diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index c18651999..294abbc35 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -169,6 +169,13 @@
 "type": "eql",
 "version": 4
 },
+ "0678bc9c-b71a-433b-87e6-2f664b6b3131": {
+ "min_stack_version": "8.5",
+ "rule_name": "Unusual Remote File Size",
+ "sha256": "4474648fdc8f0b955f03bda5337ba2f2645db4f902f82c9b5f399502684d327d",
+ "type": "machine_learning",
+ "version": 1
+ },
 "06a7a03c-c735-47a6-a313-51c354aef6c3": {
 "min_stack_version": "8.3",
 "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
@@ -806,6 +813,13 @@
 "type": "eql",
 "version": 100
 },
+ "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
+ "min_stack_version": "8.5",
+ "rule_name": "Spike in Number of Connections Made to a Destination IP",
+ "sha256": "eea67da7d863bb4da8802088e97d3e0f188941c8484338c6e17099c6f9c88450",
+ "type": "machine_learning",
+ "version": 1
+ },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -820,6 +834,13 @@
 "type": "machine_learning",
 "version": 106
 },
+ "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
+ "min_stack_version": "8.5",
+ "rule_name": "Spike in Number of Processes in an RDP Session",
+ "sha256": "c2a98c086c35d0e6339615bc26c449c6e6e2a3cb850572c19b445f22fd02d3bc",
+ "type": "machine_learning",
+ "version": 1
+ },
 "1a289854-5b78-49fe-9440-8a8096b1ab50": {
 "min_stack_version": "8.8",
 "rule_name": "Suspicious Network Tool Launched Inside A Container",
@@ -1120,6 +1141,13 @@
 "type": "eql",
 "version": 105
 },
+ "2377946d-0f01-4957-8812-6878985f515d": {
+ "min_stack_version": "8.5",
+ "rule_name": "Remote File Creation on a Sensitive Directory",
+ "sha256": "6c62d2b1221abd06ad64acfcf05620adc52bc244fa55a8eccf63b284d974ab08",
+ "type": "eql",
+ "version": 1
+ },
 "25224a80-5a4a-4b8a-991e-6ab390465c4f": {
 "min_stack_version": "8.3",
 "rule_name": "Lateral Movement via Startup Folder",
@@ -1447,6 +1475,13 @@
 "type": "eql",
 "version": 106
 },
+ "301571f3-b316-4969-8dd0-7917410030d3": {
+ "min_stack_version": "8.5",
+ "rule_name": "Malicious Remote File Creation",
+ "sha256": "a77b63c0cec99d37a8e4a3609137a34580f0cca84198c663fb6adcb5efb462bf",
+ "type": "eql",
+ "version": 1
+ },
 "30562697-9859-4ae0-a8c5-dab45d664170": {
 "min_stack_version": "8.3",
 "rule_name": "GCP Firewall Rule Creation",
@@ -1607,6 +1642,13 @@
 "type": "eql",
 "version": 104
 },
+ "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
+ "min_stack_version": "8.5",
+ "rule_name": "High Mean of Process Arguments in an RDP Session",
+ "sha256": "5e13a7be5f8a00aa914acf030478774a709c75e65e739272b194674bebf33f1d",
+ "type": "machine_learning",
+ "version": 1
+ },
 "3728c08d-9b70-456b-b6b8-007c7d246128": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Suspicious File Edit",
@@ -1780,6 +1822,13 @@
 "type": "query",
 "version": 106
 },
+ "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
+ "min_stack_version": "8.5",
+ "rule_name": "Spike in Number of Connections Made from a Source IP",
+ "sha256": "65fe46f9242a840f6c97a70fa3782f5c6b4b016bf458fecb8460e3ca8e3e17f3",
+ "type": "machine_learning",
+ "version": 1
+ },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
@@ -1852,6 +1901,13 @@
 "type": "eql",
 "version": 2
 },
+ "3f4e2dba-828a-452a-af35-fe29c5e78969": {
+ "min_stack_version": "8.5",
+ "rule_name": "Unusual Time or Day for an RDP Session",
+ "sha256": "616e8eb4fc391b32d81e6e8219a3c053453306a6048116d1e837b55ec439363f",
+ "type": "machine_learning",
+ "version": 1
+ },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Persistence via Services Registry",
@@ -3614,6 +3670,13 @@
 "type": "query",
 "version": 101
 },
+ "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
+ "min_stack_version": "8.5",
+ "rule_name": "Unusual Remote File Extension",
+ "sha256": "6e54a46cf82894aa5484fcd4379b15fedf0c9cb10afb88344a3035f32f6a5727",
+ "type": "machine_learning",
+ "version": 1
+ },
 "818e23e6-2094-4f0e-8c01-22d30f3506c6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script Block Logging Disabled",
@@ -3911,6 +3974,13 @@
 "type": "eql",
 "version": 7
 },
+ "8d366588-cbd6-43ba-95b4-0971c3f906e5": {
+ "min_stack_version": "8.3",
+ "rule_name": "File with Suspicious Extension Downloaded",
+ "sha256": "4aee04fcae9856c8db9a767d12e37c08a83d89f0665b4be03150aa01c6e03b4b",
+ "type": "eql",
+ "version": 1
+ },
 "8d3d0794-c776-476b-8674-ee2e685f6470": {
 "min_stack_version": "8.8",
 "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
@@ -4689,6 +4759,13 @@
 "type": "eql",
 "version": 104
 },
+ "a74c60cb-70ee-4629-a127-608ead14ebf1": {
+ "min_stack_version": "8.5",
+ "rule_name": "High Mean of RDP Session Duration",
+ "sha256": "261e95ec78136218300b4b17a48e642b472f7a6cd692487fb36e3a707b6ce56a",
+ "type": "machine_learning",
+ "version": 1
+ },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Print Spooler SPL File Created",
@@ -4717,6 +4794,13 @@
 "type": "eql",
 "version": 1
 },
+ "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
+ "min_stack_version": "8.5",
+ "rule_name": "High Variance in RDP Session Duration",
+ "sha256": "7b577644248850837c58cfb8850fdce3df772501393676bb090118f5ca4c3f22",
+ "type": "machine_learning",
+ "version": 1
+ },
 "a9198571-b135-4a76-b055-e3e5a476fd83": {
 "rule_name": "Hex Encoding/Decoding Activity",
 "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
@@ -5357,6 +5441,13 @@
 "type": "eql",
 "version": 105
 },
+ "be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
+ "min_stack_version": "8.5",
+ "rule_name": "Unusual Remote File Directory",
+ "sha256": "031fe3c29bbf87093165028e79236de7553cdf3f3f10ab76a86289f3e6dfa1f6",
+ "type": "machine_learning",
+ "version": 1
+ },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "min_stack_version": "8.3",
 "rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -6374,6 +6465,13 @@
 "type": "threshold",
 "version": 105
 },
+ "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potentially Suspicious Process Started via tmux or screen",
+ "sha256": "b30b5b205b4d258de4072197ae2f131b0716891f4297ffc36e6a2549b7ca66fc",
+ "type": "eql",
+ "version": 1
+ },
 "e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
 "min_stack_version": "7.16",
 "rule_name": "Whitespace Padding in Process Command Line",
@@ -6586,11 +6684,20 @@
 "version": 105
 },
 "e72f87d0-a70e-4f8d-8443-a6407bc34643": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.8",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 104,
+ "rule_name": "Suspicious WMI Event Subscription Created",
+ "sha256": "ab002c02bd96a6d77776ccb1b5fe96cb19d8ee3fa408b8c5853d7a4580f3fc18",
+ "type": "eql",
+ "version": 5
+ }
+ },
 "rule_name": "Suspicious WMI Event Subscription Created",
 "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
 "type": "eql",
- "version": 4
+ "version": 105
 },
 "e74d645b-fec6-431e-bf93-ca64a538e0de": {
 "min_stack_version": "8.3",
@@ -6669,6 +6776,13 @@
 "type": "eql",
 "version": 104
 },
+ "e9b0902b-c515-413b-b80b-a8dcebc81a66": {
+ "min_stack_version": "8.5",
+ "rule_name": "Spike in Remote File Transfers",
+ "sha256": "0f4119237d356fe2c032c074c5de136fb71aec5533ecac64a6152b49c3b3f92a",
+ "type": "machine_learning",
+ "version": 1
+ },
 "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
 "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
 "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",