Merge branch '7.9' into main

This commit is contained in:
brokensound77
2020-08-27 15:54:44 -08:00
76 changed files with 225 additions and 150 deletions
+150 -150
@@ -6,18 +6,18 @@
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "f68a9dce69186cf8572e292ecf08940d2147a15758ea95fdc2c7f088de2b90cf",
"version": 3
"sha256": "6d47bcc98a871cdd3e70fe35d093133b1c731a17ffb0c7ea03fd0d61fc00dc02",
"version": 4
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Potential DNS Tunneling via Iodine",
"sha256": "b5191f150c1ebb72435b3d9f7fa94f5899d19721c18e0bdaa29fd60fa8467bc7",
"version": 3
"sha256": "c17a009f2b1b2146fcda7e2375a6560d89536bca1d9fcc52ad5c444b4bcfc179",
"version": 4
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "d0be61c3e42cf4bde25d38756c9c22b8a22823b69d30a865812f5df76e36694f",
"version": 2
"sha256": "d88cc0ea7309e063e63b8241cc54e7e269ae1b33866dd3bf8f46c438d0d308d7",
"version": 3
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
@@ -41,28 +41,28 @@
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "c85589b020359d809d3f65951b4cee3cc7c10da104effeeaa2fc920eed8ff4a6",
"version": 3
"sha256": "182668d6e35a7cd6ee4f8c9d4c8254a38d117cae8f100783156fcb793fbe0fac",
"version": 4
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "11cb63b795999bdd1ea0eb1d4cbf5c6b8d86c4945a480136eeaa80f9161fd522",
"version": 3
"sha256": "fa80576323984a1cdbae7de84168b41ea9aa136a4d4eb5b1881c30927aa2d72e",
"version": 4
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "823211d2d9e7031bcc9ea0b8602b7e2dda7d6cf7b53dee522c071d8fd2a71d2a",
"version": 3
"sha256": "059dc81a07c9f3e03e8a0789bff2cb08a59001fdf8fe3a1cb0bcda6d3caa7bc1",
"version": 4
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "5b24e533677a2f73bf8b544ce6fbf607947458de6b8882958699b9598a3d4a60",
"version": 3
"sha256": "07e4c45585d14e41fadd1bb2f2d089924be88eeb447ed751d600b3ea06d118f2",
"version": 4
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "cbc8586826f96d5f656bee2ad503dd04e7969434458387de04f4064d8339fa9f",
"version": 2
"sha256": "59632e186f6b83ff142f1be24f88219a64b9eba91582c6d1151737be05565348",
"version": 3
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
@@ -121,13 +121,13 @@
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
"sha256": "74696927e06e5fe8c85631d79fbe1c3a4a6b4050e8a47bbe7c15189a0407a7fb",
"version": 3
"sha256": "402a5e361bf78100cbd475dfe6d13b574e07edaa4fd6515e9c6ad9b2cb741ec4",
"version": 4
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "7bb31e4849331d9eb2654a8dcc8e8f7e92932705a68217ddfeaf56def57a7e85",
"version": 2
"sha256": "2e57557c9b3fcb6208d6c61b61fa0c76f5155884ab6f0ee01c7ddd1527283d13",
"version": 3
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endpoint Security",
@@ -141,13 +141,13 @@
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "4bfbdc1a0d610ccb336a4816910e33f31ab91509561cfd36f9796e0a3ac975fc",
"version": 4
"sha256": "0ffb12553181b7aba190ba88d9e29ad6f0e6e41cb0b0c290dc111c8c5ebc463d",
"version": 5
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Net command via SYSTEM account",
"sha256": "ea63231f092eb92bb5af6281ae6a75d533362eff9969622f300b444469215456",
"version": 2
"sha256": "8b67949307e8e23b7ba787b251923997097cd417c90f07c137ff306f8ffeee58",
"version": 3
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endpoint Security",
@@ -156,23 +156,23 @@
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
"sha256": "05564512fe328ac4a4fcfffe78ae6a65ea0d787a48aceaf575edae53c7f95d0f",
"version": 3
"sha256": "10a5ff3172ab7265ac7e29a3d64a77992312238f2c35037d3a723bbd26644eac",
"version": 4
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "d599196e0f60c0f8dffb2d1fca21196e2c6ddf937531106b6bb8e633bfcc3333",
"version": 2
"sha256": "3a00bcfef88df687e9f60af981f5e45b7f1d7275c637bf6d346c9a8424ed4aa2",
"version": 3
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "c374f6e74954bf81a5cbbe653d457c42b7f23208449b56ac24281d0d6a1e91db",
"version": 2
"sha256": "a2a3c2eb4e76f3161927f2f3708a7831c0254f05598cf174afe04e173b9b726e",
"version": 3
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "92fb6101c53b13f0bf3405f410860ce804f3ba778e06f566431dcda90fe894ba",
"version": 2
"sha256": "d639e962c341c024aaf84dc2d15fb964b80d6ffeb33446bfc689972ac0e74896",
"version": 3
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
@@ -181,8 +181,8 @@
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "582776dd04e5cd8c0f07883b793d2cb8e663233686cd8261b144e394e5bc00b3",
"version": 3
"sha256": "20851dcbbe8b5b2d488ec89f42ae0a34d28ca793f91c59c9a746a071063e4fd5",
"version": 4
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
@@ -196,8 +196,8 @@
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "7ce5606939cea6e45c7659bde7b679c0c33a164a9cecae385eb2a89379b7bcde",
"version": 3
"sha256": "d6cfb4698aec1b5cf0d032dc63a045734b6d2f64f1512eed04ec2830dae5edc5",
"version": 4
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS Execution via System Manager",
@@ -211,8 +211,8 @@
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
"sha256": "9d456ed87d910cb6ebb86be154c58f80a7e4a011f8f55ddc2ff451f3efc23fe9",
"version": 2
"sha256": "2ddb1724d79b9606e5fa60cef5a8ea1b4f61ca4586693d6fa9c74083bbb86402",
"version": 3
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
@@ -221,8 +221,8 @@
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "10a09743e9baaae69190eabcc1d7f6fc61ff8da5e7ff5a79208b7b25f2c05473",
"version": 2
"sha256": "6b771c1099456446df103f77a607770b53cd33f3cf21ef60fda8a8a7914961c3",
"version": 3
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
@@ -271,8 +271,8 @@
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "9cd83ec78d98435f5388ded75a9b1034f52da57884d1052801099e79f1087072",
"version": 3
"sha256": "cbd3d898a80fdb3bd7c79c2f6486138e0d9d4577d34256136ccc8282a54d12ea",
"version": 4
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"rule_name": "Unusual Process For a Linux Host",
@@ -281,13 +281,13 @@
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "637246c78b6fa0905bfc47ca942265bc7fc7daa16e544a1dad9aacd0d8932e89",
"version": 2
"sha256": "cb6f8a29b6e8e22054ad733b4c8d1e4a3203a08cc8333c9c0ced2057dba9e71e",
"version": 3
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "5b03dfdf92939205720bd9a2a6ba3fcac321ab46278a63cf862a9ca8881623a7",
"version": 3
"sha256": "7efb0cbeb8fdb7d49f6daeca8b7877ab7472b9bd0046e8e25596320bf7836d50",
"version": 4
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
@@ -296,8 +296,8 @@
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "f92bcc8271ce1e1082d42f76466838e17a0e94800d8c667f36df7f5dc55a1f92",
"version": 4
"sha256": "e091babf5f308e98b3f0d883ec8d4d6a7ead789f240e79b6c89b974ba77ac80f",
"version": 5
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"rule_name": "Unusual Linux Network Activity",
@@ -316,13 +316,13 @@
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "82ba007857d824bcb38916fca098f15f5bb777191a7403c8e31f860514664d6b",
"version": 2
"sha256": "ecaccdda66ec525035e0abe4cc0c05cf1ca2bcb9ab42fc9b087d15e6df1af6b5",
"version": 3
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
"sha256": "b05123353ff4a1d27d4631d4bbc2f16860b755c4c32ec12dd65583f752866f43",
"version": 3
"sha256": "8906bc996c13a315e04670626ece6862e0fac10a206fe365d567c09c4b0ae50c",
"version": 4
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
@@ -341,8 +341,8 @@
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "a2f23de5e7249c0e4e28212eca17fcf83fdbea776f898f3bc5c456d9b80deb43",
"version": 3
"sha256": "711209a022fc43f31489e05a3dd413ef7c89e4bc058376f1bb54c98896dfaf94",
"version": 4
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
@@ -351,8 +351,8 @@
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "1de8ead775e787c3256447c82655c40866a9513c245d1223939e04cb9f9763cf",
"version": 2
"sha256": "9dfe20ded6d2881ef9ab368960f6232c28a7c20783b35ab2176cccff4ca8d19c",
"version": 3
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -361,18 +361,18 @@
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"rule_name": "Unusual Process Network Connection",
"sha256": "1ad6e642d8c578f97d2569cc471059c7029ec1190e89c9dd0042c5a88906275b",
"version": 3
"sha256": "e35d9a9c665928aa65a412aacdc9115351f3ce4a6d8c2588629b84e9243c341d",
"version": 4
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "64a4c6687e8b28df55161028153804821cace7ea512cbabe778d559283d14a8d",
"version": 3
"sha256": "87b5626a84518eec3d829cb474cb47532b10bb4a1d0b11d755c3682475d7cc3a",
"version": 4
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "404f0a34bef511d70d8dd11f094e02aa8a3fe938bdfb3d4441c4dbf6ea1a2cd3",
"version": 3
"sha256": "548c73b1abd270a73ac51e0460895d3836f11ceadc8b19559a65c9618e20a118",
"version": 4
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
@@ -406,8 +406,8 @@
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "c9771d9c525e750a0017693621b03d3aef6a3ec5773461ed3a1661ab43f85b53",
"version": 2
"sha256": "228c4a9cc746a7de36dcd5f9b3cc9c86d0b06e7aef98059cecf0b2a0c7ed2c2d",
"version": 3
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS IAM Password Recovery Requested",
@@ -476,13 +476,13 @@
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "c2c87b8c43abfa894c8e9d4fae2a21a63ad5e6608775215ee4315901207fc51d",
"version": 3
"sha256": "ade46e96d842d8cbbf57a750750a9608f727e242b08491889ea63a07dffd4ca3",
"version": 4
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Deletion of Bash Command Line History",
"sha256": "90b821385ca30c677f757792c1f20543e852cc3e84161b7c67418e0795598fc8",
"version": 1
"sha256": "9d890cbfcc12c01039cba5c143d094316e061f0a4d5d3b08165cf2eac4abb643",
"version": 2
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
@@ -501,8 +501,8 @@
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "80125097341af87cd48b9ad11105d466d5956ccc306450a562cfd0eb3ba33e5c",
"version": 3
"sha256": "7de69f7a4a1f9689fe091d5b70484d4392ad24039b3a80f47d39d322d4719e55",
"version": 4
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
@@ -521,13 +521,13 @@
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Command Prompt Network Connection",
"sha256": "84bf6f16be980111319510f8654f6b42ac0a4e73405b2f031c9d5b0633e71014",
"version": 3
"sha256": "920af03d75efd763b940e822bf4ba93d3f8fd8dde10e116f98e7d459096de622",
"version": 4
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "Setuid Bit Set via chmod",
"sha256": "80d32998b1c5af4f744b6890f5b5d734fd59f208e072929836a823619660d6b5",
"version": 2
"sha256": "af04c32620120d576ec2c15c7a49bb359b6c1c77490206e947ed86826020fa3a",
"version": 3
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -541,8 +541,8 @@
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"rule_name": "Hping Process Activity",
"sha256": "a981451a19485a25d6fe0c5a5c6760be1d66decf16a4989d48754e3b7add6ab6",
"version": 3
"sha256": "983df73edf11df0faa699d91d23031739d932dc4134e634c5c886fd07c6d5a4f",
"version": 4
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS RDS Cluster Deletion",
@@ -571,8 +571,8 @@
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "d11b8d0bb029ec776940640f440bc35573b8d5a83f2306cc9365c36dd2110be7",
"version": 2
"sha256": "7d7d732303b9069da8939be0085b0b8f1fba316e25e4531e3d078f3ef0bab9c3",
"version": 3
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS EC2 Flow Log Deletion",
@@ -586,8 +586,8 @@
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "feb2b3549a08e130d7b06da043cae62e646e2199b3c31bb71aa7ff059c3a7b6e",
"version": 2
"sha256": "b83f0cfa5bbb7f02fa48798def53d8b1a57fd8734d0d24e95e8ebe34444e5249",
"version": 3
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "AWS EC2 Snapshot Activity",
@@ -611,28 +611,28 @@
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "2f83765c4911e648c0be0db638d9cc346965a71141933eac60f40861b9b7cd91",
"version": 2
"sha256": "d6ebaa11d210241095adfa1bcc998743ab486836f893b87e044a8255829f52fb",
"version": 3
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "a21ff9b2f5134165746bb88ae1aee78d6bd955a455052c829ab18ccd9f06118f",
"version": 2
"sha256": "2bbb3b9cbeead17b40f9663e52ec3b42f4b1d58dd645962c431d84b7ce149c90",
"version": 3
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "6734ab6912ee86be6f5eff281217b5f9c95ac51596cd01d2f9359cc3b8de7758",
"version": 2
"sha256": "c7b27e753ab08dc5bd3cab380b67f4b346279dbeddea2b55aa862747f335e56b",
"version": 3
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
"sha256": "9aa85ddacb0b3441dfcb53ec6d5b5c5ce908c558a242c764bd3f44624f8153ee",
"version": 2
"sha256": "45fff1a065830305c07e41b12e2645e34ba7c10c5512268efd85d2e50ce4f833",
"version": 3
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "2c2569ff1e94344e1f975de973207510adf013f3a1d023c86508e8a116014454",
"version": 2
"sha256": "0aefc28ef5fa42264e4082dd010644052873fc54ae3cb0b7bc3cbf5a882fe345",
"version": 3
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"rule_name": "Process Injection by the Microsoft Build Engine",
@@ -641,8 +641,8 @@
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "15ed502ec9c70e5b3fa1de7c99ec0877ac1907ece60779a324b8461956093012",
"version": 2
"sha256": "a615c13125f279c6b25a34d110cf8d84f45e4bbce23e9ec63080952a04342760",
"version": 3
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "AWS Access Secret in Secrets Manager",
@@ -651,13 +651,13 @@
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
"sha256": "4f3f62c5999ec7b6e172437a4f359adc08bb68fc7a83c954c4f019b5d64a8664",
"version": 2
"sha256": "10ea375a05dd802cd9169b589070582864cac1a66a76de45d14c2b089c25e902",
"version": 3
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "59d713111ca42fcac2769d8939303019253c300d5455524e3fff4446f24282ad",
"version": 3
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"version": 4
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"rule_name": "AWS IAM Assume Role Policy Update",
@@ -666,8 +666,8 @@
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"rule_name": "Suspicious MS Office Child Process",
"sha256": "63f8ff2b6aafc463ae4759cabe61f70564a50e3d77328cf40916ae99b7ea9813",
"version": 3
"sha256": "0f44750ec993f9fdde22d2e85e1679352f4d94c946293223c066533697a50f59",
"version": 4
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
@@ -676,8 +676,8 @@
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "c22e81459d98bd8fc47e911677c6ee40218253b7ec3bcb2e21c3d7e6116e7d4e",
"version": 2
"sha256": "d191c76742500aaa9f0d3284ffa0c5fb620768826b7ed5ea0d2eea116d838d86",
"version": 3
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
@@ -696,18 +696,18 @@
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "Netcat Network Activity",
"sha256": "eb3f95d0ec4f799be133ce35a3b5365edbdf780a99a638023ef5aff1f64c5b1e",
"version": 3
"sha256": "a86bc32201580a304e3177b759ade73e627c671d5e11853a88415f784b18d71b",
"version": 4
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Commands",
"sha256": "5850b379eef292ad97ff952faf36cd85e8ce9f9c34e36b3f0efe0b844cde9c8f",
"version": 3
"sha256": "d6d29ecdfb8d8ac87743712066146346c70d2a2991a00def356c8ed4733871bf",
"version": 4
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "397a3304cb369f9f0567541e5bd84323c385ec834cb499a0e67d718f64006f52",
"version": 3
"sha256": "88b6fdcc1f81a38ae42c2cc4d883604e9f5acd4a58af5f48a0c48e398665b9a4",
"version": 4
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
@@ -721,8 +721,8 @@
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deletion via VssAdmin",
"sha256": "9a89bb4616053a27b9da19b0e039f20b5b06eddb82c0254daa490038e565943f",
"version": 3
"sha256": "fc61426143133407bddabf689f0b5244aff16def118cbf470929b71174763637",
"version": 4
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"rule_name": "Attempt to Deactivate Okta Policy",
@@ -736,13 +736,13 @@
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
"sha256": "a6b35cd7c01efd9e3ff5f09556cfeae330c4c59d78c7d467cf32b8c376f93371",
"version": 2
"sha256": "b82fc0de50c86b935980223c1fd582a618f509e526ba9d363771d0b5601b2628",
"version": 3
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories",
"sha256": "0032ef35ec0d687bcb474eedb0e01318c6d305c658ec692cf78bfb9d1bf2e1dc",
"version": 1
"sha256": "c9369962e142eda14a770259206ca03ba72a0d0b907996d25498e4e2ef847796",
"version": 2
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
@@ -771,8 +771,8 @@
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "dd84d55464f543307c27a7f776fafdb99ab36e58ad7a7d5cbe9dbd3bd4c39a33",
"version": 2
"sha256": "15fd9d9b15627d4a9dd571999362b14fb2e86016cf6e27740af6c1f45f64db96",
"version": 3
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -786,13 +786,13 @@
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "Direct Outbound SMB Connection",
"sha256": "f323552f1aa665fbffde188f19226fda514df98d5e174725d61cd0d413ed8130",
"version": 3
"sha256": "fae4636ddb0a185e2acbb41f8fea2f8510f6cf0ae61bbddd0218c63a74d5483b",
"version": 4
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "b0134afadd79015919a72fb3e6fa0f3994aca735609a71ab4aaa03c89c6ceee4",
"version": 3
"sha256": "b82bf76e52898dfa29ff4736c2c989d575b0bf9c06fdb8bfcbf1ee737f41ccaf",
"version": 4
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security",
@@ -816,13 +816,13 @@
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "68d871126791b1040df2c53b6dc057432217be3b4376703b7cb81a2057344720",
"version": 3
"sha256": "5dfa85cf3d23f692d8b5612ae518fda01ad11c2a9e4b3858f6f2eb79112332ac",
"version": 4
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "f9fdcf439337f1fe71aa24215d02c09249e9cfb978f217d3edef60d6607d9403",
"version": 2
"sha256": "db63134024db06c912eac8f9cbb156a98ba56e576abec86baff108edc6a7a10b",
"version": 3
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "Attempt to Deactivate MFA for Okta User Account",
@@ -836,8 +836,8 @@
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "6bf85d1d2f89adc041f3190145f1de20672f190727b302eaaf43268951d5e100",
"version": 3
"sha256": "1e199885d6b2ee9d5652ae342c7a56130596f14f4207396452c15db2d826c26f",
"version": 4
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
@@ -851,13 +851,13 @@
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "9d82b60fa077eab2c9bd133e9a3c4d56e2cf3f1ba86047b23540dc6b837266fb",
"version": 3
"sha256": "2932086916e97a5920805f062c8461646c61448d36248aa6bf403133c86efa34",
"version": 4
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "6e298f0f3fed486ae6f4eb0a4d93d8deebf1597264ec5ac5ed32c42d8616263a",
"version": 2
"sha256": "0a50429de3280c10cd206152131fed4f9491b08502c8877352256f7965470a0f",
"version": 3
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
@@ -876,8 +876,8 @@
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "64fccc407b6b538dbab612c8a8040476660146645f1940b48a64a324c51e705b",
"version": 3
"sha256": "4b8ef95da8429452dcf67363672f8a9e6c4e45bc80bd729ad5d3b3e60a550a7c",
"version": 4
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
@@ -886,13 +886,13 @@
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "5f837c9e27f696b82b77dcb7d2c4a1a92142c2464451fc000104488ed8d65160",
"version": 2
"sha256": "d3b991ebc8647e62117b27fbc8ed1f9c22a7daddb565daa4d2e617d1c8cf71b6",
"version": 3
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "88700a3ed7404230c3fdcfb911bf74ef67178524e736a46f09cd82435b4e825d",
"version": 3
"sha256": "26f7ffcfddc4a817c1cedd32dc68cef4167749ada87584c1ab790d2b44a41485",
"version": 4
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
@@ -901,8 +901,8 @@
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "1bdc0e8f97c88ad7d853ebb1870d959cd48583d54e72572f169a3fb35907e1aa",
"version": 2
"sha256": "8dddae484d130d6bbcf5b88ba30b257f4ec4b0cf0e3eff8233822488c848ad9f",
"version": 3
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
@@ -936,8 +936,8 @@
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Local Service Commands",
"sha256": "09a14045036f6a30948b02a97ace4a3004863642b39f1d965fb7bc175fadff25",
"version": 3
"sha256": "7f40a97cad0ae6acde9832aff4deb5250d452c2c825f894a138ae9f0d86a4121",
"version": 4
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
@@ -956,8 +956,8 @@
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "8f7296c828ca1babc06b6d8f33006f235b006335b8e05dca5f6cd0dec669975f",
"version": 2
"sha256": "3354f1c679152be687ac4eef73892612b5b488f0cfe4e0e2636dc3dfdfa45b6a",
"version": 3
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
@@ -971,13 +971,13 @@
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "681ddd7b3337bb41f2496d94153c346d7e8e4fd2cab289c5c5168e3f5446d549",
"version": 3
"sha256": "fbb250048e91b7b8df4a0555a9ddc8cf98009dbf2434019bf0e88839983dd332",
"version": 4
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "9fc4f152c5dbe06bbbdf27a4d307abc2da1116b564acc79b30034913e3b12219",
"version": 3
"sha256": "37d052555eb47692d5dd98ecf41af9de6d21b1526b7047c228a532e021ca04ca",
"version": 4
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
@@ -991,8 +991,8 @@
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Regsvr",
"sha256": "78487cacf86e895d025eabed659c5ffaa0ded038a19808d5d6bb5f70978fb014",
"version": 3
"sha256": "01a7ea6c1cda22f3edc887d557916a5f27184cbb9c90dd7c09e36f3c68fd59f4",
"version": 4
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
@@ -1006,12 +1006,12 @@
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Encoding or Decoding Files via CertUtil",
"sha256": "cd0e189f8420314a834c4916b9685304b8edc4259d275796ee0e06fb7df0338b",
"version": 3
"sha256": "d650ddaf396c9379540944aa0f084b0ef5802ec62367cb311ac6a4f0dd353d2d",
"version": 4
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "53659b10280ff1cf084f6f27a95b3eae81c1e9e9e2cf0806e7eb61f14da0fc6d",
"version": 3
"sha256": "730e186178e67ceed90c1a70820a8ab14290ee86c749c73739fbff617f7da978",
"version": 4
}
}
@@ -17,6 +17,7 @@ false_positives = [
troubleshooting.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
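Review bot: The added `from = "now-9m"` pins how far back each run queries, but nothing in the hunk records why nine minutes was chosen or which schedule it is tuned against; the identical line is added in every TOML hunk that follows (the last one ends at the final line of this page). If these rules keep the default 5m `interval`, now-9m leaves roughly four minutes of overlap so events that arrive late into the auditbeat/endpoint indices are still evaluated, and that coupling deserves a note such as `# look back past the run interval so late-ingested events are still evaluated` above the key — or, if these files are tool-generated and comments would not survive, a line in the rule-authoring guidelines. It is also worth confirming the value was picked per data source rather than copied, since a rule whose `interval` is longer than 9m would silently leave gaps between runs. Each rule file, including any `interval` key, continues outside the hunk.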
@@ -10,6 +10,7 @@ description = """
Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to
receive or send network traffic.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
detection by security controls.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
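Review bot: The description context in this hunk reads `in an attempt to an attempt to disrupt event logging`, a duplicated phrase that is shown verbatim to analysts as the rule description; suggest `Adversaries may attempt to disable the syslog service in an attempt to disrupt event logging and evade`. The line is untouched by this change, so it can be fixed in a follow-up, but it is easy to pick up while the file is being edited. The rule file continues outside the hunk.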
@@ -13,6 +13,7 @@ false_positives = [
filtered by the process executable or username values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
filtered by the process executable or username values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic
investigations.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
@@ -11,6 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic
support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
activities.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave
a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
remove them at the end as part of the post-intrusion cleanup process.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
by username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
filtered by the process executable or username values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
behavior. These events can be filtered by the process arguments, username, or process name values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
Note that some Linux distributions are not built to support the removal of modules at all.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
by ordinary users is uncommon. These can be exempted by process name or username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
process arguments to eliminate potential noise.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
automation tools and frameworks.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
+1
@@ -16,6 +16,7 @@ false_positives = [
uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
+1
@@ -16,6 +16,7 @@ false_positives = [
uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
+1
@@ -16,6 +16,7 @@ false_positives = [
scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
originate from scripts, automation tools, and frameworks.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
+1
@@ -18,6 +18,7 @@ false_positives = [
uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
+1
@@ -16,6 +16,7 @@ false_positives = [
is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
more likely to be suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
originate from developers or SREs engaged in debugging or system call tracing.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
programs by ordinary users is uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -13,6 +13,7 @@ false_positives = [
behavior.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -12,6 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex
with the setgid bit to get code running in a different users context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
@@ -12,6 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp
with the setuid bit to get code running in a different users context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or
malware, from a remote URL.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
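Review bot: The same literal `from = "now-9m"` is hand-copied into every rule file in this commit, so the look-back policy now lives in dozens of places with nothing that checks they agree with each other or with the interval they pair with. If the rule loader or schema supports a default for this field, defining it once and only overriding per rule where a different window is justified would be less error-prone; if it does not, a schema or unit test asserting that every rule's `from` exceeds its interval would catch the drift that copy-paste invites. Either way the value here should be accompanied by a short comment explaining why 9 minutes was chosen rather than any other figure.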
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin
credential management. This technique is sometimes used for credential dumping.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence
of files created during post-exploitation activities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent
system recovery.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to
disable the firewall during troubleshooting or to enable network mobility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ
Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and
control or exfiltration.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
this program to be started by an Office application like Word or Excel.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t
behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t
Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena
indicate an attempt to run unnoticed or undetected.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
triggers this rule it can be exempted by process, user or host name.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems
validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
application allowlists and signature validation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an
attacker as a destructive technique.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
other destructive attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
other destructive attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It
is used in command line operations for control of users, groups, services, and network connections.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
environment for network connections being made from the command prompt to determine any abnormal use of this tool.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTM
malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable
program (hh.exe).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often
leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged
by adversaries to execute malicious scripts and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged
by adversaries to execute malicious scripts and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
environment to determine the amount of noise to expect from this tool.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
is unusual.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes
executing a PowerShell script, may be indicative of malicious activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap
These child processes are often launched during exploitation of Office applications or from documents with malicious
macros.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear
phishing activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies suspicious child processes of PDF reader applications. These child processes are often launched via
exploitation of PDF applications or social engineering.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity
and may identify malicious DLLs.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies network activity from unexpected system applications. This may indicate adversarial activity as these
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r
(COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows
utility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -12,6 +12,7 @@ over Server Message Block (SMB), which communicates between hosts using port 445
connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or
suspicious user-level processes moving laterally.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -7,6 +7,7 @@ updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = "Detects writing executable files that will be automatically launched by Adobe on launch."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -8,6 +8,7 @@ updated_date = "2020/08/03"
author = ["Elastic"]
description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration
testers may run a shell as a service to gain SYSTEM permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or
domain.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with
elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ description = """
Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange
activity on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
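Review bot: Every rule in this commit receives the identical `from = "now-9m"` regardless of whether its `index` is `auditbeat-*` or `winlogbeat-*` plus `logs-endpoint.events.*`, but the look-back needed to avoid missed events is driven by each data source's ingest latency, which can plausibly differ between these shippers and between environments. That the one value is adequate for all of them is not something this hunk can show, so it is worth a hedged comment such as `# Assumes end-to-end ingest delay well under the overlap this gives; revisit if the interval or pipeline latency changes`. Tuning it per data source later is easier if the assumption is written down next to the key now.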