diff --git a/etc/version.lock.json b/etc/version.lock.json index 74d41078d..8f3ac24f1 100644 --- a/etc/version.lock.json +++ b/etc/version.lock.json @@ -135,6 +135,7 @@ "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", + "type": "query", "version": 8 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { @@ -219,6 +220,7 @@ "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", + "type": "query", "version": 8 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { @@ -267,6 +269,7 @@ "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0", + "type": "query", "version": 2 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { @@ -284,6 +287,7 @@ "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", "sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e", + "type": "query", "version": 7 }, "125417b8-d3df-479f-8418-12d7e034fee3": { @@ -314,6 +318,7 @@ "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", + "type": "query", "version": 8 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { @@ -968,6 +973,7 @@ "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", + "type": "query", "version": 6 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { @@ -1130,6 +1136,7 @@ "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", "sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578", + "type": "query", "version": 7 }, "47f76567-d58a-4fed-b32b-21f571e28910": { @@ -1538,6 +1545,7 @@ "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea", + "type": "query", "version": 7 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { @@ -1615,11 +1623,13 @@ "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", "sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d", + "type": "query", "version": 8 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", "sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9", + "type": "eql", "version": 3 }, "6839c821-011d-43bd-bd5b-acff00257226": { @@ -1768,6 +1778,7 @@ "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", + "type": "query", "version": 8 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { @@ -1948,6 +1959,7 @@ "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", + "type": "query", "version": 7 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { @@ -1983,6 +1995,7 @@ "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", + "type": "query", "version": 8 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { @@ -2012,6 +2025,7 @@ "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", + "type": "query", "version": 8 }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { @@ -2078,6 +2092,7 @@ "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", + "type": "query", "version": 8 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { @@ -2375,6 +2390,7 @@ "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", "sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3", + "type": "query", "version": 7 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { @@ -2465,6 +2481,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", "sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349", + "type": "query", "version": 7 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { @@ -2590,6 +2607,7 @@ "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", + "type": "eql", "version": 4 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { @@ -2637,6 +2655,7 @@ "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", + "type": "query", "version": 7 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { @@ -2756,6 +2775,7 @@ "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", "sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10", + "type": "query", "version": 8 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { @@ -2812,6 +2832,7 @@ "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", + "type": "query", "version": 1 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { @@ -3167,6 +3188,7 @@ "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", "sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c", + "type": "query", "version": 8 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { @@ -3226,6 +3248,7 @@ "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", + "type": "query", "version": 7 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { @@ -3288,6 +3311,7 @@ "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3", + "type": "query", "version": 6 }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { @@ -3323,6 +3347,7 @@ "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25", + "type": "query", "version": 7 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { @@ -3391,6 +3416,7 @@ "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", + "type": "query", "version": 7 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { @@ -3560,6 +3586,7 @@ "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", + "type": "threat_match", "version": 4 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { @@ -3758,6 +3785,7 @@ "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", "sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed", + "type": "query", "version": 8 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { @@ -3847,6 +3875,7 @@ "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", "sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa", + "type": "query", "version": 8 }, "ea248a02-bc47-4043-8e94-2885b19b2636": {