Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 (#2542)

* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7

* added newline in version lock file to start CI

* removed newline in version lock file

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
github-actions[bot]
2023-02-10 14:11:33 -05:00
committed by GitHub
parent f8d26f4ce0
commit c07ced2ce4
+432 -222
@@ -27,9 +27,9 @@
}
},
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "f19012c14051bae97b3ec8e0c2b82ee4325142f29b82f38ff5bebe41342457e4",
"sha256": "c7de6d72863dec230757cef0a9c0f80712da9201bce2718b9eb941702f24f009",
"type": "eql",
"version": 103
"version": 104
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
@@ -178,9 +178,9 @@
}
},
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "9c6c8085d85d10c9acfad0058cf824b42e944f3a526546007d5d3d0cd1611619",
"sha256": "edf609361691fa44e08b3afe6e228569a275b1bff6e9ca69f7a3fb310729dd30",
"type": "query",
"version": 101
"version": 102
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"min_stack_version": "8.3",
@@ -194,9 +194,9 @@
}
},
"rule_name": "Potential DNS Tunneling via Iodine",
"sha256": "da42562546a403904c8ab4d5f1bf64eb76d5933a509a3923c1133f73475ba559",
"sha256": "a30b95c76cade7d1f01c342b63a5051ca7528bdb217206cf8b76c407c473f70e",
"type": "query",
"version": 101
"version": 102
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"min_stack_version": "8.3",
@@ -226,9 +226,9 @@
}
},
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "8528138a2d42c4ef0f5c4052a6f4eb1e452a851f16de34d153d962ba1cd4b3cd",
"sha256": "8ce8763f9f55667594d84f07808bfda0b0ca589d23ecbeb1da05e826d9cc1b00",
"type": "eql",
"version": 102
"version": 103
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
@@ -274,9 +274,9 @@
}
},
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "0078a2280c39199096a1666696783c47e12ff57a914887aa283bb1feb53a4eda",
"sha256": "9c9aa184bc72371aa863d5d0a48f83bf4477ebf6234089901a882a32fdd3acfb",
"type": "query",
"version": 101
"version": 102
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.3",
@@ -290,9 +290,23 @@
}
},
"rule_name": "Remote System Discovery Commands",
"sha256": "14f8498cd9c3605264e7ba2a12f22b9587f55c134839a41c1cbb2b657d80c6d3",
"sha256": "f9e70b9e0214d46406d682c68451c0f9ffce855b4e35d134ad755183705c4a3c",
"type": "eql",
"version": 103
"version": 104
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
"rule_name": "System Time Discovery",
"sha256": "429a27a6981584c96be32e6974d86e36dba692b2d143105550b49440ede3a73d",
"type": "eql",
"version": 1
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "fb870dd17fc26ca0bc9e05d1bf325d7f93f2316af9a235ddd7eac1623aaefca6",
"type": "eql",
"version": 1
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.3",
@@ -485,9 +499,9 @@
}
},
"rule_name": "Anomalous Windows Process Creation",
"sha256": "e56af9f20aeb3c799f9f604360002ecd00c37feb5a712e6ffd320b7248621010",
"sha256": "ecd52dd84866e0c10534c9c0544109928b9a309ad8cacf2ee3895c77ca1c268b",
"type": "machine_learning",
"version": 100
"version": 101
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.3",
@@ -501,9 +515,9 @@
}
},
"rule_name": "User account exposed to Kerberoasting",
"sha256": "db61615c674a3ce285700a7ca9c38689748cc60f7de2015c7c87809fb3916bc7",
"sha256": "d94d68f639f89d48b98e457aa9df22dd6053970c90cbde5705ca54e912486634",
"type": "query",
"version": 103
"version": 104
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
@@ -572,9 +586,9 @@
}
},
"rule_name": "Nping Process Activity",
"sha256": "95be323eeaf86c2effc37f493654631497f6ba359a6e2eb9e9c461fbcb58fdcd",
"sha256": "60aa60bdedc8eaf31bd74cae64bf0407ef018d589ba6db35e3e2a72537ca046e",
"type": "query",
"version": 101
"version": 102
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
@@ -821,6 +835,13 @@
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Lsass Process Access",
"sha256": "3bf104a9b118c6ebece736db128eeebb8963fc95451a9a3e01e74cbacd8da1e8",
"type": "eql",
"version": 1
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"min_stack_version": "8.4",
"previous": {
@@ -911,9 +932,9 @@
}
},
"rule_name": "Rare User Logon",
"sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00",
"sha256": "1d17bf03df5bf0b49cbb773de6fc227caca2d11937306974f43cd0138eeefb60",
"type": "machine_learning",
"version": 100
"version": 101
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
@@ -1004,9 +1025,9 @@
}
},
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "d7a930666b4897f3e6ad4cae910ba7d91950f18ee7f501d9b51052e6c46f00c7",
"sha256": "cf03af67c80afdce88b0d90377426b870072a256c1c7df1a1beea891c3ebf5da",
"type": "query",
"version": 103
"version": 104
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
@@ -1056,6 +1077,13 @@
"type": "query",
"version": 101
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.3",
"rule_name": "File Creation Time Changed",
"sha256": "8679eb3e73de8b6787e36c5714238604b9bf5808daa4db90366c435106c87aeb",
"type": "eql",
"version": 1
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"min_stack_version": "8.3",
"previous": {
@@ -1116,9 +1144,9 @@
}
},
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "64a498b05a35861230579c6423cfa101e7722f72d4f10e9c15842d6d98a21772",
"sha256": "eea586935d79abcd6421d9aff5117f9ef42bee87a51a3ca973aad3f06312b11d",
"type": "query",
"version": 103
"version": 104
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.3",
@@ -1132,9 +1160,9 @@
}
},
"rule_name": "Unusual Windows Username",
"sha256": "8f1da2c97c296b4e212e5aacd5a608a1043a71c6de193a0568f82e09fc04cb6e",
"sha256": "bd033053790a1ba029730acd83253e02993b628b5a8e4fd81fbf14f83db9cc2f",
"type": "machine_learning",
"version": 100
"version": 101
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.3",
@@ -1369,9 +1397,9 @@
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux SSH Brute Force Detected",
"sha256": "39da680feee7ad38a8cee738d28975c62ada6344a4154b17e3c349b57c74a4b7",
"sha256": "3b9a570d671bdf42e09bde62959d75df45319e2c35851c9f4477f29a5453d8b1",
"type": "eql",
"version": 2
"version": 3
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.3",
@@ -1385,9 +1413,9 @@
}
},
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "90b6e6f3757968c798b350aec14b7a9a3b4567f3917a518eab4a067d93bc8f92",
"sha256": "0632f4ba371145aa2b15a3655f4ecaecea2aeca4b27e04e67b46fb0241594edd",
"type": "query",
"version": 104
"version": 105
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
@@ -1401,9 +1429,9 @@
}
},
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "fd574c78325d2683a832f7b4b8df354b794166d3cf0d68721511a8b1df6772b5",
"sha256": "c6a71ae7553a24a31f3dec7ce83acf7b453825c65d6f062971c89280faf0bcf2",
"type": "eql",
"version": 102
"version": 103
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
@@ -1433,9 +1461,9 @@
}
},
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "01259c36f97d276e0dfe2ed552945732d4f7c9730deb8bfa28fddc8aa693f4b6",
"sha256": "9abe3eeb36a2c0086b01100242b8fc7aded50c2fa641182c89e2260a7e541b1e",
"type": "eql",
"version": 101
"version": 102
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
@@ -1469,6 +1497,13 @@
"type": "eql",
"version": 103
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "e67c7801dc3b5bde8ca3b0e52b02b3aef364ef9c79715855203ded393a8b827e",
"type": "query",
"version": 1
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"previous": {
@@ -1485,6 +1520,13 @@
"type": "eql",
"version": 101
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "a580bc9436a45328df8f9e7083af6f46f0300acf46eb47d93ec17922ba306eec",
"type": "eql",
"version": 1
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.3",
"previous": {
@@ -1533,6 +1575,13 @@
"type": "machine_learning",
"version": 100
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.3",
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "c8a800a96f44d79b7b23ef582111b16903c957a8684ef2b857423b9366ab2349",
"type": "query",
"version": 1
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"min_stack_version": "8.3",
"previous": {
@@ -1561,9 +1610,9 @@
}
},
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "043fd214a5e74e23bcc4de915f6a875519278944ff560c9c81d82ff805167289",
"sha256": "3bf40800afe7ecea145fd48ab213a17e8167ee83e0cd90a00569c85396afcab8",
"type": "eql",
"version": 102
"version": 103
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
@@ -1657,9 +1706,9 @@
}
},
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "6692aea3904b62c7c555a43f6924b23132f4e04c32517510298d016cb7c673bc",
"sha256": "5fb1d97793624a75442f3067cc2280bf297eb591df40318a63f48f7857c03842",
"type": "eql",
"version": 103
"version": 104
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
@@ -1686,9 +1735,9 @@
}
},
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "f7a5c712a4469a66a6f138c749ceb8daeb01b6acceeccb4972e3b13332ede4d2",
"sha256": "a56037b84903d61f8b7a24676a0c69ecb2d97e68cb08598e81c94929cd49514a",
"type": "query",
"version": 101
"version": 102
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"min_stack_version": "8.3",
@@ -1734,9 +1783,9 @@
}
},
"rule_name": "Potential Shell via Web Server",
"sha256": "4514b076f4ae9f9a5905f71bae0fe30bffd6a120c18e51e72580bb87a0a96a30",
"sha256": "97d5433074b220c0d3b27958c7fd2fd38c55cc3c57b590054c786fc9aa25e840",
"type": "query",
"version": 103
"version": 104
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"min_stack_version": "8.3",
@@ -1766,9 +1815,9 @@
}
},
"rule_name": "Kernel module load via insmod",
"sha256": "560deab9cf9e540b16155fd81c9b95e705bc60d3a0b877a66a7208b103c6eeeb",
"sha256": "5cab9c181aec10768926e2efcb755954c6e2d39e9c237bc8b9dad61df738cb2c",
"type": "eql",
"version": 101
"version": 102
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
@@ -1885,9 +1934,9 @@
}
},
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "f205af382353a1fad072152a1d4207f2a6879ad7f1d85ad7eaf0fc9354a31ae2",
"sha256": "95983afba71232a0a0e6ab8d88e8206c05964364b48e00a86ba9f9783653f119",
"type": "eql",
"version": 101
"version": 102
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"min_stack_version": "8.3",
@@ -1933,9 +1982,9 @@
}
},
"rule_name": "Account Password Reset Remotely",
"sha256": "4f368ca08309253b3eb4c2ee299b7e9a2ff1f704e42cff23c25d11536e8561c1",
"sha256": "b38e8457cc6ea7684e8e680670c148197fdfed4d3d75b911bf2449c7b543e0fd",
"type": "eql",
"version": 102
"version": 103
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
@@ -2035,9 +2084,9 @@
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "47b528308d655d9a40ebf1c7faaa183193cc2911f418dfca1c1a10cfe13cdcfc",
"sha256": "aea4e63d5946a488ca0c3c8c09c71de573dcf51f67a37b015d3f19396e72c667",
"type": "eql",
"version": 103
"version": 104
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
@@ -2122,9 +2171,9 @@
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "22b03287ec583dc4b58992a5292c592a3d4b32cdc92036f8e67c9dca6565d163",
"sha256": "2db9fac7d1791b3b92114daa5a8c4092e66fc044c3c8d79dd930d1078f1d9b7a",
"type": "query",
"version": 101
"version": 102
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.3",
@@ -2273,9 +2322,9 @@
}
},
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "e65f2bc49d0ad4f48d814b50ee066ea12b93e1776a29720fcf0740865d58d560",
"sha256": "c091f579cf50b81ad35a919ce791b19235c25103b2805163478be58d919586ab",
"type": "query",
"version": 101
"version": 102
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
@@ -2590,9 +2639,9 @@
}
},
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "33f6b875baae098995aaf796af0d3f2d526e52ea81fbfaea897bf5ea92c1b100",
"sha256": "e59144c7f7f00aa2bc71f86283209350b86adbf2811b719d29f84431c70dfb43",
"type": "eql",
"version": 102
"version": 103
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
@@ -2917,6 +2966,13 @@
"type": "query",
"version": 104
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "2ca249687674bcc11d0c257edb9c9b0b02dc5d81e5cc9b04dda796156ad5f10b",
"type": "eql",
"version": 1
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
"previous": {
@@ -3009,9 +3065,9 @@
}
},
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "8b929648cfb7d78b3a120a4f301a77f449cb973bfe1a9c27f06181ed69f7166a",
"sha256": "ac945f3d31e112933dedfaa1b80add45db8907ec5437f92ad2901de01a6aa986",
"type": "eql",
"version": 102
"version": 103
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
@@ -3096,9 +3152,9 @@
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
"rule_name": "Process Creation via Secondary Logon",
"sha256": "052d5a9f9406a1f40d7f42883351dbe850f4516a045258094c2329d751a43be5",
"sha256": "331d4983cfe1f7e04d6f4301d9b745a70196e51245a64a0af2218b0723342dda",
"type": "eql",
"version": 3
"version": 4
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"min_stack_version": "8.3",
@@ -3160,16 +3216,16 @@
}
},
"rule_name": "Unusual Windows Path Activity",
"sha256": "96e95f6a002908e770ee8dc9e06b3f4955d02ace7a630a562d77630e0f51b2f7",
"sha256": "e05711b976cd84d5d5d9cd0e19eec120be46afe57e895f2eef2a5fcda8a2dc92",
"type": "machine_learning",
"version": 100
"version": 101
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "01c2d67560189623c292b168be7435d48a38318feb338e35bfc1854ecb950346",
"sha256": "892bf5ebff22903ba929949a6fe05131b9cb4017ae9c75db456b46a54620296f",
"type": "eql",
"version": 3
"version": 4
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
@@ -3199,9 +3255,9 @@
}
},
"rule_name": "Windows Event Logs Cleared",
"sha256": "10626d753b4eff838e90b212ec77c6670f7cd47eeede6ac704face10fd5bf4d7",
"sha256": "4fe0e5f5f2bd8b0e5cf07843397002cb2d43d6fc7e92609a9b97e474c01984c4",
"type": "query",
"version": 103
"version": 104
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
@@ -3215,9 +3271,9 @@
}
},
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "b37a7206844162a0d22b4306477a385bd3b9232f2f33434163d4ad93c827260e",
"sha256": "09f390313b2d381ab331407c8fbb29ae79f0f854b3c432c8c40eff8c2d423963",
"type": "eql",
"version": 103
"version": 104
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
@@ -3270,9 +3326,9 @@
}
},
"rule_name": "Unusual Process For a Linux Host",
"sha256": "dd683127f834182f5df0f60d7a3e94dc4e45b4c40f7852a7e4bd07f9bd32c77a",
"sha256": "60b84bf0d5b85a9282036208761447a6c8579f766a3ed3611f8cb70b1eb62e38",
"type": "machine_learning",
"version": 100
"version": 101
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.3",
@@ -3286,9 +3342,9 @@
}
},
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "4580fa6e639f76df7d490f941e5046bb7e8515e2da02aab4835d5dc59fba7f56",
"sha256": "d6a9bcfaddb37f31b3411499f1c2870454642246efb1bca00035e71122ae4794",
"type": "eql",
"version": 103
"version": 104
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
@@ -3331,9 +3387,9 @@
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "db40bc83f15ca46413d2e2a28895c8e182be5e1915dbb23757ee962f4b5f93c5",
"sha256": "77015417c3fac6ad21989399018c0c76fcace6e411a060d3c9068be88fc3f132",
"type": "eql",
"version": 2
"version": 3
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
@@ -3498,16 +3554,16 @@
}
},
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "601d99c47256f14bb93a96523ea4ce04d64d54e9bf07d5e52470688c40b2be00",
"sha256": "ee14442f4b0990c333bb6b4853b0ff7580cd17651a7deec9f9e8a985706c7b02",
"type": "eql",
"version": 103
"version": 104
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "6eec5b895f96299f32ce5a547b7554f3387e9847f925b55db9da6ae5dd29712f",
"sha256": "f47402604158d70428f9aeb696e1d32e9790a74562d8e1162c9962bc49ac3c11",
"type": "eql",
"version": 2
"version": 3
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
@@ -3664,10 +3720,10 @@
"version": 4
}
},
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "7030623ff8ed02e7b897ef7ef3b699bea67e8ba26933109df011dfd79d4ba57c",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "28c3127fec34a57bc9845f5891e14e3b9feaa8b5d8972c0bcb3e18f30af543ab",
"type": "eql",
"version": 101
"version": 102
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
@@ -3681,9 +3737,9 @@
}
},
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "a16976984526b0efb4f810dce465854718dbce285eb527269af3546e03d291db",
"sha256": "8e2bf5b5d340583fec1eaa51e7e79a91ebde05866d3b9245b962a146c72a50c2",
"type": "eql",
"version": 103
"version": 104
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"min_stack_version": "8.3",
@@ -3835,9 +3891,9 @@
}
},
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "cbd75271ff293520f527248177c43524f79dd2cbf3d0203a274805532927a8af",
"sha256": "ff13912139a4517ac291b4354e73bd334e700e375cf2a90024683940872664bf",
"type": "query",
"version": 101
"version": 102
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
@@ -4187,9 +4243,9 @@
}
},
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "406c63c241969aec0d4903a96fdfee40068bd8ba9eeff7e28dd19054e77ccb74",
"sha256": "8fcd82a081b3f9c1fd3218750a2061ec58843a983aaf156b7a5ef7c0bdceb9ec",
"type": "query",
"version": 101
"version": 102
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
@@ -4223,6 +4279,13 @@
"type": "query",
"version": 101
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.4",
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "2622829873c0dad57043933fc2de320cd5353690328a12142331f357e7721482",
"type": "new_terms",
"version": 1
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
"previous": {
@@ -4267,9 +4330,9 @@
}
},
"rule_name": "User Added to Privileged Group",
"sha256": "72cf570c5e08d6e35939e770e5346b5ded9f7f6c44b25695126e2871c24bc330",
"sha256": "85fbc6f2d51ab05dd8812e4911c0e7c523c319ffee128cc6850f669f250c4b83",
"type": "eql",
"version": 103
"version": 104
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
@@ -4440,9 +4503,9 @@
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "40e4e50e213f12414a720dbad1084ac9c5c66f7327c57db4a0983cd0f76293aa",
"sha256": "edc406d29a3c64903dc3af00d0a52f40129e13634f06d56b6fe7508e0f3540e6",
"type": "query",
"version": 104
"version": 105
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -4462,9 +4525,9 @@
}
},
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "6e4e3620fed8f9ea0448c296c02aa8ae04d544da84785fc04054bf8607a3f582",
"sha256": "65f399bf70c38dfce92e0bbc0b4e676429e70705e1008e716aec59948173fd7e",
"type": "eql",
"version": 103
"version": 104
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
@@ -4494,9 +4557,9 @@
}
},
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "f328cea65c10625168e096a7e5c8e93cdd31f422cca5d98369d950159018d39e",
"sha256": "6a468dd1a8358f22163af0d81fd0affdf1b87e6c3ffed81ac4a7861b8f58261f",
"type": "query",
"version": 103
"version": 104
},
"63c05204-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
@@ -4547,9 +4610,9 @@
}
},
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "58ad6b8312fa08066d30ca38f7178f10d0af84bc3348a306635a0d5693e495fb",
"sha256": "f4141ba07edb7c3d404fd06b4c4c7b7d6f3df17fb2b4a3f0e07814919b212115",
"type": "machine_learning",
"version": 100
"version": 101
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"min_stack_version": "8.3",
@@ -4663,9 +4726,9 @@
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "73d4b5395efb686a194e3ddb89c49017e043c35ba64ca0a14bfa70c12ee0954f",
"sha256": "7c6d8a037c2fea4f8738fa66454a76bd68f83d96e24403e5f98e4e7b4b229b53",
"type": "query",
"version": 2
"version": 3
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.3",
@@ -4733,9 +4796,9 @@
}
},
"rule_name": "High Number of Process Terminations",
"sha256": "639238e9ffd3ee7e008b5f02e37b7ccbf46d4422ab31c96c38fbd007b5aedbed",
"sha256": "10da0992fd7a09eeb512f86ad67c1f1c2c97f6ed4830246652f0e25f7b708362",
"type": "threshold",
"version": 103
"version": 104
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -4984,9 +5047,9 @@
}
},
"rule_name": "Sensitive Files Compression",
"sha256": "fee59fe99d0d07ff31585fb6fd902e2345ca5effd3f73a26bc436917b51c6f95",
"sha256": "485d9790253ec193714681048f7c37837597f54d18a3a25b90287c1e5c556539",
"type": "query",
"version": 101
"version": 102
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.3",
@@ -5000,9 +5063,9 @@
}
},
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "a17f13296f2d3df813973ae7fc885584d1eed5ef45a4d7dd26ddeec6ce3a8524",
"sha256": "22ef56a16f21d022a7426745003d5a097a4762abc7b89536c3e08a284f1b3434",
"type": "eql",
"version": 102
"version": 103
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.3",
@@ -5032,9 +5095,9 @@
}
},
"rule_name": "Unusual Process For a Windows Host",
"sha256": "791ab8700a52039f24e5816979494fbae818c52ba20be375d733e9fa730af444",
"sha256": "548f0645083a7ffa45c063a362c867656de7a3b9a6337c0ebe535c2c47e0f0d4",
"type": "machine_learning",
"version": 102
"version": 103
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.3",
@@ -5048,9 +5111,9 @@
}
},
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "0f387df0bf637f8a7cdcac7e35c402a5c25cab0df5667d31c4ed069e209e0acc",
"sha256": "6590429ef4dd0c7c03651a26da378c7469bc7432237ebb389604cec9c899cb93",
"type": "machine_learning",
"version": 100
"version": 101
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.3",
@@ -5064,9 +5127,9 @@
}
},
"rule_name": "AdminSDHolder Backdoor",
"sha256": "823a60f4eff0a08a07f0b7b587d0bdc4c9ba0ed9937b83d090f7cb54af71c584",
"sha256": "46b146a76ebdf8357eb7d63b912b9acfea4c6b0bdcb6ca6c7689843578706712",
"type": "query",
"version": 101
"version": 102
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.3",
@@ -5247,9 +5310,9 @@
}
},
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "41ea9f156324eea554574fff4f47cb2f85787cfbd528d003c4edf70727d46273",
"sha256": "b73947946bbb78df5d00587ef4fbaff9fd3285067f053dac2c6bb15183eea53b",
"type": "query",
"version": 101
"version": 102
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
@@ -5263,9 +5326,9 @@
}
},
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "ed682581d7ce837ffeb2bb1be122fb8a8e0920720f15a954b568698df0fba347",
"sha256": "c38e3b065ba4c165164034a882010132d7780e019fbba43e93a1e9c35bfd4122",
"type": "eql",
"version": 103
"version": 104
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
@@ -5365,9 +5428,9 @@
}
},
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07",
"sha256": "ce205d617ff2774aa7ff81d968f2e10d57aad9adb9237907f115f14874df8d75",
"type": "machine_learning",
"version": 100
"version": 101
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"min_stack_version": "8.3",
@@ -5443,9 +5506,9 @@
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.3",
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "b740d503c95c58aeba713bc41e42f568aac13a10168ddde244b4f1fd24e48d82",
"sha256": "9d019640feccf23d7830a68debfa05f46666627c6634b65ee162a2cc46a97386",
"type": "eql",
"version": 2
"version": 3
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.3",
@@ -5459,9 +5522,9 @@
}
},
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "9315850612e1d358cb5968a2fb3eefae569db6be399418ffb5a3b90436cc6318",
"sha256": "a9e20813e5d1de790f3e9cca4af57e618f1b786930e24bc5d8048ab405369c89",
"type": "eql",
"version": 101
"version": 102
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.3",
@@ -5605,6 +5668,13 @@
"type": "machine_learning",
"version": 103
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "8ee5bb828dd71d53f8bf888f8b7e4c68814737b16fdda8ed8a0da80ff662dc56",
"type": "eql",
"version": 1
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"min_stack_version": "8.3",
"previous": {
@@ -5621,6 +5691,13 @@
"type": "query",
"version": 102
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential Exfiltration via Certreq",
"sha256": "4b89688d571d43de20d56f466b059ca7105f787fe643cf8959712316521f8b6d",
"type": "eql",
"version": 1
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
"previous": {
@@ -5633,9 +5710,9 @@
}
},
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "64806f347838c3a33b49368f7d967eb7d3aecbf621422c687f39c639b19a856c",
"sha256": "21a3a459a30be294fd89ec9db6c1512d90e034a7d23d7cd287275caed77c41e0",
"type": "query",
"version": 102
"version": 103
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
@@ -5840,9 +5917,9 @@
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "fd5ab0ae7cb653cd05d3107277504f88d6ebadc8fec6a461410a5a5600eef57a",
"sha256": "5fc7c71c51b4631d1dc4631bb13b9e92135cc98e2a9be2b242b2ed3705be47f8",
"type": "eql",
"version": 2
"version": 3
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
@@ -5910,9 +5987,9 @@
}
},
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "12ad8300187f8f8f5a9836c103f88114fd217d0c28e14c7400a7287e0e664e4b",
"sha256": "5d3f6f0111eade36e60550698a809efaeb5b47f6eb8f7163ed84ab7f0423f89a",
"type": "eql",
"version": 103
"version": 104
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.3",
@@ -6006,9 +6083,9 @@
}
},
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "f0439ce3410d09e36cfe5bea67ac81cbd854b04fe0638e1389b43253b80919c3",
"sha256": "b7ada289ffd8554cdf8b23ca57e5f2ca9e9aa9103d4a110e31af57575e5c5b70",
"type": "eql",
"version": 103
"version": 104
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.3",
@@ -6320,9 +6397,9 @@
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Password Guessing",
"sha256": "f3072b10eb99e14482d38788bec66c31017c460362ce56b950f8364b00fa3026",
"sha256": "ab2fdb97f0e3e218efcf7558e6be6f7de344c7044b4fcdb37640cc4b07e3e6e4",
"type": "eql",
"version": 2
"version": 3
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.3",
@@ -6336,9 +6413,9 @@
}
},
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "59e68c56d5fc6ad0c04dc18a23f9dcb28d139880b1bf811883a2d3bb10333665",
"sha256": "b604023e3d065e0815826dcb5b2e26722031fba689549e9a44473126e9322e8d",
"type": "eql",
"version": 101
"version": 102
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"min_stack_version": "8.3",
@@ -6422,9 +6499,9 @@
}
},
"rule_name": "Hping Process Activity",
"sha256": "ae8e750b52b2b170b9b595bfec9a99d5e74d8c48eca1662c7e2363cf99744d40",
"sha256": "fbad45adf472ed976562d80120474678abe7b304e20dc16c9d04e2911b0e13db",
"type": "query",
"version": 101
"version": 102
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"min_stack_version": "8.3",
@@ -6544,12 +6621,19 @@
"type": "machine_learning",
"version": 100
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "f8d38de1aa8a043f4253a6d31e673233fa1b612409392ffa5dca683eff3e86ee",
"type": "query",
"version": 1
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was created",
"sha256": "81c3b09aa79394e3f8c0d5a43f43d06e82f1334a2bac6d7a821a263a0a8623ba",
"sha256": "1e60cbeb1a3e3eddcdb21edb4ee9bbe48d9ffbfeacd965a0d0845c9afcffccfd",
"type": "eql",
"version": 3
"version": 4
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.3",
@@ -6677,6 +6761,13 @@
"type": "query",
"version": 101
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "c8e23a5fc8492bd2b0de1300b69d8a2df6b46ff4ee37fbc94652738d5bef0fcc",
"type": "eql",
"version": 1
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
@@ -6737,9 +6828,9 @@
}
},
"rule_name": "File made Immutable by Chattr",
"sha256": "24ee320fcd777929a2e5be22e8b6bb6a925eaa230669693b1b271f05c62b36f2",
"sha256": "810afaffb5ad2f3afff2f79b2da017a4e05e79bb3b407ad1d2405484dc3fa732",
"type": "eql",
"version": 101
"version": 102
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.3",
@@ -7003,9 +7094,9 @@
}
},
"rule_name": "Spike in Failed Logon Events",
"sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196",
"sha256": "db82d4e4446fe54e603f48ad06a6e42b1ab4251700d7fd06afb3dcc0db3c7776",
"type": "machine_learning",
"version": 100
"version": 101
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"min_stack_version": "8.3",
@@ -7104,9 +7195,9 @@
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote Logon followed by Scheduled Task Creation",
"sha256": "3f358925fb1d6175f876ca1d4cad49e8c5cf468acb9dc145c3f137b1c8614bd8",
"sha256": "bf21a84716a434390b5db52758a95fd3d418bd777913683c47b053b0efef9ca7",
"type": "eql",
"version": 2
"version": 3
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
@@ -7120,9 +7211,9 @@
}
},
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "d10741a1a3c783a25a2bf1bd6869553db40b735bce0e289de9cb0ab6cb8bdf56",
"sha256": "6136c283900e035f1a91b7ac2025a8a1f20eeaa65e52bde601f0752b3bac52b3",
"type": "eql",
"version": 102
"version": 103
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -7286,9 +7377,9 @@
}
},
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "dc2785bae701f3db2068ccfb0d9028dda6ef433d33320a42a115a42336a0f54b",
"sha256": "02d1ec11f7fbab5ed2c9fd914b0c77fcefd5bb508600f8056e96dbb928107e23",
"type": "eql",
"version": 101
"version": 102
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
@@ -7302,9 +7393,9 @@
}
},
"rule_name": "Potential Credential Access via DCSync",
"sha256": "262e2f1b79195159ea878ea195be2cd996c36a56d8a22a540290756ccb0eb873",
"sha256": "9d21d071f93ffd899250d9bf1aaea08e51be063cbb580ca989375fc819f15d29",
"type": "eql",
"version": 103
"version": 104
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.3",
@@ -7341,9 +7432,9 @@
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was updated",
"sha256": "ce882bbfb1d9c40e848cd45e39dbf0045e84ebb64af21331dd4b1ebae249347e",
"sha256": "2cfda45048e8471208372b3cffd610238002b437d8fe1c50df724f183f467308",
"type": "eql",
"version": 3
"version": 4
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
@@ -7389,9 +7480,9 @@
}
},
"rule_name": "File Deletion via Shred",
"sha256": "91778159aa6189ce86a7237ebb39890b7343661c5348e2506db78d5692582242",
"sha256": "314a5884f22a3359a26baf905f1aeaa5f763eee3cb05fac489b4db201773368b",
"type": "query",
"version": 101
"version": 102
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
@@ -7409,6 +7500,13 @@
"type": "eql",
"version": 102
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "7a48c53fa6de261c1f453cc9b79bbb19fa40e19fc49b2032e970f4568f99e064",
"type": "eql",
"version": 1
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"min_stack_version": "8.3",
"previous": {
@@ -7425,6 +7523,13 @@
"type": "query",
"version": 102
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"min_stack_version": "8.7",
"rule_name": "My First Rule",
"sha256": "35074e5f08c9198dd631dcce1d0c399686563f2286461207a2ea71b194f859df",
"type": "threshold",
"version": 1
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"min_stack_version": "8.3",
"previous": {
@@ -7473,6 +7578,13 @@
"type": "query",
"version": 104
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9fff2ce0dfd6c5e4048c9ab12cc0fe9fbf3f2d2e2fc95f656fbe0d1c8ea50553",
"type": "query",
"version": 1
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"previous": {
@@ -7514,9 +7626,9 @@
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "8a396165e99be43114ae40eb1174151552a1821df4e8635e0a4012c01574ecc6",
"sha256": "1d6b98e58965800afb3a94671902ad93f24ff2462f7521ef443285d49ab1e77e",
"type": "eql",
"version": 2
"version": 3
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "8.3",
@@ -7562,9 +7674,9 @@
}
},
"rule_name": "Suspicious MS Office Child Process",
"sha256": "c2ada3a9efccb20c8ad7863b140f2f2e756b3c87ff6a109436f549f1782a7b97",
"sha256": "53655eed69c04e50c9f00f9535ccb05aa546a53781f86c71ea28038364774f08",
"type": "eql",
"version": 103
"version": 104
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
@@ -7742,9 +7854,9 @@
}
},
"rule_name": "System Log File Deletion",
"sha256": "e957af32272cbe8f63a9f16b0d4539f8c3015cbf87e63c4ee97aa3886b55bdf9",
"sha256": "5e1ba5cfea65070d578b5c4066ade73ef2fb204e7c76eec11f53b5e668c10716",
"type": "eql",
"version": 102
"version": 103
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
@@ -8032,9 +8144,9 @@
}
},
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "51c6165128b661d0b7b4468860289dc3c2cf78a66519095c032633694b43b920",
"sha256": "36c67e800be8302ecbf982f19c0e494ffe964aee0fc3baf29fd1afa774417819",
"type": "eql",
"version": 103
"version": 104
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
@@ -8186,6 +8298,13 @@
"type": "eql",
"version": 103
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "849a4dcdc7ed10fc67b23319b00c58b5b427c9d0dd3cf3ee4d36376fd0113b24",
"type": "eql",
"version": 1
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
"previous": {
@@ -8262,9 +8381,9 @@
}
},
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "620157c94e530a9b79fc01d1cd732c48c936128b4202327b17e814f1c502d364",
"sha256": "62986a0d012a2f8939557f466eeddabf8d18e9367ddf7e56410994b111951922",
"type": "eql",
"version": 103
"version": 104
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -8294,9 +8413,9 @@
}
},
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "6e831fce582191305c1d7d3da75c0f080265f7c68e86194ad2a7f6b5bc6e4bad",
"sha256": "2654446d80ef2b779cd83ced0386d0bdc6645a9a2dc1f911e685f8f24acc3da4",
"type": "eql",
"version": 102
"version": 103
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"min_stack_version": "8.3",
@@ -8346,6 +8465,13 @@
"type": "query",
"version": 102
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "d8762a09b111ab8d2d5bc112f617688c01e562accac5b39e1bfe57f21f27ce5b",
"type": "query",
"version": 1
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.3",
"previous": {
@@ -8406,9 +8532,9 @@
}
},
"rule_name": "Chkconfig Service Add",
"sha256": "8d327e0ae652be44e3e65d14ddd87454ab8620235a4e95a146e566464a1ac8e7",
"sha256": "5fe2855f41ece0e588106fa10d9b715b88d4eeb15462f31c5ed89713f209c7e4",
"type": "eql",
"version": 101
"version": 102
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"min_stack_version": "8.3",
@@ -8429,9 +8555,9 @@
}
},
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "7faeeba1773a6daa9dcb89c1f792a9cb0e2592573b0762edf7db14d9a6ec5b80",
"sha256": "e13749f4cdb81497eae4f10ea6d2793802e73ce6e5004edd85df0604f22f7566",
"type": "query",
"version": 103
"version": 104
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
@@ -8692,9 +8818,9 @@
}
},
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "438aa121c93519e469d9edc53809ec8126490a8c7983d8287dcb3a31f2a192ab",
"sha256": "eb53ced03a788f015585b601920f6f4a160c560a1c8f42301116264368e9fac8",
"type": "eql",
"version": 101
"version": 102
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
@@ -8964,9 +9090,9 @@
}
},
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "d880e73eb0f8381fffd43c6bdad0166536e7247a1ccf527249f2476e5bf71523",
"sha256": "7dedaa7b03a2a85bc6dbbb022e7738c95cec94842dd19477b6c07b5144b2080d",
"type": "eql",
"version": 101
"version": 102
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"min_stack_version": "8.3",
@@ -9153,9 +9279,9 @@
}
},
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "bbb3f5026d23f21f3f16d0ed4f0baa27be993fcf8ecbd9b8f22c9b9e3f05f53b",
"sha256": "066becab1c26c97bd8fb1dc87645602bc15b55ad4f6f86371afd0d1e6c568778",
"type": "eql",
"version": 102
"version": 103
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"min_stack_version": "8.3",
@@ -9169,9 +9295,9 @@
}
},
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f",
"sha256": "6595a2e7b8d1b846176e9f7d6996c5873a1fe31295c997b67ec785103dc9f80b",
"type": "machine_learning",
"version": 100
"version": 101
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"min_stack_version": "8.3",
@@ -9323,6 +9449,13 @@
"type": "query",
"version": 101
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "1cc2d330e553c3ab397bec687b77e75e3101dcfbf657b305c1c20d88b5ca9ac1",
"type": "eql",
"version": 1
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
@@ -9341,9 +9474,9 @@
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "62e87462fadee6fe66b6c85465f0e3ca7adbbbdd1d6fa0e41fb0a57728d1745d",
"sha256": "a9790f44b45077afb176ebe3305571572dd5c274941f43974b066cb6453eac90",
"type": "eql",
"version": 103
"version": 104
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
@@ -9527,9 +9660,9 @@
}
},
"rule_name": "Kernel Module Removal",
"sha256": "6cc9635dce995fdf627267bbb2abcd1fcb36561903af0b981a8a8b2a4762c7f6",
"sha256": "74ae325209e5dee6f744022775c8601cebb1e8075ba5537ebed3ef119e607160",
"type": "query",
"version": 101
"version": 102
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.3",
@@ -9563,6 +9696,13 @@
"type": "query",
"version": 102
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "4882ffe1a789ddbb6fd2c44b7ac04c3fcdf24ca190bbfa09b44470ace053894c",
"type": "query",
"version": 1
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
"previous": {
@@ -9637,16 +9777,16 @@
}
},
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "5fd5701587cdab72d657edfaccd7fe940fec90dd207cb6670a926ebf88271104",
"sha256": "a44f9bd49038a63d136be9404852920a70a42aae8c7f5b0223e6a641ef413307",
"type": "eql",
"version": 103
"version": 104
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "282d06a65647fe54f60f3db53a4e90e4ca1f35d991c8465fa27433f7a6d4bc0d",
"sha256": "66f1321b1b0a33f990c4bd6bf70232ffdad598ea0afc5ebd3e91039941ace72f",
"type": "eql",
"version": 2
"version": 3
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
@@ -9730,16 +9870,16 @@
}
},
"rule_name": "Clearing Windows Event Logs",
"sha256": "3cdb7a1338aa9523b76c57f85dc185771716dd8d027d1caa4417983fab2c72e1",
"sha256": "c48f60d424ad00e54cefd0f08adfad04c0f3a22152d5fd10d79f03997753ffb7",
"type": "eql",
"version": 103
"version": 104
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
"rule_name": "Remote Windows Service Installed",
"sha256": "bad7de839da9e8039e8ca5c03239d606ee947cec4daa12c23f502a690b8ddbd9",
"sha256": "a9eb42f20c02bcb8e8a5712956a7427413bcb4bd8f0fa5528e33c5473b727b68",
"type": "eql",
"version": 2
"version": 3
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
@@ -10013,9 +10153,9 @@
}
},
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "2cf5a9acb775dee9ad7c604ed07b8b591f1ecf553f8c29bbe7f9f6a70d9b47ab",
"sha256": "d56a342fd22b3e865309114f916f8232f2b2c7a5321d815c902ac0d8efb44649",
"type": "query",
"version": 101
"version": 102
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"min_stack_version": "8.3",
@@ -10065,6 +10205,13 @@
"type": "query",
"version": 100
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"min_stack_version": "8.3",
"rule_name": "Untrusted Driver Loaded",
"sha256": "5222c53fd532817cef9f5361d92def34c9f3610f7f996ebda9c4c4144cca7c7e",
"type": "eql",
"version": 1
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"min_stack_version": "8.3",
"previous": {
@@ -10097,12 +10244,19 @@
"type": "eql",
"version": 103
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "2036bddb6ac3673e597668fff2730069943ed87fb219f70eeda0cad4cb04b072",
"type": "eql",
"version": 1
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious service was installed in the system",
"sha256": "d3660213ffad98fa0d57973d893f138195a92c78b6ea390b05707081ca2da77b",
"sha256": "b4d8d2a21f873c3e9fd06f43deb9927cd58a464b52226ae29d59f17fb86df39b",
"type": "eql",
"version": 2
"version": 3
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
@@ -10126,6 +10280,13 @@
"type": "query",
"version": 104
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "0d002d9f5f60d202c3d56bf7331e4cf81f6bab516674186c19ec7c99a5c347b9",
"type": "eql",
"version": 1
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
"previous": {
@@ -10180,12 +10341,19 @@
"type": "machine_learning",
"version": 103
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "afeae3198689de2891bd62742d72ff581601370a24a44c278956fa63ed4c0ec8",
"type": "eql",
"version": 1
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "ddf86f713e01b7a42dfb4cbac2eabe95771dd00eb95e9272258e5eabed84b6f0",
"sha256": "e0cae89eb945a7df29dbc662628dcb9949fb367b716d67c5d13029a1c91d18c8",
"type": "eql",
"version": 2
"version": 3
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.3",
@@ -10231,9 +10399,9 @@
}
},
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "8f363bbd5a97faf23a2823c81078c304bbaa77645e263fa8622630d980a73fe5",
"sha256": "d2c6ef1a3c3d9ef10b9af4e2e4f506acb24747f56d96632f6a3d6928f0e9b213",
"type": "query",
"version": 101
"version": 102
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
@@ -10347,9 +10515,16 @@
}
},
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "4a5fff0627325f8c9a0c2f2d6e23358b50e1aa635e65b5e3d206e4ec625b73e3",
"sha256": "7d81ed7b8ba08b6415516abcf421f759a041a5cbbd051913a0401b3df605ae6d",
"type": "query",
"version": 101
"version": 102
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.3",
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "fa82f09915234a615f7dcd30b662ecdb799b937041d2403d2b644887a1d00f83",
"type": "eql",
"version": 1
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.3",
@@ -10458,10 +10633,10 @@
"version": 3
}
},
"rule_name": "Spike in Logon Events from a Source IP",
"sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f",
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "65eb48226070aeaf8ac4104367de86ca3a4f7e422547bd73f4bc25286bf6e2fc",
"type": "machine_learning",
"version": 100
"version": 101
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.3",
@@ -10495,6 +10670,13 @@
"type": "query",
"version": 104
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "a8733807013f83691ba2facd49013ba9c3709450dc7a813f8936285656d18086",
"type": "eql",
"version": 1
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
"previous": {
@@ -10603,9 +10785,9 @@
}
},
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "66b9ceb8d93427406d2d097accc4acf0f4c1d6ad76dcfc0d9c7a8d3489c35868",
"sha256": "82e3cd5c0d5b26c5fbdc4e4e0bc7f28017ef24f209db4309fb012b9e0d610aa6",
"type": "eql",
"version": 101
"version": 102
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.3",
@@ -10635,9 +10817,9 @@
}
},
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "a07da4943d2aaf8e54ebf90165c0967ee8b7c6f00176ccc5a7a174a0c335fb21",
"sha256": "93b7937727492cc72b68bf3b72232f58a29fdcb39cdb6bf548afc84d22da4d4c",
"type": "eql",
"version": 101
"version": 102
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.3",
@@ -10651,9 +10833,9 @@
}
},
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "1bbd28ed34614893af4f422de55b58962b7c6fcf2a5986a8cabead6a46da4d6b",
"sha256": "286706a0bad8c733061dfb173bc5dc13242f4b2b462061129819d507b33d69fe",
"type": "query",
"version": 103
"version": 104
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.4",
@@ -10815,9 +10997,9 @@
}
},
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "a570ca618c8c2c947839d258b7a7708e622375200ea16c2f9975c52392b8f91c",
"sha256": "e0279781cc294b6e98d639c8680925bd7a6b6a852c7c8f06c7b6ae9b2083ddfe",
"type": "eql",
"version": 101
"version": 102
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.3",
@@ -10835,6 +11017,13 @@
"type": "eql",
"version": 101
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "dc9f542719133b4db619437dcf9a91603b68950ee66166eb35dc92ac18ae0864",
"type": "eql",
"version": 1
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.3",
"previous": {
@@ -11019,9 +11208,9 @@
}
},
"rule_name": "Potential Disabling of SELinux",
"sha256": "92cb291d40a64cdf4134bffc69eda6c274d7e4d23cd7a5db74006b6bde75b548",
"sha256": "e471f2312e6728d6bee2568cc973617b69a6fcb36fa4293676d8ec82dc159e35",
"type": "query",
"version": 101
"version": 102
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
@@ -11224,9 +11413,9 @@
}
},
"rule_name": "BPF filter applied using TC",
"sha256": "27c2bf87022ca8599942fafab15bbcfb8e0c45cb1c4f6a0ec8a9473d593d6352",
"sha256": "9cf91201e94b653c02a269c75e3a748c05410aa62759345a3f1a8beb69692d9c",
"type": "eql",
"version": 101
"version": 102
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
@@ -11240,9 +11429,9 @@
}
},
"rule_name": "Whoami Process Activity",
"sha256": "59256cf0b2544c3b4aac5517c14738543bfec976b2ff3d83124c0328e48df8c4",
"sha256": "2207b7204e3ba643a52ae4e20343f56159d267050833c2c1f1d45ce9abd07da1",
"type": "eql",
"version": 103
"version": 104
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
@@ -11340,6 +11529,13 @@
"type": "query",
"version": 101
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "1a2ce130f9e8b773c7d97020fa3039a810ef71d16d18da31f8f66f7e75a99823",
"type": "query",
"version": 1
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"previous": {
@@ -11368,9 +11564,9 @@
}
},
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "09802de623888464e61fa36f71e514e2afda4617aba39a3aa441293963dfec0e",
"sha256": "e1e0aa11f0f4d8ca7ac2cc7d5eecdc8e4bde970d7fda2786102a70871f93066b",
"type": "eql",
"version": 101
"version": 102
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
@@ -11487,9 +11683,9 @@
}
},
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "2ed438689ec226d4ee5693d69db0e972c648d4f3aa0a4f727269734993893e68",
"sha256": "3071f41d3d0c0f76d09501b6937f2c5ab9c6753c8334b8816c5c095b1ecaa371",
"type": "query",
"version": 103
"version": 104
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
@@ -11680,12 +11876,19 @@
"type": "machine_learning",
"version": 100
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "745bb1be87344d9e00096579e5898b162f17b556d0bc96c27d3ed966f64bfdb4",
"type": "eql",
"version": 1
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "fd55d37e39f06e0295a19c28a056edf2a605a5e2c962f3bbaaad28bd1fd125a9",
"sha256": "486e9fa1036193d11bd1ce6163bbee2520d47b33eea727dded1b778761cd0d30",
"type": "eql",
"version": 2
"version": 3
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.3",
@@ -11719,6 +11922,13 @@
"type": "eql",
"version": 102
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "26561bac820e0bc77b73e91c53c594cbdae8bc790334a473ff1ffd87ec0798ab",
"type": "eql",
"version": 1
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"previous": {