",
+ "sha256": "70083ab8bb26ab3862c4b0f8f287939374e513aa751728554cde9ac66f4f0565",
 "type": "new_terms",
- "version": 419
+ "version": 420
 },
 "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
 "rule_name": "Image Loaded with Invalid Signature",
@@ -15666,6 +15874,12 @@
 "type": "eql",
 "version": 314
 },
+ "fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
+ "rule_name": "Spike in host-based traffic",
+ "sha256": "baa59da5dcb208d63be6ca6420e0b62e2ca919aef3ddcb747743d03641a266e9",
+ "type": "machine_learning",
+ "version": 1
+ },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "rule_name": "Potential Masquerading as Business App Installer",
 "sha256": "6d71e2f5b064aa990886b9f8855595def2146202b93e657c62c021e3bc852c84",
diff --git a/pyproject.toml b/pyproject.toml
index bd0c8570f..fb398de18 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.21"
+version = "0.4.22"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"