diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 6307f0392..40d95969b 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -232,9 +232,9 @@ "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", "rule_name": "System Time Discovery", - "sha256": "79c7e1897310a5fff8e9aa62c967679ae8fb0f6681b13c0fd66289142de0e1d6", + "sha256": "d5237e35b753d923902ad797bb8384e1f6c0cb0ba658c922501345f214656ad0", "type": "eql", - "version": 5 + "version": 6 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "min_stack_version": "8.9", @@ -274,9 +274,9 @@ "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "9a08bba2e66dd9f99a6a87ab539e1f2f205273b9af8e42a91a6be93beeb479e8", + "sha256": "c1b6e6aa892be3945036add52e7bd2f08908e60aeed4c6315a65552df23ecc67", "type": "threshold", - "version": 5 + "version": 6 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", @@ -400,9 +400,9 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "4d8b6dfe62f6b9bc2ce89b79f7ad0e881dc744022d619b382b2e6e2d3ed15a17", + "sha256": "476a0edd057a4e2d08908bf18854969a1f8160a17b8197ca8011a73923904063", "type": "query", - "version": 4 + "version": 5 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", @@ -811,9 +811,9 @@ "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "min_stack_version": "8.3", "rule_name": "Execution from a Removable Media with Network Connection", - "sha256": "395e463813d0cad1e718f84d5a13a564016c82b69dcfd8027af981c0ec07cc2f", + "sha256": "59fddcae552c2d4781435a2f28a96e640148621b9b484f76e9ac48786281e4bc", "type": "eql", - "version": 1 + "version": 2 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", @@ -1047,9 +1047,9 @@ "1b0b4818-5655-409b-9c73-341cac4bb73f": { "min_stack_version": "8.4", "rule_name": "Process Created with a Duplicated Token", - "sha256": "108c96892c8db5e48adb3729e9a21cf75d35c098e4739cc055042e86fbeddccb", + "sha256": "51febd0739715d80d22439ab57ace39d85b46bb853c1af905477341ceb640fb4", "type": "eql", - "version": 1 + "version": 2 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", @@ -1182,9 +1182,9 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "476840872bfeccaff488dd65134b6a82f2299b815ee751a661219204e8c1ad9a", + "sha256": "4e8f5265298debd75d88f29bc50550406da7325514321ca41560e53e4a216081", "type": "query", - "version": 4 + "version": 5 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", @@ -1196,9 +1196,9 @@ "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "min_stack_version": "8.3", "rule_name": "Creation of SettingContent-ms Files", - "sha256": "a57fdc00e51caf3e5c8c515a75a6b8e8bc79b4e2dbb0f9fb97bc36859dd60525", + "sha256": "c4d1ee33d81051c5ff7f08405dd13f19bbce0e914ff0b347df5862b2f40d568d", "type": "eql", - "version": 1 + "version": 2 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { "min_stack_version": "8.8", @@ -1495,9 +1495,9 @@ "2724808c-ba5d-48b2-86d2-0002103df753": { "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "e93a1e9fd50b7401c5d62def71f3729c535a1a070f8e42194e4a2a9bfe8843b4", + "sha256": "ab06e0853ec7a2402c68a2aa0ced95e3fcaca432ce6fbd3fa620af718b998b19", "type": "eql", - "version": 1 + "version": 2 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", @@ -1847,9 +1847,9 @@ "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "9648e6c27ae63c4d6b1419abbd96b927ee8834cb13bac73d2f3c36c874122c45", + "sha256": "c5d4a3001d7351c602369af6c986ac059de87c9b83a9217a63faaacf66a54a0f", "type": "eql", - "version": 5 + "version": 6 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "min_stack_version": "8.3", @@ -2232,9 +2232,9 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "d2820917e295f70cedcc97c012d7e6f4bfa4368d8a77e79023225614feb95c7a", + "sha256": "d9d09e692225a41f36175b833c81800c8d1406c6a21c6806f6cbadb83703de20", "type": "query", - "version": 3 + "version": 4 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "min_stack_version": "8.9", @@ -2269,9 +2269,9 @@ "3e12a439-d002-4944-bc42-171c0dcb9b96": { "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", - "sha256": "b59ce0343e153ae461c5fccc6dd6aa3b6f38eff17a3960852a0a1b9c9dc88e3b", + "sha256": "943b3b49ddeb5d7f3cedcc5cd924db6f3c7c44435aa3913ee577e89925ae0651", "type": "eql", - "version": 2 + "version": 3 }, "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", @@ -2283,9 +2283,9 @@ "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "min_stack_version": "8.3", "rule_name": "Potential Remote File Execution via MSIEXEC", - "sha256": "1d20b245f40477327dbf43e563d8a93eca7531b9c1fa4649a0e9692d0eb33b01", + "sha256": "0fb96a14a8d3a0b8997c74edf2be7897a1b81413fae271d17d5fda854048013e", "type": "eql", - "version": 1 + "version": 2 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.3", @@ -2379,15 +2379,15 @@ "8.3": { "max_allowable_version": 102, "rule_name": "Suspicious Modprobe File Event", - "sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c", + "sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Suspicious Modprobe File Event", - "sha256": "e2563182898cd53fd297c35504ad76579440cfef8eabe9d2cfe715150dce74eb", + "sha256": "3023790e7b7a847fa8ec6fe47f0279307de8e1d4a2153a86caee8a3f11a98e70", "type": "new_terms", - "version": 105 + "version": 106 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { "min_stack_version": "8.3", @@ -2631,9 +2631,9 @@ "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "min_stack_version": "8.3", "rule_name": "Remote XSL Script Execution via COM", - "sha256": "19961cd9171e3ef5204e98314fdf573ac68e28c6ab1c5e91b5f1d71c919ea7db", + "sha256": "d4882ff69ab688f9fca0f0a882c05bf12a3ff514316d6e48ea51e1083291d3d3", "type": "eql", - "version": 1 + "version": 2 }, "493834ca-f861-414c-8602-150d5505b777": { "min_stack_version": "8.3", @@ -2896,9 +2896,9 @@ "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "32d05a814889ee60dc87a1d8bfd9ccde871f528b806978fcd7a8e999fac7d565", + "sha256": "ba6f6235a7b0a8e6655ecc8e374d2babccf8db929b8f1c864ce81a77ebeedaf5", "type": "eql", - "version": 5 + "version": 6 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "min_stack_version": "8.9", @@ -3117,9 +3117,9 @@ } }, "rule_name": "Execution of an Unsigned Service", - "sha256": "296152e8a3e1843df21e40fa6f6a05608b99b61ab06971ab80e9a3a35910b4fb", + "sha256": "67ac84282d2bc8987b76b1e8952870cc1ca8a5f6e785c58287418e2891195912", "type": "new_terms", - "version": 103 + "version": 104 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", @@ -3287,9 +3287,9 @@ "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", - "sha256": "10846cbf0f6d148b7fc84a14a62f5bc1b44382eda5971d84a0747c8788c93721", + "sha256": "2d94e33407ad1d25db5a4b56b151dc596b9c6ea33d2cba827569ae0b97f87ca1", "type": "eql", - "version": 2 + "version": 3 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.3", @@ -3338,9 +3338,9 @@ "5c895b4f-9133-4e68-9e23-59902175355c": { "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "9a1e8c65a29391713f609dcbd4a1305713e9a2c306af2f32b6a83dfce192b63b", + "sha256": "ad5eeef0b7620188e2de743a8794671ea257a4c72445a2d45c4f12096f612bae", "type": "eql", - "version": 4 + "version": 5 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", @@ -3352,9 +3352,9 @@ "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "178b04d6fc23202ec48ba3400969daf969f8d4985439414241705f5d43766ae0", + "sha256": "be2a9109a8b40a08a25097540efd4d1ffafe3c26095cc25b462030b39462392d", "type": "eql", - "version": 5 + "version": 6 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.3", @@ -3465,9 +3465,9 @@ "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.3", "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "57a629aaa1c6c8e3211d86871c40fb1532a1b8041321a4a49e09bf2207ddd1d7", + "sha256": "c1ecce5f4f3b0d7eaff18f79bffa18faefea70a9b382c04dc2906d33aae8c613", "type": "eql", - "version": 1 + "version": 2 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.3", @@ -3612,9 +3612,9 @@ "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "846fa5c4e35ad6a575c527857f8f08531770497ebfbd1e5c44038c9711e941fe", + "sha256": "7276ea3de496fc30d8ffc602965c04577358f410edf577705d215ceba2541c20", "type": "eql", - "version": 5 + "version": 6 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", @@ -3857,9 +3857,9 @@ "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "fd2f406746a1331d05c1e2bf2940f233dfaaa7ab24732e3e56902a388363e65f", + "sha256": "7cf65464523d24beeac567cd5b9693fec22ad30bbfe4cb108c18b3cfc557ca40", "type": "eql", - "version": 4 + "version": 5 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "min_stack_version": "8.6", @@ -3970,9 +3970,9 @@ "6ee947e9-de7e-4281-a55d-09289bdf947e": { "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "58ce00446ecb88689b8d1b9f52c81a45a77fd09bd0553ddaff0cf1cf19685342", + "sha256": "8eb2075e6417e1abd98c79d0219606d314440ac873cfec2cf2f89d99059bfc4a", "type": "eql", - "version": 4 + "version": 5 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", @@ -4102,9 +4102,9 @@ "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "min_stack_version": "8.3", "rule_name": "Suspicious Passwd File Event Action", - "sha256": "643fd4dc9cb7afb75d6f948bdf9b15f87829f59236c645698ef6ceb52a951768", + "sha256": "1b2764ccaeebfb5e63fcb98c2a9e754f7fc0abe955e47356b0b4ee9351ac4e0f", "type": "eql", - "version": 1 + "version": 2 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "min_stack_version": "8.3", @@ -4176,22 +4176,22 @@ "8.3": { "max_allowable_version": 102, "rule_name": "Suspicious Sysctl File Event", - "sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc", + "sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Suspicious Sysctl File Event", - "sha256": "bfc9a20f20463b90faf15152ce6289f0f6144771298c87568ef2133798040a07", + "sha256": "b493f247e0861ac433a25a825222313ab55a2ae065aadec697ad0bd00e0bab11", "type": "new_terms", - "version": 105 + "version": 106 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "min_stack_version": "8.3", "rule_name": "Service Disabled via Registry Modification", - "sha256": "372c468ec6a0ebd2259d3b111dd8e4431353594ad85c0e66a0b97284f21d84f1", + "sha256": "c653ba7a8ebd99c0b7c04528b1b96f4449c827220889523a00d2f33355290e21", "type": "eql", - "version": 1 + "version": 2 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "min_stack_version": "8.3", @@ -4233,9 +4233,9 @@ "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", - "sha256": "799b4669a8e13bfbb627ddec54045adfc695820ba3e46b6dd098a33d9bf72da8", + "sha256": "206720563a79d6cc24a435a4e574b8ac6f666a690d5b70e18d8aee09cc146701", "type": "eql", - "version": 108 + "version": 109 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", @@ -4356,9 +4356,9 @@ "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "51fa21c1094b9e214686668956d499fc25f19607d7b1a93fc094aa557eda00d7", + "sha256": "1943ef42d3d41a9bb7d30423c06e9e6f16b6f75bb01a8658560bbae4295466fa", "type": "eql", - "version": 2 + "version": 3 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.3", @@ -4494,9 +4494,9 @@ } }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "bc8f0cbcbf93a3e84a7433c81cb3997b0f23a2d6b1a1df28e3828f0fe7f1ac50", + "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", "type": "new_terms", - "version": 101 + "version": 102 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", @@ -4511,22 +4511,22 @@ "8.3": { "max_allowable_version": 102, "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0", + "sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "9328c54c32125014fec6bdbd75bf9d2b513fccfc86f1ea0a04e8ca44d8a6a097", + "sha256": "22fe55cc67764e0781b6c19cc0ac5ae66736e3a22e1ee2fe53f7dbaab789d871", "type": "new_terms", - "version": 104 + "version": 105 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", - "sha256": "892abe65dfb4e821b001077e250ac7619928c9a8ba796ec314d9abce74c74ba8", + "sha256": "849158b9fff15cf3e795600d5fe440fb36196a94c269e1824b18a91c2981e613", "type": "eql", - "version": 2 + "version": 3 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.3", @@ -4602,9 +4602,9 @@ "835c0622-114e-40b5-a346-f843ea5d01f1": { "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "11bd5d0b943d146c2e7e684fa4b128c4692eae1ef64172cc1e8969eeabddeb73", + "sha256": "e155a8639900413960f4bd12ebce8f9c122312dae7c25f4438034c20e4fca668", "type": "eql", - "version": 4 + "version": 5 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "min_stack_version": "8.3", @@ -4622,16 +4622,16 @@ "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "02f2a52e75f96bb21611dfd66db9eacbdc7bde77eb1e7da4a5934751321134cc", + "sha256": "7f84af009ff9448c0b9f76177f86e6e043e7efac677af1511782322b71970a50", "type": "eql", - "version": 5 + "version": 6 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "814b05ca584b27e70940b7b56b00e0a980f69f27a29a732faf88da9bab468c7a", + "sha256": "2fc30dddfd6bb058fdb2c7cb62eb8c88bfc1859dea0b06dddb7e4df8bd87a205", "type": "query", - "version": 2 + "version": 3 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "min_stack_version": "8.3", @@ -4965,9 +4965,9 @@ "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "min_stack_version": "8.3", "rule_name": "File with Suspicious Extension Downloaded", - "sha256": "4aee04fcae9856c8db9a767d12e37c08a83d89f0665b4be03150aa01c6e03b4b", + "sha256": "e41fc833a05de05b304b09e2ec0982c3dd204b76ba262d05796e49162ea088ef", "type": "eql", - "version": 1 + "version": 2 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "8.8", @@ -4993,9 +4993,9 @@ "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "min_stack_version": "8.3", "rule_name": "Potential Outgoing RDP Connection by Unusual Process", - "sha256": "dd3d04e43bbd83b16a0414f323260473ea086aa839efad492a35c4a2cd203829", + "sha256": "4d2494baa6fceb73dd108e6e1c5f1584cb2577a49f8edea428ac9b6d5f49ae88", "type": "eql", - "version": 1 + "version": 2 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "min_stack_version": "8.3", @@ -5724,9 +5724,9 @@ } }, "rule_name": "File Permission Modification in Writable Directory", - "sha256": "7b78fdf9a5ee44c30961d116be5d1d92f5800058130e514664356ef5256a2cea", + "sha256": "4ab67b4caab391230f6183fbc044cb1b7175bacef62351a227a5f3d5b2754ebf", "type": "new_terms", - "version": 208 + "version": 209 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "min_stack_version": "8.9", @@ -5782,9 +5782,9 @@ "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", - "sha256": "afbf43fb0d4ed4dc316833240730da4201b617ea02e60983d0ae60fa628e4926", - "type": "query", - "version": 107 + "sha256": "9fdb40d449cc37e389ca527d2412f00004449adc3a106b14df51079f903bc912", + "type": "eql", + "version": 108 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", @@ -5895,9 +5895,9 @@ "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", - "sha256": "164f4808f9233c0316265e8ac731e74784cc410587f5710bdd9f8f72fff7c7c3", + "sha256": "056330ce15b11c973e70c3e0c1d7bb71f2e6412c067cf08db1ed4428a5dcbd57", "type": "eql", - "version": 4 + "version": 5 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", @@ -6218,9 +6218,9 @@ "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", - "sha256": "0e8ff7a50a23c7b9726e3fce8b74834754c75e9cc4bee21fddbb73b9acde9c43", + "sha256": "21910b480ebd6a0ef74d410a04cc389bf6624c492e88f2c65a46efd0138a2592", "type": "eql", - "version": 2 + "version": 3 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "min_stack_version": "8.3", @@ -6260,9 +6260,9 @@ "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", - "sha256": "d8ce7ce1d50539e7b9b135a7463c03309cee47dba07797c4c9a4198edb10e223", + "sha256": "273bd88b39f74afde539b7000e0a8c2b3d02c42ec1ddfa6c931a1e59806e1fa5", "type": "eql", - "version": 4 + "version": 5 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", @@ -6554,9 +6554,9 @@ "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "6d865b15c3674b78e2d9de64bec58d2deacaffeddce4099ecf15fd02b52261f4", + "sha256": "4bc5b6a6479dbdf6890629a58ca0e0ec89a67f6a4f02e5c9a27a9cb3ec5f3ede", "type": "eql", - "version": 108 + "version": 109 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", @@ -6575,9 +6575,9 @@ "ba81c182-4287-489d-af4d-8ae834b06040": { "min_stack_version": "8.3", "rule_name": "Kernel Driver Load by non-root User", - "sha256": "bd4ce205bb988bb06084a9673646c8c684685ecef659dfa4c881ed82df863856", + "sha256": "399fbc887cd3dcfac9f551c83064514c087821520af909339cdc11d7461ee18d", "type": "eql", - "version": 1 + "version": 2 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", @@ -6726,9 +6726,9 @@ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "a104d57c93d224bbb66c4c3ec0155970728973744f4f6e5f064a97439c0e12ca", + "sha256": "b9d7536fd8c294924c4644cfcc4ee0b8432a0e92eba51894cdc57c6fbb209ac7", "type": "eql", - "version": 5 + "version": 6 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", @@ -6949,9 +6949,9 @@ "c5677997-f75b-4cda-b830-a75920514096": { "min_stack_version": "8.3", "rule_name": "Service Path Modification via sc.exe", - "sha256": "471c10523b0876136cb7b2ebcf2df348a37efbe907b5bb0bd57c7650ce7c4fea", + "sha256": "7caa1e811b55ed98053fe152b172e60b4cd16b518423dd231768da1dafb2af8d", "type": "eql", - "version": 1 + "version": 2 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.3", @@ -7317,9 +7317,9 @@ "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", - "sha256": "3389bde0d2034a85fbb3b9902602f9751c82b86ef92ede4fd68b2c2aaac43319", + "sha256": "ac001f6d06404c3010498800679030f8b4ab7b39e8c10db9a57b6493b7da835f", "type": "eql", - "version": 107 + "version": 108 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "min_stack_version": "8.3", @@ -7562,9 +7562,9 @@ "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "fe9f5628cc8de2846077446c09d501bd05f366c5f81e3900c513dfa420b6ff75", + "sha256": "ce07cc502120394f374d4b4f5e5f706cfe97c593a8d2e56b9d4e8800acffad99", "type": "eql", - "version": 3 + "version": 4 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "min_stack_version": "8.3", @@ -7576,9 +7576,9 @@ "d55abdfb-5384-402b-add4-6c401501b0c3": { "min_stack_version": "8.11", "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", - "sha256": "b07dbc77b8f4bfd154ce8d14ca9df9f80d7953d60caef71fc5167d9136db5ec0", + "sha256": "81a411530dfa4b02f26c004e92004cd7accc1592660c45e38896fdc83888a950", "type": "eql", - "version": 1 + "version": 2 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.3", @@ -7824,9 +7824,9 @@ "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "e947ad288f1da43e4a883eb9da07ee706c06e2905ae2445421e2280db1d72486", + "sha256": "2dec4f8780da5987b36ab32a471d2c70a5eaee968d608b8ce70ea52290021878", "type": "eql", - "version": 5 + "version": 6 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", @@ -7851,6 +7851,13 @@ "type": "machine_learning", "version": 208 }, + "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Execution from INET Cache", + "sha256": "44f7baab75f773277a10c7030dcd1cfd26a107a3dc957f0fcb5163db547ae530", + "type": "eql", + "version": 1 + }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.3", "rule_name": "Attempt to Install Kali Linux via WSL", @@ -7882,9 +7889,9 @@ "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "3fdd204c8b26e4dc4f20eaf80a88b4f37cd9093b77f365fbf505b27c37e500d7", - "type": "query", - "version": 107 + "sha256": "0f2e6ac845f8b90178b87d34179c8221ebb916e5b879e1acba116f2bc751ead8", + "type": "eql", + "version": 108 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "min_stack_version": "8.6", @@ -8182,9 +8189,9 @@ "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "min_stack_version": "8.4", "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "856cdc898f8b290d5ebe5bfffde4ce85f483f62eb7e0158a0f9e35f6e8dc2afd", + "sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02", "type": "new_terms", - "version": 1 + "version": 2 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", @@ -8315,16 +8322,16 @@ "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": "b79eae658a0dc89978d022131f60766565b9d713cf71cfa900e632da05719fe3", + "sha256": "cdb82fbb668c46c37e97ed4485ecc44f5e15ee31cc32e28105e7294c0540d5fb", "type": "eql", - "version": 2 + "version": 3 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "332682a3600cb59f9e5416f1a36782dd5b2cd5140ad2365e794fe319c8057d6a", + "sha256": "efb77e476e3e66708e2f7ecbe21f66cf503537cfbd24fd1e39c1532f88bb4050", "type": "eql", - "version": 6 + "version": 7 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "min_stack_version": "8.9", @@ -8526,9 +8533,9 @@ "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", - "sha256": "67e5d80d98a14e59513c76c67d9e7b585867dfa1bd03bc7fe57b4e529040abcf", - "type": "query", - "version": 107 + "sha256": "23a5f7e32120fdb45c8175f8b7d7466b7f576e9d71127c5cbf486776602a7d54", + "type": "eql", + "version": 108 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", @@ -8685,9 +8692,9 @@ "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "b484fef67869242e81d258aa6dd2f985dce79cf7ac6f49d81e8d62e1b34d69aa", + "sha256": "a93c8008dc51bde8313842833bc7faf55795a8b998c830cefdcde94c2a9e4845", "type": "eql", - "version": 5 + "version": 6 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "8.8", @@ -8933,9 +8940,9 @@ "f59668de-caa0-4b84-94c1-3a1549e1e798": { "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", - "sha256": "e1ef94a11c4732f762e8f4e61014834b56c85ac0b9238a537e111d942fb12601", + "sha256": "42d6b84b3a8696b0bf6bf486d60aab97b24df9b1e2f726ff15bf8b3c0159f746", "type": "eql", - "version": 2 + "version": 3 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "min_stack_version": "8.3", @@ -9133,16 +9140,16 @@ "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "49d714fa5c7450eb4f2ae0d249c48cc4200969fed6ea2b87d14a560608ca32ce", + "sha256": "781215a658d1365ecd39d5ce42561c2c2a1db86acac3e8ecc9a2c3348dacc021", "type": "eql", - "version": 6 + "version": 7 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", - "sha256": "34fdcfc5bff48dc2d657a33d95b6f8a56e38e5110fad29d01863329e1f5e1f68", + "sha256": "4f8a4b5f58afc63fe8e1fef64b1f0f5ed48bce8b895a9f80afb8ff33e8f74f3e", "type": "eql", - "version": 3 + "version": 4 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "min_stack_version": "8.4", @@ -9156,9 +9163,9 @@ } }, "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "83d55181cc10cf106c86f733adfc8bcd7100be39580cbdaf2784a6237cd2f61b", + "sha256": "2e04de492ae2b8608ce4404506cff8d8216450e3eac0292441ce1ca740d506cf", "type": "eql", - "version": 102 + "version": 103 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", @@ -9263,9 +9270,9 @@ "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", - "sha256": "759181917690fc8b164537ae1754768a85a84855c58bb9f2895f687a62a3c0ce", + "sha256": "ea4a0401b39029ef4d1b12bf940efeebe5fc61796cc104ec9be7996712141b89", "type": "eql", - "version": 5 + "version": 6 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "min_stack_version": "8.3", @@ -9277,9 +9284,9 @@ "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "233aae2af8866a118d0080a5d695beef8bddfb17bf9788964055df0f6cfdad5b", + "sha256": "2473b403823acee1746c83419cdd4634fb84599c481a5d10e3b1af3e519f11bc", "type": "query", - "version": 3 + "version": 4 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "min_stack_version": "8.3", @@ -9291,9 +9298,9 @@ "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Business App Installer", - "sha256": "f8fb3a902d4649dae09ebfd3622387f97612d9ce93d0c82dc28badc57bf61ae1", + "sha256": "40b6160ff1840321119de9eaf4ab17ad8efd8941b316318fda962bb59ada871b", "type": "eql", - "version": 2 + "version": 3 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "min_stack_version": "8.3",