security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3459)

Browse Source 
(cherry picked from commit 7815d23110)
This commit is contained in:
github-actions[bot]
2024-02-20 22:56:59 +05:30
parent fb835e396d
commit c772b2a842
1 changed files with 140 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+140 -133
View File
@@ -232,9 +232,9 @@
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
"rule_name": "System Time Discovery",
"sha256": "79c7e1897310a5fff8e9aa62c967679ae8fb0f6681b13c0fd66289142de0e1d6",
"sha256": "d5237e35b753d923902ad797bb8384e1f6c0cb0ba658c922501345f214656ad0",
"type": "eql",
"version": 5
"version": 6
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.9",
@@ -274,9 +274,9 @@
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "9a08bba2e66dd9f99a6a87ab539e1f2f205273b9af8e42a91a6be93beeb479e8",
"sha256": "c1b6e6aa892be3945036add52e7bd2f08908e60aeed4c6315a65552df23ecc67",
"type": "threshold",
"version": 5
"version": 6
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
@@ -400,9 +400,9 @@
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "4d8b6dfe62f6b9bc2ce89b79f7ad0e881dc744022d619b382b2e6e2d3ed15a17",
"sha256": "476a0edd057a4e2d08908bf18854969a1f8160a17b8197ca8011a73923904063",
"type": "query",
"version": 4
"version": 5
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.3",
@@ -811,9 +811,9 @@
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "395e463813d0cad1e718f84d5a13a564016c82b69dcfd8027af981c0ec07cc2f",
"sha256": "59fddcae552c2d4781435a2f28a96e640148621b9b484f76e9ac48786281e4bc",
"type": "eql",
"version": 1
"version": 2
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.3",
@@ -1047,9 +1047,9 @@
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"min_stack_version": "8.4",
"rule_name": "Process Created with a Duplicated Token",
"sha256": "108c96892c8db5e48adb3729e9a21cf75d35c098e4739cc055042e86fbeddccb",
"sha256": "51febd0739715d80d22439ab57ace39d85b46bb853c1af905477341ceb640fb4",
"type": "eql",
"version": 1
"version": 2
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
@@ -1182,9 +1182,9 @@
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "476840872bfeccaff488dd65134b6a82f2299b815ee751a661219204e8c1ad9a",
"sha256": "4e8f5265298debd75d88f29bc50550406da7325514321ca41560e53e4a216081",
"type": "query",
"version": 4
"version": 5
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
@@ -1196,9 +1196,9 @@
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.3",
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "a57fdc00e51caf3e5c8c515a75a6b8e8bc79b4e2dbb0f9fb97bc36859dd60525",
"sha256": "c4d1ee33d81051c5ff7f08405dd13f19bbce0e914ff0b347df5862b2f40d568d",
"type": "eql",
"version": 1
"version": 2
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.8",
@@ -1495,9 +1495,9 @@
"2724808c-ba5d-48b2-86d2-0002103df753": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "e93a1e9fd50b7401c5d62def71f3729c535a1a070f8e42194e4a2a9bfe8843b4",
"sha256": "ab06e0853ec7a2402c68a2aa0ced95e3fcaca432ce6fbd3fa620af718b998b19",
"type": "eql",
"version": 1
"version": 2
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"min_stack_version": "8.3",
@@ -1847,9 +1847,9 @@
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"min_stack_version": "8.5",
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "9648e6c27ae63c4d6b1419abbd96b927ee8834cb13bac73d2f3c36c874122c45",
"sha256": "c5d4a3001d7351c602369af6c986ac059de87c9b83a9217a63faaacf66a54a0f",
"type": "eql",
"version": 5
"version": 6
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"min_stack_version": "8.3",
@@ -2232,9 +2232,9 @@
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "d2820917e295f70cedcc97c012d7e6f4bfa4368d8a77e79023225614feb95c7a",
"sha256": "d9d09e692225a41f36175b833c81800c8d1406c6a21c6806f6cbadb83703de20",
"type": "query",
"version": 3
"version": 4
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"min_stack_version": "8.9",
@@ -2269,9 +2269,9 @@
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load",
"sha256": "b59ce0343e153ae461c5fccc6dd6aa3b6f38eff17a3960852a0a1b9c9dc88e3b",
"sha256": "943b3b49ddeb5d7f3cedcc5cd924db6f3c7c44435aa3913ee577e89925ae0651",
"type": "eql",
"version": 2
"version": 3
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
@@ -2283,9 +2283,9 @@
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "1d20b245f40477327dbf43e563d8a93eca7531b9c1fa4649a0e9692d0eb33b01",
"sha256": "0fb96a14a8d3a0b8997c74edf2be7897a1b81413fae271d17d5fda854048013e",
"type": "eql",
"version": 1
"version": 2
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
@@ -2379,15 +2379,15 @@
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Modprobe File Event",
"sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
"sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0",
"type": "eql",
"version": 3
"version": 4
}
},
"rule_name": "Suspicious Modprobe File Event",
"sha256": "e2563182898cd53fd297c35504ad76579440cfef8eabe9d2cfe715150dce74eb",
"sha256": "3023790e7b7a847fa8ec6fe47f0279307de8e1d4a2153a86caee8a3f11a98e70",
"type": "new_terms",
"version": 105
"version": 106
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.3",
@@ -2631,9 +2631,9 @@
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "19961cd9171e3ef5204e98314fdf573ac68e28c6ab1c5e91b5f1d71c919ea7db",
"sha256": "d4882ff69ab688f9fca0f0a882c05bf12a3ff514316d6e48ea51e1083291d3d3",
"type": "eql",
"version": 1
"version": 2
},
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "8.3",
@@ -2896,9 +2896,9 @@
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "32d05a814889ee60dc87a1d8bfd9ccde871f528b806978fcd7a8e999fac7d565",
"sha256": "ba6f6235a7b0a8e6655ecc8e374d2babccf8db929b8f1c864ce81a77ebeedaf5",
"type": "eql",
"version": 5
"version": 6
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.9",
@@ -3117,9 +3117,9 @@
}
},
"rule_name": "Execution of an Unsigned Service",
"sha256": "296152e8a3e1843df21e40fa6f6a05608b99b61ab06971ab80e9a3a35910b4fb",
"sha256": "67ac84282d2bc8987b76b1e8952870cc1ca8a5f6e785c58287418e2891195912",
"type": "new_terms",
"version": 103
"version": 104
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"min_stack_version": "8.3",
@@ -3287,9 +3287,9 @@
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "10846cbf0f6d148b7fc84a14a62f5bc1b44382eda5971d84a0747c8788c93721",
"sha256": "2d94e33407ad1d25db5a4b56b151dc596b9c6ea33d2cba827569ae0b97f87ca1",
"type": "eql",
"version": 2
"version": 3
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
@@ -3338,9 +3338,9 @@
"5c895b4f-9133-4e68-9e23-59902175355c": {
"min_stack_version": "8.6",
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "9a1e8c65a29391713f609dcbd4a1305713e9a2c306af2f32b6a83dfce192b63b",
"sha256": "ad5eeef0b7620188e2de743a8794671ea257a4c72445a2d45c4f12096f612bae",
"type": "eql",
"version": 4
"version": 5
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
@@ -3352,9 +3352,9 @@
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "178b04d6fc23202ec48ba3400969daf969f8d4985439414241705f5d43766ae0",
"sha256": "be2a9109a8b40a08a25097540efd4d1ffafe3c26095cc25b462030b39462392d",
"type": "eql",
"version": 5
"version": 6
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
@@ -3465,9 +3465,9 @@
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.3",
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "57a629aaa1c6c8e3211d86871c40fb1532a1b8041321a4a49e09bf2207ddd1d7",
"sha256": "c1ecce5f4f3b0d7eaff18f79bffa18faefea70a9b382c04dc2906d33aae8c613",
"type": "eql",
"version": 1
"version": 2
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
@@ -3612,9 +3612,9 @@
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "846fa5c4e35ad6a575c527857f8f08531770497ebfbd1e5c44038c9711e941fe",
"sha256": "7276ea3de496fc30d8ffc602965c04577358f410edf577705d215ceba2541c20",
"type": "eql",
"version": 5
"version": 6
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
@@ -3857,9 +3857,9 @@
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "fd2f406746a1331d05c1e2bf2940f233dfaaa7ab24732e3e56902a388363e65f",
"sha256": "7cf65464523d24beeac567cd5b9693fec22ad30bbfe4cb108c18b3cfc557ca40",
"type": "eql",
"version": 4
"version": 5
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.6",
@@ -3970,9 +3970,9 @@
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "58ce00446ecb88689b8d1b9f52c81a45a77fd09bd0553ddaff0cf1cf19685342",
"sha256": "8eb2075e6417e1abd98c79d0219606d314440ac873cfec2cf2f89d99059bfc4a",
"type": "eql",
"version": 4
"version": 5
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
@@ -4102,9 +4102,9 @@
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "643fd4dc9cb7afb75d6f948bdf9b15f87829f59236c645698ef6ceb52a951768",
"sha256": "1b2764ccaeebfb5e63fcb98c2a9e754f7fc0abe955e47356b0b4ee9351ac4e0f",
"type": "eql",
"version": 1
"version": 2
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.3",
@@ -4176,22 +4176,22 @@
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Sysctl File Event",
"sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc",
"sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90",
"type": "eql",
"version": 3
"version": 4
}
},
"rule_name": "Suspicious Sysctl File Event",
"sha256": "bfc9a20f20463b90faf15152ce6289f0f6144771298c87568ef2133798040a07",
"sha256": "b493f247e0861ac433a25a825222313ab55a2ae065aadec697ad0bd00e0bab11",
"type": "new_terms",
"version": 105
"version": 106
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
"rule_name": "Service Disabled via Registry Modification",
"sha256": "372c468ec6a0ebd2259d3b111dd8e4431353594ad85c0e66a0b97284f21d84f1",
"sha256": "c653ba7a8ebd99c0b7c04528b1b96f4449c827220889523a00d2f33355290e21",
"type": "eql",
"version": 1
"version": 2
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"min_stack_version": "8.3",
@@ -4233,9 +4233,9 @@
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "799b4669a8e13bfbb627ddec54045adfc695820ba3e46b6dd098a33d9bf72da8",
"sha256": "206720563a79d6cc24a435a4e574b8ac6f666a690d5b70e18d8aee09cc146701",
"type": "eql",
"version": 108
"version": 109
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.3",
@@ -4356,9 +4356,9 @@
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "51fa21c1094b9e214686668956d499fc25f19607d7b1a93fc094aa557eda00d7",
"sha256": "1943ef42d3d41a9bb7d30423c06e9e6f16b6f75bb01a8658560bbae4295466fa",
"type": "eql",
"version": 2
"version": 3
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
@@ -4494,9 +4494,9 @@
}
},
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "bc8f0cbcbf93a3e84a7433c81cb3997b0f23a2d6b1a1df28e3828f0fe7f1ac50",
"sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee",
"type": "new_terms",
"version": 101
"version": 102
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
@@ -4511,22 +4511,22 @@
"8.3": {
"max_allowable_version": 102,
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0",
"sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9",
"type": "eql",
"version": 3
"version": 4
}
},
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "9328c54c32125014fec6bdbd75bf9d2b513fccfc86f1ea0a04e8ca44d8a6a097",
"sha256": "22fe55cc67764e0781b6c19cc0ac5ae66736e3a22e1ee2fe53f7dbaab789d871",
"type": "new_terms",
"version": 104
"version": 105
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Extension",
"sha256": "892abe65dfb4e821b001077e250ac7619928c9a8ba796ec314d9abce74c74ba8",
"sha256": "849158b9fff15cf3e795600d5fe440fb36196a94c269e1824b18a91c2981e613",
"type": "eql",
"version": 2
"version": 3
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.3",
@@ -4602,9 +4602,9 @@
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "11bd5d0b943d146c2e7e684fa4b128c4692eae1ef64172cc1e8969eeabddeb73",
"sha256": "e155a8639900413960f4bd12ebce8f9c122312dae7c25f4438034c20e4fca668",
"type": "eql",
"version": 4
"version": 5
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"min_stack_version": "8.3",
@@ -4622,16 +4622,16 @@
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "02f2a52e75f96bb21611dfd66db9eacbdc7bde77eb1e7da4a5934751321134cc",
"sha256": "7f84af009ff9448c0b9f76177f86e6e043e7efac677af1511782322b71970a50",
"type": "eql",
"version": 5
"version": 6
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "814b05ca584b27e70940b7b56b00e0a980f69f27a29a732faf88da9bab468c7a",
"sha256": "2fc30dddfd6bb058fdb2c7cb62eb8c88bfc1859dea0b06dddb7e4df8bd87a205",
"type": "query",
"version": 2
"version": 3
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.3",
@@ -4965,9 +4965,9 @@
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "4aee04fcae9856c8db9a767d12e37c08a83d89f0665b4be03150aa01c6e03b4b",
"sha256": "e41fc833a05de05b304b09e2ec0982c3dd204b76ba262d05796e49162ea088ef",
"type": "eql",
"version": 1
"version": 2
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
@@ -4993,9 +4993,9 @@
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"min_stack_version": "8.3",
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "dd3d04e43bbd83b16a0414f323260473ea086aa839efad492a35c4a2cd203829",
"sha256": "4d2494baa6fceb73dd108e6e1c5f1584cb2577a49f8edea428ac9b6d5f49ae88",
"type": "eql",
"version": 1
"version": 2
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.3",
@@ -5724,9 +5724,9 @@
}
},
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "7b78fdf9a5ee44c30961d116be5d1d92f5800058130e514664356ef5256a2cea",
"sha256": "4ab67b4caab391230f6183fbc044cb1b7175bacef62351a227a5f3d5b2754ebf",
"type": "new_terms",
"version": 208
"version": 209
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
@@ -5782,9 +5782,9 @@
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
"rule_name": "File Deletion via Shred",
"sha256": "afbf43fb0d4ed4dc316833240730da4201b617ea02e60983d0ae60fa628e4926",
"type": "query",
"version": 107
"sha256": "9fdb40d449cc37e389ca527d2412f00004449adc3a106b14df51079f903bc912",
"type": "eql",
"version": 108
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
@@ -5895,9 +5895,9 @@
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "164f4808f9233c0316265e8ac731e74784cc410587f5710bdd9f8f72fff7c7c3",
"sha256": "056330ce15b11c973e70c3e0c1d7bb71f2e6412c067cf08db1ed4428a5dcbd57",
"type": "eql",
"version": 4
"version": 5
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
@@ -6218,9 +6218,9 @@
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Communication App Child Process",
"sha256": "0e8ff7a50a23c7b9726e3fce8b74834754c75e9cc4bee21fddbb73b9acde9c43",
"sha256": "21910b480ebd6a0ef74d410a04cc389bf6624c492e88f2c65a46efd0138a2592",
"type": "eql",
"version": 2
"version": 3
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.3",
@@ -6260,9 +6260,9 @@
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
"rule_name": "Network Activity Detected via cat",
"sha256": "d8ce7ce1d50539e7b9b135a7463c03309cee47dba07797c4c9a4198edb10e223",
"sha256": "273bd88b39f74afde539b7000e0a8c2b3d02c42ec1ddfa6c931a1e59806e1fa5",
"type": "eql",
"version": 4
"version": 5
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
@@ -6554,9 +6554,9 @@
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "6d865b15c3674b78e2d9de64bec58d2deacaffeddce4099ecf15fd02b52261f4",
"sha256": "4bc5b6a6479dbdf6890629a58ca0e0ec89a67f6a4f02e5c9a27a9cb3ec5f3ede",
"type": "eql",
"version": 108
"version": 109
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
@@ -6575,9 +6575,9 @@
"ba81c182-4287-489d-af4d-8ae834b06040": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "bd4ce205bb988bb06084a9673646c8c684685ecef659dfa4c881ed82df863856",
"sha256": "399fbc887cd3dcfac9f551c83064514c087821520af909339cdc11d7461ee18d",
"type": "eql",
"version": 1
"version": 2
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
@@ -6726,9 +6726,9 @@
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "a104d57c93d224bbb66c4c3ec0155970728973744f4f6e5f064a97439c0e12ca",
"sha256": "b9d7536fd8c294924c4644cfcc4ee0b8432a0e92eba51894cdc57c6fbb209ac7",
"type": "eql",
"version": 5
"version": 6
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.3",
@@ -6949,9 +6949,9 @@
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification via sc.exe",
"sha256": "471c10523b0876136cb7b2ebcf2df348a37efbe907b5bb0bd57c7650ce7c4fea",
"sha256": "7caa1e811b55ed98053fe152b172e60b4cd16b518423dd231768da1dafb2af8d",
"type": "eql",
"version": 1
"version": 2
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.3",
@@ -7317,9 +7317,9 @@
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Removal",
"sha256": "3389bde0d2034a85fbb3b9902602f9751c82b86ef92ede4fd68b2c2aaac43319",
"sha256": "ac001f6d06404c3010498800679030f8b4ab7b39e8c10db9a57b6493b7da835f",
"type": "eql",
"version": 107
"version": 108
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"min_stack_version": "8.3",
@@ -7562,9 +7562,9 @@
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"min_stack_version": "8.3",
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "fe9f5628cc8de2846077446c09d501bd05f366c5f81e3900c513dfa420b6ff75",
"sha256": "ce07cc502120394f374d4b4f5e5f706cfe97c593a8d2e56b9d4e8800acffad99",
"type": "eql",
"version": 3
"version": 4
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"min_stack_version": "8.3",
@@ -7576,9 +7576,9 @@
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "b07dbc77b8f4bfd154ce8d14ca9df9f80d7953d60caef71fc5167d9136db5ec0",
"sha256": "81a411530dfa4b02f26c004e92004cd7accc1592660c45e38896fdc83888a950",
"type": "eql",
"version": 1
"version": 2
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
@@ -7824,9 +7824,9 @@
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "e947ad288f1da43e4a883eb9da07ee706c06e2905ae2445421e2280db1d72486",
"sha256": "2dec4f8780da5987b36ab32a471d2c70a5eaee968d608b8ce70ea52290021878",
"type": "eql",
"version": 5
"version": 6
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.3",
@@ -7851,6 +7851,13 @@
"type": "machine_learning",
"version": 208
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "44f7baab75f773277a10c7030dcd1cfd26a107a3dc957f0fcb5163db547ae530",
"type": "eql",
"version": 1
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Kali Linux via WSL",
@@ -7882,9 +7889,9 @@
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "3fdd204c8b26e4dc4f20eaf80a88b4f37cd9093b77f365fbf505b27c37e500d7",
"type": "query",
"version": 107
"sha256": "0f2e6ac845f8b90178b87d34179c8221ebb916e5b879e1acba116f2bc751ead8",
"type": "eql",
"version": 108
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"min_stack_version": "8.6",
@@ -8182,9 +8189,9 @@
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "856cdc898f8b290d5ebe5bfffde4ce85f483f62eb7e0158a0f9e35f6e8dc2afd",
"sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02",
"type": "new_terms",
"version": 1
"version": 2
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
@@ -8315,16 +8322,16 @@
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "b79eae658a0dc89978d022131f60766565b9d713cf71cfa900e632da05719fe3",
"sha256": "cdb82fbb668c46c37e97ed4485ecc44f5e15ee31cc32e28105e7294c0540d5fb",
"type": "eql",
"version": 2
"version": 3
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "332682a3600cb59f9e5416f1a36782dd5b2cd5140ad2365e794fe319c8057d6a",
"sha256": "efb77e476e3e66708e2f7ecbe21f66cf503537cfbd24fd1e39c1532f88bb4050",
"type": "eql",
"version": 6
"version": 7
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"min_stack_version": "8.9",
@@ -8526,9 +8533,9 @@
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of SELinux",
"sha256": "67e5d80d98a14e59513c76c67d9e7b585867dfa1bd03bc7fe57b4e529040abcf",
"type": "query",
"version": 107
"sha256": "23a5f7e32120fdb45c8175f8b7d7466b7f576e9d71127c5cbf486776602a7d54",
"type": "eql",
"version": 108
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
@@ -8685,9 +8692,9 @@
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "b484fef67869242e81d258aa6dd2f985dce79cf7ac6f49d81e8d62e1b34d69aa",
"sha256": "a93c8008dc51bde8313842833bc7faf55795a8b998c830cefdcde94c2a9e4845",
"type": "eql",
"version": 5
"version": 6
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"min_stack_version": "8.8",
@@ -8933,9 +8940,9 @@
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.3",
"rule_name": "WMIC Remote Command",
"sha256": "e1ef94a11c4732f762e8f4e61014834b56c85ac0b9238a537e111d942fb12601",
"sha256": "42d6b84b3a8696b0bf6bf486d60aab97b24df9b1e2f726ff15bf8b3c0159f746",
"type": "eql",
"version": 2
"version": 3
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
@@ -9133,16 +9140,16 @@
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "49d714fa5c7450eb4f2ae0d249c48cc4200969fed6ea2b87d14a560608ca32ce",
"sha256": "781215a658d1365ecd39d5ce42561c2c2a1db86acac3e8ecc9a2c3348dacc021",
"type": "eql",
"version": 6
"version": 7
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of AppArmor",
"sha256": "34fdcfc5bff48dc2d657a33d95b6f8a56e38e5110fad29d01863329e1f5e1f68",
"sha256": "4f8a4b5f58afc63fe8e1fef64b1f0f5ed48bce8b895a9f80afb8ff33e8f74f3e",
"type": "eql",
"version": 3
"version": 4
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"min_stack_version": "8.4",
@@ -9156,9 +9163,9 @@
}
},
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "83d55181cc10cf106c86f733adfc8bcd7100be39580cbdaf2784a6237cd2f61b",
"sha256": "2e04de492ae2b8608ce4404506cff8d8216450e3eac0292441ce1ca740d506cf",
"type": "eql",
"version": 102
"version": 103
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
@@ -9263,9 +9270,9 @@
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "759181917690fc8b164537ae1754768a85a84855c58bb9f2895f687a62a3c0ce",
"sha256": "ea4a0401b39029ef4d1b12bf940efeebe5fc61796cc104ec9be7996712141b89",
"type": "eql",
"version": 5
"version": 6
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
@@ -9277,9 +9284,9 @@
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "233aae2af8866a118d0080a5d695beef8bddfb17bf9788964055df0f6cfdad5b",
"sha256": "2473b403823acee1746c83419cdd4634fb84599c481a5d10e3b1af3e519f11bc",
"type": "query",
"version": 3
"version": 4
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
@@ -9291,9 +9298,9 @@
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "f8fb3a902d4649dae09ebfd3622387f97612d9ce93d0c82dc28badc57bf61ae1",
"sha256": "40b6160ff1840321119de9eaf4ab17ad8efd8941b316318fda962bb59ada871b",
"type": "eql",
"version": 2
"version": 3
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"min_stack_version": "8.3",