security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778)

Browse Source
This commit is contained in:
github-actions[bot]
2024-06-11 20:57:01 +05:30
committed by GitHub
parent 0a69c19c83
commit e3a72c6c47
1 changed files with 433 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+433 -127
View File
@@ -22,8 +22,15 @@
"version": 112
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 311,
"rule_name": "System Shells via Services",
"sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
@@ -35,7 +42,7 @@
"rule_name": "System Shells via Services",
"sha256": "f39660853e5b117b27a58684c32fc3028f841c2bfa0676a1716d4775a8fbc5bb",
"type": "eql",
"version": 211
"version": 312
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
@@ -164,10 +171,10 @@
"version": 110
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Potential Persistence Through Systemd-udevd",
"sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763",
"type": "new_terms",
"version": 3
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "c460de6633708a3c05bf2968843c4ddbf305a7053f9698f6a1396a20113bb23d",
"type": "eql",
"version": 4
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -242,8 +249,15 @@
"version": 7
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 209,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d",
"type": "eql",
"version": 110
},
"8.9": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
@@ -255,7 +269,7 @@
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "793a191ad34ae91c56955a490de13ca8298e1f75a10de07ae143ed3766096355",
"type": "eql",
"version": 109
"version": 210
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
@@ -569,6 +583,13 @@
"type": "machine_learning",
"version": 5
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "87966613bf1e01dcb3a76da7179be8b64db8e7af206075273d4919a384b5d773",
"type": "query",
"version": 1
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
@@ -606,8 +627,15 @@
"version": 111
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 309,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
"type": "eql",
"version": 210
},
"8.9": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
@@ -619,7 +647,7 @@
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "193c901aad4b30bccee51e476e66934d19feb9bf8a576d862630631b848cc323",
"type": "eql",
"version": 209
"version": 310
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
@@ -641,9 +669,9 @@
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "2df03e6f85b643953de58a6655130f275e8abc58041dc624319fc3047cf03dee",
"sha256": "04d499c91c67372557e3cbc78b24b02370e0591306ea8109820b22cebbdbef42",
"type": "eql",
"version": 5
"version": 6
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Azure External Guest User Invitation",
@@ -675,6 +703,13 @@
"type": "eql",
"version": 109
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740",
"type": "query",
"version": 1
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4",
@@ -683,9 +718,9 @@
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4",
"sha256": "ba312fcc9ecbf23197da80510b48dfd8b087c772313923a625fcda4cead89183",
"type": "query",
"version": 110
"version": 111
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
@@ -737,9 +772,9 @@
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f",
"sha256": "65906b0af010fdf4397270caea3b93edffa3c141e33daa51499abc0354c8bd68",
"type": "query",
"version": 109
"version": 110
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"min_stack_version": "8.13",
@@ -779,10 +814,10 @@
"version": 103
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "9db1b2c407bc10769394309a57e5e1acb24ac3834a9d1c679e3288ef28b2b546",
"type": "new_terms",
"version": 10
"rule_name": "Systemd Service Created",
"sha256": "b6d52138336ffdc9944d3309166f6e193ae0cda6f421144245bc69bf4a6559eb",
"type": "eql",
"version": 11
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
@@ -808,12 +843,25 @@
"type": "eql",
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
"sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e",
"type": "threshold",
"version": 1
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de",
"type": "machine_learning",
"version": 4
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "13724ccfbad7645a55a6148fd2331a0f15181aca09d104bc269cddfeb702bb7d",
"type": "eql",
"version": 1
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f",
@@ -935,6 +983,13 @@
"type": "eql",
"version": 110
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "f668e7947688e878a2b5f5aa8a3bc7f30cf777776b49855a8b5e2c7e3b8e2449",
"type": "query",
"version": 1
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
@@ -1253,9 +1308,9 @@
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633",
"sha256": "d82f7cdce5ff254cd1b94e2f0390bef570efef35250410982b52a2614113ed42",
"type": "threshold",
"version": 207
"version": 208
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
@@ -1354,10 +1409,10 @@
"version": 5
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Modification",
"sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c",
"type": "new_terms",
"version": 1
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "26fb29a8c8c328b8e46ed17a8fda1d07250948bb305e19031173410ae35d3669",
"type": "eql",
"version": 2
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS Security Group Configuration Change Detection",
@@ -1372,8 +1427,15 @@
"version": 113
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 312,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
@@ -1385,7 +1447,7 @@
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "cfc96b6991e4924d103a2158af8da2606918fbec5876bff5d93be7653deb2bd5",
"type": "eql",
"version": 212
"version": 313
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.12",
@@ -1441,20 +1503,27 @@
"version": 6
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 312,
"rule_name": "Adobe Hijack Persistence",
"sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
"sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636",
"type": "eql",
"version": 111
"version": 112
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "b063bce44c35e4d15cd79869b5732433239a66d51babb5fb8f9d0adbe2001097",
"sha256": "eb4e880bc7d79b0831cdd9063d6745aad9f422d7f4b708a0894c414c790af064",
"type": "eql",
"version": 212
"version": 313
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
@@ -1595,11 +1664,17 @@
"type": "eql",
"version": 2
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "ac674594e4090f28c0defbacf2ab2ab0be02892e8c42781f49ec6b349245a750",
"type": "new_terms",
"version": 1
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46",
"sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129",
"type": "query",
"version": 101
"version": 102
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
@@ -1644,8 +1719,15 @@
"version": 109
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 312,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
@@ -1657,7 +1739,7 @@
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "a7e4e52230f1a2f269732a45b210a8cded335e4867e2095abbb2d707d4a0e932",
"type": "eql",
"version": 212
"version": 313
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
@@ -1702,8 +1784,15 @@
"version": 106
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 311,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
@@ -1715,7 +1804,7 @@
"rule_name": "Port Forwarding Rule Addition",
"sha256": "e4d0644e1d41d584ee51527759ef379d2e85441b65044ced77ef38d1e5ee9a29",
"type": "eql",
"version": 211
"version": 312
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"rule_name": "Spike in Bytes Sent to an External Device",
@@ -1906,8 +1995,15 @@
"version": 103
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 311,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
@@ -1919,7 +2015,7 @@
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "99fe156012393a6350811a3ccf9ecaf4dc0d399569a90aa01cc5cebe44117352",
"type": "eql",
"version": 211
"version": 312
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
@@ -2087,6 +2183,13 @@
"type": "query",
"version": 103
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "AWS EC2 EBS Snapshot Shared with Another Account",
"sha256": "6d2c20fb9ecb3cba051aa0a8f5a8841d3473c6e5d87d50187fe26d3715b32e66",
"type": "esql",
"version": 1
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a",
@@ -2160,9 +2263,9 @@
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb",
"sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5",
"type": "eql",
"version": 3
"version": 4
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"rule_name": "Multiple Vault Web Credentials Read",
@@ -2405,10 +2508,10 @@
"version": 10
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "5b623fb9915bfc946b7d055f8270000bf239fdb2dcd03021f8d03b24d3b28de7",
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38",
"type": "eql",
"version": 9
"version": 10
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
@@ -2471,8 +2574,15 @@
"version": 2
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 309,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d",
"type": "eql",
"version": 210
},
"8.9": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
@@ -2484,7 +2594,7 @@
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "f5b43f0f0f3a4cd3823fedc6900054657f8adb7bd85b6cc8097f892872bf6f3b",
"type": "eql",
"version": 209
"version": 310
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
@@ -2586,9 +2696,9 @@
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "2fe35fc63d94df5fa3980bb4ddb1708b8ef9065b2a9d468329b207be8146385f",
"sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc",
"type": "query",
"version": 5
"version": 6
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
@@ -2851,9 +2961,9 @@
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5",
"sha256": "78ec9be84e9b6970a121017e012905d15e2e20158762c57da7f514ea4d07c5f2",
"type": "eql",
"version": 4
"version": 5
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
@@ -2918,9 +3028,9 @@
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group",
"sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d",
"sha256": "a3c0fbdd5934a6dbac3c5be5d786e317493ccf965c14b2df89454f44fafa2c0a",
"type": "eql",
"version": 109
"version": 110
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"rule_name": "Persistence via PowerShell profile",
@@ -3066,6 +3176,12 @@
"type": "eql",
"version": 5
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by SSHD Child Process",
"sha256": "3ad6907db92363c314c35c6ee182f278b6d7de0e04a7d36e14b398a4fcd2146b",
"type": "eql",
"version": 1
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab",
@@ -3242,9 +3358,9 @@
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
"sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8",
"sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344",
"type": "query",
"version": 206
"version": 207
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.10",
@@ -3335,8 +3451,15 @@
"version": 110
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 312,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
@@ -3348,7 +3471,7 @@
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "9a2bd321243f33c29af8cab474c2a52763818ef4340040453bf1e111f2e47503",
"type": "eql",
"version": 212
"version": 313
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
@@ -3531,6 +3654,13 @@
"type": "eql",
"version": 3
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "fc40abf7c58386b21b4e7ba3f8d8b900510aeaa86c789defff2aec11c20e707c",
"type": "query",
"version": 1
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f",
@@ -3660,8 +3790,15 @@
"version": 9
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 311,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
@@ -3673,7 +3810,7 @@
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "5dc0aa50792a92d4380b7f0f4e326e624d77e221bc6825424687daac0e26083f",
"type": "eql",
"version": 211
"version": 312
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
@@ -3724,8 +3861,15 @@
"version": 208
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 202,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c",
"type": "eql",
"version": 103
},
"8.9": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
@@ -3737,7 +3881,7 @@
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "1cd4ba234bf93cf872872658b01960cdc2fdcd04262dadd0399b738cff42d2e4",
"type": "eql",
"version": 102
"version": 203
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
@@ -3765,9 +3909,9 @@
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912",
"sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2",
"type": "eql",
"version": 4
"version": 5
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"rule_name": "Potential File Transfer via Certreq",
@@ -3829,6 +3973,12 @@
"type": "eql",
"version": 105
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "258486b4912fda4473895fde9c357e6ffafdb33966d85558b912df16f95cad7c",
"type": "eql",
"version": 1
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55",
@@ -3841,12 +3991,25 @@
"type": "query",
"version": 104
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "26e76de9328e30fd2a1ccfedc25b238243c1c82d255dd6d1e3f7ccc9e67d7898",
"type": "query",
"version": 1
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "2db05f2e3ae056597ccc0da7403d1957ce361a9175866efd0c7e540914d0fded",
"type": "eql",
"version": 1
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a",
@@ -3866,10 +4029,17 @@
"version": 102
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "New Systemd Timer Created",
"sha256": "454dae129a07176b215e4ce8d81df5963eecb9144c6b5605e7f23ad1a0ce8e37",
"type": "new_terms",
"version": 10
"rule_name": "Systemd Timer Created",
"sha256": "677de35cf201258b8369fc2085f3f72db239e9011cff322e8f5f332afcf46888",
"type": "eql",
"version": 11
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "a98fe6d999a2909e15b551344bcf8abf4c8755341d7daa2ddc121fbdd0f3eec2",
"type": "esql",
"version": 1
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
@@ -4000,6 +4170,12 @@
"type": "query",
"version": 5
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "0b70543d8ab821dcbc89c2c036e27300440bc34c97c569c9e947b3e00de93037",
"type": "eql",
"version": 1
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759",
@@ -4060,6 +4236,13 @@
"type": "eql",
"version": 112
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68",
"type": "query",
"version": 1
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339",
@@ -4086,15 +4269,15 @@
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925",
"sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e",
"type": "eql",
"version": 107
"version": 108
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0",
"type": "new_terms",
"version": 105
"rule_name": "Potential Sudo Hijacking",
"sha256": "5204e29d31ddd9d46708224fe842aa218cd42b2ee9b4dbea4cb00236379c3755",
"type": "eql",
"version": 106
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"rule_name": "Suspicious WMI Image Load from MS Office",
@@ -4418,8 +4601,15 @@
"version": 110
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 308,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4",
"type": "eql",
"version": 209
},
"8.9": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
@@ -4431,7 +4621,7 @@
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "8f3a4597c674f9eb6b2fe671fad2a311637f3b34c3ecc371ceb3be4dd1675718",
"type": "eql",
"version": 208
"version": 309
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
@@ -4445,6 +4635,12 @@
"type": "new_terms",
"version": 204
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for rc.local/rc.common",
"sha256": "7dbae46a5a71705bc609aadd65a6bc77c9d8674e353966fa6c00c152d96f0990",
"type": "eql",
"version": 1
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Creation of Kernel Module",
"sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
@@ -4510,10 +4706,10 @@
"version": 205
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "3f20bb818a986c0e8056585963e3d6541dbf1862727224cb92843599a928c1cb",
"type": "new_terms",
"version": 10
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "d80c76481d619796d4c3699f60527c153deb2cd18dd2c8f9b9c38d9d854488e1",
"type": "eql",
"version": 11
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
@@ -4569,8 +4765,15 @@
"version": 209
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 311,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
@@ -4582,7 +4785,7 @@
"rule_name": "Suspicious Zoom Child Process",
"sha256": "ab6c4f09d32014591e2a374947f000d68295f96989a72225b3e4930e37e5bc20",
"type": "eql",
"version": 211
"version": 312
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -4652,9 +4855,9 @@
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "c5069351210fde910d1fd2e5cd136af309fc81ce6510d0828492a2b64ec1e607",
"sha256": "ac8d1b8d4b4f0103c7488acc5edf47ead2336d6cdb351c8012632e8a98e4e2ad",
"type": "eql",
"version": 5
"version": 6
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
@@ -4698,6 +4901,13 @@
"type": "eql",
"version": 109
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "eff6b294c92c7c35ef4eb29bb794b1411e7565a8c4b583706f2b90fe0eb66bfc",
"type": "esql",
"version": 1
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
@@ -4820,10 +5030,11 @@
"version": 210
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "9d1d5ae0e9ecf6ff8ef280ff42061f5ea8236a11570ab2d01d97846f396afcc3",
"sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9",
"type": "new_terms",
"version": 311
"version": 312
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"rule_name": "A scheduled task was updated",
@@ -5006,6 +5217,13 @@
"type": "query",
"version": 102
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"min_stack_version": "8.9",
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a",
"type": "new_terms",
"version": 1
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295",
@@ -5097,8 +5315,15 @@
"version": 108
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 313,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10",
"type": "eql",
"version": 214
},
"8.9": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
@@ -5110,7 +5335,7 @@
"rule_name": "Suspicious WerFault Child Process",
"sha256": "e36280a1447f2b7856c4f642be26895f8dc0cc6642aa3d21dde3ddf6aad92b09",
"type": "eql",
"version": 213
"version": 314
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
@@ -5198,9 +5423,9 @@
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"rule_name": "Suspicious Communication App Child Process",
"sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c",
"sha256": "e8cf6343472cdfd3a91baaa7aed30214af872b0b163555edc8908ffd5d89a675",
"type": "eql",
"version": 4
"version": 5
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"rule_name": "Suspicious File Creation via Kworker",
@@ -5457,8 +5682,15 @@
"version": 5
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 309,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04",
"type": "eql",
"version": 210
},
"8.9": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
@@ -5470,7 +5702,7 @@
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "5b9416b0c074d30e24badf5a0daa0825766bb7ae7d99b88130f7c0999a392af3",
"type": "eql",
"version": 209
"version": 310
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
@@ -5479,8 +5711,15 @@
"version": 106
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 206,
"rule_name": "Kirbi File Creation",
"sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22",
"type": "eql",
"version": 107
},
"8.9": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
@@ -5492,7 +5731,7 @@
"rule_name": "Kirbi File Creation",
"sha256": "001f917502544177abdc78801aa208266c38c099300c58dbb69e62bb88128594",
"type": "eql",
"version": 106
"version": 207
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -5520,9 +5759,9 @@
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c",
"sha256": "539035e01c5e718c2a0b56b03af563f6c8403d9848b52db1781d40aea00dfb86",
"type": "query",
"version": 109
"version": 110
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
@@ -5635,9 +5874,9 @@
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "53c2cffe17c4403ed64f81a175a6f916198441844cb2a3e306c3a31ae7b19b2a",
"sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33",
"type": "query",
"version": 4
"version": 5
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
@@ -5719,9 +5958,9 @@
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8",
"sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210",
"type": "eql",
"version": 109
"version": 110
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
@@ -5750,9 +5989,9 @@
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance",
"sha256": "d782f312b97d352fb81b3975873dd9a6ce4bfc2ebf5f5163bca2e8bb181d1efb",
"sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc",
"type": "query",
"version": 1
"version": 2
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
@@ -5798,8 +6037,15 @@
"version": 103
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 308,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87",
"type": "eql",
"version": 209
},
"8.9": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
@@ -5811,7 +6057,7 @@
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "abe5288a1887c88b0839fec82a8e0a973c1dc3b5346edb10d049b62e679386da",
"type": "eql",
"version": 208
"version": 309
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
@@ -6009,9 +6255,9 @@
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51",
"sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391",
"type": "eql",
"version": 5
"version": 6
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
@@ -6519,9 +6765,9 @@
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "1713570247f2e1bb7b031c190b7546980f369ec8973ea723bb30be25038cc2dd",
"sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797",
"type": "query",
"version": 4
"version": 5
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System",
@@ -6607,6 +6853,12 @@
"type": "eql",
"version": 7
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "33706216d4262064ec48b546b6ffdf38bed77bb6eb5accc6f3c50dfcfdaf3123",
"type": "eql",
"version": 1
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
@@ -6619,6 +6871,13 @@
"type": "eql",
"version": 108
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "19d99e61768ab16b134e882ec4962306af32019e01915f7ab3e1cf5f2133b998",
"type": "esql",
"version": 1
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a",
@@ -6667,6 +6926,13 @@
"type": "query",
"version": 203
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "a504729c3998dc3923862276128db6af723328cdce3b98391d9578e95419b28d",
"type": "esql",
"version": 1
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
@@ -7008,6 +7274,13 @@
"type": "eql",
"version": 7
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "5b1937ed0f1a2ea8d8b793ad31baa79ae277d949a84917d1c7a94395daa4a29b",
"type": "eql",
"version": 1
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35",
@@ -7133,8 +7406,15 @@
"version": 110
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 310,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
"type": "eql",
"version": 211
},
"8.9": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
@@ -7146,7 +7426,7 @@
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "bb5fb845d12c3bbf263c579168a458134eef80318f4ee0ceb6feccd45e0d75f2",
"type": "eql",
"version": 210
"version": 311
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
@@ -7346,6 +7626,12 @@
"type": "eql",
"version": 7
},
"f18a474c-3632-427f-bcf5-363c994309ee": {
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2",
"type": "eql",
"version": 1
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af",
@@ -7366,9 +7652,9 @@
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24",
"sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2",
"type": "eql",
"version": 109
"version": 110
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
@@ -7396,9 +7682,9 @@
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "a8184398fcf77152899052a0cdf43691c84de0fa4cf53167476870150736e064",
"sha256": "5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321",
"type": "query",
"version": 4
"version": 5
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
@@ -7436,6 +7722,12 @@
"type": "eql",
"version": 108
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
"sha256": "93c96b13d7d31467aad7b9c5c4f5f7d57d901aef4bc28ba0aa3435056d1fcac8",
"type": "eql",
"version": 1
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765",
@@ -7653,8 +7945,15 @@
"version": 7
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.11",
"min_stack_version": "8.13",
"previous": {
"8.11": {
"max_allowable_version": 210,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
"type": "eql",
"version": 111
},
"8.9": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
@@ -7666,7 +7965,7 @@
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "a2061359bd190293621c8e71ff1e35c08834d74f598fc6364b28a74c8af177de",
"type": "eql",
"version": 110
"version": 211
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
@@ -7676,9 +7975,9 @@
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc",
"sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd",
"type": "eql",
"version": 104
"version": 105
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
@@ -7722,6 +8021,13 @@
"type": "eql",
"version": 1
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "100db09c2d29764aa7b946d7b316cc9a17183ce57593ca72f84d578faa490b68",
"type": "new_terms",
"version": 1
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
@@ -7753,10 +8059,10 @@
"version": 2
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "b9d527481d2f38c0ce84090af0cc336bd1a6bca87741cfbbce058b6c037349ae",
"rule_name": "System Binary Moved or Copied",
"sha256": "7dde3a1e0411df154e689f9f2cf9df0b84e51b6f97f7f0c86121d90c0ee8c602",
"type": "eql",
"version": 8
"version": 9
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
@@ -7802,16 +8108,16 @@
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
"sha256": "15260ab808d90ba91587244049c852e308788b4c23ecc6cbb64956384b8d7532",
"sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758",
"type": "machine_learning",
"version": 4
"version": 5
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.9",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "e27c9640a969826e48e3a8fd9117ba8a8761dcbce584297813d634e6f5423886",
"type": "new_terms",
"version": 10
"rule_name": "Cron Job Created or Modified",
"sha256": "8b90331ba2cd07c2de41d17ca68bee336ea36c749c9c78f7dc5187704d786cc4",
"type": "eql",
"version": 11
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"min_stack_version": "8.9",