Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3402)

* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
github-actions[bot]
2024-01-23 16:36:55 -05:00
committed by GitHub
parent 92804343bc
commit d093336125
+593 -348
@@ -25,9 +25,9 @@
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
"rule_name": "System Shells via Services",
"sha256": "629ee62bf64e9993225823b0969be69d7b4494d53adc0ffbcdc501745be3ab8f",
"sha256": "d72a2228f26b816836305d763e5f5d9e903ab000038bc927f5d10e28df155280",
"type": "eql",
"version": 108
"version": 109
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -62,9 +62,16 @@
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Detected",
"sha256": "6f969409e34ce2e04899c197404f8717d28ae3866797966be0653c4a3867fdc6",
"sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1",
"type": "threshold",
"version": 4
"version": 5
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.6",
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
"type": "new_terms",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
@@ -73,6 +80,13 @@
"type": "eql",
"version": 104
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
"type": "new_terms",
"version": 1
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"min_stack_version": "8.4",
"rule_name": "Process Created with an Elevated Token",
@@ -113,9 +127,9 @@
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "71c36a582a1af6f143c5b2316611eceae40fef43328be88831c24b2317e7ccae",
"sha256": "ca908726d59b4cf703f6581eb6f0a4c16fb229de48c658e6bba676c7d9361eba",
"type": "threshold",
"version": 106
"version": 107
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"min_stack_version": "8.8",
@@ -134,9 +148,9 @@
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"min_stack_version": "8.3",
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "a8e44864c0255586bcea1d4b241810c54170028501986f52bb80bf79c2136c98",
"sha256": "785439b8acfcb7be5e877bbadd7b188c28a7885da00919345b3b34e66078913d",
"type": "query",
"version": 107
"version": 108
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"min_stack_version": "8.3",
@@ -162,16 +176,16 @@
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through Systemd-udevd",
"sha256": "e8095cdee7458ed504ab6072b4d91c7d572d159b7f95965cb8b93a5fc4c1ed32",
"sha256": "db11dd77c2e7a28b415f709d5c6a4c2f50d6639fac4480ca35e0ccdddd837c96",
"type": "new_terms",
"version": 1
"version": 2
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "1e11e71d550916f3027c212e5cb88b8489cc66382f8969badce547b978a64358",
"sha256": "80b8bb48b4fce2dd59b11697d5479583573647d553b1d1d3d0ca963201efefcc",
"type": "eql",
"version": 107
"version": 108
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
@@ -218,23 +232,23 @@
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "15afab23b7e9efd31d6586f78173366c7895bb1610bd6431cfc8cf2daf8dc063",
"sha256": "6496727d4e84e81c75d87d620f9a6662b800036f1ec2ee26b2a4b2435ccda542",
"type": "eql",
"version": 5
"version": 6
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "ff88a573a0a319738afbfe4b609f25b741830e26d67d348a9b995e5a9d489dcb",
"sha256": "a5be493d23c3644249db774ca160524b0b3548ce18b1df4b5de264c3669e6040",
"type": "eql",
"version": 107
"version": 108
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.3",
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "6992b6ee67e76b2c6fa0320f7a2f7acccc539973b27803777e37f928b1adce03",
"sha256": "46d41b236b25880398aac6dea334d1bc51952f1d572e60c41b5ab3a788e131e0",
"type": "eql",
"version": 107
"version": 108
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.3",
@@ -328,6 +342,13 @@
"type": "eql",
"version": 108
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.3",
"rule_name": "Member Removed From GitHub Organization",
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
"type": "eql",
"version": 1
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
@@ -351,16 +372,16 @@
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"min_stack_version": "8.3",
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "e7526826870e2810425f96e236661c418fd0b78632279740ea92cfe0edc0de6c",
"sha256": "1d54e7fa05f9055911fdd08afc440de0282fbecfe9baa76fdc9cf4c99b627eb9",
"type": "query",
"version": 101
"version": 102
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "9b3055e1c359a21625fd9a6ffb3b15d6ddcc6c9cbce357e0f66d68ba9a2a4164",
"sha256": "2151e8b13ed3dce7a9030f388097dc3817f5ab5278a2c55f95b73e9555b04803",
"type": "query",
"version": 2
"version": 3
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.3",
@@ -400,9 +421,9 @@
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "0226bcc18f65bc8670480b12a71f13488f9f7fc519e664d5a16634de8b356951",
"sha256": "bc71d46cc38c3a7272c00864dffb0f4e5823f7e5ca227e353c03222f5b495d47",
"type": "threat_match",
"version": 4
"version": 5
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
@@ -417,9 +438,9 @@
"8.3": {
"max_allowable_version": 203,
"rule_name": "Threat Intel Indicator Match",
"sha256": "92b2fe11e138552116f69ae042966934b52ed36c6cfa6e03831de7f703c68bca",
"sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3",
"type": "threat_match",
"version": 104
"version": 105
}
},
"rule_name": "Deprecated - Threat Intel Indicator Match",
@@ -455,6 +476,13 @@
"type": "eql",
"version": 108
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
"type": "new_terms",
"version": 1
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.3",
"rule_name": "SharePoint Malware File Upload",
@@ -472,9 +500,9 @@
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.3",
"rule_name": "MsBuild Making Network Connections",
"sha256": "a1bf29b67c9d4b591676101ae899db1fa607402bfd59d1ea37a30c02d751f9b3",
"sha256": "d1a94c81e85a1b9fb1aba526d7729eed01b427fbefaec5199b72c052d1997e54",
"type": "eql",
"version": 106
"version": 107
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"min_stack_version": "8.6",
@@ -488,9 +516,9 @@
}
},
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "2fbbc2683f2b38e5fbfa30e12d93b04afa2aa3f59df9b312bb793cab7f3211d8",
"sha256": "7c22691e28a23660a7113e885a7fecbca37a2f17d4754aba5a241c67c583c6cf",
"type": "new_terms",
"version": 108
"version": 109
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"min_stack_version": "8.3",
@@ -594,9 +622,9 @@
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "e3f49374583b3283173ec5a2b56bf984b274041c4f13c423595f0740c9437bc5",
"sha256": "af3455c52f4b99f05a1427f15471253761c36723cb4172a84145388e407cfcb8",
"type": "eql",
"version": 109
"version": 110
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.9",
@@ -691,16 +719,16 @@
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "6f00425e03b75ccad2d669adf599edf5e627579bfd6c02dfd5a8b8074c9ee0e1",
"sha256": "ab075d8ca064a4111f9af869e8e288dd7fd899530f0ae335a2000922ab11f85e",
"type": "eql",
"version": 108
"version": 109
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "f7da8ec3bf0a1cd28b4e1bc7a091b73bc0f8a408eb3510bd3abc386277dca211",
"sha256": "d357bcec8f40c28fa9de55b73371d9c960ec6b9f2459165eb5c088cd4d80e104",
"type": "eql",
"version": 105
"version": 106
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "8.3",
@@ -762,9 +790,9 @@
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "4b1eec485af47d33737ca5c571fb0460f4b65037669ab0dbabe9bac5698770dd",
"sha256": "e76175d8ec5046e1a55cd0f4b4d1e8618673be71fd72dd869baa6319f3318ba9",
"type": "eql",
"version": 106
"version": 107
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
@@ -783,9 +811,9 @@
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "42bf489fc1a03321f0d5b7eb330f6afaf2d64dfea7d2e5afdc041c2ed1b084bc",
"sha256": "bab7586b9982960e9ed0d58cbc50190eb1ced3d84619eb875ab0f08530a36e46",
"type": "eql",
"version": 109
"version": 110
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
@@ -794,6 +822,13 @@
"type": "eql",
"version": 106
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"min_stack_version": "8.8",
"rule_name": "Potential Container Escape via Modified release_agent File",
"sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3",
"type": "eql",
"version": 1
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Runbook Created or Modified",
@@ -804,9 +839,9 @@
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.3",
"rule_name": "File Creation Time Changed",
"sha256": "a13ea0c57c34bf29a26117cd89ad3d1760dedb9b4fa54adcc0eee079fa605f83",
"sha256": "731a20072629af54217aa058ebf32b818df5a5da9a254a9bdd66ddbc015f54d7",
"type": "eql",
"version": 3
"version": 4
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"min_stack_version": "8.3",
@@ -834,9 +869,9 @@
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "c0cd1aaa9aa6759d34b3b00592c50454726fad1c02fe5887b0a6f33c1e4ef794",
"sha256": "9666ca9229a5a528a88f0720ea9efd02000c9b61d3067bbcc19ea7a828b113cd",
"type": "eql",
"version": 109
"version": 110
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
@@ -883,9 +918,9 @@
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "400131c604d2387a643233aeae981ecf85b248f90b0914a4b349e1ed55ddce84",
"sha256": "ab0f76e6ff9d332fa33d758e475549d77bb91d4546829680176822bace816c5f",
"type": "new_terms",
"version": 7
"version": 8
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
@@ -1049,9 +1084,9 @@
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "1b168626a13b010e11e758702eb6d895a779be9163e0265089d56c852cd438b6",
"sha256": "605d61a4fee6349c89182c783e73678a38f5f4705bca65b99a1a5a0307664fea",
"type": "eql",
"version": 111
"version": 112
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
@@ -1105,9 +1140,9 @@
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "9d74966200ab76215b5f75666d8a4991c2b0147b50e7786298a59b9b037dc303",
"sha256": "c279117a6a19806a1041da8d0f6481b5ab1616f90ad686a58746bfbcc1341cf9",
"type": "eql",
"version": 106
"version": 107
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
@@ -1151,6 +1186,13 @@
"type": "eql",
"version": 1
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
"type": "new_terms",
"version": 1
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Sudo Activity",
@@ -1189,9 +1231,9 @@
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "e985eb9816fbebe3599feb87b715f34c43f15a76293dc8ebefa29e0d5b6a7e3f",
"sha256": "2233e5ea218dfd0eb681e5eda22661045a5d6f2fc43bfd51a8e46a02691404ad",
"type": "query",
"version": 101
"version": 102
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
@@ -1334,9 +1376,9 @@
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Load via insmod",
"sha256": "2cc6d7aa7add54ada5a4d8c00fdb52a0b87509638431999e633b74055b8c0f4a",
"sha256": "e8a71f53507413121ff82ca2496d461255f41f8c86c0027ce2fa487f9b157cdd",
"type": "eql",
"version": 107
"version": 108
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.9",
@@ -1348,9 +1390,9 @@
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.3",
"rule_name": "New GitHub Owner Added",
"sha256": "839fb4e1ecdfcb2be6949ac45bfd11ec72c4ccee48cff00ef05e661a7fc1c6a3",
"sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
"type": "eql",
"version": 2
"version": 3
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
@@ -1369,9 +1411,9 @@
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"min_stack_version": "8.6",
"rule_name": "Network Activity Detected via Kworker",
"sha256": "135aee6821b8cd1ee41d9c054c4f355427b8352720b5463c6e68144a5f53830a",
"sha256": "38aef430c59433edfc458d3cfef8619dba63a6c1d681d6680c5d864aec8f5fc4",
"type": "new_terms",
"version": 1
"version": 2
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -1404,9 +1446,9 @@
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"min_stack_version": "8.3",
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "3beffde62280896b2aa6df7e414ebeb74f72233abfefcc99493b20c3c02d6aed",
"sha256": "b17d343699156f436fb832585a96af5844d078cf79f5fa34771f1ceb6b0e95b2",
"type": "eql",
"version": 5
"version": 6
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"min_stack_version": "8.3",
@@ -1418,9 +1460,9 @@
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.3",
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "6034810ddf957379536be3d43d1d1f5868b60b212e1e0224b1347552764b3240",
"sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9",
"type": "threshold",
"version": 102
"version": 103
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.3",
@@ -1474,16 +1516,16 @@
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "9d0bcbf7b54f9ec62e6ac93c6fc9afa7729ae93e9eda196e3470f9f2ce3c3131",
"sha256": "257b3fb90d62c5183542dcff6f0968b2b4c05ab2ff444c13476f8b16b2b4eec1",
"type": "eql",
"version": 108
"version": 109
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "2cd4ef3408eed788d9622c7de25f23314bbe10bbc4d7cfeb94d651618911ad94",
"sha256": "4783ea1c871e136da712f699297b8bf091b1796196bd60a91f318d9118146e90",
"type": "query",
"version": 101
"version": 102
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
@@ -1498,6 +1540,13 @@
"type": "eql",
"version": 100
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"min_stack_version": "8.11",
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "94ac13353f3fecc614b24c287794d0db40f30741b295beb613566a654b053e1b",
"type": "eql",
"version": 1
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.3",
"rule_name": "Sudo Command Enumeration Detected",
@@ -1524,16 +1573,16 @@
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "ee657966d36d8e1dcc396dedd56fee8e5c2f1fdc6d06e0ad9dd4b9c5bc655463",
"sha256": "24dbe0a7ac74484f64918efe29bea45e8ad8b0e96d100b3bd08873b85aaabd45",
"type": "eql",
"version": 109
"version": 110
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "583bcc5f3c4c54715db820cfd49175943c5c77bcf448a46843c29a7dfe8a1e0b",
"sha256": "7dd6d1e390ebfd93e78b9641381617dbb41f9a5bc0eabdc6182027ccbfca46fd",
"type": "eql",
"version": 108
"version": 109
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.6",
@@ -1547,9 +1596,9 @@
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "63b960b37cd4248376f81706924a1929775fa96a6eaf6575da361e96fafafc8b",
"sha256": "91640b4675f4fedbb77041e83d0aa845ecf1a343fbaa533835e78afe90aa97f8",
"type": "new_terms",
"version": 209
"version": 210
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -1612,9 +1661,9 @@
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "30fae5f472da92e741d6c44d0ad23b2c739fee3b3ccd38f73960e06567dda767",
"sha256": "ec77422daee02355d42a51e3660c24d0e608ef82ff3d92169665ed6149496dce",
"type": "eql",
"version": 107
"version": 108
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
@@ -1635,9 +1684,9 @@
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "11cd32635c6cb009185cf4605d2b361f086b0699c8ac390eb8bf7fa0b988192a",
"sha256": "481aae41195f6dc58cb3f76032ffbfc5fe4f6940245db16f6e4d42cd0a735879",
"type": "new_terms",
"version": 207
"version": 208
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.8",
@@ -1665,16 +1714,16 @@
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "6bbeaa26cdd427d0a628c899b4f643da7efd6be92918fc554a679d294bf1e136",
"sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e",
"type": "threshold",
"version": 102
"version": 103
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.3",
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "7c1c93dc3cbb29566f0cea895464bfbda60a453682f8184de11de21ca49597b1",
"sha256": "b923fa419e9ac1d3e41bd75e45c9c2ef9ddde2134eb32607cb9f601891fe589c",
"type": "eql",
"version": 6
"version": 7
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.3",
@@ -1774,6 +1823,13 @@
"type": "eql",
"version": 5
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection via Sudo Binary",
"sha256": "ddb98f4f685bbcea91b63f3f1c66d834819a438573a2789c94db0f944a2d6507",
"type": "eql",
"version": 1
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "8.3",
"rule_name": "Agent Spoofing - Mismatched Agent ID",
@@ -1791,9 +1847,9 @@
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "daa92a1b6f43697ea1240f49a719d9b47291cfa4bfa6656460a9ede23b2d00e3",
"sha256": "d103eb4b3b70bcb7218f6d5ee253d330f07d90b75d10bfcaaab675d5d44ab6f6",
"type": "eql",
"version": 109
"version": 110
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
@@ -1826,9 +1882,9 @@
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "9c7b1be8cd662dea09651d051b6aedfa04b3380cfa9fcb294a5776f8f883980b",
"sha256": "a2f256cc9ea71c50440bbb4867ab2f6f5f0a35d610c0cd90a07dfa83ad7bdb22",
"type": "eql",
"version": 108
"version": 109
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.9",
@@ -1870,9 +1926,9 @@
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"min_stack_version": "8.3",
"rule_name": "GitHub Repository Deleted",
"sha256": "82225047c1559d8bba7c15944953088395802e8a1ad8fd0552714eee65b22635",
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
"type": "eql",
"version": 1
"version": 2
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"min_stack_version": "8.3",
@@ -1905,9 +1961,9 @@
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "f43b593fe851b23a69b109c4a9fd1e07aeb8374bab2d9c192ef74fc76cba8ec0",
"sha256": "0098a7a7001a8e52c8fd405da22d8b74b7752a3abc6c72ce58a3c1b4bc87a00e",
"type": "eql",
"version": 108
"version": 109
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
@@ -2079,9 +2135,9 @@
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "1feb23973523f2629afbcfd02fc9042a94493d897f520c7db2799fb1f9e27af7",
"sha256": "7a96acd466a52a000a95a7a901ce68338cde32312c53ad710e741dba79c4d31f",
"type": "eql",
"version": 108
"version": 109
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
@@ -2110,12 +2166,19 @@
"type": "query",
"version": 103
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
"type": "new_terms",
"version": 1
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"min_stack_version": "8.3",
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "43bc73a5cbc5ccf4e81390755489787a2abc83ecabb1d94666471e4082fdd0a3",
"sha256": "e780bae977385affaf7a29979e4b42d96948ee5c5143d445e328977e47e0ad76",
"type": "query",
"version": 101
"version": 102
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
@@ -2127,9 +2190,9 @@
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "aa1f6b51dfaf16ed53025b1b4cb2f73647fb4e83a6da692753a3f319bf43c6e1",
"sha256": "4d3a67e13e1dbd3a56db47d759dd9a345c503a88359029cd2cbed24aae2f2da3",
"type": "eql",
"version": 109
"version": 110
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
@@ -2171,9 +2234,9 @@
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "4d57fbe0eec06316d1ee5f24cf1f0a48bff5ed1d8f8bf4c944d57a25fc9c875e",
"sha256": "ffebc8558061bb7dea44422008c6d36bf5a9a5bd236b54a4c1c347e3afeaaa7a",
"type": "eql",
"version": 4
"version": 5
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
@@ -2199,9 +2262,9 @@
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "09ed4561cb386a7b90520c318b820066f354c61f1b5e023d10563ad64a035c2b",
"sha256": "186e976103d3e2b613b34b59023ffb3714c57d1af81a74cdc5f6f5d820c3eff1",
"type": "eql",
"version": 107
"version": 108
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.8",
@@ -2222,9 +2285,9 @@
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"min_stack_version": "8.3",
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "d864c81705b90eda8f509178fdd93a918d5d23bf207160ac4eef1159233974e1",
"sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67",
"type": "threshold",
"version": 102
"version": 103
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"min_stack_version": "8.3",
@@ -2243,9 +2306,9 @@
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "a99ea10f8baeb92b2c9e2c4363393f2718bab9daab338ce36617565d14e8a3c8",
"sha256": "cfed2c9b938c13970e3b6df4bc955a28ef3093ee600d6f2cd4b5cab3cc39200f",
"type": "eql",
"version": 108
"version": 109
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"min_stack_version": "8.3",
@@ -2268,12 +2331,19 @@
"type": "machine_learning",
"version": 2
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.3",
"rule_name": "GitHub User Blocked From Organization",
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
"type": "eql",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "0f9c30762b9d866395af98426eb9a784abbf168110167161bb7302fc4402a8dc",
"sha256": "9c63624a50b10038636b37c3c2924f1d5de7987ca84d3f9faad86e420ec3c09d",
"type": "eql",
"version": 105
"version": 106
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.6",
@@ -2301,9 +2371,16 @@
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "88b7f3edd6dcf39eb51d9ad50f608aae26b1aaaff95adb1f19b6565abcf8d9e1",
"sha256": "76d4c434f999b25ec34bbcbe809f0b6533b9d500519280f6a0558cca94ccf418",
"type": "eql",
"version": 108
"version": 109
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
"type": "new_terms",
"version": 1
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"min_stack_version": "8.3",
@@ -2319,6 +2396,13 @@
"type": "query",
"version": 105
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"min_stack_version": "8.10",
"rule_name": "Mount Launched Inside a Privileged Container",
"sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d",
"type": "eql",
"version": 1
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "8.8",
"rule_name": "Interactive Exec Command Launched Against A Running Container",
@@ -2332,15 +2416,15 @@
"8.3": {
"max_allowable_version": 206,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
"sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621",
"type": "threshold",
"version": 107
"version": 108
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "60954a70897438ce1627fe0aab388688a6c189b04e7eca5543e0c450283c029b",
"sha256": "191661b0af8a8c61df4f38e1c05684730daaa2e7211d90119b291ab3658f5ad3",
"type": "threshold",
"version": 207
"version": 208
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
@@ -2401,9 +2485,9 @@
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "223843bf80e272f189bee419979e4fcda5a2022bcf2c5c1f15706307e1f98fb1",
"sha256": "9cfb02a6c3d0cf6058f5cb24d68214a4eaf071af1b155fe7bebdf74a8d64b823",
"type": "query",
"version": 101
"version": 102
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.3",
@@ -2422,9 +2506,9 @@
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "5b1155c651c8cba197b8525501a76da112e7941889fa0a8b5b0e27caf1105deb",
"sha256": "52236fcc17f178dc677b43983bcaa370fd8880a981d93b4470f67a60bd98d1eb",
"type": "eql",
"version": 109
"version": 110
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.3",
@@ -2443,9 +2527,9 @@
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "bac9e6b18e0ec38e0b8930bb9402ed0d4c8000c06cacaaabaa388556a67dcb48",
"sha256": "f81a299ab73bc88e675dad5dc2c317be157e02699f1149c411af6c0aac00899c",
"type": "new_terms",
"version": 7
"version": 8
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "8.8",
@@ -2477,9 +2561,9 @@
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "639eb15abbef368443484e39fabea441656acc3ae63f1e516bcf0809870d0297",
"sha256": "b50b2e234ba9baff98a048befd56242a0342a5ef08704dd5a631a993128dda42",
"type": "eql",
"version": 106
"version": 107
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"min_stack_version": "8.6",
@@ -2598,9 +2682,9 @@
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "a04f9f214a8657301ff6f4a703643d13ac53077379481968c70e4bf2cea816a6",
"sha256": "fa53a5c480d782e5ee5318fbf10402858e82c0ff4b2eba5cdf7d989c51400fb2",
"type": "eql",
"version": 107
"version": 108
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "8.8",
@@ -2626,9 +2710,9 @@
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "502fa24c53c1494b06d2a0ced551622a637c45233b440fc68dc1742cd299071b",
"sha256": "65b0598c0219095da6c676a23367d47d583e6c011bb811f52d8d45057bdfc6ab",
"type": "eql",
"version": 106
"version": 107
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
@@ -2650,15 +2734,15 @@
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
"sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f",
"type": "threshold",
"version": 105
"version": 106
}
},
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "c7f85d799207c359e3f84f41c0473858bad893198ffa7f3d8327d153eb0b422c",
"sha256": "4d3e2e99bc3f1b8cc5fc76a37bc23ff9e7a01b972e0c6ae67f78d0df8e43fedb",
"type": "threshold",
"version": 205
"version": 206
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
@@ -2670,9 +2754,9 @@
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "6bb389b8e69d040d951bc64627e254593b1ba372685398e81c21eb814dd51b62",
"sha256": "012dcc784a14d30933595f8e32cf14a838ed2fbbfa50b2f89917ee06a761fe39",
"type": "eql",
"version": 109
"version": 110
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
@@ -2691,9 +2775,9 @@
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "a1c46d81fd67c7642daa17b16bf816cde74efe2dfaee7d15579ef7111e42b7ee",
"sha256": "53f2c0931c84562d99448bf354579e8eb99b5da5a53f8c4f362b42a9fc23eca7",
"type": "eql",
"version": 108
"version": 109
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
@@ -2854,9 +2938,9 @@
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "0ca4553577a276a0afb0bbee5fc06fa283385f41dc413ebf23ecd2e4eb1b6e6a",
"sha256": "2230b608e14905ab59a03345d40c4316f05604472bff811a58169a5d635033a0",
"type": "new_terms",
"version": 6
"version": 7
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.9",
@@ -2884,9 +2968,9 @@
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "7b3107911e8c741b9ec3094b7c7a52e543860a937b4ed244eece2b4aa8e5e3e7",
"sha256": "1b87bd4ff716c3bfcb0481e0db133d5ed6a99a9fc0e405796be2b43a2a5d6bcc",
"type": "query",
"version": 2
"version": 3
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
@@ -2926,9 +3010,9 @@
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.3",
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "837622000e1ecb3a269462a17f996c294b62888bbbd19f9585ad12521b4326a3",
"sha256": "89aec2e14544effd2f05878927d6c65bda26642bea2827c7a323265202fb46d9",
"type": "query",
"version": 106
"version": 107
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
@@ -3019,9 +3103,9 @@
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "dd1d2bea2a77074d95a5cb954bac84a5931dfa69391613cb54de8fd114d134cd",
"sha256": "464173343b15452c0508079b2d1b419ba63394f705a0a4cd524b33d261d192db",
"type": "query",
"version": 101
"version": 102
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"min_stack_version": "8.3",
@@ -3047,9 +3131,9 @@
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "1f51a18c5b7294c2940d6c10a4cf3140689a2b6d361f967a6a5b091240ad4a7d",
"sha256": "1aee67afb99246ef2de3ff6b98de2a7e529122c7d55d36b64fbb50403eee1812",
"type": "eql",
"version": 108
"version": 109
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
@@ -3126,9 +3210,16 @@
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "101fe62af1dde7632ea69d604f837f167ce9c392ec275f41f97edbf9d32bb888",
"sha256": "d823d6d2ef1fdf34aa36794f0b7cd7c6897423510a0d6c77184faf205c7eb97a",
"type": "eql",
"version": 6
"version": 7
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"min_stack_version": "8.3",
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "5c459c5221a6e2ba5f5e6fc56527730e829e106f36af310b02de97f2826c6805",
"type": "eql",
"version": 1
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
@@ -3175,9 +3266,9 @@
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "4ef5a001820e5135ffd557947919a55c875cd3a75ed5f351507a7f3c9e06c77b",
"sha256": "64936778fc675a7134a1e258d68825febdbe5f0b92e5a17ac102f1eb4fafdd77",
"type": "eql",
"version": 105
"version": 106
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"min_stack_version": "8.9",
@@ -3195,6 +3286,13 @@
"type": "query",
"version": 205
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"min_stack_version": "8.11",
"rule_name": "Process Capability Enumeration",
"sha256": "3f955af7035ed1c28ba10841d9d87b58de34c51c9146ed0ba4bf0d76ec560575",
"type": "eql",
"version": 1
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.4",
"rule_name": "FirstTime Seen Account Performing DCSync",
@@ -3329,6 +3427,13 @@
"type": "eql",
"version": 106
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.3",
"rule_name": "New User Added To GitHub Organization",
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
"type": "eql",
"version": 1
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.3",
"rule_name": "Interactive Logon by an Unusual Process",
@@ -3339,9 +3444,9 @@
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "a2efc8419825dff241841f4cd67f7a4249150821200aa74a49a973b274ba1b66",
"sha256": "e38e7929eb1850d3a951bfc7accd55279ec17d943ffec88463263308ad74f4c4",
"type": "query",
"version": 111
"version": 112
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -3429,9 +3534,9 @@
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "b50544cddecd269cc3a27814bdb19f3f1683fd8dcb3d2967588b2d38e487eb96",
"sha256": "4b0dcde25fcab555e3f2eb2ea71dbd1f97f28352307fc2018254f7849f996dec",
"type": "eql",
"version": 3
"version": 4
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -3559,9 +3664,9 @@
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process Terminations",
"sha256": "588f2aa6d820fea6e191906cb8791cee0b8a293222a681b6cc4ff1c3ff8f8ff6",
"sha256": "4d18f0f9724cf97382b88d3281dd5ed3c2b5c2dd53a7e9c8c5b39ffd7d43cf37",
"type": "threshold",
"version": 110
"version": 111
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -3602,9 +3707,9 @@
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "cc263ea8f46aac31f4c4fc112a7dcd7ff453c89fa45066ec2569deff91b85ef5",
"sha256": "83d6dccf5b5f0ae4ea178909ae972c10cbc54dbf4a5958187462bbf92d888beb",
"type": "eql",
"version": 107
"version": 108
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.4",
@@ -3674,9 +3779,9 @@
"8.3": {
"max_allowable_version": 203,
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "f2d4dda1642f078dcb77b698976c25ba557553c259a493e3a18224bfbbf36a96",
"sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8",
"type": "threat_match",
"version": 104
"version": 105
}
},
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -3710,9 +3815,9 @@
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "79a34adf5b2d2e77e4b9db0d019c6af379cfa51e10a016385e4127e496667530",
"sha256": "bd2e1f3a638be5723ff0cb90b678f2912a29bc22b31c66b9e6cafa9973e6e64d",
"type": "eql",
"version": 107
"version": 108
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
@@ -3765,6 +3870,13 @@
"type": "eql",
"version": 106
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.3",
"rule_name": "GitHub Repo Created",
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
"type": "eql",
"version": 1
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For a Windows Host",
@@ -3955,9 +4067,9 @@
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "89ab2e24c739c528f048080597db9f446386a62730ba1e392eae623512e2ec6f",
"sha256": "b5efd0d5cc03f23a2da9ba8c011e0cc2b84d668ea552d2146366bfddd578e639",
"type": "eql",
"version": 106
"version": 107
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.3",
@@ -4100,9 +4212,9 @@
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "551061d1ad90acc7d6514094b3e49c26ca4410c8372871f868166f8e386e17a3",
"sha256": "0b1d34efa9ae7e3ad725a2070ea832695c414dc144430193559862f9f0b91876",
"type": "eql",
"version": 7
"version": 8
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
@@ -4114,9 +4226,9 @@
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "d09566023f3a3ae877ed4d879c94ce1f4165ef8c664e0ef6794d43385d49cccf",
"sha256": "68070ae4d21b5df8c2d3a557ef4e6ec168133c90cc9738a6eb39dd108f5d585b",
"type": "eql",
"version": 108
"version": 109
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
@@ -4135,16 +4247,16 @@
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"min_stack_version": "8.3",
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "80710ac325d0c53b1d15965386e8fbb32e1c4aace237b63664d9f4db8f7f815d",
"sha256": "218a6c64a0a6ca81daa448015ce3939bf8dc52af526230c34665f979786b8e59",
"type": "query",
"version": 102
"version": 103
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Sweep Detected",
"sha256": "e8646ede4715b107643a3098b6e032965f664c38e7341d9d0519b3a8510d2fab",
"sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db",
"type": "threshold",
"version": 4
"version": 5
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.4",
@@ -4216,9 +4328,9 @@
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential File Transfer via Certreq",
"sha256": "c33e5d3c93fbcee2f5e36fa7cabf7b38e81c6acc0d71b2fd57c13d5f3946887b",
"sha256": "c6ede1b19124b56c850d7eedf82e3104e0dd50089d1209a233c6146d28706b7e",
"type": "eql",
"version": 6
"version": 7
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
@@ -4331,9 +4443,9 @@
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "c2521f557370eeadd9f5ab09fd706593451e0f0d44ffcb8ee63fd21ec3433862",
"sha256": "6e1d3e200b1ef78b0f609fb9f6d170ecf1dbbb0aad87854a50124ac68aa8e226",
"type": "eql",
"version": 106
"version": 107
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"min_stack_version": "8.6",
@@ -4354,9 +4466,9 @@
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Timer Created",
"sha256": "74881e97ab7721a1e539586fa0f192f38d25d7565c81928c9a8515daff525604",
"sha256": "8487f4e6a066d9cadee56c12bbe5552ada0fd68af6a3b481ffe92c308184e3be",
"type": "new_terms",
"version": 7
"version": 8
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"min_stack_version": "8.6",
@@ -4407,9 +4519,9 @@
"80c52164-c82a-402c-9964-852533d58be1": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "0dbd2d102b454f0abdb7f1d0be19cbee64db8c5429aee66b1cc09dc125766d6b",
"sha256": "661387b1e6ccd6656a40df519444a4dbea7f5c8fc82c4e4688368f9625bc1371",
"type": "query",
"version": 101
"version": 102
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.9",
@@ -4496,9 +4608,9 @@
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "ff711eea051615cadd16874b875330acd62c7aaf5fb10e2db0d36c1f15799712",
"sha256": "e48575e85ccf8ae97bd5dbbcdb93966f977cfa5497471f891a801e5b405c1dce",
"type": "eql",
"version": 108
"version": 109
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
@@ -4519,9 +4631,9 @@
}
},
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "4c25f7bb1a234052d7a5d22439a6b2ceaf128a052fa764bb1d97b0d2b5928eee",
"sha256": "eb9b0b0b83082c3d6dbac814bde52b8353d73b0924dc994669c557a187778df9",
"type": "new_terms",
"version": 208
"version": 209
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.9",
@@ -4574,16 +4686,16 @@
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery via Grep",
"sha256": "f4d2ea0ece674f039a63702423275a0d16239f282e580bcea41aaacbf1505ae0",
"sha256": "a1792aee556816d8473a7ba3c81bb71e4e3f8995d2f02b96380ebc0983c971a5",
"type": "eql",
"version": 107
"version": 108
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "faff9c1bc769a66960918e1a2f77f18910fbc478e2c1ab36d62656ed1756c01e",
"sha256": "08c61e68b49996cff45a5ca3297eff4d18ce1a33c304531ceac1883f33e28cb7",
"type": "eql",
"version": 109
"version": 110
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.9",
@@ -4610,9 +4722,9 @@
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"min_stack_version": "8.6",
"rule_name": "Potential Suspicious Clipboard Activity Detected",
"sha256": "a845a994f21837d7225484856beb19514cb92efaadf804f6caf1748812efd2e6",
"sha256": "6e05caa1477a9c6b87772ce6b8bd4cb5e5f6a6b3ac3a2aa4bb06fdf531e3fba4",
"type": "new_terms",
"version": 2
"version": 3
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"min_stack_version": "8.3",
@@ -4667,9 +4779,9 @@
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
"rule_name": "Command Prompt Network Connection",
"sha256": "a7b53613b02ded1945e51652cf8c0a4b2548ec599948a7ac9a5a75287f819c3c",
"sha256": "c0b4574542b8ac38026cbeac09ec95c20afcf657fdf84c29293c742aa12dd7ea",
"type": "eql",
"version": 105
"version": 106
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"min_stack_version": "8.3",
@@ -4692,6 +4804,13 @@
"type": "eql",
"version": 2
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"min_stack_version": "8.3",
"rule_name": "GitHub PAT Access Revoked",
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
"type": "eql",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
"rule_name": "Setuid / Setgid Bit Set via chmod",
@@ -4734,9 +4853,9 @@
}
},
"rule_name": "Suspicious JAVA Child Process",
"sha256": "951a0bb72f0f5df1d2a10560cdc54d757d5fee1b3ee2c3156ea9728b05591a19",
"sha256": "31161e50d04910648d64045479ad9d715cd57931900d62e347756f6f2c328d7f",
"type": "new_terms",
"version": 206
"version": 207
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"min_stack_version": "8.3",
@@ -4790,9 +4909,9 @@
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "c9bb739724755a7a6e1cbec08548874af36827e590163f7d6e0ff83b215c2fad",
"sha256": "15476273cd0025f1ff7fa6376ac4edbcf6651d4dc99c824ddbdbb6d2918271c1",
"type": "query",
"version": 101
"version": 102
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
@@ -4957,6 +5076,13 @@
"type": "machine_learning",
"version": 103
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"min_stack_version": "8.3",
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9",
"type": "threshold",
"version": 1
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
@@ -4967,9 +5093,16 @@
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was created",
"sha256": "d06b732a19959ac408573130e7312505731217a17ec0035068bf7769ab026484",
"sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76",
"type": "eql",
"version": 7
"version": 8
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "7c38b0901885837073d9e0ad209f2c2ffc620ca353882769c852bc2106bdce4c",
"type": "eql",
"version": 1
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.9",
@@ -4999,9 +5132,9 @@
}
},
"rule_name": "Sudoers File Modification",
"sha256": "6a1a6b3462c4ea5f0ea3cf546684745e51efb7a52a094227c5b2f06e6fa90bc3",
"sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2",
"type": "new_terms",
"version": 203
"version": 204
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"min_stack_version": "8.9",
@@ -5022,9 +5155,9 @@
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "6b57124ee39f8300e5f18425933da9f3a453ac5c4b36f209412a6fe5dd615b60",
"sha256": "f4344ee212e64d34651acd2ebc698995f7ad7e879bff953a02edecf50a2ce80d",
"type": "eql",
"version": 107
"version": 108
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
@@ -5119,9 +5252,9 @@
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
"rule_name": "File made Immutable by Chattr",
"sha256": "c2ddd9f37a21375386f51998a552ce13bd1b9a8a140474192da60553fa322aba",
"sha256": "93ea8e110510f4d6b4d6a0d61e3b215308a17725f4f5220c8aded0d71979760f",
"type": "eql",
"version": 109
"version": 110
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.10",
@@ -5142,9 +5275,9 @@
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "a65b4ea716da6e7c3ff70fae5abd7b6618963ba8e8e6f089bcf2d264bce4f23f",
"sha256": "44dc1535fd4e7eb81d869d9de8f6cacc76fed22ccd3dd934b014213d9cb3f7c6",
"type": "new_terms",
"version": 7
"version": 8
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
@@ -5156,9 +5289,9 @@
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "6e8d2549a28b15014cb6b7629b580649e27bef8496ddb32de9b5181c9dc480e4",
"sha256": "0406b3af7729bc87f43a01dead08aa82869be209941aa85bc7d4f2bcc959a505",
"type": "eql",
"version": 5
"version": 6
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"min_stack_version": "8.3",
@@ -5174,6 +5307,13 @@
"type": "query",
"version": 104
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"min_stack_version": "8.10",
"rule_name": "File System Debugger Launched Inside a Privileged Container",
"sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9",
"type": "eql",
"version": 1
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"min_stack_version": "8.9",
"previous": {
@@ -5286,9 +5426,9 @@
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "6306143790d8722aa16246c98c608a9cd232df0e1686f9a92e6cd306e8ee7676",
"sha256": "3eb61b0c1f450cb261c64e332f3b607245dcae89bf60a1b375b61b21f7173d1d",
"type": "query",
"version": 101
"version": 102
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
@@ -5374,16 +5514,23 @@
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "a16bdb7510672df6f37801d5358499f1a79cde453022a2a3f424c450d519def1",
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
"type": "eql",
"version": 2
"version": 3
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "01291523553fdba38e5d3c7f1d2a822a56c6fecf2ae5081e5a3fcdd6421a827c",
"sha256": "c90bca94072951ac96d248d96623d3f465eb8149589da431958585d65f1b58dd",
"type": "eql",
"version": 108
"version": 109
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "a841eddbb327459aeaf07490f410d4a916c78b996157eff8364de689b0bb3d58",
"type": "eql",
"version": 1
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
@@ -5477,9 +5624,9 @@
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "b6e512dc643a38fc0f3437b2ab9b8a2ab3d056ec85db592e39c41a9e5941c0a2",
"sha256": "15fb82f8d4353f95ae6afebc4b4f30ede5ce57b8bed8ddf57dda4453add96880",
"type": "new_terms",
"version": 208
"version": 209
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
@@ -5528,9 +5675,9 @@
}
},
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "f9910945cb1925f34c18653ab7d5b0ab2d6ba8491db17ce29349b10dd5af8e4c",
"sha256": "7b78fdf9a5ee44c30961d116be5d1d92f5800058130e514664356ef5256a2cea",
"type": "new_terms",
"version": 207
"version": 208
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
@@ -5689,6 +5836,13 @@
"type": "eql",
"version": 2
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"min_stack_version": "8.11",
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
"sha256": "d5e3e722b643e6532e435b70be6debcd965f9202b481dd6b5338f6ba1c5ae12a",
"type": "new_terms",
"version": 1
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
@@ -5729,16 +5883,16 @@
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "ad3072e4913ac770d5ec08abc3f4164ebaeadfceadf19007ec2c196a86be9022",
"sha256": "9b269e2592ed655d3f250273bfc1a1116ab23ed32747541270da9a81f0d908bf",
"type": "threat_match",
"version": 4
"version": 5
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "5aad9bb6f69714bb192aff73543dd6712d88a59758b870c26af66643e481fab7",
"sha256": "a81ed00d0e6066a39fd5a3f427861a0893752d04f344025ac5cf52af3bb89afb",
"type": "eql",
"version": 109
"version": 110
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
@@ -5757,16 +5911,16 @@
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "39dc07aae00d71e5e210d726a51202807f31ce7e26afe10c19fb8a6d773e2537",
"sha256": "9da761d681a4afa141f5edaffb870d0fcb0f18117dc031fbb50e7e3f0c718742",
"type": "eql",
"version": 108
"version": 109
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "027498bcace88695c3b5e09df27735c8b2063701ea3b27328d0fb52f8c6533b7",
"sha256": "d69ede40621f9394c675ab79f8f227e9f655fa33a83542e9dc49ef1c0e18f3a0",
"type": "eql",
"version": 107
"version": 108
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
@@ -5849,23 +6003,23 @@
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "57036ece2d16588ff5db14cfef90686fb253e824740a435cd77099efb522ead8",
"sha256": "ae79bdba08fd0d993c81cf99262e5013df74389cad877e333dd2760bc07912f2",
"type": "eql",
"version": 108
"version": 109
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "67453761dd40533419f89a508cf05c8bf7e992831ad5f324e18f2b3b19929e59",
"sha256": "65feb9de6214f63b609e468ff830ceb54b824a8d5c170bf0bcb729bb79a7e2a6",
"type": "threat_match",
"version": 5
"version": 6
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "d0dd83e403bca3f7f3d1950d5015f30d849b5fcd9227445946baf01306304def",
"sha256": "9d9d197ea4f0b08c172e8d6c9ebbf5dd1ce90db4d68c73badd25410b2187b17b",
"type": "eql",
"version": 109
"version": 110
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
@@ -5944,9 +6098,9 @@
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"min_stack_version": "8.3",
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "717b98ebd28d44eb41e239b4c1fce9a077b804fb2fa74887e44db8abf8a9d984",
"sha256": "e2d5aaa14adce5d3edef5c2878f96a6193c5805eea425e8004b91d9d6a831b2a",
"type": "threshold",
"version": 106
"version": 107
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
@@ -5958,9 +6112,9 @@
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "aab56ec768cc094769d54446314b0acd0757ae4db3a9da69e5099246b4710246",
"sha256": "29f84a5a0a32118cb2f436d97ed35f3666bf97fb09b76724beb49dee5d4b3db4",
"type": "eql",
"version": 106
"version": 107
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
@@ -6015,9 +6169,9 @@
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "4d4e79da63198cef34c6daa28263e65a117d300b3526620cda6075a9a6532a45",
"sha256": "e16b4400106935d2e647c6809da5ebd20b8bb5321fe99b56a8371c045098d5eb",
"type": "eql",
"version": 1
"version": 2
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.3",
@@ -6029,9 +6183,9 @@
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "93e731444b08dd8f1dbc6e88f457ee9aacbf61c1f988464f84cf5db0e056ff51",
"sha256": "93d1f7b87af4cbf3e570105779fa64a035a4dfbf8722a72a9f51ab8426b0956e",
"type": "new_terms",
"version": 5
"version": 6
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"min_stack_version": "8.3",
@@ -6064,9 +6218,9 @@
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"min_stack_version": "8.3",
"rule_name": "Timestomping using Touch Command",
"sha256": "2079a604f3faff6cc6b6b781db98c42700096fb46d6944292c62c13c01a7810a",
"sha256": "49cdb820a25852de696d39b218df30f8b82ac01a4696bbbf5ca7aa0c5df3d0dc",
"type": "eql",
"version": 104
"version": 105
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"min_stack_version": "8.3",
@@ -6119,9 +6273,9 @@
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "dae5acefb06a64476ec330f3a9e199d0829f858f37e1a80b9f611ae9ecf0a42f",
"sha256": "e8e9639034967a9e5d52426676e6b17b2db0a5dc5486e95811962f4c94b42933",
"type": "eql",
"version": 105
"version": 106
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"min_stack_version": "8.3",
@@ -6140,9 +6294,9 @@
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "cf799c7c2e95e99b29012536ac50ca736dbaaa029b937b73985d8f4b31b30e9c",
"sha256": "88b124d798fdc009c75ce590cb5313122089d2ac66fb58e6c2e75eec66b367be",
"type": "eql",
"version": 5
"version": 6
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
@@ -6200,16 +6354,16 @@
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Console History",
"sha256": "3887ad885e0ebf5e37828d1e8dde4d5183e83f831a2a4c6c6d00a77cb3d15e0c",
"sha256": "4f1edbc2a0759248f18fff799e917c82a93edefae6afa469993a0d4a9d474235",
"type": "eql",
"version": 108
"version": 109
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "ca11a431744e13425dc24b1f98000a04346735be332e41061ba730bbcf3eee37",
"sha256": "2d9ef207293a121119cb59ae49cccdfe032686bc735a7041220c3001324a641d",
"type": "eql",
"version": 108
"version": 109
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -6248,6 +6402,13 @@
"type": "query",
"version": 206
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"min_stack_version": "8.3",
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "5b54f0d64a5e64f33ac533f79ae2dd7e813de6bc48b4f70016a81d4c984cb56d",
"type": "threshold",
"version": 1
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.10",
"previous": {
@@ -6309,9 +6470,9 @@
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "c6ecd8ef206d0f32e3bc9b72cf1a808affd09aa72bd8443c3a359bf000480e3f",
"sha256": "1412fcfb756b1912fd57e9ed3d178e435ddc67e6d38a2dc35e415fb4d4479c6a",
"type": "eql",
"version": 109
"version": 110
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"min_stack_version": "8.3",
@@ -6337,9 +6498,9 @@
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "b62ce757409f5b83483a6178edf83f96ca9f2694c59261960462d1d5aa5c823e",
"sha256": "6d865b15c3674b78e2d9de64bec58d2deacaffeddce4099ecf15fd02b52261f4",
"type": "eql",
"version": 107
"version": 108
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
@@ -6355,6 +6516,13 @@
"type": "machine_learning",
"version": 103
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "bd4ce205bb988bb06084a9673646c8c684685ecef659dfa4c881ed82df863856",
"type": "eql",
"version": 1
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
@@ -6395,9 +6563,9 @@
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "2425bfd3bc54bb802d2646cf30575b92b6de9f1768145e593f3640a9ed1ba450",
"sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52",
"type": "threshold",
"version": 4
"version": 5
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.3",
@@ -6429,6 +6597,13 @@
"type": "query",
"version": 104
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"min_stack_version": "8.11",
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "2d4413810fd1b937b7c2f98d7a0efbae3a424df43c7a361e4938d8cec9c1ad19",
"type": "eql",
"version": 1
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Root Certificate",
@@ -6588,9 +6763,9 @@
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "f02b1ea97087aa0c75d168aafd1e53a360542cea5e0cebd4afb31782da226cbd",
"sha256": "7f80160a2380217fd12e0e78168b9e338d949cc363715f8dd70315ae2851abcd",
"type": "query",
"version": 101
"version": 102
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"min_stack_version": "8.5",
@@ -6634,9 +6809,9 @@
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "e5ae5f0e597165278b0ee70abc0aaaf7bfa067cc6b731e26e4d4a9f8c130d70d",
"sha256": "c5160b48d049f36f37cd3527935cbbfd3a23d0c6b08c651976db41d4dfd30970",
"type": "eql",
"version": 107
"version": 108
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "8.3",
@@ -6652,6 +6827,13 @@
"type": "eql",
"version": 105
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "4a7e44dd5204c7cb662ea2895fa3552d2e38749207926da9e4dd815e179ca7c8",
"type": "eql",
"version": 1
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.3",
"rule_name": "Mshta Making Network Connections",
@@ -6662,9 +6844,9 @@
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "a4c5424046eadd416d5c7852d917b60abbeedce771b7e1ffd2bc0bbbb6649b0e",
"sha256": "9cb45ad573eafeafd9e21598e49127644f544e5cb1628581ac2754286d08b78b",
"type": "query",
"version": 101
"version": 102
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.3",
@@ -6760,9 +6942,9 @@
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "142247d62f7891a9ca33735f3b0dccfb8715548c603ac42fda40d37b4d391fe7",
"sha256": "be23ef78feeedf2bf773d37a42f9a25739d2b6dc284897cf1c11b32ec7ccfd0f",
"type": "eql",
"version": 109
"version": 110
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -6856,9 +7038,9 @@
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"min_stack_version": "8.3",
"rule_name": "Direct Outbound SMB Connection",
"sha256": "60e36bac49806489006bf776593fb6782d3af26d927558c032d5c6cc16be7340",
"sha256": "2aae80db3c5ce4330cf16e46ae51d5f30f8b1f6daf03d46e89140bd829f2a83b",
"type": "eql",
"version": 108
"version": 109
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
@@ -6911,9 +7093,9 @@
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "91b2db5824ba03638ae1b10d6b60a2cb0825c1aa43b80768357bf49d2dee514d",
"sha256": "ebbc74d9d6ab1c4883f29df435efd99f5bc2f437b6bcb6e39be3216015224a67",
"type": "query",
"version": 101
"version": 102
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"min_stack_version": "8.3",
@@ -6947,9 +7129,9 @@
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "55ab77b10e0bcb868314e0a9c77ad2c6b64b6a3dc98daa287fc5d3318225afe1",
"sha256": "aad6fb6bc27f0c41cacae00cfe6779a476dd10294ad53cfce1318b06b13bf7bc",
"type": "new_terms",
"version": 211
"version": 212
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
@@ -7125,9 +7307,16 @@
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "2eb8c5c3eeddd0af42ec3046f59499ed54cf8d1fda03bf20e935a69f2bcfd306",
"sha256": "3aeec76d82469713fa7b0e28ac67ac6f48ba3943dee884876631e032559b42bc",
"type": "query",
"version": 8
"version": 9
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
"type": "new_terms",
"version": 1
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
@@ -7176,9 +7365,9 @@
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.3",
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "63f22faabb2c7cdd85b0f0550ea39855fbcdbb14b96b274cd260a985e747a7a9",
"sha256": "4c2f771d71d8c07da4530685c547a5b1d02c9a5d4f92f8e4fa89aa4d3493636a",
"type": "eql",
"version": 109
"version": 110
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
@@ -7204,9 +7393,9 @@
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "283072265b8d9a5eb1ce5e409ca6923c251b01d80294784d68db0745ea03ff46",
"sha256": "7c325aaff53fd8a664cbc5b7c77dc9dfa9eaa5e698ca9e432c0f39bfdf1755fa",
"type": "eql",
"version": 107
"version": 108
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
@@ -7218,9 +7407,9 @@
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "bcc8530ce8aa18d4efbc4c6c3709e6308cacb5408758aa722e8a7c30dca27138",
"sha256": "0d684b691957fc890cd55538f666f64f489388c1a1dc12a1be16a5bc3b4de1ee",
"type": "eql",
"version": 3
"version": 4
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"min_stack_version": "8.3",
@@ -7252,9 +7441,9 @@
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Event Logs",
"sha256": "8a73c10ef60c4773647f268027e24eae42f6ade586978349bdf9041116d0e531",
"sha256": "cff3aae2b2a1a2d291769ae54965c51a5c298c67c7d004d2a9e969d4265ccad1",
"type": "eql",
"version": 109
"version": 110
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
@@ -7328,6 +7517,13 @@
"type": "eql",
"version": 4
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "b07dbc77b8f4bfd154ce8d14ca9df9f80d7953d60caef71fc5167d9136db5ec0",
"type": "eql",
"version": 1
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Windir Environment Variable",
@@ -7411,9 +7607,9 @@
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "75e96d95e76853c07370e086de891f29c8521f0570f5afbc6c674fb8ff2e13df",
"sha256": "10445d751b6b8f9f630b91ec75209dedae0814b17f36bc8228c2801927b0ed30",
"type": "eql",
"version": 108
"version": 109
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.3",
@@ -7483,9 +7679,9 @@
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "35cec24c6f40b74359e76b1c0b8b19ada3b0c73c18fdc5f92b4fc732bb168c40",
"sha256": "cba5bc9b4297cb5764434a05356401948cb36e9dfcd0232bb40e6b59ae947a58",
"type": "eql",
"version": 108
"version": 109
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
@@ -7517,9 +7713,9 @@
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.4",
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "297e315306142cee4a09811f704f80247b099304aaedca726a6b155b0a285b02",
"sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e",
"type": "new_terms",
"version": 2
"version": 3
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"min_stack_version": "8.3",
@@ -7538,16 +7734,16 @@
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "17af58de4b6c1966f11b602f2971c9d50764e0dd5a201bdaacbca05fb50d7f66",
"sha256": "6787d79433584e75afd2d32b2e0f9b054030958c1d82150a5ee9f0a5f5122b3a",
"type": "eql",
"version": 4
"version": 5
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "2f96b5a3c80cb7302384f5ad110eb5b90940fd4f578994b45253302d52e07936",
"sha256": "4ac4208ee21dfa91e465866f8ae0f0ef0c13d7290d2aed48430ab0aeb3d7bfaf",
"type": "query",
"version": 101
"version": 102
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
@@ -7595,9 +7791,9 @@
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "e530308b262a81ac2d4d51105ec00c5574674221ede76c621d967f3bafa48e67",
"sha256": "6f5f7a6cfcaa1257d531efd9068625980be3884a9960c90a3894be9c4711f295",
"type": "eql",
"version": 5
"version": 6
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -7616,9 +7812,9 @@
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "1b4652f974e6422672d712e10f16590cdee1527efd0cc592e2cfacaf6ab10754",
"sha256": "be18461b14118a93ca765dc844a04b51ef1c1a3f4a5d77bc0d2ff0ffd0355082",
"type": "eql",
"version": 107
"version": 108
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
@@ -7667,9 +7863,9 @@
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"min_stack_version": "8.3",
"rule_name": "Dynamic Linker Copy",
"sha256": "ad16600cea0282022eecee3a9321b3df7956ff9592e8c777caedaaf750b505c9",
"sha256": "4039bacc00f88fc6604592073a813ddafde9c45c858f9c38f7558074ab949385",
"type": "eql",
"version": 106
"version": 107
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"min_stack_version": "8.4",
@@ -7727,15 +7923,15 @@
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02",
"sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0",
"type": "threshold",
"version": 107
"version": 108
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "10ee903471646d3de3429f99b45cf5e5d7fadc3fda75e3d87f0d1f495d30f511",
"sha256": "19b34876e0825396f2b8927609d08f7ba1b4401e0db2baf6f757df3fc826c18e",
"type": "threshold",
"version": 207
"version": 208
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.3",
@@ -7821,9 +8017,16 @@
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "f96c27d17387a29f3c9e0a76e761e50f58980ca2e8c5c47c750c1112b007a612",
"sha256": "3631eec8b7e657c858f9db2112b704e63512120da05b175252387b382bbcb022",
"type": "query",
"version": 110
"version": 111
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"min_stack_version": "8.11",
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "72ea14abe07f2662330f07e0538c4adc01ee5ff3cc03b7e54944232b04fd7e8e",
"type": "new_terms",
"version": 1
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"min_stack_version": "8.9",
@@ -7851,9 +8054,9 @@
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "c6f1cf145ff3b061a79e8ace80cc5733fae16573c3ddb49f83073f52ee86ad31",
"sha256": "a5106b1d322ebadff7f28fbf1c711accfdc2a15bc9eb9040d4a3d09bd1aae28e",
"type": "eql",
"version": 5
"version": 6
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
@@ -7895,9 +8098,9 @@
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "c3d5155da5baae86f8ea73fe2f45b44e3012406d9fc61cd2169142c81be06631",
"sha256": "0fdbe989334d90ab57d6fb689e66d0c649482dfaeba4d2ee9513172bbc186535",
"type": "query",
"version": 101
"version": 102
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.3",
@@ -7909,9 +8112,9 @@
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.3",
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "2e2da840f77c57538857f88568962b68c7ed2da6036ccc86ed73e23d95b97f90",
"sha256": "4d6ca2e4725bb0de7ec42fdce8151ddf8eb9a2bb110ae8b637e91a0499259fba",
"type": "eql",
"version": 108
"version": 109
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.4",
@@ -8093,9 +8296,9 @@
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "dc2992b1a27eba7999a488081a344e7546a35fed9138ada9a18fcca55cead2d4",
"sha256": "a8952957c0680157040a50a1ff1bcab9f214af635f0af771a27add2226762fca",
"type": "eql",
"version": 4
"version": 5
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"min_stack_version": "8.6",
@@ -8119,15 +8322,15 @@
"8.3": {
"max_allowable_version": 206,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08",
"sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d",
"type": "threshold",
"version": 107
"version": 108
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "bb06cc2e64669d793dd0ab51b8f596cf9ed9f9454f861ae51504837bb3552d10",
"sha256": "6634f9bec3320679b3bd0b35bff114eac9820ee185c7345ca2d15e8cd1d53bce",
"type": "threshold",
"version": 207
"version": 208
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"min_stack_version": "8.9",
@@ -8205,15 +8408,15 @@
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80",
"sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c",
"type": "threshold",
"version": 108
"version": 109
}
},
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "c03ce8fcb77809e7578333b7e52f0fe9d851c9f6687eb1a7d20a33e2b642ed3f",
"sha256": "9483354a3f2036153d547ffd891d4d16c6e0bf7ca283943e90aa19c54a8d8282",
"type": "threshold",
"version": 208
"version": 209
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"min_stack_version": "8.3",
@@ -8267,9 +8470,9 @@
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.3",
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "4bf7615c712ba6551f11469f116ac403329d8282ac9506d5ccd5b57da83c51b6",
"sha256": "9aa567d8580a93323215449d5492c7a5b7b740efa224493cb75bcbd035fb592d",
"type": "eql",
"version": 107
"version": 108
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
@@ -8325,9 +8528,9 @@
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.3",
"rule_name": "AdFind Command Activity",
"sha256": "8a1027b9ad2f5361439241c61ece4bf8059f137a0718d154612fc6bc4e1582b6",
"sha256": "226818ce709035fdbed2f6dbedf8c230644515040ad03188f0bb46f02131878f",
"type": "eql",
"version": 108
"version": 109
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
@@ -8348,9 +8551,9 @@
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "b08b05384865af516f9051b9fda7a2e86423e826268d86119d94bed51a40ae68",
"sha256": "e6d1060e542ac53b1c8f6caf61b77d58e0bad0d0c102ddd3cba42938808d036f",
"type": "eql",
"version": 109
"version": 110
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
@@ -8378,9 +8581,9 @@
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "1b81a42027a994ad37e3fd6a68e0cca9c1f3620c0ec4479d34cc05a33c94986c",
"sha256": "4f859dde0472f9c982423e2c3b8cf77c09b9684c563ab9adaae5fe7976953937",
"type": "eql",
"version": 105
"version": 106
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"min_stack_version": "8.3",
@@ -8416,12 +8619,19 @@
"type": "eql",
"version": 5
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"min_stack_version": "8.8",
"rule_name": "Potential Container Escape via Modified notify_on_release File",
"sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04",
"type": "eql",
"version": 1
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
"rule_name": "Whoami Process Activity",
"sha256": "69d5354c891fc163e1c5ade3bb65daff48c54108062356e2608bbe10b4bc33dd",
"sha256": "e8eb1fccce9dadced67339d7460c79a9bc079f20f5ab4d623f6a58fd9aa8d3a9",
"type": "eql",
"version": 108
"version": 109
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
@@ -8570,23 +8780,23 @@
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "115660e13a810016b291f195725e24a486fef4f4a29c1b6ea99e35462af86691",
"sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c",
"type": "threshold",
"version": 103
"version": 104
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "15e6c5f162e68e3e99d55f3e56f8e12ff21a337b3225df19df18e23d5223c734",
"sha256": "80f795877a01c622597d9568febd834907a357d9616f6efa11b237bd37e3086d",
"type": "threat_match",
"version": 4
"version": 5
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"min_stack_version": "8.6",
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "ad7d073b51e1fa98d9af62232945217608d7cb3996a06e33226a4dcd83b222ef",
"sha256": "d090083f56c2a8a47be9e243913af8404099dd7996a86d0ff748af86600d4632",
"type": "eql",
"version": 3
"version": 4
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
@@ -8618,9 +8828,9 @@
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "98f9b2395052ffc073feec29bc55c3952eae38faa5304ab59098692287a2995e",
"sha256": "6d969c70752f3186e202fdd6bd7fedbc1bef49494886b4b058c82ca4c92e3233",
"type": "eql",
"version": 108
"version": 109
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
@@ -8653,9 +8863,9 @@
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "39e23b5edd4a250cfcefb9fd66eebd1876f9a408c1ca69902bad707c1ccfa236",
"sha256": "04e88d1efaa5ae3e206042b0db002f52a0ebb9b868a7e91b77539c05cc94fad1",
"type": "eql",
"version": 3
"version": 4
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
@@ -8688,9 +8898,9 @@
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "cee57a655fce6db9f5c07b5bed43fda69027de2fad8e578801e6811bab06077f",
"sha256": "8c281efdd7ae17ef1dcf2df2b466453e0c5a6df40e5d5431f4389d20b1a438a0",
"type": "eql",
"version": 107
"version": 108
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
@@ -8743,12 +8953,19 @@
"type": "eql",
"version": 109
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"min_stack_version": "8.11",
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "600e6c5252be4fb155fd1e49ed6aa627d8c5e9d7f501e56f88baf2b4c10cf999",
"type": "eql",
"version": 1
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "eaf1fe196b0fd766b9dd3e92a9dea8ee67510efe613dff0483b398abdcf91389",
"sha256": "6031d2492f38e34f83fec99639ddbfd371b2ac54d22bafc1b14c5f342be17c1b",
"type": "eql",
"version": 106
"version": 107
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
@@ -8764,6 +8981,13 @@
"type": "eql",
"version": 108
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
"type": "new_terms",
"version": 1
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Configuration Discovery",
@@ -8811,9 +9035,9 @@
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "07cb5a601ba090bd310db66dc7a01f3be28530f661533672dc80eae9361219ca",
"sha256": "61ce9acd0f52132d2ad2fc33398ebed27e1327f3a0b539903c77921e5e025fc0",
"type": "eql",
"version": 106
"version": 107
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
@@ -8866,6 +9090,13 @@
"type": "eql",
"version": 106
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.8",
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
"type": "threshold",
"version": 1
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
@@ -8895,6 +9126,20 @@
"type": "eql",
"version": 107
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
"type": "new_terms",
"version": 1
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"min_stack_version": "8.3",
"rule_name": "GitHub App Deleted",
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
"type": "eql",
"version": 1
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
@@ -8904,16 +9149,16 @@
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "1b6fb7fa94a0e738049d247dc04b6264f0be47b0bcd5ad5a93807de37e0d5f67",
"sha256": "a60cf2c503576ded45100fe195a32e1f3d9864c591677059a7189e389ee5e8fb",
"type": "eql",
"version": 107
"version": 108
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CertUtil Commands",
"sha256": "fd88b16bea9e60d003cfb12c298738c8c7c185dcbe2daa2b7efe66e7bc09b023",
"sha256": "828207753a4524cab2f050a270a6c7daae8f14ef3bc46fdddabeb6e5a4fbaf9c",
"type": "eql",
"version": 106
"version": 107
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.6",
@@ -8927,9 +9172,9 @@
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "7848efd45bcbe0c34fac7bba24931d7f0cafe07c08a91af0e478d23d723a0bfd",
"sha256": "841bc6ffda6b09e02cd5cc63a0841ded1da19a19dd35723df34f55b0c4151f1a",
"type": "new_terms",
"version": 208
"version": 209
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
@@ -8941,9 +9186,9 @@
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "9e0d8bd2ea5e365a73509a4d11f7cf61209d79e01d70d9fe086c66b920dde083",
"sha256": "759181917690fc8b164537ae1754768a85a84855c58bb9f2895f687a62a3c0ce",
"type": "eql",
"version": 4
"version": 5
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
@@ -9004,9 +9249,9 @@
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "616a82f9d56e96eca039a36156317b57f3ad06c109ee04f3772e1acd1fb66457",
"sha256": "dccd31effbd0339a694902a69408abc2f6abe7377040ac828582aefe16e7ba89",
"type": "new_terms",
"version": 7
"version": 8
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",