diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index b1230729e..564a25ff2 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -27,9 +27,9 @@
 }
 },
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "f19012c14051bae97b3ec8e0c2b82ee4325142f29b82f38ff5bebe41342457e4",
+ "sha256": "c7de6d72863dec230757cef0a9c0f80712da9201bce2718b9eb941702f24f009",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "min_stack_version": "8.3",
@@ -178,9 +178,9 @@
 }
 },
 "rule_name": "Modification of OpenSSH Binaries",
- "sha256": "9c6c8085d85d10c9acfad0058cf824b42e944f3a526546007d5d3d0cd1611619",
+ "sha256": "edf609361691fa44e08b3afe6e228569a275b1bff6e9ca69f7a3fb310729dd30",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "min_stack_version": "8.3",
@@ -194,9 +194,9 @@
 }
 },
 "rule_name": "Potential DNS Tunneling via Iodine",
- "sha256": "da42562546a403904c8ab4d5f1bf64eb76d5933a509a3923c1133f73475ba559",
+ "sha256": "a30b95c76cade7d1f01c342b63a5051ca7528bdb217206cf8b76c407c473f70e",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "04c5a96f-19c5-44fd-9571-a0b033f9086f": {
 "min_stack_version": "8.3",
@@ -226,9 +226,9 @@
 }
 },
 "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
- "sha256": "8528138a2d42c4ef0f5c4052a6f4eb1e452a851f16de34d153d962ba1cd4b3cd",
+ "sha256": "8ce8763f9f55667594d84f07808bfda0b0ca589d23ecbeb1da05e826d9cc1b00",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "0564fb9d-90b9-4234-a411-82a546dc1343": {
 "min_stack_version": "8.3",
@@ -274,9 +274,9 @@
 }
 },
 "rule_name": "Interactive Terminal Spawned via Perl",
- "sha256": "0078a2280c39199096a1666696783c47e12ff57a914887aa283bb1feb53a4eda",
+ "sha256": "9c9aa184bc72371aa863d5d0a48f83bf4477ebf6234089901a882a32fdd3acfb",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "0635c542-1b96-4335-9b47-126582d2c19a": {
 "min_stack_version": "8.3",
@@ -290,9 +290,23 @@
 }
 },
 "rule_name": "Remote System Discovery Commands",
- "sha256": "14f8498cd9c3605264e7ba2a12f22b9587f55c134839a41c1cbb2b657d80c6d3",
+ "sha256": "f9e70b9e0214d46406d682c68451c0f9ffce855b4e35d134ad755183705c4a3c",
 "type": "eql",
- "version": 103
+ "version": 104
+ },
+ "06568a02-af29-4f20-929c-f3af281e41aa": {
+ "min_stack_version": "8.3",
+ "rule_name": "System Time Discovery",
+ "sha256": "429a27a6981584c96be32e6974d86e36dba692b2d143105550b49440ede3a73d",
+ "type": "eql",
+ "version": 1
+ },
+ "06a7a03c-c735-47a6-a313-51c354aef6c3": {
+ "min_stack_version": "8.3",
+ "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
+ "sha256": "fb870dd17fc26ca0bc9e05d1bf325d7f93f2316af9a235ddd7eac1623aaefca6",
+ "type": "eql",
+ "version": 1
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "min_stack_version": "8.3",
@@ -485,9 +499,9 @@
 }
 },
 "rule_name": "Anomalous Windows Process Creation",
- "sha256": "e56af9f20aeb3c799f9f604360002ecd00c37feb5a712e6ffd320b7248621010",
+ "sha256": "ecd52dd84866e0c10534c9c0544109928b9a309ad8cacf2ee3895c77ca1c268b",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
 "min_stack_version": "8.3",
@@ -501,9 +515,9 @@
 }
 },
 "rule_name": "User account exposed to Kerberoasting",
- "sha256": "db61615c674a3ce285700a7ca9c38689748cc60f7de2015c7c87809fb3916bc7",
+ "sha256": "d94d68f639f89d48b98e457aa9df22dd6053970c90cbde5705ca54e912486634",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
 "min_stack_version": "8.3",
@@ -572,9 +586,9 @@
 }
 },
 "rule_name": "Nping Process Activity",
- "sha256": "95be323eeaf86c2effc37f493654631497f6ba359a6e2eb9e9c461fbcb58fdcd",
+ "sha256": "60aa60bdedc8eaf31bd74cae64bf0407ef018d589ba6db35e3e2a72537ca046e",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
 "min_stack_version": "8.3",
@@ -821,6 +835,13 @@
 "type": "query",
 "version": 100
 },
+ "128468bf-cab1-4637-99ea-fdf3780a4609": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious Lsass Process Access",
+ "sha256": "3bf104a9b118c6ebece736db128eeebb8963fc95451a9a3e01e74cbacd8da1e8",
+ "type": "eql",
+ "version": 1
+ },
 "12a2f15d-597e-4334-88ff-38a02cb1330b": {
 "min_stack_version": "8.4",
 "previous": {
@@ -911,9 +932,9 @@
 }
 },
 "rule_name": "Rare User Logon",
- "sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00",
+ "sha256": "1d17bf03df5bf0b49cbb773de6fc227caca2d11937306974f43cd0138eeefb60",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "139c7458-566a-410c-a5cd-f80238d6a5cd": {
 "rule_name": "SQL Traffic to the Internet",
@@ -1004,9 +1025,9 @@
 }
 },
 "rule_name": "Scheduled Task Execution at Scale via GPO",
- "sha256": "d7a930666b4897f3e6ad4cae910ba7d91950f18ee7f501d9b51052e6c46f00c7",
+ "sha256": "cf03af67c80afdce88b0d90377426b870072a256c1c7df1a1beea891c3ebf5da",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "min_stack_version": "8.3",
@@ -1056,6 +1077,13 @@
 "type": "query",
 "version": 101
 },
+ "166727ab-6768-4e26-b80c-948b228ffc06": {
+ "min_stack_version": "8.3",
+ "rule_name": "File Creation Time Changed",
+ "sha256": "8679eb3e73de8b6787e36c5714238604b9bf5808daa4db90366c435106c87aeb",
+ "type": "eql",
+ "version": 1
+ },
 "16904215-2c95-4ac8-bf5c-12354e047192": {
 "min_stack_version": "8.3",
 "previous": {
@@ -1116,9 +1144,9 @@
 }
 },
 "rule_name": "Startup/Logon Script added to Group Policy Object",
- "sha256": "64a498b05a35861230579c6423cfa101e7722f72d4f10e9c15842d6d98a21772",
+ "sha256": "eea586935d79abcd6421d9aff5117f9ef42bee87a51a3ca973aad3f06312b11d",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "min_stack_version": "8.3",
@@ -1132,9 +1160,9 @@
 }
 },
 "rule_name": "Unusual Windows Username",
- "sha256": "8f1da2c97c296b4e212e5aacd5a608a1043a71c6de193a0568f82e09fc04cb6e",
+ "sha256": "bd033053790a1ba029730acd83253e02993b628b5a8e4fd81fbf14f83db9cc2f",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "min_stack_version": "8.3",
@@ -1369,9 +1397,9 @@
 "1c27fa22-7727-4dd3-81c0-de6da5555feb": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux SSH Brute Force Detected",
- "sha256": "39da680feee7ad38a8cee738d28975c62ada6344a4154b17e3c349b57c74a4b7",
+ "sha256": "3b9a570d671bdf42e09bde62959d75df45319e2c35851c9f4477f29a5453d8b1",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
 "min_stack_version": "8.3",
@@ -1385,9 +1413,9 @@
 }
 },
 "rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
- "sha256": "90b6e6f3757968c798b350aec14b7a9a3b4567f3917a518eab4a067d93bc8f92",
+ "sha256": "0632f4ba371145aa2b15a3655f4ecaecea2aeca4b27e04e67b46fb0241594edd",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
 "min_stack_version": "8.3",
@@ -1401,9 +1429,9 @@
 }
 },
 "rule_name": "Suspicious File Creation in /etc for Persistence",
- "sha256": "fd574c78325d2683a832f7b4b8df354b794166d3cf0d68721511a8b1df6772b5",
+ "sha256": "c6a71ae7553a24a31f3dec7ce83acf7b453825c65d6f062971c89280faf0bcf2",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "1c966416-60c1-436b-bfd0-e002fddbfd89": {
 "min_stack_version": "8.3",
@@ -1433,9 +1461,9 @@
 }
 },
 "rule_name": "Incoming Execution via WinRM Remote Shell",
- "sha256": "01259c36f97d276e0dfe2ed552945732d4f7c9730deb8bfa28fddc8aa693f4b6",
+ "sha256": "9abe3eeb36a2c0086b01100242b8fc7aded50c2fa641182c89e2260a7e541b1e",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "min_stack_version": "8.3",
@@ -1469,6 +1497,13 @@
 "type": "eql",
 "version": 103
 },
+ "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
+ "min_stack_version": "8.3",
+ "rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
+ "sha256": "e67c7801dc3b5bde8ca3b0e52b02b3aef364ef9c79715855203ded393a8b827e",
+ "type": "query",
+ "version": 1
+ },
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "min_stack_version": "8.3",
 "previous": {
@@ -1485,6 +1520,13 @@
 "type": "eql",
 "version": 101
 },
+ "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
+ "min_stack_version": "8.4",
+ "rule_name": "Suspicious Inter-Process Communication via Outlook",
+ "sha256": "a580bc9436a45328df8f9e7083af6f46f0300acf46eb47d93ec17922ba306eec",
+ "type": "eql",
+ "version": 1
+ },
 "1defdd62-cd8d-426e-a246-81a37751bb2b": {
 "min_stack_version": "8.3",
 "previous": {
@@ -1533,6 +1575,13 @@
 "type": "machine_learning",
 "version": 100
 },
+ "1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
+ "sha256": "c8a800a96f44d79b7b23ef582111b16903c957a8684ef2b857423b9366ab2349",
+ "type": "query",
+ "version": 1
+ },
 "1faec04b-d902-4f89-8aff-92cd9043c16f": {
 "min_stack_version": "8.3",
 "previous": {
@@ -1561,9 +1610,9 @@
 }
 },
 "rule_name": "Unusual Network Activity from a Windows System Binary",
- "sha256": "043fd214a5e74e23bcc4de915f6a875519278944ff560c9c81d82ff805167289",
+ "sha256": "3bf40800afe7ecea145fd48ab213a17e8167ee83e0cd90a00569c85396afcab8",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "min_stack_version": "8.3",
@@ -1657,9 +1706,9 @@
 }
 },
 "rule_name": "LSASS Memory Dump Handle Access",
- "sha256": "6692aea3904b62c7c555a43f6924b23132f4e04c32517510298d016cb7c673bc",
+ "sha256": "5fb1d97793624a75442f3067cc2280bf297eb591df40318a63f48f7857c03842",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "20dc4620-3b68-4269-8124-ca5091e00ea8": {
 "rule_name": "Auditd Max Login Sessions",
@@ -1686,9 +1735,9 @@
 }
 },
 "rule_name": "SSH Authorized Keys File Modification",
- "sha256": "f7a5c712a4469a66a6f138c749ceb8daeb01b6acceeccb4972e3b13332ede4d2",
+ "sha256": "a56037b84903d61f8b7a24676a0c69ecb2d97e68cb08598e81c94929cd49514a",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "22599847-5d13-48cb-8872-5796fee8692b": {
 "min_stack_version": "8.3",
@@ -1734,9 +1783,9 @@
 }
 },
 "rule_name": "Potential Shell via Web Server",
- "sha256": "4514b076f4ae9f9a5905f71bae0fe30bffd6a120c18e51e72580bb87a0a96a30",
+ "sha256": "97d5433074b220c0d3b27958c7fd2fd38c55cc3c57b590054c786fc9aa25e840",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
 "min_stack_version": "8.3",
@@ -1766,9 +1815,9 @@
 }
 },
 "rule_name": "Kernel module load via insmod",
- "sha256": "560deab9cf9e540b16155fd81c9b95e705bc60d3a0b877a66a7208b103c6eeeb",
+ "sha256": "5cab9c181aec10768926e2efcb755954c6e2d39e9c237bc8b9dad61df738cb2c",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "25224a80-5a4a-4b8a-991e-6ab390465c4f": {
 "min_stack_version": "8.3",
@@ -1885,9 +1934,9 @@
 }
 },
 "rule_name": "Incoming Execution via PowerShell Remoting",
- "sha256": "f205af382353a1fad072152a1d4207f2a6879ad7f1d85ad7eaf0fc9354a31ae2",
+ "sha256": "95983afba71232a0a0e6ab8d88e8206c05964364b48e00a86ba9f9783653f119",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2783d84f-5091-4d7d-9319-9fceda8fa71b": {
 "min_stack_version": "8.3",
@@ -1933,9 +1982,9 @@
 }
 },
 "rule_name": "Account Password Reset Remotely",
- "sha256": "4f368ca08309253b3eb4c2ee299b7e9a2ff1f704e42cff23c25d11536e8561c1",
+ "sha256": "b38e8457cc6ea7684e8e680670c148197fdfed4d3d75b911bf2449c7b543e0fd",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.3",
@@ -2035,9 +2084,9 @@
 }
 },
 "rule_name": "Enumeration of Privileged Local Groups Membership",
- "sha256": "47b528308d655d9a40ebf1c7faaa183193cc2911f418dfca1c1a10cfe13cdcfc",
+ "sha256": "aea4e63d5946a488ca0c3c8c09c71de573dcf51f67a37b015d3f19396e72c667",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
 "min_stack_version": "8.4",
@@ -2122,9 +2171,9 @@
 }
 },
 "rule_name": "Enumeration of Kernel Modules",
- "sha256": "22b03287ec583dc4b58992a5292c592a3d4b32cdc92036f8e67c9dca6565d163",
+ "sha256": "2db9fac7d1791b3b92114daa5a8c4092e66fc044c3c8d79dd930d1078f1d9b7a",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "min_stack_version": "8.3",
@@ -2273,9 +2322,9 @@
 }
 },
 "rule_name": "Attempt to Disable Syslog Service",
- "sha256": "e65f2bc49d0ad4f48d814b50ee066ea12b93e1776a29720fcf0740865d58d560",
+ "sha256": "c091f579cf50b81ad35a919ce791b19235c25103b2805163478be58d919586ab",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
 "min_stack_version": "8.3",
@@ -2590,9 +2639,9 @@
 }
 },
 "rule_name": "Process Started from Process ID (PID) File",
- "sha256": "33f6b875baae098995aaf796af0d3f2d526e52ea81fbfaea897bf5ea92c1b100",
+ "sha256": "e59144c7f7f00aa2bc71f86283209350b86adbf2811b719d29f84431c70dfb43",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.3",
@@ -2917,6 +2966,13 @@
 "type": "query",
 "version": 104
 },
+ "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
+ "sha256": "2ca249687674bcc11d0c257edb9c9b0b02dc5d81e5cc9b04dda796156ad5f10b",
+ "type": "eql",
+ "version": 1
+ },
 "3e3d15c6-1509-479a-b125-21718372157e": {
 "min_stack_version": "8.3",
 "previous": {
@@ -3009,9 +3065,9 @@
 }
 },
 "rule_name": "Binary Executed from Shared Memory Directory",
- "sha256": "8b929648cfb7d78b3a120a4f301a77f449cb973bfe1a9c27f06181ed69f7166a",
+ "sha256": "ac945f3d31e112933dedfaa1b80add45db8907ec5437f92ad2901de01a6aa986",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.3",
@@ -3096,9 +3152,9 @@
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.3",
 "rule_name": "Process Creation via Secondary Logon",
- "sha256": "052d5a9f9406a1f40d7f42883351dbe850f4516a045258094c2329d751a43be5",
+ "sha256": "331d4983cfe1f7e04d6f4301d9b745a70196e51245a64a0af2218b0723342dda",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "min_stack_version": "8.3",
@@ -3160,16 +3216,16 @@
 }
 },
 "rule_name": "Unusual Windows Path Activity",
- "sha256": "96e95f6a002908e770ee8dc9e06b3f4955d02ace7a630a562d77630e0f51b2f7",
+ "sha256": "e05711b976cd84d5d5d9cd0e19eec120be46afe57e895f2eef2a5fcda8a2dc92",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Vault Web Credentials Read",
- "sha256": "01c2d67560189623c292b168be7435d48a38318feb338e35bfc1854ecb950346",
+ "sha256": "892bf5ebff22903ba929949a6fe05131b9cb4017ae9c75db456b46a54620296f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "min_stack_version": "8.3",
@@ -3199,9 +3255,9 @@
 }
 },
 "rule_name": "Windows Event Logs Cleared",
- "sha256": "10626d753b4eff838e90b212ec77c6670f7cd47eeede6ac704face10fd5bf4d7",
+ "sha256": "4fe0e5f5f2bd8b0e5cf07843397002cb2d43d6fc7e92609a9b97e474c01984c4",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.3",
@@ -3215,9 +3271,9 @@
 }
 },
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "b37a7206844162a0d22b4306477a385bd3b9232f2f33434163d4ad93c827260e",
+ "sha256": "09f390313b2d381ab331407c8fbb29ae79f0f854b3c432c8c40eff8c2d423963",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.3",
@@ -3270,9 +3326,9 @@
 }
 },
 "rule_name": "Unusual Process For a Linux Host",
- "sha256": "dd683127f834182f5df0f60d7a3e94dc4e45b4c40f7852a7e4bd07f9bd32c77a",
+ "sha256": "60b84bf0d5b85a9282036208761447a6c8579f766a3ed3611f8cb70b1eb62e38",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.3",
@@ -3286,9 +3342,9 @@
 }
 },
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "4580fa6e639f76df7d490f941e5046bb7e8515e2da02aab4835d5dc59fba7f56",
+ "sha256": "d6a9bcfaddb37f31b3411499f1c2870454642246efb1bca00035e71122ae4794",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -3331,9 +3387,9 @@
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure from the same Source Address",
- "sha256": "db40bc83f15ca46413d2e2a28895c8e182be5e1915dbb23757ee962f4b5f93c5",
+ "sha256": "77015417c3fac6ad21989399018c0c76fcace6e411a060d3c9068be88fc3f132",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "48d7f54d-c29e-4430-93a9-9db6b5892270": {
 "min_stack_version": "8.3",
@@ -3498,16 +3554,16 @@
 }
 },
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "601d99c47256f14bb93a96523ea4ce04d64d54e9bf07d5e52470688c40b2be00",
+ "sha256": "ee14442f4b0990c333bb6b4853b0ff7580cd17651a7deec9f9e8a985706c7b02",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure Followed by Logon Success",
- "sha256": "6eec5b895f96299f32ce5a547b7554f3387e9847f925b55db9da6ae5dd29712f",
+ "sha256": "f47402604158d70428f9aeb696e1d32e9790a74562d8e1162c9962bc49ac3c11",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.3",
@@ -3664,10 +3720,10 @@
 "version": 4
 }
 },
- "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "7030623ff8ed02e7b897ef7ef3b699bea67e8ba26933109df011dfd79d4ba57c",
+ "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
+ "sha256": "28c3127fec34a57bc9845f5891e14e3b9feaa8b5d8972c0bcb3e18f30af543ab",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "min_stack_version": "8.3",
@@ -3681,9 +3737,9 @@
 }
 },
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "a16976984526b0efb4f810dce465854718dbce285eb527269af3546e03d291db",
+ "sha256": "8e2bf5b5d340583fec1eaa51e7e79a91ebde05866d3b9245b962a146c72a50c2",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "min_stack_version": "8.3",
@@ -3835,9 +3891,9 @@
 }
 },
 "rule_name": "Windows Service Installed via an Unusual Client",
- "sha256": "cbd75271ff293520f527248177c43524f79dd2cbf3d0203a274805532927a8af",
+ "sha256": "ff13912139a4517ac291b4354e73bd334e700e375cf2a90024683940872664bf",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "min_stack_version": "8.3",
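Review bot: In the hunk `@@ -3664,10 +3720,10 @@` the `rule_name` line for "Linux Restricted Shell Breakout via Linux Binary(s)" is removed and re-added with text that looks identical, so the real change is presumably whitespace or a non-printing character inside the rule's name rather than a wording change. A lock entry that changes on an invisible character is hard to review and can split anything that is keyed on the rule name, so it is worth confirming the source rule's name does not contain a stray character before this lock is accepted. The rule file the entry refers to is outside this diff, so I cannot tell which of the two spellings is intended.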
@@ -4187,9 +4243,9 @@
 }
 },
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "406c63c241969aec0d4903a96fdfee40068bd8ba9eeff7e28dd19054e77ccb74",
+ "sha256": "8fcd82a081b3f9c1fd3218750a2061ec58843a983aaf156b7a5ef7c0bdceb9ec",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
 "min_stack_version": "8.3",
@@ -4223,6 +4279,13 @@
 "type": "query",
 "version": 101
 },
+ "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
+ "min_stack_version": "8.4",
+ "rule_name": "FirstTime Seen Account Performing DCSync",
+ "sha256": "2622829873c0dad57043933fc2de320cd5353690328a12142331f357e7721482",
+ "type": "new_terms",
+ "version": 1
+ },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "min_stack_version": "8.3",
 "previous": {
@@ -4267,9 +4330,9 @@
 }
 },
 "rule_name": "User Added to Privileged Group",
- "sha256": "72cf570c5e08d6e35939e770e5346b5ded9f7f6c44b25695126e2871c24bc330",
+ "sha256": "85fbc6f2d51ab05dd8812e4911c0e7c523c319ffee128cc6850f669f250c4b83",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
 "min_stack_version": "8.3",
@@ -4440,9 +4503,9 @@
 }
 },
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "40e4e50e213f12414a720dbad1084ac9c5c66f7327c57db4a0983cd0f76293aa",
+ "sha256": "edc406d29a3c64903dc3af00d0a52f40129e13634f06d56b6fe7508e0f3540e6",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -4462,9 +4525,9 @@
 }
 },
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "6e4e3620fed8f9ea0448c296c02aa8ae04d544da84785fc04054bf8607a3f582",
+ "sha256": "65f399bf70c38dfce92e0bbc0b4e676429e70705e1008e716aec59948173fd7e",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "min_stack_version": "8.3",
@@ -4494,9 +4557,9 @@
 }
 },
 "rule_name": "Account Configured with Never-Expiring Password",
- "sha256": "f328cea65c10625168e096a7e5c8e93cdd31f422cca5d98369d950159018d39e",
+ "sha256": "6a468dd1a8358f22163af0d81fd0affdf1b87e6c3ffed81ac4a7861b8f58261f",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "min_stack_version": "8.4",
@@ -4547,9 +4610,9 @@
 }
 },
 "rule_name": "Anomalous Process For a Linux Population",
- "sha256": "58ad6b8312fa08066d30ca38f7178f10d0af84bc3348a306635a0d5693e495fb",
+ "sha256": "f4141ba07edb7c3d404fd06b4c4c7b7d6f3df17fb2b4a3f0e07814919b212115",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "min_stack_version": "8.3",
@@ -4663,9 +4726,9 @@
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of the msPKIAccountCredentials",
- "sha256": "73d4b5395efb686a194e3ddb89c49017e043c35ba64ca0a14bfa70c12ee0954f",
+ "sha256": "7c6d8a037c2fea4f8738fa66454a76bd68f83d96e24403e5f98e4e7b4b229b53",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "min_stack_version": "8.3",
@@ -4733,9 +4796,9 @@
 }
 },
 "rule_name": "High Number of Process Terminations",
- "sha256": "639238e9ffd3ee7e008b5f02e37b7ccbf46d4422ab31c96c38fbd007b5aedbed",
+ "sha256": "10da0992fd7a09eeb512f86ad67c1f1c2c97f6ed4830246652f0e25f7b708362",
 "type": "threshold",
- "version": 103
+ "version": 104
 },
 "68113fdc-3105-4cdd-85bb-e643c416ef0b": {
 "rule_name": "Query Registry via reg.exe",
@@ -4984,9 +5047,9 @@
 }
 },
 "rule_name": "Sensitive Files Compression",
- "sha256": "fee59fe99d0d07ff31585fb6fd902e2345ca5effd3f73a26bc436917b51c6f95",
+ "sha256": "485d9790253ec193714681048f7c37837597f54d18a3a25b90287c1e5c556539",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
 "min_stack_version": "8.3",
@@ -5000,9 +5063,9 @@
 }
 },
 "rule_name": "Remote Computer Account DnsHostName Update",
- "sha256": "a17f13296f2d3df813973ae7fc885584d1eed5ef45a4d7dd26ddeec6ce3a8524",
+ "sha256": "22ef56a16f21d022a7426745003d5a097a4762abc7b89536c3e08a284f1b3434",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "6cd1779c-560f-4b68-a8f1-11009b27fe63": {
 "min_stack_version": "8.3",
@@ -5032,9 +5095,9 @@
 }
 },
 "rule_name": "Unusual Process For a Windows Host",
- "sha256": "791ab8700a52039f24e5816979494fbae818c52ba20be375d733e9fa730af444",
+ "sha256": "548f0645083a7ffa45c063a362c867656de7a3b9a6337c0ebe535c2c47e0f0d4",
 "type": "machine_learning",
- "version": 102
+ "version": 103
 },
 "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
 "min_stack_version": "8.3",
@@ -5048,9 +5111,9 @@
 }
 },
 "rule_name": "Anomalous Process For a Windows Population",
- "sha256": "0f387df0bf637f8a7cdcac7e35c402a5c25cab0df5667d31c4ed069e209e0acc",
+ "sha256": "6590429ef4dd0c7c03651a26da378c7469bc7432237ebb389604cec9c899cb93",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "6e9130a5-9be6-48e5-943a-9628bfc74b18": {
 "min_stack_version": "8.3",
@@ -5064,9 +5127,9 @@
 }
 },
 "rule_name": "AdminSDHolder Backdoor",
- "sha256": "823a60f4eff0a08a07f0b7b587d0bdc4c9ba0ed9937b83d090f7cb54af71c584",
+ "sha256": "46b146a76ebdf8357eb7d63b912b9acfea4c6b0bdcb6ca6c7689843578706712",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
 "min_stack_version": "8.3",
@@ -5247,9 +5310,9 @@
 }
 },
 "rule_name": "Modification of Dynamic Linker Preload Shared Object",
- "sha256": "41ea9f156324eea554574fff4f47cb2f85787cfbd528d003c4edf70727d46273",
+ "sha256": "b73947946bbb78df5d00587ef4fbaff9fd3285067f053dac2c6bb15183eea53b",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "71bccb61-e19b-452f-b104-79a60e546a95": {
 "min_stack_version": "8.3",
@@ -5263,9 +5326,9 @@
 }
 },
 "rule_name": "Unusual File Creation - Alternate Data Stream",
- "sha256": "ed682581d7ce837ffeb2bb1be122fb8a8e0920720f15a954b568698df0fba347",
+ "sha256": "c38e3b065ba4c165164034a882010132d7780e019fbba43e93a1e9c35bfd4122",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "71c5cb27-eca5-4151-bb47-64bc3f883270": {
 "min_stack_version": "8.3",
@@ -5365,9 +5428,9 @@
 }
 },
 "rule_name": "Unusual Hour for a User to Logon",
- "sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07",
+ "sha256": "ce205d617ff2774aa7ff81d968f2e10d57aad9adb9237907f115f14874df8d75",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "746edc4c-c54c-49c6-97a1-651223819448": {
 "min_stack_version": "8.3",
@@ -5443,9 +5506,9 @@
 "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
 "min_stack_version": "8.3",
 "rule_name": "Access to a Sensitive LDAP Attribute",
- "sha256": "b740d503c95c58aeba713bc41e42f568aac13a10168ddde244b4f1fd24e48d82",
+ "sha256": "9d019640feccf23d7830a68debfa05f46666627c6634b65ee162a2cc46a97386",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "766d3f91-3f12-448c-b65f-20123e9e9e8c": {
 "min_stack_version": "8.3",
@@ -5459,9 +5522,9 @@
 }
 },
 "rule_name": "Creation of Hidden Shared Object File",
- "sha256": "9315850612e1d358cb5968a2fb3eefae569db6be399418ffb5a3b90436cc6318",
+ "sha256": "a9e20813e5d1de790f3e9cca4af57e618f1b786930e24bc5d8048ab405369c89",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "76ddb638-abf7-42d5-be22-4a70b0bf7241": {
 "min_stack_version": "8.3",
@@ -5605,6 +5668,13 @@
 "type": "machine_learning",
 "version": 103
 },
+ "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
+ "min_stack_version": "8.4",
+ "rule_name": "Unsigned DLL Loaded by Svchost",
+ "sha256": "8ee5bb828dd71d53f8bf888f8b7e4c68814737b16fdda8ed8a0da80ff662dc56",
+ "type": "eql",
+ "version": 1
+ },
 "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
 "min_stack_version": "8.3",
 "previous": {
@@ -5621,6 +5691,13 @@
 "type": "query",
 "version": 102
 },
+ "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Exfiltration via Certreq",
+ "sha256": "4b89688d571d43de20d56f466b059ca7105f787fe643cf8959712316521f8b6d",
+ "type": "eql",
+ "version": 1
+ },
 "79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
 "min_stack_version": "8.3",
 "previous": {
@@ -5633,9 +5710,9 @@
 }
 },
 "rule_name": "Potential Shadow Credentials added to AD Object",
- "sha256": "64806f347838c3a33b49368f7d967eb7d3aecbf621422c687f39c639b19a856c",
+ "sha256": "21a3a459a30be294fd89ec9db6c1512d90e034a7d23d7cd287275caed77c41e0",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
@@ -5840,9 +5917,9 @@
 "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
 "min_stack_version": "8.3",
 "rule_name": "Temporarily Scheduled Task Creation",
- "sha256": "fd5ab0ae7cb653cd05d3107277504f88d6ebadc8fec6a461410a5a5600eef57a",
+ "sha256": "5fc7c71c51b4631d1dc4631bb13b9e92135cc98e2a9be2b242b2ed3705be47f8",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
 "min_stack_version": "8.3",
@@ -5910,9 +5987,9 @@
 }
 },
 "rule_name": "Potential Remote Credential Access via Registry",
- "sha256": "12ad8300187f8f8f5a9836c103f88114fd217d0c28e14c7400a7287e0e664e4b",
+ "sha256": "5d3f6f0111eade36e60550698a809efaeb5b47f6eb8f7163ed84ab7f0423f89a",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "852c1f19-68e8-43a6-9dce-340771fe1be3": {
 "min_stack_version": "8.3",
@@ -6006,9 +6083,9 @@
 }
 },
 "rule_name": "Enumeration of Administrator Accounts",
- "sha256": "f0439ce3410d09e36cfe5bea67ac81cbd854b04fe0638e1389b43253b80919c3",
+ "sha256": "b7ada289ffd8554cdf8b23ca57e5f2ca9e9aa9103d4a110e31af57575e5c5b70",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "87594192-4539-4bc4-8543-23bc3d5bd2b4": {
 "min_stack_version": "8.3",
@@ -6320,9 +6397,9 @@
 "8cb84371-d053-4f4f-bce0-c74990e28f28": {
 "min_stack_version": "8.3",
 "rule_name": "Potential SSH Password Guessing",
- "sha256": "f3072b10eb99e14482d38788bec66c31017c460362ce56b950f8364b00fa3026",
+ "sha256": "ab2fdb97f0e3e218efcf7558e6be6f7de344c7044b4fcdb37640cc4b07e3e6e4",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
 "min_stack_version": "8.3",
@@ -6336,9 +6413,9 @@
 }
 },
 "rule_name": "Potential Privilege Escalation via PKEXEC",
- "sha256": "59e68c56d5fc6ad0c04dc18a23f9dcb28d139880b1bf811883a2d3bb10333665",
+ "sha256": "b604023e3d065e0815826dcb5b2e26722031fba689549e9a44473126e9322e8d",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "min_stack_version": "8.3",
@@ -6422,9 +6499,9 @@
 }
 },
 "rule_name": "Hping Process Activity",
- "sha256": "ae8e750b52b2b170b9b595bfec9a99d5e74d8c48eca1662c7e2363cf99744d40",
+ "sha256": "fbad45adf472ed976562d80120474678abe7b304e20dc16c9d04e2911b0e13db",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "min_stack_version": "8.3",
@@ -6544,12 +6621,19 @@
 "type": "machine_learning",
 "version": 100
 },
+ "92984446-aefb-4d5e-ad12-598042ca80ba": {
+ "min_stack_version": "8.3",
+ "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
+ "sha256": "f8d38de1aa8a043f4253a6d31e673233fa1b612409392ffa5dca683eff3e86ee",
+ "type": "query",
+ "version": 1
+ },
 "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
 "min_stack_version": "8.3",
 "rule_name": "A scheduled task was created",
- "sha256": "81c3b09aa79394e3f8c0d5a43f43d06e82f1334a2bac6d7a821a263a0a8623ba",
+ "sha256": "1e60cbeb1a3e3eddcdb21edb4ee9bbe48d9ffbfeacd965a0d0845c9afcffccfd",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "93075852-b0f5-4b8b-89c3-a226efae5726": {
 "min_stack_version": "8.3",
@@ -6677,6 +6761,13 @@
 "type": "query",
 "version": 101
 },
+ "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
+ "min_stack_version": "8.3",
+ "rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
+ "sha256": "c8e23a5fc8492bd2b0de1300b69d8a2df6b46ff4ee37fbc94652738d5bef0fcc",
+ "type": "eql",
+ "version": 1
+ },
 "9510add4-3392-11ed-bd01-f661ea17fbce": {
 "min_stack_version": "8.4",
 "previous": {
@@ -6737,9 +6828,9 @@
 }
 },
 "rule_name": "File made Immutable by Chattr",
- "sha256": "24ee320fcd777929a2e5be22e8b6bb6a925eaa230669693b1b271f05c62b36f2",
+ "sha256": "810afaffb5ad2f3afff2f79b2da017a4e05e79bb3b407ad1d2405484dc3fa732",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "min_stack_version": "8.3",
@@ -7003,9 +7094,9 @@
 }
 },
 "rule_name": "Spike in Failed Logon Events",
- "sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196",
+ "sha256": "db82d4e4446fe54e603f48ad06a6e42b1ab4251700d7fd06afb3dcc0db3c7776",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
 "min_stack_version": "8.3",
@@ -7104,9 +7195,9 @@
 "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
 "min_stack_version": "8.3",
 "rule_name": "Remote Logon followed by Scheduled Task Creation",
- "sha256": "3f358925fb1d6175f876ca1d4cad49e8c5cf468acb9dc145c3f137b1c8614bd8",
+ "sha256": "bf21a84716a434390b5db52758a95fd3d418bd777913683c47b053b0efef9ca7",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
 "min_stack_version": "8.3",
@@ -7120,9 +7211,9 @@
 }
 },
 "rule_name": "Command Shell Activity Started via RunDLL32",
- "sha256": "d10741a1a3c783a25a2bf1bd6869553db40b735bce0e289de9cb0ab6cb8bdf56",
+ "sha256": "6136c283900e035f1a91b7ac2025a8a1f20eeaa65e52bde601f0752b3bac52b3",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -7286,9 +7377,9 @@ } }, "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "dc2785bae701f3db2068ccfb0d9028dda6ef433d33320a42a115a42336a0f54b", + "sha256": "02d1ec11f7fbab5ed2c9fd914b0c77fcefd5bb508600f8056e96dbb928107e23", "type": "eql", - "version": 101 + "version": 102 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", @@ -7302,9 +7393,9 @@ } }, "rule_name": "Potential Credential Access via DCSync", - "sha256": "262e2f1b79195159ea878ea195be2cd996c36a56d8a22a540290756ccb0eb873", + "sha256": "9d21d071f93ffd899250d9bf1aaea08e51be063cbb580ca989375fc819f15d29", "type": "eql", - "version": 103 + "version": 104 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "min_stack_version": "8.3", @@ -7341,9 +7432,9 @@ "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", - "sha256": "ce882bbfb1d9c40e848cd45e39dbf0045e84ebb64af21331dd4b1ebae249347e", + "sha256": "2cfda45048e8471208372b3cffd610238002b437d8fe1c50df724f183f467308", "type": "eql", - "version": 3 + "version": 4 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", @@ -7389,9 +7480,9 @@ } }, "rule_name": "File Deletion via Shred", - "sha256": "91778159aa6189ce86a7237ebb39890b7343661c5348e2506db78d5692582242", + "sha256": "314a5884f22a3359a26baf905f1aeaa5f763eee3cb05fac489b4db201773368b", "type": "query", - "version": 101 + "version": 102 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", @@ -7409,6 +7500,13 @@ "type": "eql", "version": 102 }, + "a1699af0-8e1e-4ed0-8ec1-89783538a061": { + "min_stack_version": "8.3", + "rule_name": "Windows Subsystem for Linux Distribution Installed", + "sha256": "7a48c53fa6de261c1f453cc9b79bbb19fa40e19fc49b2032e970f4568f99e064", + "type": "eql", + "version": 1 + }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "min_stack_version": "8.3", "previous": { 
@@ -7425,6 +7523,13 @@ "type": "query", "version": 102 }, + "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { + "min_stack_version": "8.7", + "rule_name": "My First Rule", + "sha256": "35074e5f08c9198dd631dcce1d0c399686563f2286461207a2ea71b194f859df", + "type": "threshold", + "version": 1 + }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", "previous": { @@ -7473,6 +7578,13 @@ "type": "query", "version": 104 }, + "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { + "min_stack_version": "8.3", + "rule_name": "PowerShell Mailbox Collection Script", + "sha256": "9fff2ce0dfd6c5e4048c9ab12cc0fe9fbf3f2d2e2fc95f656fbe0d1c8ea50553", + "type": "query", + "version": 1 + }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", "previous": { @@ -7514,9 +7626,9 @@ "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", - "sha256": "8a396165e99be43114ae40eb1174151552a1821df4e8635e0a4012c01574ecc6", + "sha256": "1d6b98e58965800afb3a94671902ad93f24ff2462f7521ef443285d49ab1e77e", "type": "eql", - "version": 2 + "version": 3 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "min_stack_version": "8.3", @@ -7562,9 +7674,9 @@ } }, "rule_name": "Suspicious MS Office Child Process", - "sha256": "c2ada3a9efccb20c8ad7863b140f2f2e756b3c87ff6a109436f549f1782a7b97", + "sha256": "53655eed69c04e50c9f00f9535ccb05aa546a53781f86c71ea28038364774f08", "type": "eql", - "version": 103 + "version": 104 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", @@ -7742,9 +7854,9 @@ } }, "rule_name": "System Log File Deletion", - "sha256": "e957af32272cbe8f63a9f16b0d4539f8c3015cbf87e63c4ee97aa3886b55bdf9", + "sha256": "5e1ba5cfea65070d578b5c4066ade73ef2fb204e7c76eec11f53b5e668c10716", "type": "eql", - "version": 102 + "version": 103 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", 
@@ -8032,9 +8144,9 @@ } }, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "51c6165128b661d0b7b4468860289dc3c2cf78a66519095c032633694b43b920", + "sha256": "36c67e800be8302ecbf982f19c0e494ffe964aee0fc3baf29fd1afa774417819", "type": "eql", - "version": 103 + "version": 104 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", @@ -8186,6 +8298,13 @@ "type": "eql", "version": 103 }, + "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { + "min_stack_version": "8.3", + "rule_name": "Code Signing Policy Modification Through Built-in tools", + "sha256": "849a4dcdc7ed10fc67b23319b00c58b5b427c9d0dd3cf3ee4d36376fd0113b24", + "type": "eql", + "version": 1 + }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "min_stack_version": "8.3", "previous": { @@ -8262,9 +8381,9 @@ } }, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "620157c94e530a9b79fc01d1cd732c48c936128b4202327b17e814f1c502d364", + "sha256": "62986a0d012a2f8939557f466eeddabf8d18e9367ddf7e56410994b111951922", "type": "eql", - "version": 103 + "version": 104 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", @@ -8294,9 +8413,9 @@ } }, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "6e831fce582191305c1d7d3da75c0f080265f7c68e86194ad2a7f6b5bc6e4bad", + "sha256": "2654446d80ef2b779cd83ced0386d0bdc6645a9a2dc1f911e685f8f24acc3da4", "type": "eql", - "version": 102 + "version": 103 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "min_stack_version": "8.3", @@ -8346,6 +8465,13 @@ "type": "query", "version": 102 }, + "b8386923-b02c-4b94-986a-d223d9b01f88": { + "min_stack_version": "8.3", + "rule_name": "PowerShell Invoke-NinjaCopy script", + "sha256": "d8762a09b111ab8d2d5bc112f617688c01e562accac5b39e1bfe57f21f27ce5b", + "type": "query", + "version": 1 + }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.3", "previous": { 
@@ -8406,9 +8532,9 @@ } }, "rule_name": "Chkconfig Service Add", - "sha256": "8d327e0ae652be44e3e65d14ddd87454ab8620235a4e95a146e566464a1ac8e7", + "sha256": "5fe2855f41ece0e588106fa10d9b715b88d4eeb15462f31c5ed89713f209c7e4", "type": "eql", - "version": 101 + "version": 102 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "min_stack_version": "8.3", @@ -8429,9 +8555,9 @@ } }, "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "7faeeba1773a6daa9dcb89c1f792a9cb0e2592573b0762edf7db14d9a6ec5b80", + "sha256": "e13749f4cdb81497eae4f10ea6d2793802e73ce6e5004edd85df0604f22f7566", "type": "query", - "version": 103 + "version": 104 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", @@ -8692,9 +8818,9 @@ } }, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "438aa121c93519e469d9edc53809ec8126490a8c7983d8287dcb3a31f2a192ab", + "sha256": "eb53ced03a788f015585b601920f6f4a160c560a1c8f42301116264368e9fac8", "type": "eql", - "version": 101 + "version": 102 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", @@ -8964,9 +9090,9 @@ } }, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "d880e73eb0f8381fffd43c6bdad0166536e7247a1ccf527249f2476e5bf71523", + "sha256": "7dedaa7b03a2a85bc6dbbb022e7738c95cec94842dd19477b6c07b5144b2080d", "type": "eql", - "version": 101 + "version": 102 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "min_stack_version": "8.3", @@ -9153,9 +9279,9 @@ } }, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "bbb3f5026d23f21f3f16d0ed4f0baa27be993fcf8ecbd9b8f22c9b9e3f05f53b", + "sha256": "066becab1c26c97bd8fb1dc87645602bc15b55ad4f6f86371afd0d1e6c568778", "type": "eql", - "version": 102 + "version": 103 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", 
@@ -9169,9 +9295,9 @@ } }, "rule_name": "Spike in Network Traffic To a Country", - "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", + "sha256": "6595a2e7b8d1b846176e9f7d6996c5873a1fe31295c997b67ec785103dc9f80b", "type": "machine_learning", - "version": 100 + "version": 101 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "min_stack_version": "8.3", @@ -9323,6 +9449,13 @@ "type": "query", "version": 101 }, + "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { + "min_stack_version": "8.4", + "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", + "sha256": "1cc2d330e553c3ab397bec687b77e75e3101dcfbf657b305c1c20d88b5ca9ac1", + "type": "eql", + "version": 1 + }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", @@ -9341,9 +9474,9 @@ } }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "62e87462fadee6fe66b6c85465f0e3ca7adbbbdd1d6fa0e41fb0a57728d1745d", + "sha256": "a9790f44b45077afb176ebe3305571572dd5c274941f43974b066cb6453eac90", "type": "eql", - "version": 103 + "version": 104 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", @@ -9527,9 +9660,9 @@ } }, "rule_name": "Kernel Module Removal", - "sha256": "6cc9635dce995fdf627267bbb2abcd1fcb36561903af0b981a8a8b2a4762c7f6", + "sha256": "74ae325209e5dee6f744022775c8601cebb1e8075ba5537ebed3ef119e607160", "type": "query", - "version": 101 + "version": 102 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.3", @@ -9563,6 +9696,13 @@ "type": "query", "version": 102 }, + "cde1bafa-9f01-4f43-a872-605b678968b0": { + "min_stack_version": "8.3", + "rule_name": "Potential PowerShell HackTool Script by Function Names", + "sha256": "4882ffe1a789ddbb6fd2c44b7ac04c3fcdf24ca190bbfa09b44470ace053894c", + "type": "query", + "version": 1 + }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", "previous": { 
@@ -9637,16 +9777,16 @@ } }, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "5fd5701587cdab72d657edfaccd7fe940fec90dd207cb6670a926ebf88271104", + "sha256": "a44f9bd49038a63d136be9404852920a70a42aae8c7f5b0223e6a641ef413307", "type": "eql", - "version": 103 + "version": 104 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "282d06a65647fe54f60f3db53a4e90e4ca1f35d991c8465fa27433f7a6d4bc0d", + "sha256": "66f1321b1b0a33f990c4bd6bf70232ffdad598ea0afc5ebd3e91039941ace72f", "type": "eql", - "version": 2 + "version": 3 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.3", @@ -9730,16 +9870,16 @@ } }, "rule_name": "Clearing Windows Event Logs", - "sha256": "3cdb7a1338aa9523b76c57f85dc185771716dd8d027d1caa4417983fab2c72e1", + "sha256": "c48f60d424ad00e54cefd0f08adfad04c0f3a22152d5fd10d79f03997753ffb7", "type": "eql", - "version": 103 + "version": 104 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "min_stack_version": "8.3", "rule_name": "Remote Windows Service Installed", - "sha256": "bad7de839da9e8039e8ca5c03239d606ee947cec4daa12c23f502a690b8ddbd9", + "sha256": "a9eb42f20c02bcb8e8a5712956a7427413bcb4bd8f0fa5528e33c5473b727b68", "type": "eql", - "version": 2 + "version": 3 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", @@ -10013,9 +10153,9 @@ } }, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "2cf5a9acb775dee9ad7c604ed07b8b591f1ecf553f8c29bbe7f9f6a70d9b47ab", + "sha256": "d56a342fd22b3e865309114f916f8232f2b2c7a5321d815c902ac0d8efb44649", "type": "query", - "version": 101 + "version": 102 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", 
@@ -10065,6 +10205,13 @@ "type": "query", "version": 100 }, + "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { + "min_stack_version": "8.3", + "rule_name": "Untrusted Driver Loaded", + "sha256": "5222c53fd532817cef9f5361d92def34c9f3610f7f996ebda9c4c4144cca7c7e", + "type": "eql", + "version": 1 + }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "min_stack_version": "8.3", "previous": { @@ -10097,12 +10244,19 @@ "type": "eql", "version": 103 }, + "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { + "min_stack_version": "8.3", + "rule_name": "Code Signing Policy Modification Through Registry", + "sha256": "2036bddb6ac3673e597668fff2730069943ed87fb219f70eeda0cad4cb04b072", + "type": "eql", + "version": 1 + }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.3", "rule_name": "Suspicious service was installed in the system", - "sha256": "d3660213ffad98fa0d57973d893f138195a92c78b6ea390b05707081ca2da77b", + "sha256": "b4d8d2a21f873c3e9fd06f43deb9927cd58a464b52226ae29d59f17fb86df39b", "type": "eql", - "version": 2 + "version": 3 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -10126,6 +10280,13 @@ "type": "query", "version": 104 }, + "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { + "min_stack_version": "8.3", + "rule_name": "Execution via Windows Subsystem for Linux", + "sha256": "0d002d9f5f60d202c3d56bf7331e4cf81f6bab516674186c19ec7c99a5c347b9", + "type": "eql", + "version": 1 + }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "min_stack_version": "8.3", "previous": { 
@@ -10180,12 +10341,19 @@ "type": "machine_learning", "version": 103 }, + "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { + "min_stack_version": "8.3", + "rule_name": "Attempt to Install Kali Linux via WSL", + "sha256": "afeae3198689de2891bd62742d72ff581601370a24a44c278956fa63ed4c0ec8", + "type": "eql", + "version": 1 + }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Reverse Shell Created via Named Pipe", - "sha256": "ddf86f713e01b7a42dfb4cbac2eabe95771dd00eb95e9272258e5eabed84b6f0", + "sha256": "e0cae89eb945a7df29dbc662628dcb9949fb367b716d67c5d13029a1c91d18c8", "type": "eql", - "version": 2 + "version": 3 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.3", @@ -10231,9 +10399,9 @@ } }, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "8f363bbd5a97faf23a2823c81078c304bbaa77645e263fa8622630d980a73fe5", + "sha256": "d2c6ef1a3c3d9ef10b9af4e2e4f506acb24747f56d96632f6a3d6928f0e9b213", "type": "query", - "version": 101 + "version": 102 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "min_stack_version": "8.6", @@ -10347,9 +10515,16 @@ } }, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "4a5fff0627325f8c9a0c2f2d6e23358b50e1aa635e65b5e3d206e4ec625b73e3", + "sha256": "7d81ed7b8ba08b6415516abcf421f759a041a5cbbd051913a0401b3df605ae6d", "type": "query", - "version": 101 + "version": 102 + }, + "e0881d20-54ac-457f-8733-fe0bc5d44c55": { + "min_stack_version": "8.3", + "rule_name": "System Service Discovery through built-in Windows Utilities", + "sha256": "fa82f09915234a615f7dcd30b662ecdb799b937041d2403d2b644887a1d00f83", + "type": "eql", + "version": 1 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.3", 
@@ -10458,10 +10633,10 @@ "version": 3 } }, - "rule_name": "Spike in Logon Events from a Source IP", - "sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f", + "rule_name": "Spike in Successful Logon Events from a Source IP", + "sha256": "65eb48226070aeaf8ac4104367de86ca3a4f7e422547bd73f4bc25286bf6e2fc", "type": "machine_learning", - "version": 100 + "version": 101 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.3", @@ -10495,6 +10670,13 @@ "type": "query", "version": 104 }, + "e2e0537d-7d8f-4910-a11d-559bcf61295a": { + "min_stack_version": "8.3", + "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", + "sha256": "a8733807013f83691ba2facd49013ba9c3709450dc7a813f8936285656d18086", + "type": "eql", + "version": 1 + }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", "previous": { @@ -10603,9 +10785,9 @@ } }, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "66b9ceb8d93427406d2d097accc4acf0f4c1d6ad76dcfc0d9c7a8d3489c35868", + "sha256": "82e3cd5c0d5b26c5fbdc4e4e0bc7f28017ef24f209db4309fb012b9e0d610aa6", "type": "eql", - "version": 101 + "version": 102 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.3", @@ -10635,9 +10817,9 @@ } }, "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "a07da4943d2aaf8e54ebf90165c0967ee8b7c6f00176ccc5a7a174a0c335fb21", + "sha256": "93b7937727492cc72b68bf3b72232f58a29fdcb39cdb6bf548afc84d22da4d4c", "type": "eql", - "version": 101 + "version": 102 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.3", 
@@ -10651,9 +10833,9 @@ } }, "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "1bbd28ed34614893af4f422de55b58962b7c6fcf2a5986a8cabead6a46da4d6b", + "sha256": "286706a0bad8c733061dfb173bc5dc13242f4b2b462061129819d507b33d69fe", "type": "query", - "version": 103 + "version": 104 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.4", @@ -10815,9 +10997,9 @@ } }, "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "a570ca618c8c2c947839d258b7a7708e622375200ea16c2f9975c52392b8f91c", + "sha256": "e0279781cc294b6e98d639c8680925bd7a6b6a852c7c8f06c7b6ae9b2083ddfe", "type": "eql", - "version": 101 + "version": 102 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.3", @@ -10835,6 +11017,13 @@ "type": "eql", "version": 101 }, + "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { + "min_stack_version": "8.3", + "rule_name": "Host Files System Changes via Windows Subsystem for Linux", + "sha256": "dc9f542719133b4db619437dcf9a91603b68950ee66166eb35dc92ac18ae0864", + "type": "eql", + "version": 1 + }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.3", "previous": { @@ -11019,9 +11208,9 @@ } }, "rule_name": "Potential Disabling of SELinux", - "sha256": "92cb291d40a64cdf4134bffc69eda6c274d7e4d23cd7a5db74006b6bde75b548", + "sha256": "e471f2312e6728d6bee2568cc973617b69a6fcb36fa4293676d8ec82dc159e35", "type": "query", - "version": 101 + "version": 102 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", @@ -11224,9 +11413,9 @@ } }, "rule_name": "BPF filter applied using TC", - "sha256": "27c2bf87022ca8599942fafab15bbcfb8e0c45cb1c4f6a0ec8a9473d593d6352", + "sha256": "9cf91201e94b653c02a269c75e3a748c05410aa62759345a3f1a8beb69692d9c", "type": "eql", - "version": 101 + "version": 102 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.3", 
@@ -11240,9 +11429,9 @@ } }, "rule_name": "Whoami Process Activity", - "sha256": "59256cf0b2544c3b4aac5517c14738543bfec976b2ff3d83124c0328e48df8c4", + "sha256": "2207b7204e3ba643a52ae4e20343f56159d267050833c2c1f1d45ce9abd07da1", "type": "eql", - "version": 103 + "version": 104 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", @@ -11340,6 +11529,13 @@ "type": "query", "version": 101 }, + "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { + "min_stack_version": "8.4", + "rule_name": "Forwarded Google Workspace Security Alert", + "sha256": "1a2ce130f9e8b773c7d97020fa3039a810ef71d16d18da31f8f66f7e75a99823", + "type": "query", + "version": 1 + }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "min_stack_version": "8.3", "previous": { @@ -11368,9 +11564,9 @@ } }, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "09802de623888464e61fa36f71e514e2afda4617aba39a3aa441293963dfec0e", + "sha256": "e1e0aa11f0f4d8ca7ac2cc7d5eecdc8e4bde970d7fda2786102a70871f93066b", "type": "eql", - "version": 101 + "version": 102 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", @@ -11487,9 +11683,9 @@ } }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "2ed438689ec226d4ee5693d69db0e972c648d4f3aa0a4f727269734993893e68", + "sha256": "3071f41d3d0c0f76d09501b6937f2c5ab9c6753c8334b8816c5c095b1ecaa371", "type": "query", - "version": 103 + "version": 104 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -11680,12 +11876,19 @@ "type": "machine_learning", "version": 100 }, + "f95972d3-c23b-463b-89a8-796b3f369b49": { + "min_stack_version": "8.3", + "rule_name": "Ingress Transfer via Windows BITS", + "sha256": "745bb1be87344d9e00096579e5898b162f17b556d0bc96c27d3ed966f64bfdb4", + "type": "eql", + "version": 1 + }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.3", "rule_name": "Privileged Account Brute Force", - "sha256": "fd55d37e39f06e0295a19c28a056edf2a605a5e2c962f3bbaaad28bd1fd125a9", + "sha256": "486e9fa1036193d11bd1ce6163bbee2520d47b33eea727dded1b778761cd0d30", "type": "eql", - "version": 2 + "version": 3 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.3", @@ -11719,6 +11922,13 @@ "type": "eql", "version": 102 }, + "fa488440-04cc-41d7-9279-539387bf2a17": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Antimalware Scan Interface DLL", + "sha256": "26561bac820e0bc77b73e91c53c594cbdae8bc790334a473ff1ffd87ec0798ab", + "type": "eql", + "version": 1 + }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", "previous": {