From e3a72c6c4711bc729e358e9e981993eccd765dec Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 20:57:01 +0530 Subject: [PATCH] Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778) --- detection_rules/etc/version.lock.json | 560 ++++++++++++++++++++------ 1 file changed, 433 insertions(+), 127 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 3a9ef217b..b0b412879 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -22,8 +22,15 @@ "version": 112 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "System Shells via Services", + "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", + "type": "eql", + "version": 212 + }, "8.9": { "max_allowable_version": 209, "rule_name": "System Shells via Services", @@ -35,7 +42,7 @@ "rule_name": "System Shells via Services", "sha256": "f39660853e5b117b27a58684c32fc3028f841c2bfa0676a1716d4775a8fbc5bb", "type": "eql", - "version": 211 + "version": 312 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", @@ -164,10 +171,10 @@ "version": 110 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { - "rule_name": "Potential Persistence Through Systemd-udevd", - "sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763", - "type": "new_terms", - "version": 3 + "rule_name": "Systemd-udevd Rule File Creation", + "sha256": "c460de6633708a3c05bf2968843c4ddbf305a7053f9698f6a1396a20113bb23d", + "type": "eql", + "version": 4 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", @@ -242,8 +249,15 @@ "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Local Account TokenFilter Policy Disabled", + "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", + "type": "eql", + "version": 110 + }, "8.9": { "max_allowable_version": 107, "rule_name": "Local Account TokenFilter Policy Disabled", @@ -255,7 +269,7 @@ "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "793a191ad34ae91c56955a490de13ca8298e1f75a10de07ae143ed3766096355", "type": "eql", - "version": 109 + "version": 210 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", @@ -569,6 +583,13 @@ "type": "machine_learning", "version": 5 }, + "1251b98a-ff45-11ee-89a1-f661ea17fbce": { + "min_stack_version": "8.9", + "rule_name": "AWS Lambda Function Created or Updated", + "sha256": "87966613bf1e01dcb3a76da7179be8b64db8e7af206075273d4919a384b5d773", + "type": "query", + "version": 1 + }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", @@ -606,8 +627,15 @@ "version": 111 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29", + "type": "eql", + "version": 210 + }, "8.9": { "max_allowable_version": 207, "rule_name": "Persistence via Scheduled Job Creation", @@ -619,7 +647,7 @@ "rule_name": "Persistence via Scheduled Job Creation", "sha256": "193c901aad4b30bccee51e476e66934d19feb9bf8a576d862630631b848cc323", "type": "eql", - "version": 209 + "version": 310 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", @@ -641,9 +669,9 @@ }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", - "sha256": "2df03e6f85b643953de58a6655130f275e8abc58041dc624319fc3047cf03dee", + "sha256": "04d499c91c67372557e3cbc78b24b02370e0591306ea8109820b22cebbdbef42", "type": "eql", - "version": 5 + "version": 6 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", @@ -675,6 +703,13 @@ "type": "eql", "version": 109 }, + "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { + "min_stack_version": "8.9", + "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", + "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740", + "type": "query", + "version": 1 + }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", @@ -683,9 +718,9 @@ }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4", + "sha256": "ba312fcc9ecbf23197da80510b48dfd8b087c772313923a625fcda4cead89183", "type": "query", - "version": 110 + "version": 111 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", @@ -737,9 +772,9 @@ }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f", + "sha256": "65906b0af010fdf4397270caea3b93edffa3c141e33daa51499abc0354c8bd68", "type": "query", - "version": 109 + "version": 110 }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "min_stack_version": "8.13", @@ -779,10 +814,10 @@ "version": 103 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { - "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "9db1b2c407bc10769394309a57e5e1acb24ac3834a9d1c679e3288ef28b2b546", - "type": "new_terms", - "version": 10 + "rule_name": "Systemd Service Created", + "sha256": "b6d52138336ffdc9944d3309166f6e193ae0cda6f421144245bc69bf4a6559eb", + "type": "eql", + "version": 11 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", @@ -808,12 +843,25 @@ "type": "eql", "version": 100 }, + "185c782e-f86a-11ee-9d9f-f661ea17fbce": { + "min_stack_version": "8.9", + "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", + "sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e", + "type": "threshold", + "version": 1 + }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de", "type": "machine_learning", "version": 4 }, + "192657ba-ab0e-4901-89a2-911d611eee98": { + "rule_name": "Potential Persistence via File Modification", + "sha256": "13724ccfbad7645a55a6148fd2331a0f15181aca09d104bc269cddfeb702bb7d", + "type": "eql", + "version": 1 + }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", @@ -935,6 +983,13 @@ "type": "eql", "version": 110 }, + "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { + "min_stack_version": "8.9", + "rule_name": "AWS IAM Roles Anywhere Profile Creation", + "sha256": "f668e7947688e878a2b5f5aa8a3bc7f30cf777776b49855a8b5e2c7e3b8e2449", + "type": "query", + "version": 1 + }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", @@ -1253,9 +1308,9 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", + "sha256": "d82f7cdce5ff254cd1b94e2f0390bef570efef35250410982b52a2614113ed42", "type": "threshold", - "version": 207 + "version": 208 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", @@ -1354,10 +1409,10 @@ "version": 5 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { - "rule_name": "Shell Configuration Modification", - "sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c", - "type": "new_terms", - "version": 1 + "rule_name": "Shell Configuration Creation or Modification", + "sha256": "26fb29a8c8c328b8e46ed17a8fda1d07250948bb305e19031173410ae35d3669", + "type": "eql", + "version": 2 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS Security Group Configuration Change Detection", @@ -1372,8 +1427,15 @@ "version": 113 }, "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 312, + "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", + "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609", + "type": "eql", + "version": 213 + }, "8.9": { "max_allowable_version": 210, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", @@ -1385,7 +1447,7 @@ "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "cfc96b6991e4924d103a2158af8da2606918fbec5876bff5d93be7653deb2bd5", "type": "eql", - "version": 212 + "version": 313 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", @@ -1441,20 +1503,27 @@ "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 312, + "rule_name": "Adobe Hijack Persistence", + "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", + "type": "eql", + "version": 213 + }, "8.9": { "max_allowable_version": 210, "rule_name": "Adobe Hijack Persistence", - "sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d", + "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Adobe Hijack Persistence", - "sha256": "b063bce44c35e4d15cd79869b5732433239a66d51babb5fb8f9d0adbe2001097", + "sha256": "eb4e880bc7d79b0831cdd9063d6745aad9f422d7f4b708a0894c414c790af064", "type": "eql", - "version": 212 + "version": 313 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", @@ -1595,11 +1664,17 @@ "type": "eql", "version": 2 }, + "30fbf4db-c502-4e68-a239-2e99af0f70da": { + "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", + "sha256": "ac674594e4090f28c0defbacf2ab2ab0be02892e8c42781f49ec6b349245a750", + "type": "new_terms", + "version": 1 + }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46", + "sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129", "type": "query", - "version": 101 + "version": 102 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", @@ -1644,8 +1719,15 @@ "version": 109 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 312, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172", + "type": "eql", + "version": 213 + }, "8.9": { "max_allowable_version": 210, "rule_name": "Suspicious MS Outlook Child Process", @@ -1657,7 +1739,7 @@ "rule_name": "Suspicious MS Outlook Child Process", "sha256": "a7e4e52230f1a2f269732a45b210a8cded335e4867e2095abbb2d707d4a0e932", "type": "eql", - "version": 212 + "version": 313 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", @@ -1702,8 +1784,15 @@ "version": 106 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", + "type": "eql", + "version": 212 + }, "8.9": { "max_allowable_version": 209, "rule_name": "Port Forwarding Rule Addition", @@ -1715,7 +1804,7 @@ "rule_name": "Port Forwarding Rule Addition", "sha256": "e4d0644e1d41d584ee51527759ef379d2e85441b65044ced77ef38d1e5ee9a29", "type": "eql", - "version": 211 + "version": 312 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "rule_name": "Spike in Bytes Sent to an External Device", @@ -1906,8 +1995,15 @@ "version": 103 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b", + "type": "eql", + "version": 212 + }, "8.9": { "max_allowable_version": 209, "rule_name": "Unusual Parent Process for cmd.exe", @@ -1919,7 +2015,7 @@ "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "99fe156012393a6350811a3ccf9ecaf4dc0d399569a90aa01cc5cebe44117352", "type": "eql", - "version": 211 + "version": 312 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", @@ -2087,6 +2183,13 @@ "type": "query", "version": 103 }, + "4182e486-fc61-11ee-a05d-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "AWS EC2 EBS Snapshot Shared with Another Account", + "sha256": "6d2c20fb9ecb3cba051aa0a8f5a8841d3473c6e5d87d50187fe26d3715b32e66", + "type": "esql", + "version": 1 + }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", @@ -2160,9 +2263,9 @@ }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", - "sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb", + "sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5", "type": "eql", - "version": 3 + "version": 4 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "rule_name": "Multiple Vault Web Credentials Read", @@ -2405,10 +2508,10 @@ "version": 10 }, "4ec47004-b34a-42e6-8003-376a123ea447": { - "rule_name": "Suspicious Process Spawned from MOTD Detected", - "sha256": "5b623fb9915bfc946b7d055f8270000bf239fdb2dcd03021f8d03b24d3b28de7", + "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", + "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38", "type": "eql", - "version": 9 + "version": 10 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", @@ -2471,8 +2574,15 @@ "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", + "type": "eql", + "version": 210 + }, "8.9": { "max_allowable_version": 207, "rule_name": "Registry Persistence via AppCert DLL", @@ -2484,7 +2594,7 @@ "rule_name": "Registry Persistence via AppCert DLL", "sha256": "f5b43f0f0f3a4cd3823fedc6900054657f8adb7bd85b6cc8097f892872bf6f3b", "type": "eql", - "version": 209 + "version": 310 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", @@ -2586,9 +2696,9 @@ "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "min_stack_version": "8.10", "rule_name": "Statistical Model Detected C2 Beaconing Activity", - "sha256": "2fe35fc63d94df5fa3980bb4ddb1708b8ef9065b2a9d468329b207be8146385f", + "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", "type": "query", - "version": 5 + "version": 6 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", @@ -2851,9 +2961,9 @@ }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", - "sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5", + "sha256": "78ec9be84e9b6970a121017e012905d15e2e20158762c57da7f514ea4d07c5f2", "type": "eql", - "version": 4 + "version": 5 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Suspicious PrintSpooler Service Executable File Creation", @@ -2918,9 +3028,9 @@ }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group", - "sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d", + "sha256": "a3c0fbdd5934a6dbac3c5be5d786e317493ccf965c14b2df89454f44fafa2c0a", "type": "eql", - "version": 109 + "version": 110 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", @@ -3066,6 +3176,12 @@ "type": "eql", "version": 5 }, + "63431796-f813-43af-820b-492ee2efec8e": { + "rule_name": "Network Connection Initiated by SSHD Child Process", + "sha256": "3ad6907db92363c314c35c6ee182f278b6d7de0e04a7d36e14b398a4fcd2146b", + "type": "eql", + "version": 1 + }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", @@ -3242,9 +3358,9 @@ }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", - "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", + "sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344", "type": "query", - "version": 206 + "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", @@ -3335,8 +3451,15 @@ "version": 110 }, "6aace640-e631-4870-ba8e-5fdda09325db": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 312, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", + "type": "eql", + "version": 213 + }, "8.9": { "max_allowable_version": 210, "rule_name": "Exporting Exchange Mailbox via PowerShell", @@ -3348,7 +3471,7 @@ "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "9a2bd321243f33c29af8cab474c2a52763818ef4340040453bf1e111f2e47503", "type": "eql", - "version": 212 + "version": 313 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", @@ -3531,6 +3654,13 @@ "type": "eql", "version": 3 }, + "71de53ea-ff3b-11ee-b572-f661ea17fbce": { + "min_stack_version": "8.9", + "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", + "sha256": "fc40abf7c58386b21b4e7ba3f8d8b900510aeaa86c789defff2aec11c20e707c", + "type": "query", + "version": 1 + }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", @@ -3660,8 +3790,15 @@ "version": 9 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "Potential Remote Desktop Tunneling Detected", + "sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435", + "type": "eql", + "version": 212 + }, "8.9": { "max_allowable_version": 209, "rule_name": "Potential Remote Desktop Tunneling Detected", @@ -3673,7 +3810,7 @@ "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "5dc0aa50792a92d4380b7f0f4e326e624d77e221bc6825424687daac0e26083f", "type": "eql", - "version": 211 + "version": 312 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", @@ -3724,8 +3861,15 @@ "version": 208 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 202, + "rule_name": "Suspicious ScreenConnect Client Child Process", + "sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c", + "type": "eql", + "version": 103 + }, "8.9": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", @@ -3737,7 +3881,7 @@ "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "1cd4ba234bf93cf872872658b01960cdc2fdcd04262dadd0399b738cff42d2e4", "type": "eql", - "version": 102 + "version": 203 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", @@ -3765,9 +3909,9 @@ }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912", + "sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2", "type": "eql", - "version": 4 + "version": 5 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", @@ -3829,6 +3973,12 @@ "type": "eql", "version": 105 }, + "7c2e1297-7664-42bc-af11-6d5d35220b6b": { + "rule_name": "APT Package Manager Configuration File Creation", + "sha256": "258486b4912fda4473895fde9c357e6ffafdb33966d85558b912df16f95cad7c", + "type": "eql", + "version": 1 + }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55", @@ -3841,12 +3991,25 @@ "type": "query", "version": 104 }, + "7d091a76-0737-11ef-8469-f661ea17fbcc": { + "min_stack_version": "8.9", + "rule_name": "AWS Lambda Layer Added to Existing Function", + "sha256": "26e76de9328e30fd2a1ccfedc25b238243c1c82d255dd6d1e3f7ccc9e67d7898", + "type": "query", + "version": 1 + }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", "type": "query", "version": 100 }, + "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { + "rule_name": "SSH Key Generated via ssh-keygen", + "sha256": "2db05f2e3ae056597ccc0da7403d1957ce361a9175866efd0c7e540914d0fded", + "type": "eql", + "version": 1 + }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", @@ -3866,10 +4029,17 @@ "version": 102 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { - "rule_name": "New Systemd Timer Created", - "sha256": "454dae129a07176b215e4ce8d81df5963eecb9144c6b5605e7f23ad1a0ce8e37", - "type": "new_terms", - "version": 10 + "rule_name": "Systemd Timer Created", + "sha256": "677de35cf201258b8369fc2085f3f72db239e9011cff322e8f5f332afcf46888", + "type": "eql", + "version": 11 + }, + "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", + "sha256": "a98fe6d999a2909e15b551344bcf8abf4c8755341d7daa2ddc121fbdd0f3eec2", + "type": "esql", + "version": 1 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", @@ -4000,6 +4170,12 @@ "type": "query", "version": 5 }, + "84755a05-78c8-4430-8681-89cd6c857d71": { + "rule_name": "At Job Created or Modified", + "sha256": "0b70543d8ab821dcbc89c2c036e27300440bc34c97c569c9e947b3e00de93037", + "type": "eql", + "version": 1 + }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", @@ -4060,6 +4236,13 @@ "type": "eql", "version": 112 }, + "873b5452-074e-11ef-852e-f661ea17fbcc": { + "min_stack_version": "8.9", + "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", + "sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68", + "type": "query", + "version": 1 + }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", @@ -4086,15 +4269,15 @@ }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925", + "sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e", "type": "eql", - "version": 107 + "version": 108 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { - "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0", - "type": "new_terms", - "version": 105 + "rule_name": "Potential Sudo Hijacking", + "sha256": "5204e29d31ddd9d46708224fe842aa218cd42b2ee9b4dbea4cb00236379c3755", + "type": "eql", + "version": 106 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", @@ -4418,8 +4601,15 @@ "version": 110 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", + "type": "eql", + "version": 209 + }, "8.9": { "max_allowable_version": 206, "rule_name": "Encoded Executable Stored in the Registry", @@ -4431,7 +4621,7 @@ "rule_name": "Encoded Executable Stored in the Registry", "sha256": "8f3a4597c674f9eb6b2fe671fad2a311637f3b34c3ecc371ceb3be4dd1675718", "type": "eql", - "version": 208 + "version": 309 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", @@ -4445,6 +4635,12 @@ "type": "new_terms", "version": 204 }, + "94418745-529f-4259-8d25-a713a6feb6ae": { + "rule_name": "Executable Bit Set for rc.local/rc.common", + "sha256": "7dbae46a5a71705bc609aadd65a6bc77c9d8674e353966fa6c00c152d96f0990", + "type": "eql", + "version": 1 + }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", @@ -4510,10 +4706,10 @@ "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { - "rule_name": "Potential Persistence Through MOTD File Creation Detected", - "sha256": "3f20bb818a986c0e8056585963e3d6541dbf1862727224cb92843599a928c1cb", - "type": "new_terms", - "version": 10 + "rule_name": "Message-of-the-Day (MOTD) File Creation", + "sha256": "d80c76481d619796d4c3699f60527c153deb2cd18dd2c8f9b9c38d9d854488e1", + "type": "eql", + "version": 11 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Access to Keychain Credentials Directories", @@ -4569,8 +4765,15 @@ "version": 209 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6", + "type": "eql", + "version": 212 + }, "8.9": { "max_allowable_version": 209, "rule_name": "Suspicious Zoom Child Process", @@ -4582,7 +4785,7 @@ "rule_name": "Suspicious Zoom Child Process", "sha256": "ab6c4f09d32014591e2a374947f000d68295f96989a72225b3e4930e37e5bc20", "type": "eql", - "version": 211 + "version": 312 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -4652,9 +4855,9 @@ }, "994e40aa-8c85-43de-825e-15f665375ee8": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "c5069351210fde910d1fd2e5cd136af309fc81ce6510d0828492a2b64ec1e607", + "sha256": "ac8d1b8d4b4f0103c7488acc5edf47ead2336d6cdb351c8012632e8a98e4e2ad", "type": "eql", - "version": 5 + "version": 6 }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", @@ -4698,6 +4901,13 @@ "type": "eql", "version": 109 }, + "9aa4be8d-5828-417d-9f54-7cd304571b24": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", + "sha256": "eff6b294c92c7c35ef4eb29bb794b1411e7565a8c4b583706f2b90fe0eb66bfc", + "type": "esql", + "version": 1 + }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", @@ -4820,10 +5030,11 @@ "version": 210 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { + "min_stack_version": "8.9", "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "9d1d5ae0e9ecf6ff8ef280ff42061f5ea8236a11570ab2d01d97846f396afcc3", + "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9", "type": "new_terms", - "version": 311 + "version": 312 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "A scheduled task was updated", @@ -5006,6 +5217,13 @@ "type": "query", "version": 102 }, + "a8aaa49d-9834-462d-bf8f-b1255cebc004": { + "min_stack_version": "8.9", + "rule_name": "Authentication via Unusual PAM Grantor", + "sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", + "type": "new_terms", + "version": 1 + }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295", @@ -5097,8 +5315,15 @@ "version": 108 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 313, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", + "type": "eql", + "version": 214 + }, "8.9": { "max_allowable_version": 211, "rule_name": "Suspicious WerFault Child Process", @@ -5110,7 +5335,7 @@ "rule_name": "Suspicious WerFault Child Process", "sha256": "e36280a1447f2b7856c4f642be26895f8dc0cc6642aa3d21dde3ddf6aad92b09", "type": "eql", - "version": 213 + "version": 314 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", @@ -5198,9 +5423,9 @@ }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c", + "sha256": "e8cf6343472cdfd3a91baaa7aed30214af872b0b163555edc8908ffd5d89a675", "type": "eql", - "version": 4 + "version": 5 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", @@ -5457,8 +5682,15 @@ "version": 5 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Creation or Modification of Domain Backup DPAPI private key", + "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", + "type": "eql", + "version": 210 + }, "8.9": { "max_allowable_version": 207, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", @@ -5470,7 +5702,7 @@ "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "5b9416b0c074d30e24badf5a0daa0825766bb7ae7d99b88130f7c0999a392af3", "type": "eql", - "version": 209 + "version": 310 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", @@ -5479,8 +5711,15 @@ "version": 106 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 206, + "rule_name": "Kirbi File Creation", + "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", + "type": "eql", + "version": 107 + }, "8.9": { "max_allowable_version": 104, "rule_name": "Kirbi File Creation", @@ -5492,7 +5731,7 @@ "rule_name": "Kirbi File Creation", "sha256": "001f917502544177abdc78801aa208266c38c099300c58dbb69e62bb88128594", "type": "eql", - "version": 106 + "version": 207 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", @@ -5520,9 +5759,9 @@ }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c", + "sha256": "539035e01c5e718c2a0b56b03af563f6c8403d9848b52db1781d40aea00dfb86", "type": "query", - "version": 109 + "version": 110 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", @@ -5635,9 +5874,9 @@ }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", - "sha256": "53c2cffe17c4403ed64f81a175a6f916198441844cb2a3e306c3a31ae7b19b2a", + "sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33", "type": "query", - "version": 4 + "version": 5 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", @@ -5719,9 +5958,9 @@ }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8", + "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", "type": "eql", - "version": 109 + "version": 110 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", @@ -5750,9 +5989,9 @@ "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "min_stack_version": "8.9", "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", - "sha256": "d782f312b97d352fb81b3975873dd9a6ce4bfc2ebf5f5163bca2e8bb181d1efb", + "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", "type": "query", - "version": 1 + "version": 2 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", @@ -5798,8 +6037,15 @@ "version": 103 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", + "type": "eql", + "version": 209 + }, "8.9": { "max_allowable_version": 206, "rule_name": "Persistence via BITS Job Notify Cmdline", @@ -5811,7 +6057,7 @@ "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "abe5288a1887c88b0839fec82a8e0a973c1dc3b5346edb10d049b62e679386da", "type": "eql", - "version": 208 + "version": 309 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", @@ -6009,9 +6255,9 @@ }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51", + "sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391", "type": "eql", - "version": 5 + "version": 6 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", @@ -6519,9 +6765,9 @@ }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "1713570247f2e1bb7b031c190b7546980f369ec8973ea723bb30be25038cc2dd", + "sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797", "type": "query", - "version": 4 + "version": 5 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "rule_name": "Suspicious Service was Installed in the System", @@ -6607,6 +6853,12 @@ "type": "eql", "version": 7 }, + "dd52d45a-4602-4195-9018-ebe0f219c273": { + "rule_name": "Network Connections Initiated Through XDG Autostart Entry", + "sha256": "33706216d4262064ec48b546b6ffdf38bed77bb6eb5accc6f3c50dfcfdaf3123", + "type": "eql", + "version": 1 + }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", @@ -6619,6 +6871,13 @@ "type": "eql", "version": 108 }, + "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", + "sha256": "19d99e61768ab16b134e882ec4962306af32019e01915f7ab3e1cf5f2133b998", + "type": "esql", + "version": 1 + }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a", @@ -6667,6 +6926,13 @@ "type": "query", "version": 203 }, + "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", + "sha256": "a504729c3998dc3923862276128db6af723328cdce3b98391d9578e95419b28d", + "type": "esql", + "version": 1 + }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", @@ -7008,6 +7274,13 @@ "type": "eql", "version": 7 }, + "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { + "min_stack_version": "8.9", + "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", + "sha256": "5b1937ed0f1a2ea8d8b793ad31baa79ae277d949a84917d1c7a94395daa4a29b", + "type": "eql", + "version": 1 + }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35", @@ -7133,8 +7406,15 @@ "version": 110 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 310, + "rule_name": "Mimikatz Memssp Log File Detected", + "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140", + "type": "eql", + "version": 211 + }, "8.9": { "max_allowable_version": 208, "rule_name": "Mimikatz Memssp Log File Detected", @@ -7146,7 +7426,7 @@ "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "bb5fb845d12c3bbf263c579168a458134eef80318f4ee0ceb6feccd45e0d75f2", "type": "eql", - "version": 210 + "version": 311 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", @@ -7346,6 +7626,12 @@ "type": "eql", "version": 7 }, + "f18a474c-3632-427f-bcf5-363c994309ee": { + "rule_name": "Process Capability Set via setcap Utility", + "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", + "type": "eql", + "version": 1 + }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af", @@ -7366,9 +7652,9 @@ }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24", + "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", "type": "eql", - "version": 109 + "version": 110 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", @@ -7396,9 +7682,9 @@ }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "a8184398fcf77152899052a0cdf43691c84de0fa4cf53167476870150736e064", + "sha256": "5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321", "type": "query", - "version": 4 + "version": 5 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", @@ -7436,6 +7722,12 @@ "type": "eql", "version": 108 }, + "f48ecc44-7d02-437d-9562-b838d2c41987": { + "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", + "sha256": "93c96b13d7d31467aad7b9c5c4f5f7d57d901aef4bc28ba0aa3435056d1fcac8", + "type": "eql", + "version": 1 + }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765", @@ -7653,8 +7945,15 @@ "version": 7 }, "fa488440-04cc-41d7-9279-539387bf2a17": { - "min_stack_version": "8.11", + "min_stack_version": "8.13", "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Suspicious Antimalware Scan Interface DLL", + "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc", + "type": "eql", + "version": 111 + }, "8.9": { "max_allowable_version": 108, "rule_name": "Suspicious Antimalware Scan Interface DLL", @@ -7666,7 +7965,7 @@ "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "a2061359bd190293621c8e71ff1e35c08834d74f598fc6364b28a74c8af177de", "type": "eql", - "version": 110 + "version": 211 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", @@ -7676,9 +7975,9 @@ }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc", + "sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd", "type": "eql", - "version": 104 + "version": 105 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", @@ -7722,6 +8021,13 @@ "type": "eql", "version": 1 }, + "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { + "min_stack_version": "8.9", + "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", + "sha256": "100db09c2d29764aa7b946d7b316cc9a17183ce57593ca72f84d578faa490b68", + "type": "new_terms", + "version": 1 + }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", "sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032", @@ -7753,10 +8059,10 @@ "version": 2 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { - "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", - "sha256": "b9d527481d2f38c0ce84090af0cc336bd1a6bca87741cfbbce058b6c037349ae", + "rule_name": "System Binary Moved or Copied", + "sha256": "7dde3a1e0411df154e689f9f2cf9df0b84e51b6f97f7f0c86121d90c0ee8c602", "type": "eql", - "version": 8 + "version": 9 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "rule_name": "PowerShell Kerberos Ticket Dump", @@ -7802,16 +8108,16 @@ }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "rule_name": "Potential DGA Activity", - "sha256": "15260ab808d90ba91587244049c852e308788b4c23ecc6cbb64956384b8d7532", + "sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758", "type": "machine_learning", - "version": 4 + "version": 5 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.9", - "rule_name": "Cron Job Created or Changed by Previously Unknown Process", - "sha256": "e27c9640a969826e48e3a8fd9117ba8a8761dcbce584297813d634e6f5423886", - "type": "new_terms", - "version": 10 + "rule_name": "Cron Job Created or Modified", + "sha256": "8b90331ba2cd07c2de41d17ca68bee336ea36c749c9c78f7dc5187704d786cc4", + "type": "eql", + "version": 11 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "min_stack_version": "8.9",