diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json index 10f2580eb..8716873ab 100644 --- a/detection_rules/etc/deprecated_rules.json +++ b/detection_rules/etc/deprecated_rules.json @@ -184,6 +184,11 @@ "rule_name": "Linux Restricted Shell Breakout via the mysql command", "stack_version": "7.16" }, + "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { + "deprecation_date": "2024/02/22", + "rule_name": "Potential Linux Reverse Connection through Port Knocking", + "stack_version": "8.3" + }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "deprecation_date": "2021/04/15", "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 670e52b1a..a8b2b2a5d 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -18,14 +18,14 @@ "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e", + "sha256": "d6e135893b61752bf5e9ade6841683b593b05b98ac25bc8b6e6da7b35c4a2b42", "type": "eql", - "version": 110 + "version": 111 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.3", "rule_name": "System Shells via Services", - "sha256": "d72a2228f26b816836305d763e5f5d9e903ab000038bc927f5d10e28df155280", + "sha256": "d72a2228f26b816836305d763e5f5d9e903ab000038bc927f5d10e28df155280", "type": "eql", "version": 109 }, @@ -41,7 +41,7 @@ "rule_name": "Microsoft 365 User Restricted from Sending Email", "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", "type": "query", - "version": 103 + "version": 105 }, "015cca13-8832-49ac-a01b-a396114809f6": { "min_stack_version": "8.9", 
@@ -76,9 +76,9 @@ "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "5717d643abdcfef9a6d60fff6d57720c82151980bb8e27c67620f86f538f9a1a", + "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", "type": "eql", - "version": 104 + "version": 105 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "min_stack_version": "8.8", 
@@ -106,44 +106,44 @@ } }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "e194561c4501f18810b36c5747c2d6cdddb401d1dc29d19507a4af173c85ef22", + "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", "type": "eql", - "version": 207 + "version": 208 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "6995ce3fd849830e0591d6419fc8b53d604990cd30316594c1a70f032d3115a1", + "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", "type": "query", - "version": 105 + "version": 106 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", "type": "query", - "version": 103 + "version": 105 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.3", "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "ca908726d59b4cf703f6581eb6f0a4c16fb229de48c658e6bba676c7d9361eba", + "sha256": "92dfb9997f9e81ca6045204e4c1b3ece1606c26102e22d7ee77e2de74583e5ee", "type": "threshold", - "version": 107 + "version": 108 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "min_stack_version": "8.3", "rule_name": "Potential Memory Seeking Activity", - "sha256": "cf7288d5a8b54dbec325b6a09a60bfe6e15ec568f36d383957de4e52d825d740", + "sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258", "type": "eql", - "version": 1 + "version": 2 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { "min_stack_version": "8.3", "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "ee4583e8996395a3e208c355990b54a0e05d19c2189888df9e14c2a5ae96d52d", + "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", "type": "eql", - "version": 1 + "version": 2 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { 
"min_stack_version": "8.8", @@ -155,16 +155,16 @@ "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "min_stack_version": "8.3", "rule_name": "Potential Network Scan Executed From Host", - "sha256": "ec82385a8fee3e9b8a3e2bfe0b4a9678a7cd9d31611bbc8c5538214912a0831d", + "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", "type": "threshold", - "version": 2 + "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", - "sha256": "785439b8acfcb7be5e877bbadd7b188c28a7885da00919345b3b34e66078913d", + "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494", "type": "query", - "version": 108 + "version": 109 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "min_stack_version": "8.3", @@ -183,9 +183,9 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "e916c4a76f7f4724dde59c0d5c7fadb93add0c6ad283f0e1d57ae6305853886f", + "sha256": "f30003f79a8a0e9dccbf5624b0938ece537c035677b4ce15bf5f88523a387123", "type": "eql", - "version": 108 + "version": 109 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "min_stack_version": "8.6", 
@@ -197,37 +197,37 @@ "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "80b8bb48b4fce2dd59b11697d5479583573647d553b1d1d3d0ca963201efefcc", + "sha256": "eb124d112db3baf26a4dc6bc4e87e095d0e6e734155fd9b36dd78637d465e0e5", "type": "eql", - "version": 108 + "version": 109 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "73ca1614ed192b3b473355db2817b5f0a68bdd630741d03fa3c3ac9fb6596bfc", + "sha256": "23256a2ac31f12c8f6094b66ec8171c0591a4ff3519d174a53c5324467e2ce0d", "type": "eql", - "version": 108 + "version": 109 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", - "sha256": "f667ec2eb15d89e90cf9ae3a10a6976e2b6d29d27d4638c580872961d8ceacf8", + "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", "type": "query", - "version": 3 + "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "c509bf24e613999a96e9f6e7ec6a6754b69d21683106ac3528a730fb635ad675", + "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", "type": "query", - "version": 107 + "version": 108 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", - "sha256": "3ff2e26f26973251308b3a47b92955b2d31e844b07905f658b693e4464638cc1", + "sha256": "3d344eb978705ac0e25885898c67ade3ea3a02d52dcb020ec9eb4b253f2a0ef2", "type": "eql", - "version": 110 + "version": 111 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", 
@@ -239,9 +239,9 @@ "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "min_stack_version": "8.9", "rule_name": "Unusual Remote File Size", - "sha256": "9e8ce2ede438524fde20e36cf675fed67bdb8b9f33c673b0573c7ab9c8ef476d", + "sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1", "type": "machine_learning", - "version": 2 + "version": 3 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.3", @@ -253,16 +253,16 @@ "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.3", "rule_name": "Potential Evasion via Filter Manager", - "sha256": "a5be493d23c3644249db774ca160524b0b3548ce18b1df4b5de264c3669e6040", + "sha256": "6b91e61058491288a8ad9c3c19c977a9b530d25111ab834806df3e86fd57ae48", "type": "eql", - "version": 108 + "version": 109 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "46d41b236b25880398aac6dea334d1bc51952f1d572e60c41b5ab3a788e131e0", + "sha256": "eeb82061ab01c63344201c4e0400988c1da110014c984e8d9021397e5e66a185", "type": "eql", - "version": 108 + "version": 109 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "min_stack_version": "8.3", @@ -274,16 +274,16 @@ "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "c1b6e6aa892be3945036add52e7bd2f08908e60aeed4c6315a65552df23ecc67", + "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", "type": "threshold", - "version": 6 + "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "89428d0f0fc36a5b1ff0704bcfaf222c5592e066c0a1179e4d851b02b8384d67", + "sha256": "ad1cf76b56835697ba2f77f6e4bb1a718528a7b567d45179449defd6cd4d7788", "type": "eql", - "version": 6 + "version": 7 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -304,30 +304,30 @@ "080bc66a-5d56-4d1f-8071-817671716db9": { "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "c250a73408b1392c937770c4ced1fb28a2703649fe04cdb78b0e5b7b4cf63ec8", + "sha256": "5b13ba56ec5300968f85a5f227c4c6b88229685601a785c495aca18463a83564", "type": "eql", - "version": 105 + "version": 106 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "3e3611a0cd7131c9e8caba18a69dab717a16cf76442be2888fb39623e7a310bf", + "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", "type": "eql", - "version": 105 + "version": 106 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "102bf6dbf633ea578191b0cba7f03a80e733a63b307a563d2287868c832d13c4", + "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", "type": "query", - "version": 105 + "version": 106 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.4", "rule_name": "First Time Seen Removable Device", - "sha256": "8f68357de02e845b6234f38e1867817fe26ebc0f260faded9b8c6d2be88b2ae0", + "sha256": "23f0a48d6fa3383a6840a42d5ef0d207b51657c45464929d5b0cff2d720668d8", "type": "new_terms", - "version": 2 + "version": 3 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "min_stack_version": "8.3", @@ -345,9 +345,9 @@ "092b068f-84ac-485d-8a55-7dd9e006715f": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "a1faf99442ff04d9e895ed0ef988840ddea9fafcb839a00391dd27152099ecf8", + "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", "type": "eql", - "version": 106 + "version": 107 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", 
@@ -372,9 +372,9 @@ "09bc6c90-7501-494d-b015-5d988dc3f233": { "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "41f9768d8739cf9cff0a5ab80f5ac4056209af12abd8a87456875d5fabd271ee", + "sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13", "type": "eql", - "version": 3 + "version": 4 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "min_stack_version": "8.3", @@ -393,16 +393,16 @@ "0ab319ef-92b8-4c7f-989b-5de93c852e93": { "min_stack_version": "8.10", "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", - "sha256": "2151e8b13ed3dce7a9030f388097dc3817f5ab5278a2c55f95b73e9555b04803", + "sha256": "75554ce3cf2084385c71f589a49912d97a3565e845b92ef27fa2638bc05ac2ff", "type": "query", - "version": 3 + "version": 4 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "476a0edd057a4e2d08908bf18854969a1f8160a17b8197ca8011a73923904063", + "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", "type": "query", - "version": 5 + "version": 6 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", 
@@ -414,37 +414,37 @@ "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.3", "rule_name": "User account exposed to Kerberoasting", - "sha256": "4d9914b3179a3e81042daf2378c760535c3b1fe6a90367a9f939f8427e1c4500", + "sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3", "type": "query", - "version": 108 + "version": 109 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "4de1162d4124823c1b08df4e7630411d08269eb515c9cfc8179d1eb8a06327ae", + "sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca", "type": "eql", - "version": 4 + "version": 5 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "min_stack_version": "8.3", "rule_name": "Processes with Trailing Spaces", - "sha256": "e4ad46e5487eedd9a600516e6aaaef43bfdd74f9bab9254376a7ab03846dbdf1", + "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", "type": "eql", - "version": 1 + "version": 2 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "bc71d46cc38c3a7272c00864dffb0f4e5823f7e5ca227e353c03222f5b495d47", + "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", "type": "threat_match", - "version": 5 + "version": 6 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", - "sha256": "9453d6d14110a5bd8e263b6c8438683e2151cdb64a07cc0497960ca3ce991b4e", + "sha256": "ddcc25632228b69f04cb0077f4837da1a67e20ba2b4503efd99e94cb254a4203", "type": "eql", - "version": 107 + "version": 108 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.5", 
@@ -467,7 +467,7 @@ "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", "type": "query", - "version": 103 + "version": 105 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "min_stack_version": "8.3", @@ -479,16 +479,16 @@ "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", "rule_name": "Nping Process Activity", - "sha256": "affd117afc6ebeb37b988f85e144c43ebcadc77ed73c48470478dd749dd593f3", + "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", "type": "eql", - "version": 107 + "version": 108 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "0f8793b32099bcedee8142d49e3265c81daa7a103fd8a4005b61e56aeeb487f4", + "sha256": "35d7c86905c491f7aaa616dc6addc861d534b1c4fc511bb07efc6b60d2bd8086", "type": "eql", - "version": 108 + "version": 109 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "min_stack_version": "8.8", @@ -502,7 +502,7 @@ "rule_name": "SharePoint Malware File Upload", "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", "type": "query", - "version": 103 + "version": 105 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "min_stack_version": "8.3", @@ -514,9 +514,9 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", - "sha256": "d1a94c81e85a1b9fb1aba526d7729eed01b427fbefaec5199b72c052d1997e54", + "sha256": "701a943332292d3362c7d6526d2424e65e81768d57a45e983232712722f31a98", "type": "eql", - "version": 107 + "version": 108 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "min_stack_version": "8.6", 
@@ -530,16 +530,16 @@ } }, "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "7c22691e28a23660a7113e885a7fecbca37a2f17d4754aba5a241c67c583c6cf", + "sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b", "type": "new_terms", - "version": 109 + "version": 110 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "min_stack_version": "8.3", "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "709341b184f3833219d910074fc3df6035266d8b90c5cdcf213a48afbcdcc538", + "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", "type": "eql", - "version": 2 + "version": 3 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", @@ -559,16 +559,16 @@ } }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "202c9c176a43f16620bdff4bf9d03665053b52c262d0277462afd841a08c623c", + "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", "type": "threshold", - "version": 207 + "version": 208 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "667a8075ceb2fd14308a5c021811d4dadc06be89300c4eb74d8fc02268962810", + "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", "type": "query", - "version": 105 + "version": 106 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", @@ -579,9 +579,9 @@ "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "min_stack_version": "8.3", "rule_name": "WebProxy Settings Modification", - "sha256": "8d0a544fd454889ae996a250c40de6b79ca174a55887fc883a6c0f1d6fb672b4", + "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a", "type": "query", - "version": 105 + "version": 106 }, "11013227-0301-4a8c-b150-4db924484475": { "min_stack_version": "8.3", 
@@ -593,16 +593,16 @@ "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "8b1466a22fc9368899862a84bebbbc8304df306ba80857e8857991f935d82953", + "sha256": "0dc9f4e57a7bc59df2f633d8c4e2610b1d538c37126f67d3090c09ce4b6ba73d", "type": "eql", - "version": 108 + "version": 109 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "b49dd643b78ce80ed0ff86c6b03d206c7922e4364a738c813cb0d96194b9e53d", + "sha256": "e1a2f2164b858641ec8d28ac37bbc63ab7ecb4a201cb990859818dc99e0bc780", "type": "eql", - "version": 109 + "version": 110 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "min_stack_version": "8.9", @@ -629,16 +629,16 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "9e7a7c40caec4ca683ed1aad64cea12a7f3d4fae3015ca523b447c1a93362aa4", + "sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a", "type": "query", - "version": 10 + "version": 11 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "af3455c52f4b99f05a1427f15471253761c36723cb4172a84145388e407cfcb8", + "sha256": "4502ceb6ad5ec2578d2604033ee78aad4096d0462f454b834f610dfcfc7291a2", "type": "eql", - "version": 110 + "version": 111 }, "12051077-0124-4394-9522-8f4f4db1d674": { "min_stack_version": "8.9", 
@@ -665,9 +665,9 @@ "1224da6c-0326-4b4f-8454-68cdc5ae542b": { "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "3271476794a96692c0bcef81fe8cac64f7f9b72274691a91d92f0075be7a8bba", + "sha256": "ed42dc14705443ce7e86a7f3971eb8dc07c29cbbddcbe3b7f6b38089aff6e457", "type": "machine_learning", - "version": 2 + "version": 3 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", @@ -687,9 +687,9 @@ } }, "rule_name": "Suspicious Lsass Process Access", - "sha256": "9a0adebc4688de3fd5a514af5e63944ea533f9a6b3a1b9832c1736e34b9ff2a9", + "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", "type": "eql", - "version": 106 + "version": 107 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "min_stack_version": "8.4", @@ -733,16 +733,16 @@ "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "ab075d8ca064a4111f9af869e8e288dd7fd899530f0ae335a2000922ab11f85e", + "sha256": "cb9c9bf880cbdb45311b832bfea90ff69ff754cf1dfbfc61c504fa8df6c954b4", "type": "eql", - "version": 109 + "version": 110 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "d357bcec8f40c28fa9de55b73371d9c960ec6b9f2459165eb5c088cd4d80e104", + "sha256": "bed9e8d75e78762c904ad3bcbdd17b1629297363bf702e2afa19036c4c5def6c", "type": "eql", - "version": 106 + "version": 107 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "8.3", 
@@ -760,9 +760,9 @@ "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", - "sha256": "551d15b4a76aa3a0932077f553cdd60ad02d13b2aada4d46cb9d343b7d8ffcc3", + "sha256": "7e3a75c384a3aa4c32bba8e583878109e3a0599e3224d8e59163c1d940b3ebdc", "type": "eql", - "version": 2 + "version": 3 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "min_stack_version": "8.3", @@ -804,9 +804,9 @@ "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "e76175d8ec5046e1a55cd0f4b4d1e8618673be71fd72dd869baa6319f3318ba9", + "sha256": "35ce91b43c0e63015d8b8c07ed81c3f0f95c7a0c0efdd0e48a0502ce31093e07", "type": "eql", - "version": 107 + "version": 108 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "min_stack_version": "8.3", 
@@ -818,23 +818,23 @@ "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "7429e9a1ede15a8d3ef3f9c969e435fd27f290eba5d56942784d6b43291cb85b", + "sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4", "type": "query", - "version": 109 + "version": 110 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "bab7586b9982960e9ed0d58cbc50190eb1ced3d84619eb875ab0f08530a36e46", + "sha256": "5874fd05ebf55673785abd8a4e83eac604f30bf58a18b2978747f099a47d8375", "type": "eql", - "version": 110 + "version": 111 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "91a1712e57b935ca9c222118c8d99f2ca99aa936eea6677ad83d308946976166", + "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", "type": "eql", - "version": 106 + "version": 107 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "min_stack_version": "8.8", @@ -853,16 +853,16 @@ "166727ab-6768-4e26-b80c-948b228ffc06": { "min_stack_version": "8.3", "rule_name": "File Creation Time Changed", - "sha256": "731a20072629af54217aa058ebf32b818df5a5da9a254a9bdd66ddbc015f54d7", + "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", "type": "eql", - "version": 4 + "version": 5 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "62f4c4c7d614af2f638274d716d37e705bfa849a15b241efb9a779e1eea0b8c0", + "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", "type": "query", - "version": 105 + "version": 106 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "min_stack_version": "8.9", 
@@ -883,16 +883,16 @@ "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", - "sha256": "9666ca9229a5a528a88f0720ea9efd02000c9b61d3067bbcc19ea7a828b113cd", + "sha256": "1d9e06ec8fe7b0d0eec41e2a4d5a9f2c6aa6f685194c5b715d6fb5754fe3c05e", "type": "eql", - "version": 110 + "version": 111 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.3", "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "c1962ed3ad486c1c8ab7837d32854ef5d5c1026a407b61542db8e9886def0da4", + "sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f", "type": "query", - "version": 108 + "version": 109 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.3", @@ -932,16 +932,16 @@ "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "ab0f76e6ff9d332fa33d758e475549d77bb91d4546829680176822bace816c5f", + "sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d", "type": "new_terms", - "version": 8 + "version": 9 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "333e76901898def53aa58c45b53af5fa36c5089a44572e8677b626c99d9e9864", + "sha256": "e90a5a8670e27a8eaa2704728a15f92785a494fa148c12dffcad2a8bd96118f6", "type": "eql", - "version": 107 + "version": 108 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "8.3", 
@@ -966,16 +966,16 @@ "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "871f128810304fd883353470a5d1c2aac984a262de2c216b6d8b94e64fd8615c", + "sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb", "type": "machine_learning", - "version": 2 + "version": 3 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "8806cde9bf6f85d4dbf7c642a37a0723d2c9cda4383535560b018b1ab8eb2df1", + "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", "type": "eql", - "version": 3 + "version": 4 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "min_stack_version": "8.9", @@ -996,9 +996,9 @@ "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "min_stack_version": "8.9", "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "0eae02bca1aa24bba6aa6420f05401d4890c290ff47f2be34bbc1ed4cf55881b", + "sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002", "type": "machine_learning", - "version": 2 + "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "8.8", @@ -1017,9 +1017,9 @@ "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", - "sha256": "f0bed76a611cf637f400967119419ac503bb528123d294a8a6b149fdcd8cfabf", + "sha256": "274c5d83ba69799b1b71490d04a15e288cefe59ae05c7609c9cda49fcfc4ce0a", "type": "eql", - "version": 107 + "version": 108 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "min_stack_version": "8.9", 
@@ -1040,9 +1040,9 @@ "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", "rule_name": "User Account Creation", - "sha256": "e9425321d9364d0c69d31c985962e0e5af2b19bb9d6ccea2c92aec82e0f73f6d", + "sha256": "6d3d2de6bf958ba713b77e53d33cf74251bba8751f17193256696fbd09939ed3", "type": "eql", - "version": 107 + "version": 108 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "min_stack_version": "8.4", @@ -1054,9 +1054,9 @@ "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", - "sha256": "1a9795116a97f7bc045cbda5a8af5e8e78f0d62a88cd641583e3838f293c26b6", + "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", "type": "eql", - "version": 106 + "version": 107 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "min_stack_version": "8.9", @@ -1077,9 +1077,9 @@ "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "38c57c420c15a1f0758f68c979f680379cd78121e64ea43be7600b11823ed5f6", + "sha256": "adb03450ce940d93270413ee4211f33bcbefbc94ec549c6de5d858270806b036", "type": "eql", - "version": 9 + "version": 10 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "min_stack_version": "8.3", @@ -1093,14 +1093,14 @@ "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", - "version": 107 + "version": 109 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "605d61a4fee6349c89182c783e73678a38f5f4705bca65b99a1a5a0307664fea", + "sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d", "type": "eql", - "version": 112 + "version": 113 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", 
@@ -1119,9 +1119,9 @@ "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "38ff22d9612874236bb0fdc1ac65f9f649734272e2484b7058245985ecadd621", + "sha256": "60a215ef5aa075a861936f82ee97680319d20350b0ea4856cbea6c57fb9d2a51", "type": "eql", - "version": 106 + "version": 107 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "min_stack_version": "8.10", @@ -1133,9 +1133,9 @@ "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", - "sha256": "9b721a8bd708e3ba1c854f032771bd1fa175535e5dc546a07be290e5c156c6d3", + "sha256": "832060e257db6ee9888b735d2c5547f3a6f1f10f262604b9222ddd3ea1c16ccf", "type": "eql", - "version": 108 + "version": 109 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", @@ -1147,16 +1147,16 @@ "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "a8152d99c80a969cc7354a42c0e8265cfaec6d349d3e41e85f38049db45a1755", + "sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100", "type": "query", - "version": 5 + "version": 6 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "c279117a6a19806a1041da8d0f6481b5ab1616f90ad686a58746bfbcc1341cf9", + "sha256": "d9e48c241bc31b9994d46c3c2a1a0186e25fb744c9da0059f117a7fae8c0030a", "type": "eql", - "version": 107 + "version": 108 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "min_stack_version": "8.4", 
@@ -1168,23 +1168,23 @@ "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "2a864a262ee617027d2731c9da168a2d0d477cb915904829e10eb863ad881d85", + "sha256": "9a227ba0760d3b8989f89767b53f66fd4968b5f2e9b34006af48b1e5d9b7cb32", "type": "eql", - "version": 106 + "version": 107 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { "min_stack_version": "8.3", "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "03227f8f005fd0a6e2824b8615533828cdad806c0d69e6d5f11c0504f4ceb316", + "sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731", "type": "eql", - "version": 2 + "version": 3 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "4e8f5265298debd75d88f29bc50550406da7325514321ca41560e53e4a216081", + "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", "type": "query", - "version": 5 + "version": 6 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", @@ -1217,9 +1217,9 @@ "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "min_stack_version": "8.3", "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "90ed2f95452d78c897f5ff0a9109393db93bf7b6131cf7ab1f265ec52a86a3f1", + "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", "type": "query", - "version": 7 + "version": 8 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "min_stack_version": "8.3", 
@@ -1238,9 +1238,9 @@ "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "8ec035184478d2650916a571216dd1d6f03c7c0eaac4a894f81390ff1663c2bd", + "sha256": "81d0001b73c9d80fde270c788e6a904cc6c3b79db4c4aed85323e65d2440ef94", "type": "eql", - "version": 109 + "version": 110 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", @@ -1252,23 +1252,23 @@ "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", - "sha256": "38254e10c94b71503f642eb25ccf9bd0e66542f343d369ab1cfe7cc1e0d8729a", + "sha256": "62b3243701eaf818aa660cdcf7e9349322ee81f633aa0084e3c524e3d32ba4e4", "type": "eql", - "version": 108 + "version": 109 }, "202829f6-0271-4e88-b882-11a655c590d4": { "min_stack_version": "8.3", "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "9040a822ed47ef2d3bf89675fe2fdb67018a559f75c854ee80ad84714ff4fc4c", + "sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d", "type": "eql", - "version": 1 + "version": 2 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", - "sha256": "c2204e192d86865e713663390b2fb1c3859f2871ce24908f5899475a741571c4", + "sha256": "d07f6dd2837e924ff6de33cd32baf79e1da77761b30b28a595cc98b0190bcf53", "type": "eql", - "version": 108 + "version": 109 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "min_stack_version": "8.9", @@ -1289,9 +1289,9 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", "rule_name": "Access of Stored Browser Credentials", - "sha256": "3e3f5aec51ac2d4bed5a22f8ab0e6bc87db4da5c76f3e93dd107ed6f15e2c5a2", + "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", "type": "eql", - "version": 106 + "version": 107 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.3", 
@@ -1303,9 +1303,9 @@ "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "a1c0793e46ef70df7a07d937496dac757813e319583a4835ca03b7889dc59aab", + "sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287", "type": "eql", - "version": 109 + "version": 110 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", @@ -1323,9 +1323,9 @@ "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Child", - "sha256": "a000ef62eb0c4260a2c35b773be14845533597b5363d8762a9dc78b65a342149", + "sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade", "type": "eql", - "version": 1 + "version": 2 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "min_stack_version": "8.4", @@ -1337,9 +1337,9 @@ "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.3", "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "c54e0fcc5ec27640dfa0db638f45805ad4749c78972fa33cc061cab3f04f13d8", + "sha256": "a5cc59d7cf2e2fa059c0b9764eea066885103f00f02d4d447a130f44e15b452a", "type": "eql", - "version": 5 + "version": 6 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "min_stack_version": "8.6", @@ -1353,9 +1353,9 @@ } }, "rule_name": "SSH Authorized Keys File Modification", - "sha256": "005f7835fa070f7f885e2383bf737e042e166aa86438d213922d52e82ff0cd91", + "sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0", "type": "new_terms", - "version": 204 + "version": 205 }, "22599847-5d13-48cb-8872-5796fee8692b": { "min_stack_version": "8.3", 
@@ -1397,15 +1397,22 @@ "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.3", "rule_name": "Kernel Module Load via insmod", - "sha256": "e8a71f53507413121ff82ca2496d461255f41f8c86c0027ce2fa487f9b157cdd", + "sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2", "type": "eql", - "version": 108 + "version": 109 }, "2377946d-0f01-4957-8812-6878985f515d": { "min_stack_version": "8.9", - "rule_name": "Remote File Creation on a Sensitive Directory", - "sha256": "d175835a59f26f5a7a7607eec8ec9be98bff92a092fcb817859b99170ad0ddd6", + "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", + "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", "type": "eql", + "version": 2 + }, + "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { + "min_stack_version": "8.6", + "rule_name": "Unknown Execution of Binary with RWX Memory Region", + "sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1", + "type": "new_terms", "version": 1 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { 
@@ -1418,23 +1425,23 @@ "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", - "sha256": "d8e20705353d3835109854dff70bf6bcec1d3cc3959cb9434fc53f2e46925c1b", + "sha256": "3e1f1dcee9be8b47adb401cfd92323f482f7e22611ecb85b8d301af019b18653", "type": "eql", - "version": 106 + "version": 107 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "707d343409c8eb1b73e83d906c6564b4401912393e9d157bd4913b267dd1c108", + "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", "type": "eql", - "version": 3 + "version": 4 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "min_stack_version": "8.6", "rule_name": "Network Activity Detected via Kworker", - "sha256": "38aef430c59433edfc458d3cfef8619dba63a6c1d681d6680c5d864aec8f5fc4", + "sha256": "f9452cfd3dd6898a8e874ba512f1348b0914cd30dd59bda481fa9b8f7932ac94", "type": "new_terms", - "version": 2 + "version": 3 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "min_stack_version": "8.10", @@ -1446,9 +1453,9 @@ "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "e7d2c248c0ef9948b7461ecd30161e9e5fae46a1bd58ce87073cb10b5b354b85", + "sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5", "type": "eql", - "version": 4 + "version": 5 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", @@ -1460,9 +1467,9 @@ "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "22c2959b31f776a92a435478b6ab0d09b9f9faaaee332d070e0e0a5236352c97", + "sha256": "126645c0dd5cdade08a0e700f459414da0f7ddf0b26b61817e7c6f1171d959fa", "type": "eql", - "version": 109 + "version": 110 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "min_stack_version": "8.3", 
@@ -1483,35 +1490,35 @@ "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", "type": "threshold", - "version": 104 + "version": 106 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "3a7e860d0d7d4932d1765d9a9890853d23ee8dbe1726f151accf8ed96efd88c2", + "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", "type": "query", - "version": 4 + "version": 5 }, "2724808c-ba5d-48b2-86d2-0002103df753": { "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "effa27b5c3262001b53cad02b8704357c550fc2a33d2186bd1412e8b631859ff", + "sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5", "type": "eql", - "version": 3 + "version": 4 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", "type": "query", - "version": 103 + "version": 105 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "06a344a111e75594161e3a08c78be77d29fd146dec8b6ce48d5cc9330a9166f1", + "sha256": "f282273c006e841c6c64f909e05053110d210e1205f0a504977cd4e701a175a7", "type": "eql", - "version": 107 + "version": 108 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", 
@@ -1525,21 +1532,21 @@ "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", "type": "query", - "version": 103 + "version": 105 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", "sha256": "bd56a7406f9eb92ed5ae5f56f3b907b56ac2f13892cb6f81d1fc8810651fbedb", "type": "eql", - "version": 109 + "version": 111 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "257b3fb90d62c5183542dcff6f0968b2b4c05ab2ff444c13476f8b16b2b4eec1", + "sha256": "1fb55bf7b692e5b95ce37d95f3fdaa6ad25e99035e5b7b66e15c874b197e9da7", "type": "eql", - "version": 109 + "version": 110 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "min_stack_version": "8.3", @@ -1551,9 +1558,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "748d22c0d796641d48a1bc6cc42284615cf7f1682f6204efa1dc80e97ca715ac", + "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", "type": "eql", - "version": 7 + "version": 8 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", 
@@ -1564,16 +1571,16 @@ "28bc620d-b2f7-4132-b372-f77953881d05": { "min_stack_version": "8.11", "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "94ac13353f3fecc614b24c287794d0db40f30741b295beb613566a654b053e1b", + "sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2", "type": "eql", - "version": 1 + "version": 2 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", - "sha256": "7812955eb756c08f5d9f17dbf1d672b0f9a1587bf4d1f8fb36bbd42fab2a4a82", + "sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320", "type": "eql", - "version": 4 + "version": 5 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "min_stack_version": "8.9", @@ -1594,16 +1601,16 @@ "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "24dbe0a7ac74484f64918efe29bea45e8ad8b0e96d100b3bd08873b85aaabd45", + "sha256": "40ce924fa3299f63687bf28ba5a09ffe6142e56f64010f766f3350db86522cf6", "type": "eql", - "version": 110 + "version": 111 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "7dd6d1e390ebfd93e78b9641381617dbb41f9a5bc0eabdc6182027ccbfca46fd", + "sha256": "042c84534e3f2e42aaad622b511e2a606ed267b5ea9d48a1e289c2ced981af4a", "type": "eql", - "version": 109 + "version": 110 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.6", @@ -1617,9 +1624,9 @@ } }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "91640b4675f4fedbb77041e83d0aa845ecf1a343fbaa533835e78afe90aa97f8", + "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", "type": "new_terms", - "version": 210 + "version": 211 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "min_stack_version": "8.10", 
@@ -1638,16 +1645,16 @@ "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "min_stack_version": "8.3", "rule_name": "Potential Linux SSH X11 Forwarding", - "sha256": "5033fd4d9756e3c485f90e5526da651406b9805f178469b7a8ae4cbd0903d60b", + "sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7", "type": "eql", - "version": 2 + "version": 3 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", - "sha256": "304872798cec74b70f3b39512a44006ab49849897e5b760c45f57663f6cbb753", + "sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391", "type": "eql", - "version": 5 + "version": 6 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", 
@@ -1668,30 +1675,30 @@ "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", - "sha256": "60b8604133b04c233608035975acff3e5c7ffae33d7e6f65d97cca37326561a3", + "sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504", "type": "eql", - "version": 5 + "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", - "sha256": "d4540f314ef044ee0c2fbf1fbfe559d927eaadd79f9cedfbad924a877eb3a5ca", + "sha256": "9511519552dcac359dd785ad280b824b18f30b72c8776b5c13589adecd28db7e", "type": "eql", - "version": 109 + "version": 110 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "ec77422daee02355d42a51e3660c24d0e608ef82ff3d92169665ed6149496dce", + "sha256": "43fda5bff6b8024187994b386ff239f5b34a3dbc20d13cac44e186e7ad26bb7b", "type": "eql", - "version": 108 + "version": 109 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "6240a5e2945d67deadb4e2ae6462053f9659a0144f048bc91767c92e390ffe30", + "sha256": "7583ab195e69ad5b71c92d119b7e50b25df405d9af54fd263467de71829c7a12", "type": "eql", - "version": 107 + "version": 108 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "min_stack_version": "8.6", @@ -1705,9 +1712,9 @@ } }, "rule_name": "Enumeration of Kernel Modules", - "sha256": "481aae41195f6dc58cb3f76032ffbfc5fe4f6940245db16f6e4d42cd0a735879", + "sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e", "type": "new_terms", - "version": 208 + "version": 209 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.8", 
@@ -1721,23 +1728,23 @@ } }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "02194b622839ad66b2931225a725b2013f5ba1b1ae524083ede33369dc018840", + "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", "type": "eql", - "version": 210 + "version": 211 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "min_stack_version": "8.3", "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "65f4f675acd03a58a2f89697fff8a4bd8c77099a91215437f4453ac89851caef", + "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", "type": "eql", - "version": 2 + "version": 3 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", "rule_name": "O365 Excessive Single Sign-On Logon Errors", "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", "type": "threshold", - "version": 104 + "version": 106 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "min_stack_version": "8.3", @@ -1749,16 +1756,16 @@ "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "0d68982c3ad2c66fe584668a2a911d7ba89c1e7a8e876b33f359f2f58a1094d8", + "sha256": "3c1ac65899b1c8a54368d0242926e71b84970c3d3525c102b8fc3212e2fe5a28", "type": "eql", - "version": 108 + "version": 109 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", - "sha256": "265f859057d32706bc44115c2b619366f405b94b82a1930e01559999ad451bc1", + "sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d", "type": "query", - "version": 109 + "version": 110 }, "2e311539-cd88-4a85-a301-04f38795007c": { "min_stack_version": "8.3", 
@@ -1784,9 +1791,9 @@ "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", - "sha256": "de2e56710056a8b6da9dc0876399c464d483cd8d86b9960d864a3012ab56e30e", + "sha256": "9b9c9894727201ffd4c48acd3806088c597cc81ae8b85f9dd6a9d88587a6c292", "type": "eql", - "version": 108 + "version": 109 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "min_stack_version": "8.3", @@ -1798,23 +1805,23 @@ "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "63a0240e890b59f4e0d8ef6057b38f2c59f013ac31f0899372ea40782b935ee2", + "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", "type": "query", - "version": 109 + "version": 110 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", - "sha256": "b5c037e4028ed9b2148058177b53b6f8cd416c2002692c954030a5797c8c08b9", + "sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e", "type": "eql", - "version": 108 + "version": 109 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "min_stack_version": "8.3", "rule_name": "Suspicious /proc/maps Discovery", - "sha256": "6ff711bf9210efc3644140457f78037989cc2a13cc4d303260183a696d07acb8", + "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", "type": "eql", - "version": 1 + "version": 2 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", @@ -1826,9 +1833,9 @@ "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "1db13a5ac155b6497736f067e6755417f99f9cf5b5245f36c2b96437eebc703c", + "sha256": "8e9618108b6191ca96f5028c7ebad3b970904705f93ef91cc05da0a39a35841b", "type": "eql", - "version": 109 + "version": 110 }, "301571f3-b316-4969-8dd0-7917410030d3": { "min_stack_version": "8.9", 
@@ -1847,16 +1854,16 @@ "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "41a17a81e7dbbf1e337709a394e0be029ac4d83690a5bae894f24d09e5939b60", + "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", "type": "eql", - "version": 7 + "version": 8 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via Sudo Binary", - "sha256": "ddb98f4f685bbcea91b63f3f1c66d834819a438573a2789c94db0f944a2d6507", + "sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058", "type": "eql", - "version": 1 + "version": 2 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "min_stack_version": "8.3", @@ -1875,9 +1882,9 @@ "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", - "sha256": "d103eb4b3b70bcb7218f6d5ee253d330f07d90b75d10bfcaaab675d5d44ab6f6", + "sha256": "80d0b61b700c1596bf6c6190a1fc56d04324e5a1f0c3b74c6e06f559810308f7", "type": "eql", - "version": 110 + "version": 111 }, "3202e172-01b1-4738-a932-d024c514ba72": { "min_stack_version": "8.3", @@ -1886,6 +1893,13 @@ "type": "query", "version": 104 }, + "32300431-c2d5-432d-8ec8-0e03f9924756": { + "min_stack_version": "8.6", + "rule_name": "Network Connection from Binary with RWX Memory Region", + "sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6", + "type": "eql", + "version": 1 + }, "323cb487-279d-4218-bcbd-a568efe930c6": { "min_stack_version": "8.3", "rule_name": "Azure Network Watcher Deletion", 
@@ -1903,16 +1917,16 @@ "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", - "sha256": "06de85209a1b0dde5bc8b4f17f289dac52ac59beb2bb0e35c4dec8c8c2a29cb5", + "sha256": "c5aa7db35a6cc9e3919372237fa8dffc8e397027df0c591dca62a660c3c826d2", "type": "eql", - "version": 107 + "version": 108 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "a2f256cc9ea71c50440bbb4867ab2f6f5f0a35d610c0cd90a07dfa83ad7bdb22", + "sha256": "c62185b1fbe63d5cfa6260c4c2a4b70f8de70a803a1847d7d6ef4d320688dbc8", "type": "eql", - "version": 109 + "version": 110 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "min_stack_version": "8.9", @@ -1933,9 +1947,9 @@ "33a6752b-da5e-45f8-b13a-5f094c09522f": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", - "sha256": "e78c45bd7a967de7c4defaf1dd745c826bfec1fd5423a3925426ae981a8822ac", + "sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04", "type": "eql", - "version": 5 + "version": 6 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", 
@@ -1968,30 +1982,30 @@ "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "b91e01cbd654f79bb65cb81f07f055521e97ddb636f27bcb5c55ba7c599d55f0", + "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", "type": "query", - "version": 105 + "version": 106 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", - "sha256": "291793bdb267500bb51af75132d44acbe6c3514e74d3fac34ce187ef4cc58d43", + "sha256": "a29be1699ea98079497ab6f9dbcda467f70d809fb84a0d405bd02035d126342a", "type": "eql", - "version": 108 + "version": 109 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "32a12fdccb57725b598715c3cf122e2068cf259b449fb15047fb9b0fc99a5fcd", + "sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac", "type": "machine_learning", - "version": 2 + "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.3", "rule_name": "Unusual Parent-Child Relationship", - "sha256": "0098a7a7001a8e52c8fd405da22d8b74b7752a3abc6c72ce58a3c1b4bc87a00e", + "sha256": "0fe48302bd069b376d0c0125b9b99b6e6bc78713aa8f3ded6f2dc4d5d7c198a7", "type": "eql", - "version": 109 + "version": 110 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "min_stack_version": "8.3", 
@@ -2009,23 +2023,23 @@ "3688577a-d196-11ec-90b0-f661ea17fbce": { "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", - "sha256": "954fc970c7c982de04f1ec41cdd8c4c8f00fe8b2bbc5507e42e9e255d9150c96", + "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", "type": "eql", - "version": 108 + "version": 109 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "dabff5221c0b2f406165374af490dcdb04a568295196b805962ea4b2e88e734e", + "sha256": "105ca4a083fb2c40d09d028b90dc636ffb2ef5d20a4ebc06fa2bfd135a0c2a85", "type": "eql", - "version": 105 + "version": 106 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "min_stack_version": "8.9", "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "296e8ed0e6066e7b702fcf4311d2217ba39f5c0799f3226fad2477b5424210d1", + "sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457", "type": "machine_learning", - "version": 2 + "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.3", @@ -2082,9 +2096,9 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "b41ece736909738d8ea437111abfff24846ce37e0dbf28c436ad918ae7056fc5", + "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", "type": "eql", - "version": 105 + "version": 106 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.10", 
@@ -2105,16 +2119,16 @@ "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", - "sha256": "ff32cd3ea3d3f5aa49fb8c8bcc7368b8211ee44bcad1809ab55e3874291c4274", + "sha256": "5414bbe55d4a1b7968cdfe547ef66a16e2ea14fb2d57b9e982376fececd8c951", "type": "eql", - "version": 109 + "version": 110 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "8ad731c423f1a7a201eea63221fa6f1c19645b46b39421558ced549ddda00f7d", + "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08", "type": "eql", - "version": 106 + "version": 107 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "min_stack_version": "8.3", @@ -2156,9 +2170,9 @@ "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "2d7c95cdf099081d29fe694938ae75a1e1e05d03d14e2314b91abcf074cb3d2a", + "sha256": "a95a8deb33c605f49071b6760943f92eb999d304ed26cbb4ecff1b05fdd79c5d", "type": "eql", - "version": 105 + "version": 106 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "min_stack_version": "8.3", @@ -2170,9 +2184,9 @@ "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "min_stack_version": "8.3", "rule_name": "Suspicious Module Loaded by LSASS", - "sha256": "bb7e77e182b27492c362583686a193391f56ca19f0c2663ade4d1b95e4fab26c", + "sha256": "fdd555efd8dd322e1a61baac6b914d2c1413a0cd235e63b81bd359e5699bece9", "type": "eql", - "version": 6 + "version": 7 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", 
@@ -2211,16 +2225,16 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "373baf17283c276e152b141c68c56eee4698cd1a52b9fb64f8343325b5e7d7b0", + "sha256": "0cc9b4c66d9e04312246894acad762bceae4aecf2c325f9a58d7c3bd3f42a05a", "type": "eql", - "version": 108 + "version": 109 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.3", "rule_name": "NTDS or SAM Database File Copied", - "sha256": "4d3a67e13e1dbd3a56db47d759dd9a345c503a88359029cd2cbed24aae2f2da3", + "sha256": "3d513821b853d8c2375e5387149c85a0a5ed409ab49bc51e03da3056957874e3", "type": "eql", - "version": 110 + "version": 111 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "8.3", @@ -2232,9 +2246,9 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "d9d09e692225a41f36175b833c81800c8d1406c6a21c6806f6cbadb83703de20", + "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", "type": "query", - "version": 4 + "version": 5 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "min_stack_version": "8.9", @@ -2255,9 +2269,9 @@ "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made from a Source IP", - "sha256": "1d9b0dc7353a9d3f8bfc169a53aed8e05d122ae303c184d2ef1de2baf411c76b", + "sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62", "type": "machine_learning", - "version": 2 + "version": 3 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "min_stack_version": "8.3", 
@@ -2276,9 +2290,9 @@ "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", - "sha256": "712b5f698a3cdac28ddf24ce2c91dff930454f6cb82e79b2c623129ba42ac23b", + "sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db", "type": "eql", - "version": 105 + "version": 106 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "min_stack_version": "8.3", @@ -2290,9 +2304,9 @@ "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "186e976103d3e2b613b34b59023ffb3714c57d1af81a74cdc5f6f5d820c3eff1", + "sha256": "628d69badc4c7cac5d27f8b5e345a0f678ff14a21da4d553f6415fc9f62d61e5", "type": "eql", - "version": 108 + "version": 109 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.8", @@ -2306,16 +2320,16 @@ } }, "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "7cb2b7500b86c37fa3f51926431b8f44f6c119d48cf37e143cfa176f9facadb8", + "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", "type": "eql", - "version": 207 + "version": 208 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "min_stack_version": "8.3", "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", - "version": 104 + "version": 106 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "min_stack_version": "8.3", 
@@ -2327,37 +2341,37 @@ "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Client", - "sha256": "096a86b65506d41f82036e1d4ea0151a295eefc548fe5ba3f7c38995c83f088b", + "sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792", "type": "eql", - "version": 4 + "version": 5 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "min_stack_version": "8.3", "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "cfed2c9b938c13970e3b6df4bc955a28ef3093ee600d6f2cd4b5cab3cc39200f", + "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", "type": "eql", - "version": 109 + "version": 110 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "min_stack_version": "8.3", "rule_name": "Process Discovery via Built-In Applications", - "sha256": "f0fbc9841d89528d4653aecdb898606cdec1a669cbf73110c4cc05ec417c4ad2", + "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", "type": "eql", - "version": 2 + "version": 3 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "min_stack_version": "8.9", "rule_name": "Unusual Time or Day for an RDP Session", - "sha256": "9b471f8864eedbbad89dffb8d15a22628f08b9e1a67dd5221d1766d6eba59e57", + "sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281", "type": "machine_learning", - "version": 2 + "version": 3 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a User", - "sha256": "b50af272ff3b6b7eb7b333f0c8d267b51bfdd83586ee5b0691748862fd2c3923", + "sha256": "6f137c74ed8f940e891bb2048f8df801d3cc8a5b7adba6e3734f2c9da5394f68", "type": "machine_learning", - "version": 2 + "version": 3 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "min_stack_version": "8.3", 
@@ -2369,9 +2383,9 @@ "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", - "sha256": "9c63624a50b10038636b37c3c2924f1d5de7987ca84d3f9faad86e420ec3c09d", + "sha256": "913b7ece64e8615edbf3d142cc711bdb73bd123721616e96628eba23c172a0e9", "type": "eql", - "version": 106 + "version": 107 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "min_stack_version": "8.6", @@ -2385,23 +2399,23 @@ } }, "rule_name": "Suspicious Modprobe File Event", - "sha256": "3023790e7b7a847fa8ec6fe47f0279307de8e1d4a2153a86caee8a3f11a98e70", + "sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c", "type": "new_terms", - "version": 106 + "version": 107 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { "min_stack_version": "8.3", "rule_name": "Unix Socket Connection", - "sha256": "38561d8ce173227b49b1459ae11d38bfba76385fa68298e1ddb7b8603d57a8b6", + "sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22", "type": "eql", - "version": 1 + "version": 2 }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "76d4c434f999b25ec34bbcbe809f0b6533b9d500519280f6a0558cca94ccf418", + "sha256": "0ffed8b229232fa659665f4b08e7fc2bf4925814c0faea7b4334187b8e75ca10", "type": "eql", - "version": 109 + "version": 110 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "min_stack_version": "8.8", @@ -2420,9 +2434,9 @@ "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "473f098ef25c7659b7ec2c953c7fe83d29d17210bae3f18a76e7aabe5ef9aa31", + "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", "type": "query", - "version": 105 + "version": 106 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { "min_stack_version": "8.10", 
@@ -2457,9 +2471,9 @@
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.3",
 "rule_name": "Process Creation via Secondary Logon",
- "sha256": "65781e6a82dfba3a861174decf22fa460a0930a12169646ca3d6d4aa7eaa7c6a",
+ "sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "min_stack_version": "8.3",
@@ -2478,16 +2492,16 @@
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
 "min_stack_version": "8.3",
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "8b01aed5f72d886c28700069c04c106550f8803094c43e8fb5f458bba3e843ff",
+ "sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.3",
 "rule_name": "Startup Persistence by a Suspicious Process",
- "sha256": "dd409ade4fd40ee77479589620573779b153ec9c46ba6ecd32a0b3878b417730",
+ "sha256": "e912c188a61231bfdcc366e62f89eb1c6885c298e56a48db3d8d955f6307b0ac",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "min_stack_version": "8.3",
@@ -2506,9 +2520,9 @@
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Vault Web Credentials Read",
- "sha256": "d1dc99f54476ef81bf7b7a1b8a5ea2e40a3c58ee6cad0f93459808bc06d3fae9",
+ "sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "min_stack_version": "8.3",
@@ -2527,9 +2541,9 @@
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.3",
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "87876e96cffd8fcaa7701a062020cde8d6ada8f48aeed13a7b7153b0274318f5",
+ "sha256": "0e8838bdb203c5d2583b224ce04df505c6a540eaf32e201a73e500d67873a354",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.3",
@@ -2541,9 +2555,9 @@
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "990b886b92cb87798246a158ca46bf1b61eb1ac09d2e34d3744dee85300efb72",
+ "sha256": "83b8afb55578a79b9e61c0f4dc9589bb9fb7ab8bdac3c35dcca2eee7b4c89aaa",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "min_stack_version": "8.3",
@@ -2555,9 +2569,9 @@
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Persistence Through init.d Detected",
- "sha256": "f81a299ab73bc88e675dad5dc2c317be157e02699f1149c411af6c0aac00899c",
+ "sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1",
 "type": "new_terms",
- "version": 8
+ "version": 9
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "min_stack_version": "8.8",
@@ -2569,9 +2583,9 @@
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "b3e13c97d0c0bff23ce9255d93a0a60d4aed4d262d14236423927bff1458d583",
+ "sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -2582,51 +2596,51 @@
 "47f76567-d58a-4fed-b32b-21f571e28910": {
 "min_stack_version": "8.3",
 "rule_name": "Apple Script Execution followed by Network Connection",
- "sha256": "0707726336298da0eacdb012ecfd3d5a1d4db190cc8b010ea63e32319a591bd7",
+ "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
- "sha256": "b50b2e234ba9baff98a048befd56242a0342a5ef08704dd5a631a993128dda42",
+ "sha256": "de1531fede6b492b18663d799128c21faafc14bd82543c7cb449129e0e9a9b83",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "48819484-9826-4083-9eba-1da74cd0eaf2": {
 "min_stack_version": "8.6",
 "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
 "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea",
 "type": "new_terms",
- "version": 2
+ "version": 4
 },
 "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell",
- "sha256": "89cb7506c40c363e3a341bf80a940b915a41f7abbf4c1e2889967a5a1c18b485",
+ "sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure from the same Source Address",
- "sha256": "b4fb37e1e7527312d0819a95373e8bdd68e9b4b4f4cbfb074007c7fbe3cb736f",
+ "sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "48d7f54d-c29e-4430-93a9-9db6b5892270": {
 "min_stack_version": "8.3",
 "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
- "sha256": "9a234c8cffcb67324557459f70bc5644b48f12b78ddc226765d69211e2034ced",
+ "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "48ec9452-e1fd-4513-a376-10a1a26d2c83": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Persistence via Periodic Tasks",
- "sha256": "3c035219a5681c2514f111063f313c5e3108fc0d98ca2ab089aa72eb6f519951",
+ "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "48f657ee-de4f-477c-aa99-ed88ee7af97a": {
 "min_stack_version": "8.3",
@@ -2645,9 +2659,9 @@
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Backdoor User Account Creation",
- "sha256": "5b5bf047bef61d90083e4c43c267c4ec7b4769ca32b5928ea33b8ddd31fc7530",
+ "sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "495e5f2e-2480-11ed-bea8-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -2689,9 +2703,9 @@
 "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
- "sha256": "854656d39824472174625ba831a52a49485204da2450fdca9db0362d785b2ca6",
+ "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
 "min_stack_version": "8.3",
@@ -2710,9 +2724,9 @@
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "min_stack_version": "8.3",
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "fa53a5c480d782e5ee5318fbf10402858e82c0ff4b2eba5cdf7d989c51400fb2",
+ "sha256": "f6ea79ffc24fc77b0b670584c9aa5ca184d1b9c530ad1e7835b22c26877e8123",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "4b4e9c99-27ea-4621-95c8-82341bc6e512": {
 "min_stack_version": "8.8",
@@ -2724,37 +2738,37 @@
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
 "min_stack_version": "8.3",
 "rule_name": "ProxyChains Activity",
- "sha256": "57ef2c8bafe0c644017773b4793d326d1eaa88d8b6cc8a764ce142cbd468a448",
+ "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4b95ecea-7225-4690-9938-2a2c0bad9c99": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Writing Data to an External Device",
- "sha256": "b86e21f533a8abbe681d8e714d35bff6b31ec9354bf3751ee7d5f488940e6bd3",
+ "sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
- "sha256": "65b0598c0219095da6c676a23367d47d583e6c011bb811f52d8d45057bdfc6ab",
+ "sha256": "4c3132cd12e5b050d008e9dda6a69bb2b2711b0f9596232fc8173985858ddd79",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Share Enumeration Script",
- "sha256": "8912807ab7734bcfcf236a07a04964d896253b8066febf03afd16256f013020e",
+ "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
 "type": "query",
- "version": 8
+ "version": 9
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "53f533ffdd9d2d9f7c1a5cba374de00d7db74d814cde9706d3750390086f3c78",
+ "sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
 "min_stack_version": "8.9",
@@ -2775,44 +2789,44 @@
 "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Disable Gatekeeper",
- "sha256": "8d66b86897c0f7e9f90e2ab46d46d6734db7e1fd64cdf5c5c9926e164ccef324",
+ "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "min_stack_version": "8.3",
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "012dcc784a14d30933595f8e32cf14a838ed2fbbfa50b2f89917ee06a761fe39",
+ "sha256": "124e5da33a22b0f85d527b9d8d7b6e77344775624ac22f9f7877357295bfcd58",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure Followed by Logon Success",
- "sha256": "5fc006866645843af182ca61acac0199ac14da30181a0da5371c2bde0902ec72",
+ "sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Process Spawned from MOTD Detected",
- "sha256": "2e853ef0a4b3eea2270e8d8fc0910e0cfd526c79682e1776dbf7500c6d825341",
+ "sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "sha256": "53f2c0931c84562d99448bf354579e8eb99b5da5a53f8c4f362b42a9fc23eca7",
+ "sha256": "1f58dea69a64bf4b35c2649ad0d707aa3acebce847cb0690b19d53233f956e5f",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Script Object Execution",
- "sha256": "8db69fc49940b524199c4fc60605ef12797755543bf966dcb698d7ea10ce6ade",
+ "sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
 "min_stack_version": "8.10",
@@ -2833,9 +2847,9 @@
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "675fe51d000d7b660cd1a39a19d74d93f2ee7341be001e5ad5e10cd547cdf869",
+ "sha256": "4800eb590fd93d7cfee2891f85ca1700e4d1b6151e4525ebbe6d01fb4b7a6737",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
 "min_stack_version": "8.10",
@@ -2854,23 +2868,23 @@
 "5124e65f-df97-4471-8dcb-8e3953b3ea97": {
 "min_stack_version": "8.3",
 "rule_name": "Hidden Files and Directories via Hidden Flag",
- "sha256": "77af208d8070c7123775d9c7708d351a1d4ae579a13d0190e489642b5810f639",
+ "sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "6f0e1ffcea5865ac47fd6f0f59001b4cf947d26aefdeeb3eda27d545d84820e3",
+ "sha256": "64fddd9615abe7545e62a0eb47f20a024c23decd8daaea1c670e1e4f518d9789",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
 "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "51859fa0-d86b-4214-bf48-ebb30ed91305": {
 "min_stack_version": "8.3",
@@ -2889,16 +2903,16 @@
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "min_stack_version": "8.3",
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "298d203a01db67a0653310a2665d704f81a97db74789cbe2fdf632ebe7574155",
+ "sha256": "3bb0daad18a9bb9f1c5014056a849623263d9a097b91b0a8e5d52ea4d636131a",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
- "sha256": "ba6f6235a7b0a8e6655ecc8e374d2babccf8db929b8f1c864ce81a77ebeedaf5",
+ "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "min_stack_version": "8.9",
@@ -2919,9 +2933,9 @@
 "52376a86-ee86-4967-97ae-1a05f55816f0": {
 "min_stack_version": "8.3",
 "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "24bd83686da07cb3f3459249f9eb34318aaa69517e06082b9df92f5456b93485",
+ "sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
 "min_stack_version": "8.3",
@@ -2933,9 +2947,9 @@
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "ed4bedce5bbc1788f21c4a7cf33af783dbfc0a12fcc6a88df03c97257eed9e7a",
+ "sha256": "40ece191efd016ebfb044b7230e0f376d6a8aa416a6e0fde39cbee724c7bef0f",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "min_stack_version": "8.3",
@@ -2959,16 +2973,16 @@
 "530178da-92ea-43ce-94c2-8877a826783d": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious CronTab Creation or Modification",
- "sha256": "27807c0b1bbc5c951feb992b0d6326af2b457c21ea661e1cc745995c25745e21",
+ "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "min_stack_version": "8.6",
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "2230b608e14905ab59a03345d40c4316f05604472bff811a58169a5d635033a0",
+ "sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca",
 "type": "new_terms",
- "version": 7
+ "version": 8
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "min_stack_version": "8.9",
@@ -2996,16 +3010,16 @@
 "5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
 "min_stack_version": "8.10",
 "rule_name": "Statistical Model Detected C2 Beaconing Activity",
- "sha256": "1b87bd4ff716c3bfcb0481e0db133d5ed6a99a9fc0e405796be2b43a2a5d6bcc",
+ "sha256": "ff6da7f331dcfa0385d733fe7af34367b7a5772236336e8196677506dc53fa02",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "740a3469ba041ca4f12509b7a293c6506daa3b69237686b4d407c20e3300931e",
+ "sha256": "90fb6b5b747e2c33656a728d3ded9f2e44a82bf4beac024c8f53e31fd8e0a03e",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "min_stack_version": "8.3",
@@ -3017,37 +3031,37 @@
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "min_stack_version": "8.3",
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "470d8e6c5c1dfd3564bd5f3b59d7853db9137942de25c38e4281b2d16df70ede",
+ "sha256": "fc2a119aff01368fe7e6e9b4d6c90db7715a088bc7da33d27985eb8062ed03a7",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "min_stack_version": "8.3",
 "rule_name": "Exchange Mailbox Export via PowerShell",
- "sha256": "8b8b47b60cf612754dc318d5963e5f915e3a9a6cc52152d9e3211eeb0155b2c2",
+ "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "min_stack_version": "8.3",
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "7181c9bb9bcebc8e25b18d6dabbedd9cbf39592c805512606e418ec028f4003b",
+ "sha256": "0d2d7574f0cce64196c045d6a82209834616721007ea1fd7bed902cd6cb8863a",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Service Installed via an Unusual Client",
- "sha256": "89aec2e14544effd2f05878927d6c65bda26642bea2827c7a323265202fb46d9",
+ "sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "min_stack_version": "8.3",
 "rule_name": "PsExec Network Connection",
- "sha256": "ea9ce524558142eeb928e1288478f70877cf06e9b9344009845c85f0257329e7",
+ "sha256": "9027e8682b8b7ad7e0aaf6ae8383aab2fe403067262c1ff87cfcd7606334fcf0",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
 "min_stack_version": "8.3",
@@ -3059,9 +3073,9 @@
 "56004189-4e69-4a39-b4a9-195329d226e9": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Spawned by a Host",
- "sha256": "096b9a5a676e3ff07deaf9518e90a65b1b738c50f20cd0599281e782282da58f",
+ "sha256": "ca08c87c1c1ebfbf7d02d83341733370de9f73bc116ee4557642d0149a432182",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "5610b192-7f18-11ee-825b-f661ea17fbcd": {
 "min_stack_version": "8.10",
@@ -3073,23 +3087,23 @@
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "min_stack_version": "8.3",
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
- "sha256": "602c658a04190e27d27abced9d3265d8025a5a5173c8381cdaf432a69eef80ff",
+ "sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "565c2b44-7a21-4818-955f-8d4737967d2e": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Admin Group Account Addition",
- "sha256": "8bc8501a6ddd8f64743ca0b9449b6827723b051c90177dc1d95977ec71d638f3",
+ "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "565d6ca5-75ba-4c82-9b13-add25353471c": {
 "min_stack_version": "8.3",
 "rule_name": "Dumping of Keychain Content via Security Command",
- "sha256": "b61fe6deed081a783eadb490bf3de817c38a34b3369fb4393f17e1e058370e7d",
+ "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
 "min_stack_version": "8.3",
@@ -3101,9 +3115,9 @@
 "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell PSReflect Script",
- "sha256": "b61f13daa6709718b5efc18e44952a5b335d296a74a6958432dbc67304d4c731",
+ "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
 "min_stack_version": "8.6",
@@ -3145,9 +3159,9 @@
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell MiniDump Script",
- "sha256": "35dd040100009d246bc9f9a4dceafd8567877a83869db407986601d55633e369",
+ "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
 "min_stack_version": "8.3",
@@ -3159,23 +3173,23 @@
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "min_stack_version": "8.3",
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "1aee67afb99246ef2de3ff6b98de2a7e529122c7d55d36b64fbb50403eee1812",
+ "sha256": "8f3c1355379a529b94f98cc0e27d42505f77c22b44f920fbb6f2237c96008767",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "min_stack_version": "8.3",
 "rule_name": "RDP Enabled via Registry",
- "sha256": "ce293530acf459b922e5fc59532707e9f1aa5a0c2d302c835cc83e427a9937af",
+ "sha256": "e12182f0d2be63bfab11f485ecbb25e37f35b4b4736b3be8022379a95fb50937",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "min_stack_version": "8.3",
 "rule_name": "Zoom Meeting with no Passcode",
- "sha256": "bdc5d37d933591a9e749303f4d0da889d2fd76c0cc51bec4152b74f1518bd85e",
+ "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "min_stack_version": "8.3",
@@ -3187,9 +3201,9 @@
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "304917eeb1af9702d87f54af173823bfcc8f3c5dd3212076b77290bce0667d28",
+ "sha256": "89d94e88b9dbd7a623d75c682c8ca3f5572371f7bb77a9995add825d2f18c57b",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "min_stack_version": "8.3",
@@ -3203,7 +3217,7 @@
 "rule_name": "O365 Email Reported by User as Malware or Phish",
 "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "min_stack_version": "8.9",
@@ -3231,58 +3245,58 @@
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "124e2a2505d5c7c0a21c7253177b086db714b6d1ae3ba8ea59bbf20adf715237",
+ "sha256": "1d981e59f3d02e064f6cd8379e9c9900be5705a0cbdcc0c596b866ae5809bcca",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5a3d5447-31c9-409a-aed1-72f9921594fd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Java",
- "sha256": "d823d6d2ef1fdf34aa36794f0b7cd7c6897423510a0d6c77184faf205c7eb97a",
+ "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "5ae02ebc-a5de-4eac-afe6-c88de696477d": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Chroot Container Escape via Mount",
- "sha256": "5c459c5221a6e2ba5f5e6fc56527730e829e106f36af310b02de97f2826c6805",
+ "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "min_stack_version": "8.3",
 "rule_name": "Remote SSH Login Enabled via systemsetup Command",
- "sha256": "0468696a45e242d7e3e71b093c8c41a2a2e0318d204b64572529c03774829201",
+ "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Secure File Deletion via SDelete Utility",
- "sha256": "b57b1fa14361058e949c21cc407ad8e502c41b901b2f7b5a575ffb1d9fb460bd",
+ "sha256": "cae0c739475e3022d321d0703176431dbaf1792d9e3f628f9cafaa57d986d412",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "min_stack_version": "8.3",
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "7fa5c6ec0c42f301e37556a06ef4523f6ce815cae9e248f5928dbf04495f7c47",
+ "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "5b06a27f-ad72-4499-91db-0c69667bffa5": {
 "min_stack_version": "8.3",
 "rule_name": "SUID/SGUID Enumeration Detected",
- "sha256": "41cd9d8a7f6fb679feae8b8bfb68140693c08e8c276e33b6eeb919788312d60a",
+ "sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "5b18eef4-842c-4b47-970f-f08d24004bde": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious which Enumeration",
- "sha256": "69d468e7d20c3791c53b93dada74a299db61b105a4bc22ed3b5e08711a47bfd7",
+ "sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
 "min_stack_version": "8.3",
@@ -3294,9 +3308,9 @@
 "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "64936778fc675a7134a1e258d68825febdbe5f0b92e5a17ac102f1eb4fafdd77",
+ "sha256": "653114ab86902fd8f4c8ee2dad60eda337ba0cea3f366a5da9d2eddce611bf0e",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "min_stack_version": "8.9",
@@ -3317,16 +3331,23 @@
 "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
 "min_stack_version": "8.11",
 "rule_name": "Process Capability Enumeration",
- "sha256": "3f955af7035ed1c28ba10841d9d87b58de34c51c9146ed0ba4bf0d76ec560575",
+ "sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a",
 "type": "eql",
+ "version": 2
+ },
+ "5c602cba-ae00-4488-845d-24de2b6d8055": {
+ "min_stack_version": "8.3",
+ "rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
+ "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
+ "type": "query",
 "version": 1
 },
 "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
 "min_stack_version": "8.4",
 "rule_name": "FirstTime Seen Account Performing DCSync",
- "sha256": "60c5c2f2a9749a79720ee47e2e930a9f80242258293a89a271aa2721701939fd",
+ "sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4",
 "type": "new_terms",
- "version": 9
+ "version": 10
 },
 "5c81fc9d-1eae-437f-ba07-268472967013": {
 "min_stack_version": "8.3",
@@ -3338,9 +3359,9 @@
 "5c895b4f-9133-4e68-9e23-59902175355c": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Meterpreter Reverse Shell",
- "sha256": "ad5eeef0b7620188e2de743a8794671ea257a4c72445a2d45c4f12096f612bae",
+ "sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "min_stack_version": "8.3",
@@ -3352,51 +3373,51 @@
 "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Defense Evasion via PRoot",
- "sha256": "be2a9109a8b40a08a25097540efd4d1ffafe3c26095cc25b462030b39462392d",
+ "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
 "min_stack_version": "8.3",
 "rule_name": "Outbound Scheduled Task Activity via PowerShell",
- "sha256": "c0fd1feebe4607a5b3db25454a63e6c46b64c43070cd6c6487fac57bfd65b53c",
+ "sha256": "c1db8c178bc05b8761de8f9b5eb2a539cde7eae8471c23a6f2dcd60aad668b67",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
 "min_stack_version": "8.3",
 "rule_name": "User Added to Privileged Group",
- "sha256": "7884adba746a934e4698623cb4c2553c24162fb3cb42176f7939bd3b0abb7ea5",
+ "sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via PowerShell profile",
- "sha256": "bcad25e05d53aa35c64eed0d265c87d015b8da21345be33534265a037330e687",
+ "sha256": "72a57bee7c2bd77cf45d4286782cdf3feb1c3f97ea5f10f077794593e289807f",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Login or Logout Hook",
- "sha256": "4b664dd5877d1ea41aa62988945b0551c37d895fe86546e544ee732f93985f78",
+ "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Execution via Scheduled Task",
- "sha256": "ee93ccc7c656e52fd7841c8332e970ea5217ce16621e6044e8fe23e5c775ca70",
+ "sha256": "7f563f78e16e0d63433ac2b46218f66fc5ad3ac544c1e6b037b8c025db8eaca2",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Automator Workflows Execution",
- "sha256": "2f1b66054ac5bbc100d284a9f0ceda0c965b47881c9787c1945b8e466f298324",
+ "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "5e161522-2545-11ed-ac47-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -3419,7 +3440,7 @@
 "rule_name": "Microsoft 365 Teams Guest Access Enabled",
 "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "rule_name": "Potential PrintNightmare File Modification",
@@ -3446,14 +3467,14 @@
 "rule_name": "Microsoft 365 Exchange DLP Policy Removed",
 "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Process Network Connection",
- "sha256": "fd5996be6b2f46fc713908920b4d06537ad841086cb3b09c6c3e163cab734e9a",
+ "sha256": "4a08fcb6969163f3185960eff8e6f857bccc8b6b58bb4012c974122f821c8433",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "61336fe6-c043-4743-ab6e-41292f439603": {
 "min_stack_version": "8.3",
@@ -3465,16 +3486,16 @@
 "61766ef9-48a5-4247-ad74-3349de7eb2ad": {
 "min_stack_version": "8.3",
 "rule_name": "Interactive Logon by an Unusual Process",
- "sha256": "c1ecce5f4f3b0d7eaff18f79bffa18faefea70a9b382c04dc2906d33aae8c613",
+ "sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "e38e7929eb1850d3a951bfc7accd55279ec17d943ffec88463263308ad74f4c4",
+ "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
 "type": "query",
- "version": 112
+ "version": 113
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -3485,9 +3506,9 @@
 "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
 "min_stack_version": "8.3",
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "0c65d784e165a4fcbc42ac4338574c946caae6bd23afccceeb079c4f7346a467",
+ "sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
 "min_stack_version": "8.10",
@@ -3499,9 +3520,9 @@
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "min_stack_version": "8.3",
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "c34b60cbe2278701b99e658f035d05af7f68558251b332622334022f982c367c",
+ "sha256": "9aeb2b172981c284928fcafa5ba3a36cf1ad533f528d660525e3565ab131fe7a",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "62a70f6f-3c37-43df-a556-f64fa475fba2": {
 "min_stack_version": "8.3",
@@ -3513,9 +3534,9 @@
 "62b68eb2-1e47-4da7-85b6-8f478db5b272": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
- "sha256": "89ccb4bcf9974d7efeab3cd8f2c79c351f07bbe779369d826e8946ee6ef084fb",
+ "sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "min_stack_version": "8.4",
@@ -3541,9 +3562,9 @@
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "min_stack_version": "8.3",
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "e3f5d9f1f0b68b258714156bb2d6558011e846b2fad3ad178aae26c7c0f6c81e",
+ "sha256": "938d227bdd5dac89d120e5dc8e065081e1a1a3b549923b3897447a2293306f15",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "min_stack_version": "8.3",
@@ -3555,16 +3576,16 @@
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of Safari Settings via Defaults Command",
- "sha256": "df8fdd419ba042425bba4c2b32c414ac9dc05e1980edd08bc04fc4e8d18ead19",
+ "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
 "min_stack_version": "8.3",
 "rule_name": "Network Connection via Recently Compiled Executable",
- "sha256": "4b0dcde25fcab555e3f2eb2ea71dbd1f97f28352307fc2018254f7849f996dec",
+ "sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -3591,30 +3612,30 @@
 "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Mount SMB Share via Command Line",
- "sha256": "d6221b6ee2915a7b34ad8447f034179710da43b944bec0968235b097e3823ad1",
+ "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "6641a5af-fb7e-487a-adc4-9e6503365318": {
 "min_stack_version": "8.5",
 "rule_name": "Suspicious Termination of ESXI Process",
- "sha256": "0e3ded27dacf0a1e45129b4113f2ffeeff96888a708939d266d839584ea1431c",
+ "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
 "min_stack_version": "8.3",
 "rule_name": "WebServer Access Logs Deleted",
- "sha256": "03195d08eb16678c89d37803e31e7a409256687ff2402dfe25c3d36759a3ee10",
+ "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
- "sha256": "7276ea3de496fc30d8ffc602965c04577358f410edf577705d215ceba2541c20",
+ "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "min_stack_version": "8.3",
@@ -3626,23 +3647,23 @@
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "min_stack_version": "8.3",
 "rule_name": "Linux Process Hooking via GDB",
- "sha256": "b3318b7675f46ff6010f0b14354de0fc80b653f22835e38f76217b88dc3ab892",
+ "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious macOS MS Office Child Process",
- "sha256": "de9510393c24ff3e139c05854ab2ae53078fd1a040209a8d32e2a781b4429df5",
+ "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of the msPKIAccountCredentials",
- "sha256": "971d5caa27171542c27406ef2aee1d385c7010cdc026d2ef226d4ea1346ffac4",
+ "sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab",
 "type": "query",
- "version": 8
+ "version": 9
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "min_stack_version": "8.10",
@@ -3665,7 +3686,7 @@
 "rule_name": "O365 Mailbox Audit Logging Bypass",
 "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
 "min_stack_version": "8.10",
@@ -3692,9 +3713,9 @@
 "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
 "min_stack_version": "8.3",
 "rule_name": "High Number of Process Terminations",
- "sha256": "4d18f0f9724cf97382b88d3281dd5ed3c2b5c2dd53a7e9c8c5b39ffd7d43cf37",
+ "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3",
 "type": "threshold",
- "version": 111
+ "version": 112
 },
 "68113fdc-3105-4cdd-85bb-e643c416ef0b": {
 "rule_name": "Query Registry via reg.exe",
@@ -3705,16 +3726,16 @@
 "6839c821-011d-43bd-bd5b-acff00257226": {
 "min_stack_version": "8.3",
 "rule_name": "Image File Execution Options Injection",
- "sha256": "ad88e3a9101259f72a383196f9f474fb828e8dd2b844ef2d61caf9fb986c1028",
+ "sha256": "dffe42c5ab90869c537ef31605f87399b7061fd6480ca86d291ea97c3e7ad65f",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "684554fc-0777-47ce-8c9b-3d01f198d7f8": {
 "min_stack_version": "8.3",
 "rule_name": "New or Modified Federation Domain",
 "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
 "min_stack_version": "8.10",
@@ -3735,9 +3756,9 @@
 "68921d85-d0dc-48b3-865f-43291ca2c4f2": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
- "sha256": "83d6dccf5b5f0ae4ea178909ae972c10cbc54dbf4a5958187462bbf92d888beb",
+ "sha256": "fe99222bad976791adb250b94f1a671e2fc854d9e940dcb1774abd08d4e941bf",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "68994a6c-c7ba-4e82-b476-26a26877adf6": {
 "min_stack_version": "8.4",
@@ -3758,9 +3779,9 @@
 "689b9d57-e4d5-4357-ad17-9c334609d79a": {
 "min_stack_version": "8.3",
 "rule_name": "Scheduled Task Created by a Windows Script",
- "sha256": "ebde0ba43ed054967c01f489cd5f2e45b9dddf79b90351dea7e78c5a5c2edfe6",
+ "sha256": "7c8ed46851e8daee3bb76f18182fe1a8fdd9ab9833804cc6172b5d8641cd8438",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
 "min_stack_version": "8.9",
@@ -3781,9 +3802,9 @@
 "68d56fdc-7ffa-4419-8e95-81641bd6f845": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
- "sha256": "cb8466c3025fb4f8c5556eb62e311c02c11b56950756e170960f6bb8c9684090",
+ "sha256": "54b41030764f446ffff3a1171e5a6ab48b398793afaf92aa0a74f457a0d97ea7",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "6951f15e-533c-4a60-8014-a3c3ab851a1b": {
 "min_stack_version": "8.9",
@@ -3820,9 +3841,9 @@
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of Boot Configuration",
- "sha256": "a66226c5678227263920328ccc24dfca32a0620f02290922dff137101e01a7df",
+ "sha256": "031efa575d3f85bf37358fccdc85ea7a26833d84a044e2dea0cd340a5b1e783d",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
 "min_stack_version": "8.9",
@@ -3843,23 +3864,23 @@
 "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Service Host Child Process - Childless Service",
- "sha256": "bd2e1f3a638be5723ff0cb90b678f2912a29bc22b31c66b9e6cafa9973e6e64d",
+ "sha256": "73d8b92d5adacbda2690be1cefec6b5055b8462a0899cefb5721cdb447880250",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "6aace640-e631-4870-ba8e-5fdda09325db": {
 "min_stack_version": "8.3",
 "rule_name": "Exporting Exchange Mailbox via PowerShell",
- "sha256": "482861108067248f10161a39651726c2df97b6d2e8b7c5952cded1053b172ac9",
+ "sha256": "06d7311a4617060740277c5c255cc10d196a978a6b9d8c791dd4782f14bfafe2",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Utility Launched via ProxyChains",
- "sha256": "2442d8e0afa98b686eab3bcb1903abd546f86596652f60691f6efdfd621713e3",
+ "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "min_stack_version": "8.6",
@@ -3873,9 +3894,9 @@
 }
 },
 "rule_name": "Sensitive Files Compression",
- "sha256": "f67a0194e92a6a62746f2344bc677d6a37e9b34cbd8ea2bc5bf99dc15e4050d5",
+ "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50",
 "type": "new_terms",
- "version": 207
+ "version": 208
 },
 "6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
 "min_stack_version": "8.3",
@@ -3894,9 +3915,9 @@
 "6cd1779c-560f-4b68-a8f1-11009b27fe63": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
- "sha256": "fe55558d2f4c218f2fdfdca871cbaff991aabeb33b6622a44fdefd4d8ae81963",
+ "sha256": "f2d1dd7ef4bc9e7b8633eaca9e82e9bd3898d9211b31d2315326bdaca05e73f7",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "6cea88e4-6ce2-4238-9981-a54c140d6336": {
 "min_stack_version": "8.3",
@@ -3915,9 +3936,9 @@
 "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Privilege Escalation via CVE-2023-4911",
- "sha256": "d76c1108876f14e891d2625826f200b3eb225ace76c842c366b24949e9c28f73",
+ "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
 "min_stack_version": "8.4",
@@ -3943,23 +3964,23 @@
 "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
 "min_stack_version": "8.3",
 "rule_name": "Enumeration of Users or Groups via Built-in Commands",
- "sha256": "470df0c6e17a6b76b3d5dfe11b58055120699d9a00c0cfbb61259400adbc757a",
+ "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Windows Error Manager Masquerading",
- "sha256": "bd57722ccc74983106255532898917957a55fafd6c760af95a0650a7a93e5ef4",
+ "sha256": "cb67e6c4131d3fc5f1752e2baee22974dcdc21c1583a9c159732462b3d7f074f",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "6ea55c81-e2ba-42f2-a134-bccf857ba922": {
 "min_stack_version": "8.3",
 "rule_name": "Security Software Discovery using WMIC",
- "sha256": "f6dfe76cfea61ba2324b275dcd960ad3daed43c02c2cddc708af6ef3f3937ae8",
+ "sha256": "dc54aa513d06e0bce6794ccd0fff26f4918902cd8733faed3f9752ecb27d5f3a",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
 "rule_name": "DNS Activity to the Internet",
@@ -3970,9 +3991,9 @@
 "6ee947e9-de7e-4281-a55d-09289bdf947e": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Tunneling and/or Port Forwarding",
- "sha256": "8eb2075e6417e1abd98c79d0219606d314440ac873cfec2cf2f89d99059bfc4a",
+ "sha256": "eedc4cf7524cdf63ff5577f28828497e02335c1a260f32c37d3a2b4cda6272f7",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
 "rule_name": "SSH (Secure Shell) to the Internet",
@@ -4051,16 +4072,16 @@
 "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via WMI Standard Registry Provider",
- "sha256": "cdd0f600e28fdd26a6c761618ed095d7b9956e2064103ee046847872afd934fe",
+ "sha256": "e25fb2996e2838037ab8ab6de1cb526ff2e6af111288672810cf676904bf4d37",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
- "sha256": "72795d027c2e5d95512a10ba9093cc08010fd8b0ca59bb63a4d890ebb975b67c",
+ "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "7164081a-3930-11ed-a261-0242ac120002": {
 "min_stack_version": "8.4",
@@ -4081,37 +4102,37 @@
 }
 },
 "rule_name": "Modification of Dynamic Linker Preload Shared Object",
- "sha256": "ee370bb455e172738e8297e76bea0e3601dd176b407bb84768a2db8181e6ed4b",
+ "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40",
 "type": "new_terms",
- "version": 208
+ "version": 209
 },
 "71bccb61-e19b-452f-b104-79a60e546a95": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual File Creation - Alternate Data Stream",
- "sha256": "460b042ab7e9d150c7f94a033204c22f67fdfe53c7425fedf71ff3765653154e",
+ "sha256": "ed13a55ea9f9864fa3d8cf2ec597f8c8fd6f62b93c0f4413599d1d75cb17a69e",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "71c5cb27-eca5-4151-bb47-64bc3f883270": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious RDP ActiveX Client Loaded",
- "sha256": "b5efd0d5cc03f23a2da9ba8c011e0cc2b84d668ea552d2146366bfddd578e639",
+ "sha256": "3e328cd1d4443b14c40bd6976483e6b0a46fc4832c5ea51543992f77cb4d976a",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "71d6a53d-abbd-40df-afee-c21fff6aafb0": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Passwd File Event Action",
- "sha256": "1b2764ccaeebfb5e63fcb98c2a9e754f7fc0abe955e47356b0b4ee9351ac4e0f",
+ "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "721999d0-7ab2-44bf-b328-6e63367b9b29": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft 365 Potential ransomware activity",
 "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "729aa18d-06a6-41c7-b175-b65b739b1181": {
 "min_stack_version": "8.10",
@@ -4145,16 +4166,16 @@
 "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Modification of Accessibility Binaries",
- "sha256": "3c39eaa16fbbb098a00adccdbfc303de378e965597565878032ed552bc825043",
+ "sha256": "ad9e16f4c06eeb3f11eeba4c6b5f6ebbcbd669dae6909a420cc602ada36adf32",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
 "min_stack_version": "8.3",
 "rule_name": "Modification of Environment Variable via Launchctl",
- "sha256": "3db7bef640680a74100f7cb2389b8fa17b1bafa853c727820f3049d568ba79bf",
+ "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "745b0119-0560-43ba-860a-7235dd8cee8d": {
 "min_stack_version": "8.3",
@@ -4182,9 +4203,9 @@
 }
 },
 "rule_name": "Suspicious Sysctl File Event",
- "sha256": "b493f247e0861ac433a25a825222313ab55a2ae065aadec697ad0bd00e0bab11",
+ "sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8",
 "type": "new_terms",
- "version": 106
+ "version": 107
 },
 "75dcb176-a575-4e33-a020-4a52aaa1b593": {
 "min_stack_version": "8.3",
@@ -4226,44 +4247,44 @@
 "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
 "min_stack_version": "8.3",
 "rule_name": "Access to a Sensitive LDAP Attribute",
- "sha256": "665e0cbf656dd660a585342d9ca129af8624f7d4926bd110ac065ffa8c2a1895",
+ "sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "766d3f91-3f12-448c-b65f-20123e9e9e8c": {
 "min_stack_version": "8.3",
 "rule_name": "Creation of Hidden Shared Object File",
- "sha256": "206720563a79d6cc24a435a4e574b8ac6f666a690d5b70e18d8aee09cc146701",
+ "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "76ddb638-abf7-42d5-be22-4a70b0bf7241": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
- "sha256": "244ab9baa1c9c448b5266b5f61c1aa9a0a2ff4c56704e282a654e2a42221e5f3",
+ "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Suspicious Child Process",
- "sha256": "0b1d34efa9ae7e3ad725a2070ea832695c414dc144430193559862f9f0b91876",
+ "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Remote Desktop Tunneling Detected",
- "sha256": "0a25436ab1e2f5bac3e48c5faeeda31383d3a1d24fa948ba070025f02583a311",
+ "sha256": "a810edd1617bc4ef3ae1a664742c5516a727a73fc12d9aa3e001fd9a2fbe07a9",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "770e0c4d-b998-41e5-a62e-c7901fd7f470": {
 "min_stack_version": "8.3",
 "rule_name": "Enumeration Command Spawned via WMIPrvSE",
- "sha256": "68070ae4d21b5df8c2d3a557ef4e6ec168133c90cc9738a6eb39dd108f5d585b",
+ "sha256": "6aeba930f5f44ebe3664c42b528c463e2e6c8ccf360ef292fad035a88e96054b",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "774f5e28-7b75-4a58-b94e-41bf060fdd86": {
 "min_stack_version": "8.3",
@@ -4275,9 +4296,9 @@
 "7787362c-90ff-4b1a-b313-8808b1020e64": {
 "min_stack_version": "8.6",
 "rule_name": "UID Elevation from Previously Unknown Executable",
- "sha256": "2730756601b3e9c3122bb97458b0f9f58e407913123e9572e2cac648e4ebab2a",
+ "sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "min_stack_version": "8.3",
@@ -4342,9 +4363,9 @@
 "79124edf-30a8-4d48-95c4-11522cad94b1": {
 "min_stack_version": "8.3",
 "rule_name": "File Compressed or Archived into Common Format",
- "sha256": "18b4a7010976c9f689780ad80ae4d9a48f943c15092dea05795d1f861e867648",
+ "sha256": "be9ac3680ee5c8c008e6e5def969d5d0bebc37f8c3be3d8e1cc2cc215cc3e33b",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
 "min_stack_version": "8.3",
@@ -4370,9 +4391,9 @@
 "79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Shadow Credentials added to AD Object",
- "sha256": "5b2bc83ca0b1db8a3ce856ff7e859f4fec413978c1f0ddcd4886820fe2585e16",
+ "sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
@@ -4383,9 +4404,9 @@
 "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation through Writable Docker Socket",
- "sha256": "37b23adf3530355a483eccca0d78d8bb47a4e3700e5cef77ef45018e2b92ecbb",
+ "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "7b08314d-47a0-4b71-ae4e-16544176924f": {
 "rule_name": "File and Directory Discovery",
@@ -4412,9 +4433,9 @@
 "7b8bfc26-81d2-435e-965c-d722ee397ef1": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Network Enumeration",
- "sha256": "1393d48866e1f5b0f4b57ee571029deeb6d2324314b1a1f037389847bb510a15",
+ "sha256": "73a7d70a9efe2589929e776414b415cf7f3b9baf7d9fd4340955d09517d930a7",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "7ba58110-ae13-439b-8192-357b0fcfa9d7": {
 "min_stack_version": "8.8",
@@ -4428,16 +4449,16 @@
 }
 },
 "rule_name": "Suspicious LSASS Access via MalSecLogon",
- "sha256": "f019fa7b9d9928dde2726f094f938de608d17db63b48a3250216ba18df59aa50",
+ "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
 "min_stack_version": "8.3",
- "rule_name": "Tampering of Bash Command-Line History",
- "sha256": "85f902935229ecdf379a249362b9275a5392b2e83a4012e4302c874e93861074",
+ "rule_name": "Tampering of Shell Command-Line History",
+ "sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "7caa8e60-2df0-11ed-b814-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -4471,16 +4492,16 @@
 "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Kworker UID Elevation",
- "sha256": "f6a376457e527734ea6ad8afb21d2c54e93b221f1f2bf986041ff905f2baaf67",
+ "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious WMIC XSL Script Execution",
- "sha256": "6e1d3e200b1ef78b0f609fb9f6d170ecf1dbbb0aad87854a50124ac68aa8e226",
+ "sha256": "8f53ee79caceff82b54ee596c4fd3e6377d1ddb889f1ff41a0b6e2c0ce1c37dc",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
 "min_stack_version": "8.6",
@@ -4501,9 +4522,9 @@
 "7fb500fa-8e24-4bd1-9480-2a819352602c": {
 "min_stack_version": "8.6",
 "rule_name": "New Systemd Timer Created",
- "sha256": "8487f4e6a066d9cadee56c12bbe5552ada0fd68af6a3b481ffe92c308184e3be",
+ "sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948",
 "type": "new_terms",
- "version": 8
+ "version": 9
 },
 "80084fa9-8677-4453-8680-b891d3c0c778": {
 "min_stack_version": "8.6",
@@ -4517,9 +4538,9 @@
 }
 },
 "rule_name": "Enumeration of Kernel Modules via Proc",
- "sha256": "22fe55cc67764e0781b6c19cc0ac5ae66736e3a22e1ee2fe53f7dbaab789d871",
+ "sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587",
 "type": "new_terms",
- "version": 105
+ "version": 106
 },
 "800e01be-a7a4-46d0-8de9-69f3c9582b44": {
 "min_stack_version": "8.3",
@@ -4561,16 +4582,16 @@
 "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Remote File Extension",
- "sha256": "b84983a46efbfefb9fee7a305208a049944240b75335512e43271f5a7c3efebd",
+ "sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "818e23e6-2094-4f0e-8c01-22d30f3506c6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script Block Logging Disabled",
- "sha256": "cd1b53b5cd9aacd751ae8801be77543c716fd21c184f54a776380edd185e8275",
+ "sha256": "1f86aaab6eae3947a5345279878d86101a66a07e2bc16cc341c0ef0d1694e094",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
@@ -4581,9 +4602,9 @@
 "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
- "sha256": "c3b7387b5dcfde107b183b9113a7218cc9cb00b15d06c8d637eee902809f04a3",
+ "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
 "type": "query",
- "version": 110
+ "version": 111
 },
 "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
 "min_stack_version": "8.3",
@@ -4595,16 +4616,16 @@
 "827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
 "min_stack_version": "8.3",
 "rule_name": "Apple Scripting Execution with Administrator Privileges",
- "sha256": "f9e2397c95b2c307f8a7ed2bf1151fe7306a38ee6b45dce9ef9531b8e455486f",
+ "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "835c0622-114e-40b5-a346-f843ea5d01f1": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Local Account Brute Force Detected",
- "sha256": "e155a8639900413960f4bd12ebce8f9c122312dae7c25f4438034c20e4fca668",
+ "sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "83a1931d-8136-46fc-b7b9-2db4f639e014": {
 "min_stack_version": "8.3",
@@ -4622,23 +4643,23 @@
 "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Disable IPTables or Firewall",
- "sha256": "7f84af009ff9448c0b9f76177f86e6e043e7efac677af1511782322b71970a50",
+ "sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Transport Agent Install Script",
- "sha256": "2fc30dddfd6bb058fdb2c7cb62eb8c88bfc1859dea0b06dddb7e4df8bd87a205",
+ "sha256": "4383cbf7c18295b3e2ac4e14842000dc2ceae22523d545c4d807d0ad1e41d2db",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "84d1f8db-207f-45ab-a578-921d91c23eb2": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Upgrade of Non-interactive Shell",
- "sha256": "851087e9141cd70c44f496078e66eaf761bf4622e80e942be61280452391a62e",
+ "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "84da2554-e12a-11ec-b896-f661ea17fbcd": {
 "min_stack_version": "8.3",
@@ -4650,9 +4671,9 @@
 "850d901a-2a3c-46c6-8b22-55398a01aad8": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Remote Credential Access via Registry",
- "sha256": "014fc8d0bc9296aba032766dc003316df6e0c776dd7afbd1eac19022bc646ba0",
+ "sha256": "01eb8e120deae737d0fc5aabc47de2c2ffb1ae2ad9d91fbda2f67016f9d71261",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "852c1f19-68e8-43a6-9dce-340771fe1be3": {
 "min_stack_version": "8.6",
@@ -4728,16 +4749,16 @@
 "870aecc0-cea4-4110-af3f-e02e9b373655": {
 "min_stack_version": "8.3",
 "rule_name": "Security Software Discovery via Grep",
- "sha256": "a1792aee556816d8473a7ba3c81bb71e4e3f8995d2f02b96380ebc0983c971a5",
+ "sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "871ea072-1b71-4def-b016-6278b505138d": {
 "min_stack_version": "8.3",
 "rule_name": "Enumeration of Administrator Accounts",
- "sha256": "08c61e68b49996cff45a5ca3297eff4d18ce1a33c304531ceac1883f33e28cb7",
+ "sha256": "113a001053d28327c493ecc11edbf7d75e750102e0e8f5d30bcd79d564cf5cb9",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "87594192-4539-4bc4-8543-23bc3d5bd2b4": {
 "min_stack_version": "8.9",
@@ -4764,23 +4785,23 @@
 "884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Suspicious Clipboard Activity Detected",
- "sha256": "6e05caa1477a9c6b87772ce6b8bd4cb5e5f6a6b3ac3a2aa4bb06fdf531e3fba4",
+ "sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "88671231-6626-4e1b-abb7-6e361a171fbb": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft 365 Global Administrator Role Assigned",
 "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "88817a33-60d3-411f-ba79-7c905d865b2a": {
 "min_stack_version": "8.3",
 "rule_name": "Sublime Plugin or Application Script Modification",
- "sha256": "5c0fc7dd81e04f3fbd1c5c472f0bd727ad065924ec0d714e5bc13c4b6b3e45ff",
+ "sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
 "min_stack_version": "8.6",
@@ -4794,16 +4815,16 @@
 }
 },
 "rule_name": "Potential Sudo Hijacking Detected",
- "sha256": "23ef2c9b687dd9563523331067722ffb249e171d96bed0cb0aa2f444e2f69e54",
+ "sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0",
 "type": "new_terms",
- "version": 104
+ "version": 105
 },
 "891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious WMI Image Load from MS Office",
- "sha256": "fed96548137a4b9070b314d8dc25e74ad14c31c93a56277474da3a50d52a271b",
+ "sha256": "45129c0ef751c5a0e94afce6b35dc37357e77b777868036377790f5c4fdf4080",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
 "rule_name": "Linux Restricted Shell Breakout via the vi command",
@@ -4814,37 +4835,37 @@
 "897dc6b5-b39f-432a-8d75-d3730d50c782": {
 "min_stack_version": "8.3",
 "rule_name": "Kerberos Traffic from Unusual Process",
- "sha256": "6bf3ed975864635c702041b46dc27221005da366c7bea70255734a81a64a71b6",
+ "sha256": "e013429a64b9dc5fb19c3b14f924b3a3a20fe2b5d6c7b02c25cc237dc5c6a3f7",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "min_stack_version": "8.3",
 "rule_name": "Command Prompt Network Connection",
- "sha256": "c0b4574542b8ac38026cbeac09ec95c20afcf657fdf84c29293c742aa12dd7ea",
+ "sha256": "1b88c2b79976a9550252e384b74a0b8301dc8ac07eee5df05231dfe40e6181b7",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "89fa6cb7-6b53-4de2-b604-648488841ab8": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via DirectoryService Plugin Modification",
- "sha256": "abc0977e48e577f93d91ddb156280eb131accdb697133ac9f8e895d66e7ead14",
+ "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "8a024633-c444-45c0-a4fe-78128d8c1ab6": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Symbolic Link Created",
- "sha256": "4567be1709664ab3c6b7714b68a3da2e392c751aaba951f50336affeacd7e7b4",
+ "sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
 "min_stack_version": "8.10",
 "rule_name": "Potential Okta MFA Bombing via Push Notifications",
- "sha256": "8700bb27ff54ad56343421ba6fac2f451fb22a01e93bf557ae17c9bf71d3bc7d",
+ "sha256": "9b0a2839f4cf78cbec03a3af5cacad652fcad5f72e5e9f06e2c3324a6014727c",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
 "min_stack_version": "8.3",
@@ -4863,9 +4884,9 @@
 "8a1d4831-3ce6-4859-9891-28931fa6101d": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Execution from a Mounted Device",
- "sha256": "ac475836b78129386282207de17ce5b3665934cc05cee7e2f8f2a225ad06962e",
+ "sha256": "9bfce88b49a258d2ab8fb3ec0f60bfbb33b38e761b4cd49784f22e499a372754",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
 "min_stack_version": "8.10",
@@ -4895,30 +4916,30 @@
 }
 },
 "rule_name": "Suspicious JAVA Child Process",
- "sha256": "31161e50d04910648d64045479ad9d715cd57931900d62e347756f6f2c328d7f",
+ "sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75",
 "type": "new_terms",
- "version": 207
+ "version": 208
 },
 "8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
- "sha256": "17f895c23f484acde825286a1ddc686df34874b11ab6f8fe31bb183d6ecb0277",
+ "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
 "min_stack_version": "8.3",
 "rule_name": "Executable File Creation with Multiple Extensions",
- "sha256": "4198ea79876c82869eb8f56696ccca913c64daa9e44e66fef25cf4092cf41029",
+ "sha256": "3692dc005e94c6cb81f8745fe73b3dcbdb7ee3c1a9ef6a92579bd1d330ffc35a",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "8b4f0816-6a65-4630-86a6-c21c179c0d09": {
 "min_stack_version": "8.3",
 "rule_name": "Enable Host Network Discovery via Netsh",
- "sha256": "96398ef66e31c53fd65b2620d26184f54dca1cf241e0f8776db22fb848da94aa",
+ "sha256": "ea2781111fa286570f40efaaba709a54286c0669cfd802fd50b9f203a72f7fad",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
 "min_stack_version": "8.3",
@@ -4937,9 +4958,9 @@
 "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Child Process of dns.exe",
- "sha256": "50847b0a7904637d6c3c188fe6025061218aaea691f8e17e0eea0b75949cbdce",
+ "sha256": "c40456bb67141fe6e52ceecbb5652a86c0f2bc25c3569c830c27830775d9d826",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "8c81e506-6e82-4884-9b9a-75d3d252f967": {
 "min_stack_version": "8.3",
@@ -4958,9 +4979,9 @@
 "8cb84371-d053-4f4f-bce0-c74990e28f28": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful SSH Brute Force Attack",
- "sha256": "468af262f4fb45988c3072a2883f218b9b867218c50bfd7a910fdf553f88feda",
+ "sha256": "1fa94ce682e693433be3558f19ee8c0d0122db6f6970169bb1cf5775d97f9002",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "8d366588-cbd6-43ba-95b4-0971c3f906e5": {
 "min_stack_version": "8.3",
@@ -4979,9 +5000,9 @@
 "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via PKEXEC",
- "sha256": "d10513c76a16d9b08cc676bb9c075b5cb14a570fc47bbc001974e164a33c7fde",
+ "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "min_stack_version": "8.3",
@@ -5014,9 +5035,9 @@
 "8f919d4b-a5af-47ca-a594-6be59cd924a4": {
 "min_stack_version": "8.3",
 "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
- "sha256": "9c3c0848659cf6ee23a2450fed6a0492e2de6ef5758060587ab61c498f7a2a26",
+ "sha256": "255640fff5ed7925f70536c53d8938bf0533206a892d48e893a058e93a20b979",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
 "min_stack_version": "8.3",
@@ -5034,9 +5055,9 @@
 "90169566-2260-4824-b8e4-8615c3b4ed52": {
 "min_stack_version": "8.3",
 "rule_name": "Hping Process Activity",
- "sha256": "74d72e7e3dd68055c5ee97e48e346ba23e5f097eab561f664ba954586941ca4b",
+ "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "min_stack_version": "8.9",
@@ -5057,9 +5078,9 @@
 "9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
 "min_stack_version": "8.3",
 "rule_name": "Keychain Password Retrieval via Command Line",
- "sha256": "7ff71544a593f40e8c7261a058bd9edd9c796f925043bb8c917fbdfab7137f94",
+ "sha256": "d840381331d67563c745889e2cbbd47273b7f92250ff5f51de65a7108a762efb",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "90babaa8-5216-4568-992d-d4a01a105d98": {
 "min_stack_version": "8.3",
@@ -5128,9 +5149,9 @@
 "92984446-aefb-4d5e-ad12-598042ca80ba": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
- "sha256": "56cc019faadb8280664ecf10a42855016007af7f3413a2503ba3216c9b8307aa",
+ "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
 "min_stack_version": "8.3",
@@ -5142,9 +5163,9 @@
 "92d3a04e-6487-4b62-892d-70e640a590dc": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Evasion via Windows Filtering Platform",
- "sha256": "7c38b0901885837073d9e0ad209f2c2ffc620ca353882769c852bc2106bdce4c",
+ "sha256": "030d478f5bddae65e8f04f82a6157ab452650de7a6d0b647848e842651ac9d7c",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "93075852-b0f5-4b8b-89c3-a226efae5726": {
 "min_stack_version": "8.9",
@@ -5197,16 +5218,16 @@
  "93b22c0a-06a0-4131-b830-b10d5e166ff4": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious SolarWinds Child Process",
- "sha256": "f4344ee212e64d34651acd2ebc698995f7ad7e879bff953a02edecf50a2ce80d",
+ "sha256": "df0ba86beb4118b6f55a5970adbe558c2f9a9845cc50d152084a527067efae03",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "93c1ce76-494c-4f01-8167-35edfb52f7b1": {
  "min_stack_version": "8.3",
  "rule_name": "Encoded Executable Stored in the Registry",
- "sha256": "3ab5284a9f2ffdcbb1cc8acb795f4da54e219abbd241a58dd7a0797097d55f66",
+ "sha256": "97a385e0496447ac9bc02ec4f05003b37f913d60778bb33026ee4689321f305b",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
  "min_stack_version": "8.4",
@@ -5243,16 +5264,16 @@
  "947827c6-9ed6-4dec-903e-c856c86e72f3": {
  "min_stack_version": "8.3",
  "rule_name": "Creation of Kernel Module",
- "sha256": "fa5ba6a7b2e6d152888b0d7092c06b5ede38ccd92aafe335279b3db465ec2076",
+ "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
  "min_stack_version": "8.3",
  "rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
- "sha256": "2bacdc3988548986c2dd070cd0e1df419868ab248ce0c6cb0a2749f274c044c2",
+ "sha256": "8c675238fbf36a2b6439b67333f1563d27dcfb24f7fd66154eea09190df6d24f",
  "type": "eql",
- "version": 6
+ "version": 7
  },
  "9510add4-3392-11ed-bd01-f661ea17fbce": {
  "min_stack_version": "8.4",
@@ -5273,16 +5294,16 @@
  "954ee7c8-5437-49ae-b2d6-2960883898e9": {
  "min_stack_version": "8.3",
  "rule_name": "Remote Scheduled Task Creation",
- "sha256": "1df41e4a31085a0992f0810059addf6a2ad7525c1b132d8c8e5396bff9167837",
+ "sha256": "13fe787d37ebef87d8d7877e4cfa4ff487b7a7929a8ab437a22dd341c40db27a",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "959a7353-1129-4aa7-9084-30746b256a70": {
  "min_stack_version": "8.3",
  "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
- "sha256": "e78782a0cdbd987aa3010fccef02313ff6034a0bd881b5c21e14d0e2697e512d",
+ "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
  "type": "query",
- "version": 107
+ "version": 108
  },
  "9661ed8b-001c-40dc-a777-0983b7b0c91a": {
  "min_stack_version": "8.8",
@@ -5294,9 +5315,9 @@
  "968ccab9-da51-4a87-9ce2-d3c9782fd759": {
  "min_stack_version": "8.3",
  "rule_name": "File made Immutable by Chattr",
- "sha256": "93ea8e110510f4d6b4d6a0d61e3b215308a17725f4f5220c8aded0d71979760f",
+ "sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e",
  "type": "eql",
- "version": 110
+ "version": 111
  },
  "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
  "min_stack_version": "8.10",
@@ -5317,30 +5338,30 @@
  "96d11d31-9a79-480f-8401-da28b194608f": {
  "min_stack_version": "8.6",
  "rule_name": "Potential Persistence Through MOTD File Creation Detected",
- "sha256": "44dc1535fd4e7eb81d869d9de8f6cacc76fed22ccd3dd934b014213d9cb3f7c6",
+ "sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1",
  "type": "new_terms",
- "version": 8
+ "version": 9
  },
  "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
  "min_stack_version": "8.3",
  "rule_name": "Access to Keychain Credentials Directories",
- "sha256": "360631a00947fd49eec1f1e5ec2234141c5e18b5d345f84d59ffdbfcf8022c22",
+ "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "97020e61-e591-4191-8a3b-2861a2b887cd": {
  "min_stack_version": "8.3",
  "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
- "sha256": "0406b3af7729bc87f43a01dead08aa82869be209941aa85bc7d4f2bcc959a505",
+ "sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36",
  "type": "eql",
- "version": 6
+ "version": 7
  },
  "97314185-2568-4561-ae81-f3e480e5e695": {
  "min_stack_version": "8.3",
  "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
  "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6",
  "type": "query",
- "version": 103
+ "version": 105
  },
  "97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
  "min_stack_version": "8.3",
@@ -5391,9 +5412,9 @@
  "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Zoom Child Process",
- "sha256": "f82a785c120d52dcd2123f3f9d2f8b7503d520c6ea8e46fd74f310e8a53dd233",
+ "sha256": "2ffff124b6528b62de29abc5f2e3c94b3f3da565038785122b8fbc2e0a502d46",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
  "rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -5404,9 +5425,9 @@
  "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
  "min_stack_version": "8.5",
  "rule_name": "Suspicious Renaming of ESXI Files",
- "sha256": "b87b60b05b9803f0259a56de2a7e627e99f798c1c705c13683be2ed8ce2cdfa0",
+ "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "97f22dab-84e8-409d-955e-dacd1d31670b": {
  "rule_name": "Base64 Encoding/Decoding Activity",
@@ -5447,7 +5468,7 @@
  "rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
  "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c",
  "type": "query",
- "version": 103
+ "version": 105
  },
  "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
  "min_stack_version": "8.9",
@@ -5475,16 +5496,16 @@
  "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
  "min_stack_version": "8.3",
  "rule_name": "MacOS Installer Package Spawns Network Event",
- "sha256": "3716f7ea4026fc8bb71aa2f326ddd6b6d1d47e6e120cf8b992ebdc2dd76ebb95",
+ "sha256": "3307efa82a9f01aac2ec0e12a8268b9ab1498a83ef8e3f14b82fec6bbb5855fc",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "994e40aa-8c85-43de-825e-15f665375ee8": {
  "min_stack_version": "8.9",
  "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
- "sha256": "e793c278c3154d2a7eb15afce2d4936fa72a471bdcdf6df479c3166fcaa95e48",
+ "sha256": "7d474c1db1e3f8cfa6fc070c3448e092cb34a2592f3dda373c71601ce7875a50",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "9960432d-9b26-409f-972b-839a959e79e2": {
  "min_stack_version": "8.8",
@@ -5498,9 +5519,9 @@
  }
  },
  "rule_name": "Potential Credential Access via LSASS Memory Dump",
- "sha256": "7c1bfb7ad5929a367b5f379a7dddffadf5d05a96b023c46d9f9dfc0f65c293ff",
+ "sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292",
  "type": "eql",
- "version": 208
+ "version": 209
  },
  "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
  "min_stack_version": "8.3",
@@ -5524,7 +5545,7 @@
  "version": 1
  },
  "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
- "min_stack_version": "8.4",
+ "min_stack_version": "8.6",
  "previous": {
  "8.3": {
  "max_allowable_version": 104,
@@ -5532,26 +5553,33 @@
  "sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8",
  "type": "eql",
  "version": 6
+ },
+ "8.4": {
+ "max_allowable_version": 207,
+ "rule_name": "Potential Shadow File Read via Command Line Utilities",
+ "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0",
+ "type": "new_terms",
+ "version": 108
  }
  },
  "rule_name": "Potential Shadow File Read via Command Line Utilities",
- "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0",
+ "sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780",
  "type": "new_terms",
- "version": 108
+ "version": 208
  },
  "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Explorer Child Process",
- "sha256": "c3d174846da93503bc0c6e8bad7457d78fd6407edb3c26126d26f77f0cfa641c",
+ "sha256": "59e5a0e0931a902b5c7d386df804a1f9d8a829c127bee7f062d94eae7046c813",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
  "min_stack_version": "8.3",
  "rule_name": "Scheduled Tasks AT Command Enabled",
- "sha256": "61f8172cb58555796f4e21453eed4c63c104954b1dd8b0c1bc083e27d2cbb30c",
+ "sha256": "9076dc95ec176da1582e50d30bd0ee68097fdc5a13f6639cd77542543ff32df3",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
  "min_stack_version": "8.3",
@@ -5563,23 +5591,23 @@
  "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
  "min_stack_version": "8.3",
  "rule_name": "Persistence via WMI Event Subscription",
- "sha256": "c90bca94072951ac96d248d96623d3f465eb8149589da431958585d65f1b58dd",
+ "sha256": "7aa7543ffcc5542e1cc4cecc38eea33a5a697662ce334f941845b66396cabdfd",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "9b80cb26-9966-44b5-abbf-764fbdbc3586": {
  "min_stack_version": "8.11",
  "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
- "sha256": "a841eddbb327459aeaf07490f410d4a916c78b996157eff8364de689b0bb3d58",
+ "sha256": "09a5921aebc2dd2ccaa3c5f1ec3555fe6b3c42684ded88c5f19af5361d9b7bee",
  "type": "eql",
- "version": 1
+ "version": 2
  },
  "9c260313-c811-4ec8-ab89-8f6530e0246c": {
  "min_stack_version": "8.3",
  "rule_name": "Hosts File Modified",
- "sha256": "50338b66af75925ac6caab0efac8d88389c5fc35d36c0c79d9cf13e6c5216d4d",
+ "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
  "min_stack_version": "8.3",
@@ -5598,9 +5626,9 @@
  "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
  "min_stack_version": "8.3",
  "rule_name": "Command Shell Activity Started via RunDLL32",
- "sha256": "7c85cda2ba8c616a49ecb284a9667fff21227a2b0dab8e6841784917cb0f5528",
+ "sha256": "1557e125020f22f550954a48efb59d63def281e03eedb5aef393445f4df56377",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
  "min_stack_version": "8.4",
@@ -5636,30 +5664,30 @@
  }
  },
  "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "49ff4c065b98857ff01ee88c9052d337d8e6a1c932b1e257d3a2022da734fa7f",
+ "sha256": "da0d96328e9305e09c51d864be3b8ccd37f29f0be6110ed14a08805fecbaa285",
  "type": "new_terms",
- "version": 207
+ "version": 208
  },
  "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
  "min_stack_version": "8.3",
  "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "72663ce937cfe8297eab4c6f26dd8146c42d0a5c335c22dd556e6c6fda096a26",
+ "sha256": "6039c4fddc944ad2363c6a8ed087a5f1137650a45d722478e022a34684c6925e",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
  "min_stack_version": "8.3",
  "rule_name": "Microsoft Build Engine Using an Alternate Name",
- "sha256": "0d0e8c94d7ee081e8bc9cc4346749b06acc07871ad4b8e3506d6a50db76a8e8f",
+ "sha256": "c9187ee2ac090322d625b811f9c9758f1f3f18e52fbe549318d885af07b81912",
  "type": "eql",
- "version": 110
+ "version": 111
  },
  "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Credential Access via Trusted Developer Utility",
- "sha256": "4cf250c89befd6b335e6331fbef794c1a969a7f19e203c159d5a84ff3c54f944",
+ "sha256": "62bfa3320a728b9d22e217c934dfbfe064bfd12070d28fd4111d641cdc7c66c8",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
  "min_stack_version": "8.6",
@@ -5673,23 +5701,23 @@
  }
  },
  "rule_name": "Microsoft Build Engine Started an Unusual Process",
- "sha256": "15fb82f8d4353f95ae6afebc4b4f30ede5ce57b8bed8ddf57dda4453add96880",
+ "sha256": "7e1573ee5a2439e23df62491f17b161f34b7807f0f35b767ea93b1b40e78af78",
  "type": "new_terms",
- "version": 209
+ "version": 210
  },
  "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
  "min_stack_version": "8.3",
  "rule_name": "Process Injection by the Microsoft Build Engine",
- "sha256": "b8d4e0bd773e95d96983fb5724ac1405de2f5d491182e453c4dad3af9efe10cd",
+ "sha256": "91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438",
  "type": "query",
- "version": 105
+ "version": 106
  },
  "9d19ece6-c20e-481a-90c5-ccca596537de": {
  "min_stack_version": "8.3",
  "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
- "sha256": "a96af71832577dd58427030d8213653dc4e553bed0e3edf06ad87c56ceef6c49",
+ "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "9d302377-d226-4e12-b54c-1906b5aec4f6": {
  "min_stack_version": "8.3",
@@ -5701,16 +5729,16 @@
  "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Protocol Tunneling via EarthWorm",
- "sha256": "fe83625174ae62ca10465c0894c0d81aa59d398c6afe266c565f6f6e18c6d027",
+ "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Credential Access via DCSync",
- "sha256": "008b0f6532321a77ee911abe070b818d971c7f5c23e3e4c5b78caf79ea21af08",
+ "sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407",
  "type": "eql",
- "version": 112
+ "version": 113
  },
  "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
  "min_stack_version": "8.6",
@@ -5724,9 +5752,9 @@
  }
  },
  "rule_name": "File Permission Modification in Writable Directory",
- "sha256": "4ab67b4caab391230f6183fbc044cb1b7175bacef62351a227a5f3d5b2754ebf",
+ "sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46",
  "type": "new_terms",
- "version": 209
+ "version": 210
  },
  "a00681e3-9ed6-447c-ab2c-be648821c622": {
  "min_stack_version": "8.9",
@@ -5747,9 +5775,9 @@
  }
  },
  "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
- "sha256": "7cd0da2ff3ffb5eb309da5e40ce09ddc719465d69413af21aaa59db60bf569ea",
+ "sha256": "ef816e620eb5e1c235c15a867cc0e00fcdb617192bd0f3bd48b5bde3c920230a",
  "type": "new_terms",
- "version": 308
+ "version": 309
  },
  "a02cb68e-7c93-48d1-93b2-2c39023308eb": {
  "min_stack_version": "8.3",
@@ -5761,9 +5789,9 @@
  "a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Privilege Escalation via Python cap_setuid",
- "sha256": "34d3a3910421f8e47718cb1b17c6aba5121961b5615a4efd54311a63be1e1996",
+ "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
  "min_stack_version": "8.3",
@@ -5775,30 +5803,30 @@
  "a13167f1-eec2-4015-9631-1fee60406dcf": {
  "min_stack_version": "8.3",
  "rule_name": "InstallUtil Process Making Network Connections",
- "sha256": "5b2271e8146d2aa236084a96b10d1b5a449f721404a7262dc44bde744bac37ec",
+ "sha256": "e5c1b36f03917a30397453769b11a6d01559d9007fd76710654f23e9d0422ac1",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "a1329140-8de3-4445-9f87-908fb6d824f4": {
  "min_stack_version": "8.3",
  "rule_name": "File Deletion via Shred",
- "sha256": "9fdb40d449cc37e389ca527d2412f00004449adc3a106b14df51079f903bc912",
+ "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "a16612dd-b30e-4d41-86a0-ebe70974ec00": {
  "min_stack_version": "8.3",
  "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
- "sha256": "3ff59549bc7312fb3e7d7ad2ef2c07ffa133897254e66a01276691c4242bfa47",
+ "sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "a1699af0-8e1e-4ed0-8ec1-89783538a061": {
  "min_stack_version": "8.3",
  "rule_name": "Windows Subsystem for Linux Distribution Installed",
- "sha256": "824c61e43e5e5a716f7c86a9bae768ce4ad3d3da5d6151920028b34c4e163889",
+ "sha256": "9b812a2bfc24c437f4a6867a57dffa0c92f1ded49780da916eac728d36e39a20",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
  "min_stack_version": "8.3",
@@ -5810,30 +5838,30 @@
  "a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
  "min_stack_version": "8.7",
  "rule_name": "My First Rule",
- "sha256": "43d6a8a026423a6d83ae7d5ef0bed2a9cdf07d16f2c3c2f778c6634a42c06617",
+ "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29",
  "type": "threshold",
- "version": 2
+ "version": 3
  },
  "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Reverse Shell Activity via Terminal",
- "sha256": "8f69f6ae427ea73eafb4cf848c309276fe9aca7580196ae73c4ab5c04f17f76d",
+ "sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
  "min_stack_version": "8.3",
  "rule_name": "Linux Group Creation",
- "sha256": "82a50a210890c906316f6d24693a3fc54e187dc59bfda67f20fee0bf8d3814e4",
+ "sha256": "85d788ae6caafcb45540c9a97804b5cd443104831fdd74e17fdf1526979f6fc2",
  "type": "eql",
- "version": 3
+ "version": 4
  },
  "a22a09c2-2162-4df0-a356-9aacbeb56a04": {
  "min_stack_version": "8.3",
  "rule_name": "DNS-over-HTTPS Enabled via Registry",
- "sha256": "efe8131f73b131021b975ef3db9981aa32094d89390efd450ec9534e861bed51",
+ "sha256": "53a5fc5d2f7c5de407de0f33a946575689b70044b0a333985d54afc07788e00d",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "a2795334-2499-11ed-9e1a-f661ea17fbce": {
  "min_stack_version": "8.4",
@@ -5854,16 +5882,16 @@
  "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
  "min_stack_version": "8.3",
  "rule_name": "PowerShell Mailbox Collection Script",
- "sha256": "3087ff625a0c9849ca67d67b189bdf8521aef5642122426e1c7503f7c6e0559d",
+ "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
  "type": "query",
- "version": 6
+ "version": 7
  },
  "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
  "min_stack_version": "8.3",
  "rule_name": "Execution via local SxS Shared Module",
- "sha256": "afc5e36abc802e9089f1c9b9220fa3199749c285d95ab25286451b2cb0647fe0",
+ "sha256": "45610db4c1dfb5af66fd7794c88af23acafcc45889a8cdc31535e88522b6b777",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
  "min_stack_version": "8.3",
@@ -5888,16 +5916,16 @@
  "a577e524-c2ee-47bd-9c5b-e917d01d3276": {
  "min_stack_version": "8.11",
  "rule_name": "CAP_SYS_ADMIN Assigned to Binary",
- "sha256": "d5e3e722b643e6532e435b70be6debcd965f9202b481dd6b5338f6ba1c5ae12a",
+ "sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84",
  "type": "new_terms",
- "version": 1
+ "version": 2
  },
  "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
  "min_stack_version": "8.6",
  "rule_name": "Potential Reverse Shell via UDP",
- "sha256": "056330ce15b11c973e70c3e0c1d7bb71f2e6412c067cf08db1ed4428a5dcbd57",
+ "sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "a5f0d057-d540-44f5-924d-c6a2ae92f045": {
  "min_stack_version": "8.3",
@@ -5932,44 +5960,44 @@
  "a61809f3-fb5b-465c-8bff-23a8a068ac60": {
  "min_stack_version": "8.5",
  "rule_name": "Threat Intel Windows Registry Indicator Match",
- "sha256": "9b269e2592ed655d3f250273bfc1a1116ab23ed32747541270da9a81f0d908bf",
+ "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6",
  "type": "threat_match",
- "version": 5
+ "version": 6
  },
  "a624863f-a70d-417f-a7d2-7a404638d47f": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious MS Office Child Process",
- "sha256": "a81ed00d0e6066a39fd5a3f427861a0893752d04f344025ac5cf52af3bb89afb",
+ "sha256": "2ddbd9552fb06d871be6cf3c6df05e82db51c0522c2c1fd0fc57533539f20d00",
  "type": "eql",
- "version": 110
+ "version": 111
  },
  "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
  "min_stack_version": "8.3",
  "rule_name": "Emond Rules Creation or Modification",
- "sha256": "9c88642e11a43c139d78492404690649488e23d89b508c7de31e65e235630a25",
+ "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "a74c60cb-70ee-4629-a127-608ead14ebf1": {
  "min_stack_version": "8.9",
  "rule_name": "High Mean of RDP Session Duration",
- "sha256": "b5ff9202f928ffea90be6b05e0a028c6b37da1aeb007eeba5fb6a7f5f75c92b3",
+ "sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a",
  "type": "machine_learning",
- "version": 2
+ "version": 3
  },
  "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Print Spooler SPL File Created",
- "sha256": "9da761d681a4afa141f5edaffb870d0fcb0f18117dc031fbb50e7e3f0c718742",
+ "sha256": "d07d1d6f15fe4ec31b7e048901b93e28b9a86c97749f465ae96b0605254edb9b",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
  "min_stack_version": "8.3",
  "rule_name": "Credential Acquisition via Registry Hive Dumping",
- "sha256": "d69ede40621f9394c675ab79f8f227e9f655fa33a83542e9dc49ef1c0e18f3a0",
+ "sha256": "8be0d29840df5209032b472d52631f3b32a31c84e9f20329ad8cf4e232029535",
  "type": "eql",
- "version": 108
+ "version": 109
  },
  "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
  "min_stack_version": "8.3",
@@ -5988,9 +6016,9 @@
  "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
  "min_stack_version": "8.9",
  "rule_name": "High Variance in RDP Session Duration",
- "sha256": "ae52791c8f4a7d0173fa12bfe257b0386155b7776abe2fe91e4598c465460409",
+ "sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539",
  "type": "machine_learning",
- "version": 2
+ "version": 3
  },
  "a9198571-b135-4a76-b055-e3e5a476fd83": {
  "rule_name": "Hex Encoding/Decoding Activity",
@@ -6003,7 +6031,7 @@
  "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
  "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2",
  "type": "query",
- "version": 103
+ "version": 105
  },
  "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
  "min_stack_version": "8.4",
@@ -6024,9 +6052,9 @@
  "a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
  "min_stack_version": "8.3",
  "rule_name": "Persistence via Hidden Run Key Detected",
- "sha256": "a4fa9c90990fb09a05cf7871a006a72eaebb98589699350427858c062146d05b",
+ "sha256": "1b00d88e46d2c46a81b2d4ff330ea35d106e96c250135e83c8f9464f7fa4dce9",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
  "min_stack_version": "8.3",
@@ -6045,23 +6073,30 @@
  "aa895aea-b69c-4411-b110-8d7599634b30": {
  "min_stack_version": "8.3",
  "rule_name": "System Log File Deletion",
- "sha256": "13abacac9bff946a2754663dce57296eb4b411ca308e66b45f82112bec190bdb",
+ "sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
  "min_stack_version": "8.3",
  "rule_name": "Remotely Started Services via RPC",
- "sha256": "ae79bdba08fd0d993c81cf99262e5013df74389cad877e333dd2760bc07912f2",
+ "sha256": "227b14152ef406f1f76685d2ce4eaa7e142e3dccdf9c18cf6244a4dddf55cb07",
  "type": "eql",
- "version": 109
+ "version": 110
+ },
+ "aaab30ec-b004-4191-95e1-4a14387ef6a6": {
+ "min_stack_version": "8.3",
+ "rule_name": "Veeam Backup Library Loaded by Unusual Process",
+ "sha256": "9e919b338b25f9098acdb28f9ac805dd9d43425d8909e4aab5909c4c45f6a148",
+ "type": "eql",
+ "version": 1
  },
  "aab184d3-72b3-4639-b242-6597c99d8bca": {
  "min_stack_version": "8.5",
  "rule_name": "Threat Intel Hash Indicator Match",
- "sha256": "65feb9de6214f63b609e468ff830ceb54b824a8d5c170bf0bcb729bb79a7e2a6",
+ "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe",
  "type": "threat_match",
- "version": 6
+ "version": 7
  },
  "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
  "min_stack_version": "8.3",
@@ -6080,16 +6115,16 @@
  "ac412404-57a5-476f-858f-4e8fbb4f48d8": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Persistence via Login Hook",
- "sha256": "5431b29441b0311ce85f05817f1b65afc8e1440be98c43efc808531aceb55b40",
+ "sha256": "c840e0e433c076d6a236cb3c1e1ae89eb1d04d77a7694aff0ef3e1a8ea113e36",
  "type": "query",
- "version": 106
+ "version": 107
  },
  "ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious WerFault Child Process",
- "sha256": "6db650fd26dc358bff1969f2dddd549f4725e7cb9e13c6037613103125d67d05",
+ "sha256": "2f8517fcc799e218e702b6dbc5f69ca0a73a8c4829958fa3b4a4017656953c25",
  "type": "eql",
- "version": 110
+ "version": 111
  },
  "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
  "min_stack_version": "8.9",
@@ -6110,16 +6145,16 @@
  "ac8805f6-1e08-406c-962e-3937057fa86f": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Protocol Tunneling via Chisel Server",
- "sha256": "34b6716c496b1178e904c674b9e693a568ca3f5cc14b35679edfebdcbe819cb1",
+ "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Invoke-Mimikatz PowerShell Script",
- "sha256": "f9fa4733a750754f6f49fbaeaf98e2523d57e77e5daba2e13bfc9c2d201f92aa",
+ "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
  "type": "query",
- "version": 107
+ "version": 108
  },
  "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
  "min_stack_version": "8.4",
@@ -6140,30 +6175,30 @@
  "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Command and Control via Internet Explorer",
- "sha256": "abc48431a5b42f5096e7d24ebd4ce9ce57b8f5f4f0edfbfb43583d71546b3e44",
+ "sha256": "b640ecd8355b7fa8945ad7ac3bb3f0a0d80b32741613c7f79c3ed6cfe566f67d",
  "type": "eql",
- "version": 104
+ "version": 105
  },
  "ace1e989-a541-44df-93a8-a8b0591b63c0": {
  "min_stack_version": "8.3",
  "rule_name": "Potential macOS SSH Brute Force Detected",
- "sha256": "e2d5aaa14adce5d3edef5c2878f96a6193c5805eea425e8004b91d9d6a831b2a",
+ "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9",
  "type": "threshold",
- "version": 107
+ "version": 108
  },
  "acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Managed Code Hosting Process",
- "sha256": "0a533f32c8d5462d986ae942d838d8fba2be5f9d9d777acbf61864a1fda4b275",
+ "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "ad0d2742-9a49-11ec-8d6b-acde48001122": {
  "min_stack_version": "8.3",
  "rule_name": "Signed Proxy Execution via MS Work Folders",
- "sha256": "29f84a5a0a32118cb2f436d97ed35f3666bf97fb09b76724beb49dee5d4b3db4",
+ "sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543",
  "type": "eql",
- "version": 107
+ "version": 108
  },
  "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
  "rule_name": "Proxy Port Activity to the Internet",
@@ -6190,30 +6225,30 @@
  "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
- "sha256": "ece2a16a9368d49618c91e7029dec21e11078bc4c3f43049efcc7a83009a327c",
+ "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
  "type": "query",
- "version": 109
+ "version": 110
  },
  "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
  "min_stack_version": "8.3",
  "rule_name": "Kerberos Cached Credentials Dumping",
- "sha256": "a1d0802a3a49d1a2c58175fb38e49b393c12892b0263bc10245b307ccec0d964",
+ "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6",
  "type": "query",
- "version": 105
+ "version": 106
  },
  "ad959eeb-2b7b-4722-ba08-a45f6622f005": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious APT Package Manager Execution",
- "sha256": "8b78fc4a9959793ebadb1dd12240e38a6331356b5ce0733f090b31e48fd71b7d",
+ "sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa",
  "type": "eql",
- "version": 1
+ "version": 2
  },
  "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
  "min_stack_version": "8.3",
  "rule_name": "File Transfer or Listener Established via Netcat",
- "sha256": "20f29e024f8e2c4bfc4ab6a034eae6d65d6ea9e12e66e31fef4166c5db5a2ae4",
+ "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "adbfa3ee-777e-4747-b6b0-7bd645f30880": {
  "min_stack_version": "8.3",
@@ -6225,65 +6260,65 @@
  "ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious File Creation via Kworker",
- "sha256": "e16b4400106935d2e647c6809da5ebd20b8bb5321fe99b56a8371c045098d5eb",
+ "sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35",
  "type": "eql",
- "version": 2
+ "version": 3
  },
  "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
- "sha256": "a332e02143efbab6ecaf181c31cf786213bf5fa96f20b0248162df6cd92552ab",
+ "sha256": "e46d6ec23006876133bf7f4911655b998c5f56cffbaef8488e7f9d052cde7391",
  "type": "eql",
- "version": 3
+ "version": 4
  },
  "aebaa51f-2a91-4f6a-850b-b601db2293f4": {
  "min_stack_version": "8.6",
  "rule_name": "Shared Object Created or Changed by Previously Unknown Process",
- "sha256": "93d1f7b87af4cbf3e570105779fa64a035a4dfbf8722a72a9f51ab8426b0956e",
+ "sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92",
  "type": "new_terms",
- "version": 6
+ "version": 7
  },
  "afa135c0-a365-43ab-aa35-fd86df314a47": {
  "min_stack_version": "8.3",
  "rule_name": "Unusual User Privilege Enumeration via id",
- "sha256": "61d1e232e65d235e74fb2f09d2e3448d548edebd7ed582d6304475ea93299e0d",
+ "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123",
  "type": "eql",
- "version": 3
+ "version": 4
  },
  "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
  "min_stack_version": "8.3",
  "rule_name": "Local Scheduled Task Creation",
- "sha256": "4affb2391184f7f15ecce386a97e00cbad45ccfc2b853a118c89fdbe6fc192b0",
+ "sha256": "f568b0ef55ded0b22b5b7dd6b7b744ee901e68e1a8ec576c5f7c736ca1cb06d0",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "afd04601-12fc-4149-9b78-9c3f8fe45d39": {
  "min_stack_version": "8.3",
  "rule_name": "Network Activity Detected via cat",
- "sha256": "273bd88b39f74afde539b7000e0a8c2b3d02c42ec1ddfa6c931a1e59806e1fa5",
+ "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6",
  "type": "eql",
- "version": 5
+ "version": 6
  },
  "afe6b0eb-dd9d-4922-b08a-1910124d524d": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Privilege Escalation via Container Misconfiguration",
- "sha256": "b3876016cbc0e3a82a911ae80577053bb2c945e539ccb227a3ae520814c476ef",
+ "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19",
  "type": "eql",
- "version": 4
+ "version": 5
  },
  "b0046934-486e-462f-9487-0d4cf9e429c6": {
  "min_stack_version": "8.3",
  "rule_name": "Timestomping using Touch Command",
- "sha256": "49cdb820a25852de696d39b218df30f8b82ac01a4696bbbf5ca7aa0c5df3d0dc",
+ "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4",
  "type": "eql",
- "version": 105
+ "version": 106
  },
  "b00bcd89-000c-4425-b94c-716ef67762f6": {
  "min_stack_version": "8.3",
  "rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
- "sha256": "b919ec7747f8bf3d3a989dbb2894552ecf9eee7139899e68b404a3802c120c3d",
+ "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f",
  "type": "query",
- "version": 105
+ "version": 106
  },
  "b0638186-4f12-48ac-83d2-47e686d08e82": {
  "min_stack_version": "8.3",
@@ -6315,23 +6350,23 @@
  "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
  "min_stack_version": "8.3",
  "rule_name": "Remote File Copy via TeamViewer",
- "sha256": "e726cfbb1046391cb001954a90288d5b3222d8379b5ae13d58b6e6bc20aec033",
+ "sha256": "ff89ad4aea94c4e2d244dad812d4839a1f9d5e6e2da0237d8c78ede5a866a855",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "b2951150-658f-4a60-832f-a00d1e6c6745": {
  "min_stack_version": "8.3",
  "rule_name": "Microsoft 365 Unusual Volume of File Deletion",
  "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf",
  "type": "query",
- "version": 103
+ "version": 105
  },
  "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
  "min_stack_version": "8.3",
  "rule_name": "Network Connection via Compiled HTML File",
- "sha256": "e8e9639034967a9e5d52426676e6b17b2db0a5dc5486e95811962f4c94b42933",
+ "sha256": "5c31d3ee5a1f3110f563ae65789deccfa6e2606645333b1227a8a143988b46e5",
  "type": "eql",
- "version": 106
+ "version": 107
  },
  "b347b919-665f-4aac-b9e8-68369bf2340c": {
  "min_stack_version": "8.3",
@@ -6343,9 +6378,9 @@
  "b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
  "min_stack_version": "8.3",
  "rule_name": "Suspicious Endpoint Security Parent Process",
- "sha256": "1febba999144c11d4eda1df90ed6dea43965b2967e98e431fd00fd7678d5f6ab",
+ "sha256": "c2dd0de863712d8823fec709659ea8a08962a32c4a34cd409a13020217234029",
  "type": "eql",
- "version": 109
+ "version": 110
  },
  "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
  "min_stack_version": "8.3",
@@ -6357,9 +6392,9 @@
  "b4449455-f986-4b5a-82ed-e36b129331f7": {
  "min_stack_version": "8.3",
  "rule_name": "Potential Persistence via Atom Init Script Modification",
- "sha256": "c663140ba0d75027a34b394dec5c86633102e0f2514050f99e1d706c97cb9b8e",
+ "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900",
  "type": "query",
- "version": 105
+ "version": 106
  },
  "b45ab1d2-712f-4f01-a751-df3826969807": {
  "min_stack_version": "8.9",
@@ -6403,37 +6438,44 @@
 "b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via OverlayFS",
- "sha256": "03a4f6b34b5dd327671e71297f46ad0cedca4be702f6d4e86c8bd886bf03f510",
+ "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "b5877334-677f-4fb9-86d5-a9721274223b": {
 "min_stack_version": "8.3",
 "rule_name": "Clearing Windows Console History",
- "sha256": "4f1edbc2a0759248f18fff799e917c82a93edefae6afa469993a0d4a9d474235",
+ "sha256": "f8d74d2c65e451203da1ba4c2ef800514575ffc18fcd3459bbaa537c6c85723c",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "min_stack_version": "8.3",
 "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
- "sha256": "2d9ef207293a121119cb59ae49cccdfe032686bc735a7041220c3001324a641d",
+ "sha256": "1e1adb586a134fbb525d8e85a924a9ed9fd88a64cf4e00c2a16c9b123248e520",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "b627cd12-dac4-11ec-9582-f661ea17fbcd": {
 "min_stack_version": "8.3",
 "rule_name": "Elastic Agent Service Terminated",
- "sha256": "36bd8dcc31b17a81b4108c6de71cf9eda443039b95e0c299255c8a89f2e8499f",
+ "sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "b64b183e-1a76-422d-9179-7b389513e74d": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Script Interpreter Executing Process via WMI",
- "sha256": "9fbd1c201afd94da2c21d31f6797a87f96380d6cb42df20af7ad7205ffcd05ac",
+ "sha256": "c5c19121debb9cac2f24c3fbf25c74adaa63b84384b8ff4dddc802e7f737f263",
 "type": "eql",
- "version": 107
+ "version": 108
+ },
+ "b661f86d-1c23-4ce7-a59e-2edbdba28247": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Veeam Credential Access Command",
+ "sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2",
+ "type": "eql",
+ "version": 1
 },
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "min_stack_version": "8.3", @@ -6461,9 +6503,9 @@ "b7c05aaf-78c2-4558-b069-87fa25973489": { "min_stack_version": "8.3", "rule_name": "Potential Buffer Overflow Attack Detected", - "sha256": "5b54f0d64a5e64f33ac533f79ae2dd7e813de6bc48b4f70016a81d4c984cb56d", + "sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4", "type": "threshold", - "version": 1 + "version": 2 }, "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.10", 
@@ -6484,58 +6526,58 @@
 "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
 "min_stack_version": "8.3",
 "rule_name": "Linux System Information Discovery",
- "sha256": "0d6d405de797c6c80d2fbc4e4771ff74da4fcec8ef4672510e7906fd491f0185",
+ "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "b8386923-b02c-4b94-986a-d223d9b01f88": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Invoke-NinjaCopy script",
- "sha256": "cb088aadbdd5bf616c55df2573347384815144c281ffc822045be2119b8568c7",
+ "sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d",
 "type": "query",
- "version": 4
+ "version": 5
 },
 "b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
 "min_stack_version": "8.3",
 "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
- "sha256": "d902ba9e2e987d47b2388ca3a51d868c1807f2d5e0b5aa7dfc634c448c664986",
+ "sha256": "bb62b769a2f4afd8ca4c917f5fd3c32ff9150db63688f907e5df4d2e37e91b70",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
 "min_stack_version": "8.3",
 "rule_name": "Network Connection via MsXsl",
- "sha256": "674552a858e0c108bede8311d70e4461a8f06e600ceccbe2ca598e97a67d2d8d",
+ "sha256": "3f7d50df91793a78c4c8ebc2a8ee1ee1a99dcbd61338345383e52abce0b51f1d",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
 "min_stack_version": "8.3",
 "rule_name": "Kirbi File Creation",
- "sha256": "c38344254490e667df0c99f72e41895e32340abeed8333e6a5ed6305757ffb6d",
+ "sha256": "ac09f79864ad4373c578be0ef95a154f24210dc62a17424c2fc90ef3275ef10a",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
- "sha256": "4ae1fadfcda3b3eb16cd5ce038f967736e4b625bbc9a7296f347615d21d7725c",
+ "sha256": "43bf576ded7e0de4ef6ba09eda56e0e82559c76c74254fd774de05559f6b8d5a",
"type": "eql", - "version": 107 + "version": 108 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "1412fcfb756b1912fd57e9ed3d178e435ddc67e6d38a2dc35e415fb4d4479c6a", + "sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d", "type": "eql", - "version": 110 + "version": 111 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "min_stack_version": "8.3", "rule_name": "Discovery of Domain Groups", - "sha256": "da6f8b65c43fe10336ad0774d7a19fd888def6e0dea1c94eceab12afc0e3fde4", + "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", "type": "eql", - "version": 1 + "version": 2 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "min_stack_version": "8.3", @@ -6547,23 +6589,23 @@ "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.3", "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "e7702b1cb759c6daf40a6f3464d984e9b0b59eb02c5ef8a4b805abddc598d678", + "sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c", "type": "query", - "version": 108 + "version": 109 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "4bc5b6a6479dbdf6890629a58ca0e0ec89a67f6a4f02e5c9a27a9cb3ec5f3ede", + "sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d", "type": "eql", - "version": 109 + "version": 110 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "268cf591802efa58ca8ccc81f92c143605f8684dccee5d40e37775cc905c1ff5", + "sha256": "630c3fd24836df1312da52e9a6f0a374049088974a55d1e8147b02323e80283e", "type": "eql", - "version": 107 + "version": 108 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", 
@@ -6575,16 +6617,16 @@
 "ba81c182-4287-489d-af4d-8ae834b06040": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Driver Load by non-root User",
- "sha256": "399fbc887cd3dcfac9f551c83064514c087821520af909339cdc11d7461ee18d",
+ "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
- "sha256": "8942d1f095059286fecf8c197b44e975598fc9beee88d0e296402f027b3c4e35",
+ "sha256": "99cfc367982521de6af65b58f549f4f4c67b5ab33da03ca14f04bab37a3f5b59",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
 "min_stack_version": "8.3",
@@ -6614,7 +6656,7 @@
 "rule_name": "OneDrive Malware File Upload",
 "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "bbaa96b9-f36c-4898-ace2-581acb00a409": {
 "min_stack_version": "8.3",
@@ -6628,7 +6670,7 @@
 "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
 "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3",
 "type": "query",
- "version": 104
+ "version": 106
 },
 "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
 "min_stack_version": "8.9",
@@ -6656,16 +6698,16 @@
 "bc0fc359-68db-421e-a435-348ced7a7f92": {
 "min_stack_version": "8.11",
 "rule_name": "Potential Privilege Escalation via Enlightenment",
- "sha256": "2d4413810fd1b937b7c2f98d7a0efbae3a424df43c7a361e4938d8cec9c1ad19",
+ "sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "bc1eeacf-2972-434f-b782-3a532b100d67": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Install Root Certificate",
- "sha256": "7f461bbff1e8be89e57d400d6e907b6697dbc783dae396c6d6ee0ce3efd419f1",
+ "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
 "min_stack_version": "8.3",
@@ -6698,16 +6740,16 @@
 "bcaa15ce-2d41-44d7-a322-918f9db77766": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
- "sha256": "f5220068a8eeba34ffc00f96b7aa3a8eebafc48bce2354524c3079da13b3e96a",
+ "sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "bd2c86a0-8b61-4457-ab38-96943984e889": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Keylogging Script",
- "sha256": "fa1f00b9443c5ad654f7b853629f4075bf14005339a418325a786b9efeba54ad",
+ "sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d",
 "type": "query",
- "version": 111
+ "version": 112
 },
 "bd3d058d-5405-4cee-b890-337f09366ba2": {
 "min_stack_version": "8.3",
@@ -6719,44 +6761,44 @@
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
- "sha256": "4c15aa93333df41d25b1da7384c925b4d5277eb5694fbb8f7d8f7c794143ef0d",
+ "sha256": "49000faea36134e08ac5c4ff3d8cc8b84b5988a96fd65e353c45b5dcf1816b59",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Pspy Process Monitoring Detected",
- "sha256": "b9d7536fd8c294924c4644cfcc4ee0b8432a0e92eba51894cdc57c6fbb209ac7",
+ "sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "bdcf646b-08d4-492c-870a-6c04e3700034": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
- "sha256": "46222aa552fbb0eb3445b6863d48086e14b83f540e63bf7f048bf0e645855756",
+ "sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "bdfebe11-e169-42e3-b344-c5d2015533d3": {
 "min_stack_version": "8.9",
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
- "sha256": "bfa8f71657fbb8749cf4f5f600a359722956bfa318207c2220ea634fc7403c4e",
+ "sha256": "ff0debce710d52c303c02bdc17b9b38d4ac32fc6e847d04a076063e6dfd4bb18",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Remote File Directory",
- "sha256": "679d1d5d3c635ce79753315c3c3081a592f215406e10e246e3a3fe9e4a2f7c9f",
+ "sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "min_stack_version": "8.3",
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "729e64a5fe9596b9514a3e5a2b56e8374fb6079ec891f4b85681422fc07671e5",
+ "sha256": 
"a1189a1dc60f8e7159d10f793ee8b06a65af312c1fe3716004dbc4f108ed9012", "type": "eql", - "version": 107 + "version": 108 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.9", 
@@ -6777,37 +6819,37 @@
 "bf8c007c-7dee-4842-8e9a-ee534c09d205": {
 "min_stack_version": "8.3",
 "rule_name": "System Owner/User Discovery Linux",
- "sha256": "51ab813449dbe6bf71c403d5dffdb662db965a2d42c8049eaac20ba8bf5a9132",
+ "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "bfba5158-1fd6-4937-a205-77d96213b341": {
 "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
- "sha256": "63fa5830b9e441e960726196461abda7310d4b52b798a96b68b8cb2c717616ce",
+ "sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
- "sha256": "a96413f43b35602b04b7947dfc44ba77f545ed0130c1d7c09cae4116e51754f7",
+ "sha256": "7f05d87c5d2477fe79fb8c9cbce0f3b28ffc41fff1f214a4fdd9833b0705ece6",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
- "sha256": "2c9b4244cb4994ff559dfc5ff89df8400a366e4faadd5f8900810fa90b30281e",
+ "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c0429aa8-9974-42da-bfb6-53a0a515a145": {
 "min_stack_version": "8.3",
 "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
- "sha256": "f03d327ae09793a9ec460b44da54cfc1c07d946b2d181da5ec77da0c5d2fa4aa",
+ "sha256": "0246217f877df40526e3bc741011b89c6efb820aa436be5c3256cd7013db5d8f",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "c0b9dc99-c696-4779-b086-0d37dc2b3778": {
 "min_stack_version": "8.3",
@@ -6826,9 +6868,9 @@
 "c125e48f-6783-41f0-b100-c3bf1b114d16": {
 "min_stack_version": "8.5",
 "rule_name": "Suspicious Renaming of ESXI index.html File",
- "sha256": "2acd7bb084fcacdbb12ec8d9c6a04121f2a5bfd99c81cd043158d03bd202e2fd",
+ "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "c1812764-0788-470f-8e74-eb4a14d47573": {
 "min_stack_version": "8.9",
@@ -6865,9 +6907,9 @@
 "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft IIS Connection Strings Decryption",
- "sha256": "c5160b48d049f36f37cd3527935cbbfd3a23d0c6b08c651976db41d4dfd30970",
+ "sha256": "bcf33fe084537eed737bc441a6039ec1342b377f77dc505600f40b2ba8666ba4",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
 "min_stack_version": "8.3",
@@ -6879,23 +6921,23 @@
 "c292fa52-4115-408a-b897-e14f684b3cb7": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Folder Action Script",
- "sha256": "bb9fad0b65e7bc241670ef85a6bc8750f4bcc92e98888e091f2ca9b30d833ce8",
+ "sha256": "210d7d5cb38258eb525416e4eccb8c8745589c950955d3cb69cc8fe518aee6a6",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c296f888-eac6-4543-8da5-b6abb0d3304f": {
 "min_stack_version": "8.11",
 "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
- "sha256": "4a7e44dd5204c7cb662ea2895fa3552d2e38749207926da9e4dd815e179ca7c8",
+ "sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "c2d90150-0133-451c-a783-533e736c12d7": {
 "min_stack_version": "8.3",
 "rule_name": "Mshta Making Network Connections",
- "sha256": "12590f132922a1117fb9cf1c66fb7db25fd6aa692e594ab5e353b1ba010c6298",
+ "sha256": "c3f61a5354e0122350afca10c2552cf9d657bb9f056b48d165a1401820d7ceff",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c3167e1b-f73c-41be-b60b-87f4df707fe3": {
 "min_stack_version": "8.3",
@@ -6907,9 +6949,9 @@
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via BITS Job Notify Cmdline",
- "sha256": "331c14e73d76aebdcd4cac4d0fab69ddbb53ef866ef1a68f1868a3755733226f",
+ "sha256": "b88bece498dfaea5718d4d986625f0145871e56ab8f4101bdf228e4c98842108",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
 "min_stack_version": "8.3",
@@ -6921,16 +6963,16 @@
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "min_stack_version": "8.3",
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
- "sha256": "43fcbbce0e30de8a963685bf58748b27635b19c08af085815f6fff113533bd37",
+ "sha256": "0d984ea0a0db400769aa7d3f97f7ea303d827c03bc543743cf2e23f2a850d7f0",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "c4818812-d44f-47be-aaef-4cfb2f9cc799": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Print Spooler File Deletion",
- "sha256": "30182cfa6804a26e730d3c6e33a15816fbc229f1b76ba3b0a372388c91434099",
+ "sha256": "527381ede531c0557419ed0a6bb636ea08e18112216dcaf858ae6256f42aa360",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
 "min_stack_version": "8.3",
@@ -6956,9 +6998,9 @@
 "c57f8579-e2a5-4804-847f-f2732edc5156": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Remote Desktop Shadowing Activity",
- "sha256": "ef18c4509361dc748c03f900e0cb04331a3870f4d37673c65632f7edcdc5fe80",
+ "sha256": "c9fb9f5a4348ebdf5017702511017d62bed61f46499299e4abd56602815228e3",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
 "min_stack_version": "8.3",
@@ -6970,23 +7012,23 @@
 "c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
- "sha256": "7ae96f1df833b14af7547f0e08d6b5b00c9e944fbac39dbceb641ce799daf5e7",
+ "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
 "min_stack_version": "8.3",
 "rule_name": "Installation of Custom Shim Databases",
- "sha256": "b7d3d0eac47540ae843fe1289c5c3b34a1f89e1f292b2990b68cb241983c52aa",
+ "sha256": "2374c5bb1877f116a333acf337c2c31df95ab45d58c6649a372498f6507b45b9",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "7e7ffc94375f810fc0ec2748a6a096644fcde37cdf4979fb00de46501a74f0c3",
+ "sha256": "e0090d1a50eac10f4ade38ddb5c37dcedaf650a113144b7796a5c0f982f5b952",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
 "min_stack_version": "8.3",
@@ -6998,9 +7040,9 @@
 "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
 "min_stack_version": "8.3",
 "rule_name": "Remote File Download via MpCmdRun",
- "sha256": "be23ef78feeedf2bf773d37a42f9a25739d2b6dc284897cf1c11b32ec7ccfd0f",
+ "sha256": "a8f12f89203ac9f50f27c410b52db86730251b6f88772a401d2d5dece5460954",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "c6474c34-4953-447a-903e-9fcb7b6661aa": {
 "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -7043,9 +7085,9 @@
 "c7894234-7814-44c2-92a9-f7d851ea246a": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Network Connection via DllHost",
- "sha256": "66f9611335e40f84586a2c89a68668f5ad3a0f4f2fded39524a649132ad4360a",
+ "sha256": "f54fee3b089a5de904d42af0584c381e9c2061bc3467251f0da4fb74dafe891a",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c7908cac-337a-4f38-b50d-5eeb78bdb531": {
 "min_stack_version": "8.4",
@@ -7066,9 +7108,9 @@
 "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual File Modification by dns.exe",
- "sha256": "29d7cf667acb99a68d444c3d61446d0b3ac071880d4ad6333c3be80645841c97",
+ "sha256": "b061f8aef46c559f3298c402f159b47b452a82c26a266b003760902b7ebe0059",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
 "min_stack_version": "8.3",
@@ -7080,9 +7122,9 @@
 "c81cefcb-82b9-4408-a533-3c3df549e62d": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Docker Shortcut Modification",
- "sha256": "4c1848771275a47db363a85fd08d70afa61b85baaca4651d4c823c0accc02d6d",
+ "sha256": "3c6f0a24da299813261489fdb038d377f036e11f903b4fb30e3b5adac2ffc3b3",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "c82b2bd8-d701-420c-ba43-f11a155b681a": {
 "min_stack_version": "8.3",
@@ -7101,9 +7143,9 @@
 "c85eb82c-d2c8-485c-a36f-534f914b7663": {
 "min_stack_version": "8.3",
 "rule_name": "Virtual Machine Fingerprinting via Grep",
- "sha256": "4e2c160e8b311df59edc07d890988f42898b8ee8467760d2692204ecc13cdede",
+ "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "c87fca17-b3a9-4e83-b545-f30746c53920": {
 "rule_name": "Nmap Process Activity",
@@ -7121,23 +7163,23 @@
 "c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Ransomware Note Creation Detected",
- "sha256": "644224b9f3ebd8dc3b7a7d5b2fb1b90cd7142ffb1853bfa847346361c0e952d3",
+ "sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "1d46ce00fb8fa393c7b0122644b3e0a367bb2ce96e5767209a2e3f101b552c52",
+ "sha256": "244a5e84242633bf3546c512386425c374c6ef20cad83ad6e67b25e99fa3f0b5",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "min_stack_version": "8.3",
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "f98a75e410bae28c2958515cf867ad360c55e5628e4074ff04168355fe113ee6",
+ "sha256": "cb843dd0438b6f8219a949e952ec61f69968fe41c3eec24c9aae7be06defd202",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c9482bfa-a553-4226-8ea2-4959bd4f7923": {
 "min_stack_version": "8.3",
@@ -7158,14 +7200,14 @@
 "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
 "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82",
 "type": "query",
- "version": 103
+ "version": 105
 },
 "ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
 "min_stack_version": "8.4",
 "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
- "sha256": "cb3e06584ef3df219502f541a38afdd93024219e4a99f76ed05857f3b96c5772",
+ "sha256": "677fab8ea10b09bc3d160f2d6ddf60228e80c7b07b65c9b0df182542f4001b4c",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
 "rule_name": "Auditd Login from Forbidden Location",
@@ -7185,9 +7227,9 @@
 }
 },
 "rule_name": "Abnormal Process ID or Lock File Created",
- "sha256": "aad6fb6bc27f0c41cacae00cfe6779a476dd10294ad53cfce1318b06b13bf7bc",
+ "sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a",
 "type": "new_terms",
- "version": 212
+ "version": 213
 },
 "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
 "min_stack_version": "8.4",
@@ -7208,9 +7250,9 @@
 "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Calendar File Modification",
- "sha256": "4020e8d93c52fc49bce77c661a1566c03732a2a74906ceec9c5371f6f0fdecef",
+ "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "cc16f774-59f9-462d-8b98-d27ccd4519ec": {
 "rule_name": "Process Discovery via Tasklist",
@@ -7221,9 +7263,9 @@
 "cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Enable the Root Account",
- "sha256": "859a1abd493744516a89a3da4036d0f389decd9a8f56ee51a41b0f3bd7d335bd",
+ "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
 "min_stack_version": "8.10",
@@ -7235,9 +7277,9 @@
 "cc653d77-ddd2-45b1-9197-c75ad19df66c": {
 "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
- "sha256": "b5449914c57f3b158b22d6929e85c95b29763e3eb6af772e343f1f4d907efe24",
+ "sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037",
 "type": "machine_learning",
- "version": 2
+ "version": 3
 },
 "cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -7317,9 +7359,9 @@
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Module Removal",
- "sha256": "ac001f6d06404c3010498800679030f8b4ab7b39e8c10db9a57b6493b7da835f",
+ "sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
 "min_stack_version": "8.3",
@@ -7363,9 +7405,9 @@
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
- "sha256": "3aeec76d82469713fa7b0e28ac67ac6f48ba3943dee884876631e032559b42bc",
+ "sha256": "3dd4e764e7be53ae0b8b137bef23861b698be87d17b04674b73f347810f11142",
 "type": "query",
- "version": 9
+ "version": 10
 },
 "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
 "min_stack_version": "8.8",
@@ -7377,9 +7419,9 @@
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "min_stack_version": "8.3",
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "e2c5ca3d894271fd19e6f8f2a1766756db89da4380da5f63313dd2f1843b9589",
+ "sha256": "1caaa5871fbfa78e0fe8a2323cbd8f452c5b1c8e166f80ae3f04b1efbe27608b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "min_stack_version": "8.3",
@@ -7414,16 +7456,16 @@
 "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
 "min_stack_version": "8.3",
 "rule_name": "Trap Signals Execution",
- "sha256": "0ba6ec2eec63d471e368b93ff67990a66c3d7e08e08719c6e2ee4eff8f216c81",
+ "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
 "min_stack_version": "8.3",
 "rule_name": "Execution from Unusual Directory - Command Line",
- "sha256": "4c2f771d71d8c07da4530685c547a5b1d02c9a5d4f92f8e4fa89aa4d3493636a",
+ "sha256": "c8491acd12050d86d23ba74328aa0ac1d4f5ac05dee80019a088ee29b63ae3cc",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "cffbaf47-9391-4e09-a83c-1f27d7474826": {
 "min_stack_version": "8.3",
@@ -7435,9 +7477,9 @@
 "d00f33e7-b57d-4023-9952-2db91b1767c4": {
 "min_stack_version": "8.3",
 "rule_name": "Namespace Manipulation Using Unshare",
- "sha256": "a856106c03c826b7cc37c298845052a3d071b61fc13d0a7e32d11346c49983b3",
+ "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
 "min_stack_version": "8.8",
@@ -7449,16 +7491,16 @@
 "d0e159cf-73e9-40d1-a9ed-077e3158a855": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppInit DLL",
- "sha256": "7c325aaff53fd8a664cbc5b7c77dc9dfa9eaa5e698ca9e432c0f39bfdf1755fa",
+ "sha256": "85d7491d891f74d1943d6d66829f7f495b2686bf716a2b2eff86964fc2f53af1",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
 "min_stack_version": "8.3",
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "1a8f93e1420657bde476d44178510fe68b66e44c5329c320ca9cad7c4a0a46aa",
+ "sha256": "5f6a70d2ab2ac48645204e364a9d62da9e1f2834d58ad132edebba377a066615",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
 "min_stack_version": "8.3",
@@ -7483,23 +7525,23 @@
 "d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Microsoft Office Sandbox Evasion",
- "sha256": "89e780b8ad04e619a91f21797ef0ad455995889221fac37ccd693f8a9be88e1c",
+ "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "d31f183a-e5b1-451b-8534-ba62bca0b404": {
 "min_stack_version": "8.3",
 "rule_name": "Disabling User Account Control via Registry Modification",
- "sha256": "258220c18110c30e13d2bf5c9c5b47b97d2591c38e6a207624eaa1335b384462",
+ "sha256": "a5cfe995f5e61234b19b795e2e09d04cb07d7e0d5a3ea85415ad9aee106ee259",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "min_stack_version": "8.3",
 "rule_name": "Clearing Windows Event Logs",
- "sha256": "cff3aae2b2a1a2d291769ae54965c51a5c298c67c7d004d2a9e969d4265ccad1",
+ "sha256": "7ab223b5ae8dccf7fe5e240a84aa15d0c3e7b5fb84756dca29ba288fe1bf6bc7",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
 "min_stack_version": "8.3",
@@ -7518,9 +7560,9 @@
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "min_stack_version": "8.3",
 "rule_name": "Shell Execution via Apple Scripting",
- "sha256": "692c64fb60537e8d2920f5feaa3ed8a0bbb120fa138fee7526e2698ed2895421",
+ "sha256": "0534c21b8c262912cebae6a5c387a1b04dad425ce8b3dc73f7af5906f64cc2be",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
 "min_stack_version": "8.10",
@@ -7562,30 +7604,30 @@
 "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
 "min_stack_version": "8.3",
 "rule_name": "Linux init (PID 1) Secret Dump via GDB",
- "sha256": "a52643d7321caf85380a4ed6148bef35c8425b00082a0ae6d7b352f82ecb391b",
+ "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "d55436a8-719c-445f-92c4-c113ff2f9ba5": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
- "sha256": "225b46731e54716469e060d028dc5a204d7dfeb3ec1062bc93ffdd4663f7acd1",
+ "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "d55abdfb-5384-402b-add4-6c401501b0c3": {
 "min_stack_version": "8.11",
 "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
- "sha256": "81a411530dfa4b02f26c004e92004cd7accc1592660c45e38896fdc83888a950",
+ "sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Windir Environment Variable",
- "sha256": "7b25d0582e256fb4ce7c470b52e131cce26a826b62117c6ef9ff6f1769b4f003",
+ "sha256": "0e1e3b5f59d53215ae4432116b3ff34d82492327031fb05030a06a280f0fa027",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
 "min_stack_version": "8.10",
@@ -7606,9 +7648,9 @@
 "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
 "min_stack_version": "8.3",
 "rule_name": "Service Command Lateral Movement",
- "sha256": "d560df7cdf03af3bf9cb7e30466dd2430565baa3ead05a508a50979884b3b607",
+ "sha256": "b00b67bc85c0c677343773dfaa0854b7446ae708afc4f763af9dc2ff9b7af24e",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
 "min_stack_version": "8.9",
@@ -7642,58 +7684,58 @@ "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "cc8a7869299dfb327b8a78d1709292c90e765523ecaed24698ec7fff46bb4440", + "sha256": "d6f6ee5a3f017bfc82533f80fc4c74894dc3a406cae5a4f48f246b31511dfa75", "type": "eql", - "version": 8 + "version": 9 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", "type": "query", - "version": 103 + "version": 105 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.3", "rule_name": "Modification of WDigest Security Provider", - "sha256": "0d92e00788578df71a3085d97bc9e16656ce1ab64a2d00cefd71d7ede7c98ce2", + "sha256": "b7c8f207268472165a7e8eb713ed3eb05723b6ff76a5933201d0405e647fd390", "type": "eql", - "version": 107 + "version": 108 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", - "sha256": "10445d751b6b8f9f630b91ec75209dedae0814b17f36bc8228c2801927b0ed30", + "sha256": "e37263b5a6b5f6fad1b0ee0d7becddea5d24c5bbddbd0f16d1af2bc113a0e299", "type": "eql", - "version": 109 + "version": 110 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", "type": "query", - "version": 103 + "version": 105 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "min_stack_version": "8.3", "rule_name": "Suspicious Memory grep Activity", - "sha256": "f38af2112e0042344d3102dcb974eff219cdb2192cf7174c291647c0ac09d87c", + "sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165", "type": "eql", - "version": 1 + "version": 2 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "min_stack_version": "8.3", 
"rule_name": "SystemKey Access via Command Line", - "sha256": "f758f68cb5c44f5582fdf29f91b5ede95c7b692861a950921ce02561e9bddb48", + "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d", "type": "query", - "version": 105 + "version": 106 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "135ce1e246c6be718c533d4528fb82c9d1798007fda71bb7aa4126f2766cff68", + "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", "type": "eql", - "version": 109 + "version": 110 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", @@ -7712,9 +7754,9 @@ "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", - "sha256": "3816b9a7c573ec98806b9cc52fc8e281cd0559c43a7c7fce52c60f63c8a8eb2f", + "sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b", "type": "query", - "version": 103 + "version": 104 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "min_stack_version": "8.3", 
@@ -7742,23 +7784,23 @@ "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "cba5bc9b4297cb5764434a05356401948cb36e9dfcd0232bb40e6b59ae947a58", + "sha256": "ffc3442e6c3cc20722b9c1f1a32d35551a15964ac11f7cdfc592b76719af0cc8", "type": "eql", - "version": 109 + "version": 110 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "45983ba4145383efb62f613aaf8c96bb987077029f26ba1392ed5a802713ee0b", + "sha256": "4fa393159012945bc722ed714aa371599d8c9cff942177209a16fa499c5c32af", "type": "eql", - "version": 7 + "version": 8 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "6e01111d746a2621fba51d683e3b21a475878fb95b0da75efef8c54f665fb13d", + "sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083", "type": "query", - "version": 2 + "version": 3 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.3", @@ -7811,9 +7853,9 @@ "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "48b2377c407c6fd267364cd6a28cedd0830236fe92ed4e08111591a7a77999b1", + "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", "type": "eql", - "version": 4 + "version": 5 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -7824,16 +7866,16 @@ "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "e5650e2474aae5fab08118c262adeb299cbaee2b02a70d5ffec40097ada719ca", + "sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7", "type": "eql", - "version": 7 + "version": 8 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "6d5c7271ac35ece6b3d5ad727effafd19fad5b0e1fc68ca0ba309bbd0a1ca4c1", + "sha256": "f37ab90a54a6c291b9cd4aa976743cd7ac5deb2abcac55cab6d64b965bfe48e7", "type": "eql", - "version": 108 + "version": 109 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "min_stack_version": "8.9", @@ -7875,23 +7917,23 @@ "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", - "sha256": "6ff22a837ebb0aeecf0c358977ae439d6e5c872e7d002a5a13622b00638fa02a", + "sha256": "81c0aab3146bff977cf56daa4f6b8155b87a26c42990da92e1ead146d5ff2e3c", "type": "eql", - "version": 106 + "version": 107 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "be18461b14118a93ca765dc844a04b51ef1c1a3f4a5d77bc0d2ff0ffd0355082", + "sha256": "2cf508d63c723bf1c8a65c682aca188141a400cdc3761094a901e95e793ac9bf", "type": "eql", - "version": 108 + "version": 109 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "9e0b0fb6936bd328d5d7b6e23154e6cc371ebce8171a2047be0575e8763fbace", + "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", "type": "eql", - "version": 109 + "version": 110 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "min_stack_version": "8.6", 
@@ -7933,9 +7975,9 @@ "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", - "sha256": "4039bacc00f88fc6604592073a813ddafde9c45c858f9c38f7558074ab949385", + "sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725", "type": "eql", - "version": 107 + "version": 108 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "min_stack_version": "8.4", @@ -7976,9 +8018,9 @@ "e052c845-48d0-4f46-8a13-7d0aba05df82": { "min_stack_version": "8.3", "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "b59881ecde4fbb260ada06f008c2bf8ff29a1dd8964b75ba7e4aab3e5d1cfbe2", + "sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34", "type": "query", - "version": 106 + "version": 107 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.3", @@ -8006,9 +8048,9 @@ "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "0893951b70d630aef74cd34abc894e0ab6951ccac37a819c449f7b459f1a4eb5", + "sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a", "type": "eql", - "version": 3 + "version": 4 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", @@ -8036,9 +8078,9 @@ } }, "rule_name": "AWS Route Table Created", - "sha256": "4081dda0ac65323a45109124e0222f68584e912ecdc216ad1e2f5b8f9f431afc", + "sha256": "a1d7f30f2d264fc6fdb0fb5064f0607217c5a23f4310abcf3ed37bbde3c6de43", "type": "query", - "version": 205 + "version": 206 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "min_stack_version": "8.9", 
@@ -8059,23 +8101,23 @@ "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", - "sha256": "20d3c6c6a6f6513706a2ebd8383166c55e2c6bbe55be87a27695bc4d93937453", + "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", "type": "eql", - "version": 106 + "version": 107 }, "e1db8899-97c1-4851-8993-3a3265353601": { "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", - "sha256": "cc35fa122722a6fb07e287d93ad415f86567f457bfb947fb14a2273427f257f6", + "sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650", "type": "machine_learning", - "version": 2 + "version": 3 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "f0e1450bcee3627ea25c3f1149f19e23d974096a93f38f4fcb2f8b1f3cbf4760", + "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", "type": "eql", - "version": 5 + "version": 6 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "8.3", @@ -8087,16 +8129,16 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "3631eec8b7e657c858f9db2112b704e63512120da05b175252387b382bbcb022", + "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", "type": "query", - "version": 111 + "version": 112 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "min_stack_version": "8.11", "rule_name": "Network Traffic Capture via CAP_NET_RAW", - "sha256": "72ea14abe07f2662330f07e0538c4adc01ee5ff3cc03b7e54944232b04fd7e8e", + "sha256": "61ed477be4d1a7e3e10f7314a2bca872cc00a47a72fd2bf412db50d3ce3b81ec", "type": "new_terms", - "version": 1 + "version": 2 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.9", 
@@ -8117,9 +8159,9 @@ "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "min_stack_version": "8.3", "rule_name": "System Network Connections Discovery", - "sha256": "656484abbd7ea6b41057e6c9b6b267bf1bcf9a7144ec6e07f6fe26948404ab9f", + "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", "type": "eql", - "version": 2 + "version": 3 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "min_stack_version": "8.3", @@ -8131,9 +8173,9 @@ "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "66e388663b228b2c8dd94c6fd5c4d2747293af0ad3223e8467b6dff513bfce19", + "sha256": "585acd10a78e513b1329c305c032f10d56c20983fb6b6e247a83f36cbc5dd540", "type": "eql", - "version": 109 + "version": 110 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", @@ -8145,9 +8187,9 @@ "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.3", "rule_name": "Process Activity via Compiled HTML File", - "sha256": "3e2a12fecf522267ef3afeb66114c8854824c72cc1d0e2ae4f0f4bc3a2308f70", + "sha256": "58b1c0d846d88c3860eca433ef5b9a49f46dccbb09d40c042618fb5cab6a109b", "type": "eql", - "version": 108 + "version": 109 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "min_stack_version": "8.9", 
@@ -8175,16 +8217,16 @@ "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "5c04199205cb13930875dbab67b50a81f6de209289212579901c2a02bec11afe", + "sha256": "71a21b95dc853aa7a9f3bdebacbefd8c18bdae166c17c5eeadf71662eeede388", "type": "eql", - "version": 105 + "version": 106 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "4d6ca2e4725bb0de7ec42fdce8151ddf8eb9a2bb110ae8b637e91a0499259fba", + "sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b", "type": "eql", - "version": 109 + "version": 110 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "min_stack_version": "8.4", @@ -8219,9 +8261,9 @@ "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "714940633134a4900fd804da4e9b3e223c9d3ff128f229f7a46599938fe9322d", + "sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510", "type": "query", - "version": 109 + "version": 110 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.4", @@ -8255,9 +8297,9 @@ "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", - "sha256": "0e60f668e5a539600f5060b2537b7bda7cd79b13c441946455056b809cb95563", + "sha256": "49df6c7a2f8d17da42d1a479125a20cab0466898ffa5f51252397610194c88ad", "type": "query", - "version": 105 + "version": 106 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.10", 
@@ -8278,9 +8320,9 @@ "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "7180375170c573c1ff2a7287cba28879a2150c8796bb81c12556a08394e87e8f", + "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", "type": "eql", - "version": 106 + "version": 107 }, "e7075e8d-a966-458e-a183-85cd331af255": { "min_stack_version": "8.3", @@ -8299,9 +8341,9 @@ "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "e6030f17314972964810faa00556377b009451a1f81181856e9cd6099eecbfbc", + "sha256": "1c76bc2a08b06825a177b0a25d39ca39d581ca953d40329e61cf82fd06714d77", "type": "eql", - "version": 105 + "version": 106 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "min_stack_version": "8.8", @@ -8315,9 +8357,9 @@ } }, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", + "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", - "version": 105 + "version": 106 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", @@ -8329,9 +8371,9 @@ "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "efb77e476e3e66708e2f7ecbe21f66cf503537cfbd24fd1e39c1532f88bb4050", + "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", "type": "eql", - "version": 7 + "version": 8 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "min_stack_version": "8.9", 
@@ -8345,9 +8387,9 @@ } }, "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "2199bfaa82c73c0e3d8e7c4dd8d7df67b438163716298173157240784ea80fdc", + "sha256": "b11f9cf36b13141493f83a145f1b5fb0cd4f6358fbb7fdd5bfe039e8c1a7ccdd", "type": "query", - "version": 205 + "version": 206 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", @@ -8359,16 +8401,16 @@ "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", - "sha256": "8547cdc3808d7f235d3d0abae6b3718604a0f5fd3b25275e55649bcb89548514", + "sha256": "1acfa2f251d1860e05ac5ffd7e0d7fa0801737551ea5e58c102b5caf3fca6c97", "type": "eql", - "version": 106 + "version": 107 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "a8952957c0680157040a50a1ff1bcab9f214af635f0af771a27add2226762fca", + "sha256": "11efd3f1317d2a58d6a23697ca3bc3e97915a9f61722e9e6d165309b4235e670", "type": "eql", - "version": 5 + "version": 6 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "min_stack_version": "8.6", @@ -8382,9 +8424,9 @@ } }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "db2a5674e261bc84e14f1523a5864fc02bf8d27e779d4bd8b3ef5e0f8c2a77d8", + "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35", "type": "new_terms", - "version": 104 + "version": 105 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.10", 
@@ -8421,16 +8463,16 @@ "e92c99b6-c547-4bb6-b244-2f27394bc849": { "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", - "sha256": "a15543671d4d5fe65bb33045b81836fa6b6701277fde03baed1cfa4128d58b52", + "sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91", "type": "machine_learning", - "version": 2 + "version": 3 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "3f3eec9bc3511f8a7b04c2ea53960d28e2c4cc9c1919b4ac0415627e28f49b80", + "sha256": "c5b7eef8ade7d3485a90b117038e54a8f7a1c4f8dd13df848304bb26845d46a5", "type": "eql", - "version": 109 + "version": 110 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "min_stack_version": "8.3", @@ -8442,9 +8484,9 @@ "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "min_stack_version": "8.9", "rule_name": "Spike in Remote File Transfers", - "sha256": "470e8ced054f1bc59729079e22245fdd3df57ee3c76ad8d61dc913d979c69f89", + "sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1", "type": "machine_learning", - "version": 2 + "version": 3 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -8468,9 +8510,9 @@ "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "67bc8b9711b46b277066e6c665fb98446858a64b2fd08257cd3fbfb87dcdf4fd", + "sha256": "9b562c38c4d362ac35e21b39fa028b653058315e266fd5853a388763e141b873", "type": "machine_learning", - "version": 2 + "version": 3 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "min_stack_version": "8.9", 
@@ -8498,9 +8540,9 @@ "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Network Connection", - "sha256": "835b8c13f7ca75ca0c3cbd05603c8ecedda758ee6736f886b793937b40b4cf3d", + "sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c", "type": "eql", - "version": 1 + "version": 2 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "min_stack_version": "8.3", @@ -8512,16 +8554,16 @@ "eb44611f-62a8-4036-a5ef-587098be6c43": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "59511943017b6f3b3d7a961fa15dbae63734417cf74479ac19a17febbd5181b7", + "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", "type": "query", - "version": 3 + "version": 4 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "362b14187d99cc82260552ac8948c4169dfc7a138c656b64536dd43703b67906", + "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", "type": "query", - "version": 110 + "version": 111 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3", 
@@ -8533,30 +8575,30 @@ "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", - "sha256": "4b41664ac4de90d5a6911bca73f92933f49cf46f25ba5c3e4852456e8bece7ba", + "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", "type": "eql", - "version": 109 + "version": 110 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "76c37cc7a589fe10dfaa88f6b7b661dea40b32593c1b666971619610af0593c6", + "sha256": "288578d5369a79c6373c3c0b0ce30d1e04accf4297f4378905ea03e926ef0304", "type": "eql", - "version": 107 + "version": 108 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "min_stack_version": "8.3", "rule_name": "IIS HTTP Logging Disabled", - "sha256": "9aa567d8580a93323215449d5492c7a5b7b740efa224493cb75bcbd035fb592d", + "sha256": "4a54459a60e0157dbebdb4fa49edc3c3b44da95324d09ce432d90dfadc18cf16", "type": "eql", - "version": 108 + "version": 109 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", - "sha256": "76315bba25abe84b119f44de4c1b6c4f33fdc53d08a5ea67631b6f821c288236", + "sha256": "07d39ae66d7a091b5542973de8f3a914e6079b735c9af7282ec779f0f6eb0c91", "type": "eql", - "version": 108 + "version": 109 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "8.8", @@ -8570,7 +8612,7 @@ "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", "type": "query", - "version": 103 + "version": 105 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "min_stack_version": "8.3", 
@@ -8605,9 +8647,9 @@ "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", - "sha256": "226818ce709035fdbed2f6dbedf8c230644515040ad03188f0bb46f02131878f", + "sha256": "4cd8390b9a5306f1e517291c56dbd8724ce905bf484b914443323165263e92fa", "type": "eql", - "version": 109 + "version": 110 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.10", @@ -8628,16 +8670,16 @@ "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "e6d1060e542ac53b1c8f6caf61b77d58e0bad0d0c102ddd3cba42938808d036f", + "sha256": "71c2c3a84c8776d4d55a196976af7988e418dd9269e2d47fbaa5e735f4e2a8b5", "type": "eql", - "version": 110 + "version": 111 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "min_stack_version": "8.3", "rule_name": "Linux User Account Creation", - "sha256": "13b3b537fd8a6d150005572a86b138310ddc48a6341f26efff995090c828b47f", + "sha256": "8c333e1755bb44dd4a24738d80d65fd67a504f1950f8efd1546acee9a50bb0d3", "type": "eql", - "version": 3 + "version": 4 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.10", @@ -8658,9 +8700,9 @@ "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", - "sha256": "4f859dde0472f9c982423e2c3b8cf77c09b9684c563ab9adaae5fe7976953937", + "sha256": "407e751c426680a73a9f75665f0416cc6532f6ad24f7abe9cfa304be168522a1", "type": "eql", - "version": 106 + "version": 107 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "min_stack_version": "8.3", 
@@ -8678,23 +8720,23 @@ "eea82229-b002-470e-a9e1-00be38b14d32": { "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "26d4865a30d6490602a379d7abcba4e5aa0095e306e662d489bb63f80cb57bc9", + "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", "type": "eql", - "version": 106 + "version": 107 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", - "sha256": "0ea652ae4056c21deda839089e82be5e8d139fe2a4d663b1c351ea38f5373b52", + "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", "type": "eql", - "version": 107 + "version": 108 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "a93c8008dc51bde8313842833bc7faf55795a8b998c830cefdcde94c2a9e4845", + "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", "type": "eql", - "version": 6 + "version": 7 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "8.8", 
@@ -8706,30 +8748,30 @@ "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.3", "rule_name": "Whoami Process Activity", - "sha256": "e8eb1fccce9dadced67339d7460c79a9bc079f20f5ab4d623f6a58fd9aa8d3a9", + "sha256": "4367c7704290df656ff19eb3a68c7889e48d56cbce072457becfd69f434e35ba", "type": "eql", - "version": 109 + "version": 110 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "56cd681da1967f0a220f930eeadbda12546363729b2fa2a955f9c59ac16086a4", + "sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32", "type": "machine_learning", - "version": 2 + "version": 3 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "2c5262665887e553b48f7df98f3d614aefdf59b44a481d0ec6f946a75ba61cab", + "sha256": "4af429bb1a2ee50c8ac17ce95cf78b67a2c514674d9f537ef5476aca56d12721", "type": "eql", - "version": 106 + "version": 107 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", - "sha256": "b3a8f746278cc301f6dc58d9f527dea32590a6d76cef0455b4f613d70e2d67a6", + "sha256": "e736532f89f364ec30f47b2f1c7016d26c11d011ecf3aba3ec6609ad1d18f324", "type": "eql", - "version": 105 + "version": 106 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.10", @@ -8750,9 +8792,9 @@ "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "692fa40e6bf4142e039d77a8009d3ffaf73cb02fb0bad253f89a7791b27bb286", + "sha256": "d680e44d9c8fd89a36b30adc0af3cde9bb7b495ed986c92ad8be0b210c648e94", "type": "eql", - "version": 106 + "version": 107 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "min_stack_version": "8.3", 
@@ -8764,16 +8806,16 @@ "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "86c5bd201fcce02f843be59ad5577b453feab265fb5ace94414dfd794f1083c5", + "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", "type": "query", - "version": 105 + "version": 106 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "9879db0ee4eb6fa5d55af57657d48ec0820bae075840304cdd6e403fc3ab1a1f", + "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", "type": "eql", - "version": 6 + "version": 7 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -8792,30 +8834,30 @@ "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "6fb54f1660018d11515f2fbdb198da3ff179bd8c841c93cccdb1fc2e681d5f7e", + "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", "type": "eql", - "version": 107 + "version": 108 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "401bf25e8e77ccc790d62c63f3b09edebad5cd9b70eac15912db6aaa46127d58", + "sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24", "type": "eql", - "version": 108 + "version": 109 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", "rule_name": "SIP Provider Modification", - "sha256": "66bb086ae806373755f3c312b7a40a726c84622d160a5d644fe31f651e50d2b3", + "sha256": "c9dd167236850ac8454b12127e31227e9bec1f9f5fd5a7786a600c1aba78e290", "type": "eql", - "version": 105 + "version": 106 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Creation", - "sha256": "c5245d22a0267264ade24de174cf1032b9c68466730cc42d6e58734984ae0c96", + "sha256": "1753a2eee380188ceaa72056436275f1455b3e3bc6e9068cd318a9b0505cc539", "type": "eql", - "version": 107 + "version": 108 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "min_stack_version": "8.9", 
@@ -8843,16 +8885,16 @@ "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "23a660434de3455f0a6de99e5a7da5c45a05eeeffa82698844dcbab5d76c3932", + "sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea", "type": "query", - "version": 2 + "version": 3 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", - "sha256": "05dfb891d848215da2bda7c42b5229022f92e80d8ee4f97ea007d57196cfd637", + "sha256": "883630b3f6c3b96cccb79a36ebc7a8390525e3bce7cd70274b7f66666bffa25f", "type": "eql", - "version": 108 + "version": 109 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", 
@@ -8864,37 +8906,37 @@ "f3818c85-2207-4b51-8a28-d70fb156ee87": { "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via systemd", - "sha256": "a735567676266d1a679f92125be7cf4a9e43d4da691ed2d93e4365e572aa2440", + "sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c", "type": "eql", - "version": 1 + "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", - "sha256": "80f795877a01c622597d9568febd834907a357d9616f6efa11b237bd37e3086d", + "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471", "type": "threat_match", - "version": 5 + "version": 6 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "min_stack_version": "8.6", "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": "d090083f56c2a8a47be9e243913af8404099dd7996a86d0ff748af86600d4632", + "sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808", "type": "eql", - "version": 4 + "version": 5 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "3532dcb1643708a0b5c5e2ae8f0674579cbb77fe60a022151328d4b38fbb72dd", + "sha256": "5d08c860cfdbbde6caa690f18df854a3f106b160401ffe9bdaef82b0f41d5804", "type": "eql", - "version": 106 + "version": 107 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "d98a7e83fa24ec297e90f61de9d4e6781cfc0ba17dc00049f79130145d7ab7c7", + "sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765", "type": "query", - "version": 109 + "version": 110 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -8905,16 +8947,16 @@ "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "cfb1b743b6fa0a445ac73256b1e736171185b9c296f9d73efac25b538d64ea02", + "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", "type": "eql", - "version": 5 + "version": 6 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", - "sha256": "6d969c70752f3186e202fdd6bd7fedbc1bef49494886b4b058c82ca4c92e3233", + "sha256": "b94e86645b289d8348ed42486795e77da783afb122ec48187d0350f3a20f52b3", "type": "eql", - "version": 109 + "version": 110 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "min_stack_version": "8.8", @@ -8926,16 +8968,16 @@ "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "min_stack_version": "8.3", "rule_name": "Rare SMB Connection to the Internet", - "sha256": "9a94f4d8101faf26b2c6b27adeca58352ce001eed85ee4b6bbb0bdf460045ec5", + "sha256": "b05c4528acef62397c715cb60d9752fa133ecba94e25e996871b92f58378b891", "type": "new_terms", - "version": 1 + "version": 2 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "9d093df26320c45b314e47dc2317d5b84a706d33b570f9b302014671f4b684de", + "sha256": "af58671d98fd5dc17bf1d2f0cf469070084cecd6da4017d0572ca1fcfb6a5b7f", "type": "query", - "version": 2 + "version": 3 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "min_stack_version": "8.3", 
@@ -8947,37 +8989,37 @@ "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "min_stack_version": "8.3", "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "04e88d1efaa5ae3e206042b0db002f52a0ebb9b868a7e91b77539c05cc94fad1", + "sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6", "type": "eql", - "version": 4 + "version": 5 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "866744b042cda9a292065f261e1a62d729b5c7aca98c990bd5be1c0dbf04bc39", + "sha256": "841e7e3d259ad21fa37fbfa7cb65713dd10650212ef402434dcd94505006936c", "type": "machine_learning", - "version": 2 + "version": 3 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", - "sha256": "c008022dcc942aac497e03a345678d4351f22bd37f8df7b55687be5b5ed9ce43", + "sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37", "type": "eql", - "version": 5 + "version": 6 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "min_stack_version": "8.3", "rule_name": "Account or Group Discovery via Built-In Tools", - "sha256": "402cdc6a8b9fbe4bbda7174be70efe396596bdbc7c8e4adb6b4edffeb52d8334", + "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", "type": "eql", - "version": 2 + "version": 3 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "48ce252c07058d2ee1ca0800d2b1fecbe03128d07992d41375ca0c03b6a48f48", + "sha256": "82da4dcd3d85bbbce79c9338731f2d3faabeb93b9f8bd758a346c1bb3844926c", "type": "eql", - "version": 108 + "version": 109 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.3", 
@@ -8989,16 +9031,16 @@ "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "fb87b9eb3ce642106368e9900a834940914053f852b8fb77bc5c68cc937f3312", + "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", "type": "query", - "version": 105 + "version": 106 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "min_stack_version": "8.3", "rule_name": "System Hosts File Access", - "sha256": "f1c8e65d5f5b64c4daf0001b6c893d1cb6b75923a7d71c1986c7a6366a5fee9b", + "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", "type": "eql", - "version": 2 + "version": 3 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "min_stack_version": "8.3", 
@@ -9033,37 +9075,37 @@ "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "cba0ef209d381391715a1d4cc32407099e0cc2826fad303f04e46cf39d3effb6", + "sha256": "a60814f61dac11aa9d05163cc55d8da2b2cfb21fc612ed5f4d4d348060e57e80", "type": "eql", - "version": 109 + "version": 110 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "min_stack_version": "8.11", "rule_name": "Potential Privilege Escalation via Linux DAC permissions", - "sha256": "600e6c5252be4fb155fd1e49ed6aa627d8c5e9d7f501e56f88baf2b4c10cf999", - "type": "eql", - "version": 1 + "sha256": "39e51bf1355bc9d55908c45292191667d343c6e7e55bd924acc646c39149c813", + "type": "new_terms", + "version": 2 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "6031d2492f38e34f83fec99639ddbfd371b2ac54d22bafc1b14c5f342be17c1b", + "sha256": "51aacad9edd6ee0e09aa36fcdc008de023969ea682b6b8e0810e61d65a8311f0", "type": "eql", - "version": 107 + "version": 108 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "f27060c1e1635cedb3d4db1d8bb5ddabdf1ffa478643e158e4847d1405cac3ca", + "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", "type": "query", - "version": 105 + "version": 106 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "902e8a91c828264acc25b9b1ef81880b919f5739fef7a59cc8b1af766f54d38b", + "sha256": "9dd2a2b3b83b8e850ca46a07ef95f7e14a78d5dc1d5e016c069ea25579284240", "type": "eql", - "version": 108 + "version": 109 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "min_stack_version": "8.8", 
@@ -9096,9 +9138,9 @@ "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.3", "rule_name": "Privileged Account Brute Force", - "sha256": "36afec4fdbf0b0dbe5dd5f33cf28d0866a711012c96115ea0e205eb6bd791364", + "sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70", "type": "eql", - "version": 8 + "version": 9 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.10", 
@@ -9119,37 +9161,37 @@ "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.3", "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "61ce9acd0f52132d2ad2fc33398ebed27e1327f3a0b539903c77921e5e025fc0", + "sha256": "d32ada1465167b6293df7280629172d0509463e769904db94d5f248237f0f48f", "type": "eql", - "version": 107 + "version": 108 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "218530cac5856894e6aa5cd3de9220598341cf39e21207726a8736e796656132", + "sha256": "976d63084190e20f320e0106f4ad4bc08619d00ea326d685796c9693902a3d7c", "type": "eql", - "version": 5 + "version": 6 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "0614d99e192ebf727ca5211629665791841cb5b9db109bf11e3b8d8c67d84491", + "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", "type": "eql", - "version": 6 + "version": 7 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "781215a658d1365ecd39d5ce42561c2c2a1db86acac3e8ecc9a2c3348dacc021", + "sha256": "a71e0082cbfb886e234b2dde6fb3a70a5084af0eb33e07cf1a8e2841693cfb67", "type": "eql", - "version": 7 + "version": 8 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", - "sha256": "59fdb01847d36f82c27f340f9e7aaa3aeef098f8f2eb04f77cc178331a36c8e1", + "sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3", "type": "eql", - "version": 5 + "version": 6 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "min_stack_version": "8.4", 
@@ -9170,9 +9212,9 @@ "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", - "sha256": "43bf761ed99e39883a71417804e95161874113a3d08e64e551fe474bb054586c", + "sha256": "72b6d24fbb5b42bb6bc82d00ec7a7b880b9cf1894cbbd762f64cbca9e5c45d41", "type": "eql", - "version": 106 + "version": 107 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "min_stack_version": "8.8", @@ -9206,9 +9248,9 @@ "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "695672533f96849fc04744a44bb0c3d2c8ad763e56b29d8e9df74708aa58ec0e", + "sha256": "43cf4780d862e228583a5b86075630c0a699c981a923c89a6d17347b3f9a403b", "type": "eql", - "version": 107 + "version": 108 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { "min_stack_version": "8.8", @@ -9233,9 +9275,9 @@ "fd4a992d-6130-4802-9ff8-829b89ae801f": { "min_stack_version": "8.3", "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "a60cf2c503576ded45100fe195a32e1f3d9864c591677059a7189e389ee5e8fb", + "sha256": "8da3991d43d27d1307bfe952667feeaee10a17f086024460a72695f6a069495a", "type": "eql", - "version": 108 + "version": 109 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "min_stack_version": "8.3", @@ -9256,9 +9298,9 @@ } }, "rule_name": "Svchost spawning Cmd", - "sha256": "841bc6ffda6b09e02cd5cc63a0841ded1da19a19dd35723df34f55b0c4151f1a", + "sha256": "0f97a093a060747af65927b28394e233712aca82f61b9e3a0841aba43b6656a7", "type": "new_terms", - "version": 209 + "version": 210 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "min_stack_version": "8.3", 
@@ -9270,30 +9312,30 @@ "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", - "sha256": "ea4a0401b39029ef4d1b12bf940efeebe5fc61796cc104ec9be7996712141b89", + "sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828", "type": "eql", - "version": 6 + "version": 7 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "44dd765994937208cfee2f6b3d0e125111cbe88d94a5c67e840065955d2d3ea3", + "sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e", "type": "query", - "version": 3 + "version": 4 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "2473b403823acee1746c83419cdd4634fb84599c481a5d10e3b1af3e519f11bc", + "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", "type": "query", - "version": 4 + "version": 5 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "c96941a5ebb42e39bd2527bcfd0d2be708992dbdf722a7622a1642525b235ddd", + "sha256": "ca97f32f23e5e5a8a9980f4544b94a40f0c491f70e47c9a5d1bacc9f2acaf0c4", "type": "eql", - "version": 108 + "version": 109 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "min_stack_version": "8.3", @@ -9312,9 +9354,9 @@ "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "min_stack_version": "8.3", "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "df7ad57c972d298da6bf985f44b45cc04e2ebac358b7aa99a0662df6ab2d550b", + "sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2", "type": "eql", - "version": 106 + "version": 107 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "min_stack_version": "8.3", 
@@ -9326,16 +9368,16 @@ "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "min_stack_version": "8.9", "rule_name": "Potential DGA Activity", - "sha256": "589696d2263aedd5164e45823daed51e955d30cab677ac76f94129cb6dba05da", + "sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640", "type": "machine_learning", - "version": 2 + "version": 3 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", - "sha256": "dccd31effbd0339a694902a69408abc2f6abe7377040ac828582aefe16e7ba89", + "sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293", "type": "new_terms", - "version": 8 + "version": 9 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "min_stack_version": "8.7", @@ -9349,7 +9391,7 @@ "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", "type": "query", - "version": 103 + "version": 105 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "min_stack_version": "8.3", @@ -9361,8 +9403,8 @@ "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "0e051f6a89e0dd3e32af0d2331b7ab799d7e1f852849859f6cab82b3b5d8b4d9", + "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", "type": "eql", - "version": 4 + "version": 5 } } \ No newline at end of file