security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 (#1732)

Browse Source 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2022-01-26 13:54:18 -09:00
committed by GitHub
parent 84d55c829d
commit e42fee2d84
2 changed files with 244 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files
etc/deprecated_rules.json
+5
View File
@@ -129,6 +129,11 @@
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"stack_version": "7.14.0"
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"deprecation_date": "2022/01/12",
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"stack_version": "8.0"
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"deprecation_date": "2021/04/15",
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
etc/version.lock.json
+239 -92
View File
@@ -127,8 +127,8 @@
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "3a049155b9db34c38b264d58bdfd85d877c43f3e7608b71f9faa6362afb4d0c4",
"version": 6
"sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2",
"version": 7
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
@@ -140,6 +140,12 @@
"sha256": "499dcd1aa2d62a15f68fa52d95b87511f7f4e14f24ffe83babb3e72e990ff81d",
"version": 3
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.0",
"rule_name": "Threat Intel Indicator Match",
"sha256": "437c87698788e433f03dba9a4ed5ed87cdedb826faa42b8035ba301cc2e5fed4",
"version": 1
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "88ba94c428250342f829c23c844e0d491354bb5b845c5a8caf1bdc92ab3faeca",
@@ -267,6 +273,11 @@
"sha256": "8817ddfdb38379b4031a751743514e46c8a4e608c68ea79adf13a6aa11a09b2d",
"version": 1
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "e1d80d9e27fd401af4a1b5d71ca3c873fb759d8583008989b4a228c6df687655",
"version": 1
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "50ec2f5b9815c5cc153531c5a3d35d9393e03eb4c668ffd62c97b1e2efd616ff",
@@ -297,6 +308,11 @@
"sha256": "8ca91c7053d3f30c2c76188da11648bbc94aa5c68e2288ceaee0e6d942535fcf",
"version": 5
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "d4ae959f9ad85bcd8081e151eaf495d1b1e6297723b6b7cfecee70697ae4d9ad",
"version": 1
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
"sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4",
@@ -384,8 +400,8 @@
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "3d74f5205bbde325b86c72bf634ffba8648e208a314cff8e74be0aed2836eede",
"version": 3
"sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791",
"version": 4
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
@@ -429,8 +445,8 @@
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "756f8e566860406a290ee07a4ac7b9b2481347bf2d2ec4f6a524d3c65fcb86cb",
"version": 6
"sha256": "f2122f6b1acdab49ad7f6bfc06655f446578271776fd3cf5b24413d055341f10",
"version": 7
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"rule_name": "Suspicious .NET Code Compilation",
@@ -514,8 +530,8 @@
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "39f270dbc3e0b1d4c31b5bec7ee74a66f9bf12b4d37023562cf649f4e232e779",
"version": 3
"sha256": "25e969879796bbb0d8b68a24c97e5ec6505eced63d6971bc75ee9454d104b3d4",
"version": 4
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
@@ -539,8 +555,8 @@
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "9edd40f31e655a0aecf8ed56d1b078ab5d082338fbe220bcc463b64d0d384ac3",
"version": 6
"sha256": "148f9ae24ebe6ecc8e536ef7c3a01267783438c802cd162447623fe2a303902e",
"version": 7
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
@@ -589,8 +605,8 @@
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "4bc52c3a4d918cc293e0ac2f21ad95122031ace364c0445d22a4f6b3279dadab",
"version": 2
"sha256": "4e5ff52ed8fdbabd1d8fc01191105a74215d848b0181d0c588b5ace7bb0dbf46",
"version": 3
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"rule_name": "Renamed AutoIt Scripts Interpreter",
@@ -599,8 +615,8 @@
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "138fe1b7a99e1fd40f2db4ca5086754aa15d9dadff790a9a0a03cc783b71f003",
"version": 1
"sha256": "5ca7f98d19a4d9431200fdb6eba8a591bb202717b60a130137f203d98c24cf21",
"version": 2
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
@@ -613,14 +629,14 @@
"version": 2
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched ",
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "7610e908f43c07edb189e630d82850923bd31af83e007f3db90a5d6bd62e4536",
"version": 1
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "fc6e63e3e6c873bd2ccac6ea93c2965d107641d4c739c682f6ad19f74d4eeb40",
"version": 2
"sha256": "877044d765d5091e0cefc0b0db367a269916db834ea839d61af7965d888d5611",
"version": 3
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
@@ -800,8 +816,8 @@
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "1e6bcd8c9bc347e916e73bbf5adc8c3bc7b5951a8bd471197b2bd3ef22e72921",
"version": 6
"sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c",
"version": 7
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"rule_name": "Unusual Parent Process for cmd.exe",
@@ -896,8 +912,8 @@
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "be37d4430c577f95dcc6955d7df5454d2ce79665a551e5d27afa5b483049ccb1",
"version": 6
"sha256": "ca60e2e85601f7d1db4c009cc581db67e2f3e9ecae3df43a4713b067f9c9a6fb",
"version": 7
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
@@ -1017,8 +1033,8 @@
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "7630fc43d6168922d8fd4af707b3c7778f38e7800a563e631c6d332e7022d42a",
"version": 4
"sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4",
"version": 5
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
@@ -1095,6 +1111,11 @@
"sha256": "57391425e8c8e4d0c0c905061d6a9cf78cc26d40e4ff5aaf1afc44d6d4c2761f",
"version": 5
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"rule_name": "PowerShell PSReflect Script",
"sha256": "86329a97344d57daff770fd9195eb9f6991826eb7630f321cdc1631692abebca",
"version": 1
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab",
@@ -1102,8 +1123,8 @@
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "adb1c5873c29391a82b5763b8006396d122797154d046175018644669e6855c8",
"version": 6
"sha256": "16a81e4dd634888d573b513f92f341b62b0dd86237883db37a35e77ebf1fde1f",
"version": 7
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Azure Virtual Network Device Modified or Deleted",
@@ -1112,8 +1133,8 @@
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "b999bfa6dc8a8d8f14e743eb6e0302ca11572bd4796276fd7435bb8053c8a539",
"version": 2
"sha256": "39d651294ad23b72fb2617d6b7b25da704b7ebf8b705c19798e2e326d8eda681",
"version": 3
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1132,8 +1153,13 @@
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Lateral Tool Transfer",
"sha256": "837e80276905c148e4debb9b11b169a1b05bfc70fd046da13a7bb9ae8b2ea042",
"version": 3
"sha256": "3879f384221103f101d7c1c2cc0d549e9b6fb16338e554b2fefaa36d2581debb",
"version": 4
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "c4966675fed8b27f672aca65ba0bac58e7c0b6d3f47cfc4805b4d1b9a95e4bba",
"version": 1
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
@@ -1237,8 +1263,8 @@
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "45ec69750e919eff495ec3f4ce1f96597c51759b9130ed238b82dcdc5888ed6a",
"version": 2
"sha256": "00b90b0ba27de6d77f053e3242f675290c5e1ed3b05fafe8db72007267abd075",
"version": 3
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -1247,8 +1273,8 @@
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "76323de0ef3251b57c93619ffbeb7dfd3363e839a589f393ff44c2f9d86cd92c",
"version": 4
"sha256": "3203c65eec92dee9e1303d21081ea604077f14bd31a3c941ae581c791d450c18",
"version": 5
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
@@ -1282,8 +1308,8 @@
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "4e71078c218cc670c114032d04b1a3631cdf38e7c5225829a6268c569fce9bf6",
"version": 5
"sha256": "75262fa3fdb8bf3a911f98cd5eaaa2ba57b2d538692b1b002372f00a8534219b",
"version": 6
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
@@ -1295,6 +1321,11 @@
"sha256": "d93bdd2f8eda2395c9b8ab7c737460f2201732e3176d605b489d38221cd18bfb",
"version": 6
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "4c45673d1e1ee1af8cfda15ceaafcad3f4571383ebfdce45289fa32c4c915d73",
"version": 1
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "d6726a1a5d3a598df105d959b2d8d7b02e10a98c4e8c5f0f47e124bb5d1fab62",
@@ -1332,9 +1363,17 @@
"version": 6
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22",
"version": 5
}
},
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22",
"version": 5
"sha256": "afd34ab4f1d7e038c874333fd83de248c0b54d625f489e74359f3ce4ec9ac71b",
"version": 6
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
@@ -1351,6 +1390,12 @@
"sha256": "b5812117895d475376f16cb41ebfb385fdbec5034340b59f60e3dcdf71bc0a6d",
"version": 4
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.0",
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "f919b1cd06b017360565a34377bada8062d0bf8828ae7faa981a34c5acda69e4",
"version": 1
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "22d2bd68a5cc0620132227498ac239156162cfc2774f84b41d0ed7c5733f71fe",
@@ -1417,9 +1462,17 @@
"version": 8
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Role Modified",
"sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1",
"version": 5
}
},
"rule_name": "Google Workspace Role Modified",
"sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1",
"version": 5
"sha256": "33a6f2e64d79ebfed4fe0f1b4e5c4a7968b9b4941e11fa0cf720ef3810e38a15",
"version": 6
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
@@ -1519,13 +1572,21 @@
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "19409ce1476a107a8db2f50aa91ed8c037a8bbe6ee70d0977c3fc8292ccf8116",
"version": 6
"sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3",
"version": 7
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9",
"version": 5
}
},
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9",
"version": 5
"sha256": "ab5ac05b1f57b0e9a197d51506441eee921132528fde66e99b64021454556e71",
"version": 6
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Azure Privilege Identity Management Role Modified",
@@ -1589,14 +1650,19 @@
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "9797df2e79190ab1940fe7d8adba5122b86c7a24ca42aea3da9e38cff1e60c9c",
"version": 6
"sha256": "1664db594a454af4890a7ec808978fdd268088b8b9f21f3956900c607de66cd3",
"version": 7
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"version": 8
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "93fb092a27b030f89e8c30342d19c565a157fd830768461905c8aaade93a24ce",
"version": 1
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "f77cf6a6f9ef86b2152b36bf3811485d39bf9c62dcaa02fb0df6c2233cdc8019",
@@ -1721,13 +1787,13 @@
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "cab3788fbfcefb5b2d4e6f079053f5ba19197d35730d9544a8bd0dce2ef4a1bb",
"version": 4
"sha256": "314d9edaa3b6514c606e7542ce9913e3b0dde35897bb2a42cd4dde5e4629188b",
"version": 5
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "33de74bdefea7d1b2dad684d309c2eb9374ad0936d168a1b3fbb74680c12c7c4",
"version": 7
"sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001",
"version": 8
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
@@ -1741,8 +1807,8 @@
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "0ca71ba980d30920612bc3871064629dccd38832867566b7c179934bb0bf1803",
"version": 4
"sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d",
"version": 5
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
@@ -1820,9 +1886,17 @@
"version": 4
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b",
"version": 5
}
},
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b",
"version": 5
"sha256": "7f3e1672e2c15b1f4386242655493bbd483c0c30d377b65c94cadf17d5dbb100",
"version": 6
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Modification of Standard Authentication Module or Configuration",
@@ -1831,8 +1905,13 @@
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "e26d4edde4870c10ccebc081c4ee7c5fc5606da903cb53da92b76f355be04871",
"version": 5
"sha256": "403e3baaa2cb611b3b2f78ea9736c8cccf88fe56344b692f47e537258fdf1c83",
"version": 6
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "73d69ad8db402c30d7757ba2ed5bd2a7c3aa182a2bdf601f3a6c968bfb8d0f3a",
"version": 1
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
@@ -1891,8 +1970,8 @@
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "6c9b748e3f01290624bc50f190eed75daed4f30b7e43c92e8259cbeeb8436d60",
"version": 6
"sha256": "c8e41a6bd406b08af3b150d25058d4cd83f887d58e6e7b13f25c6a8cbfe3dba5",
"version": 7
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "macOS Installer Spawns Network Event",
@@ -1977,8 +2056,8 @@
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "57a21909bc81e2d66277f26faab338f1b36d8a88c1b74f785409bc935b3533ca",
"version": 2
"sha256": "85c51be85ab3d5663e311b2549849c31b9da10cb4e8c76762efa8ef23aa601fe",
"version": 3
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"rule_name": "Unusual Linux Process Calling the Metadata Service",
@@ -2091,9 +2170,17 @@
"version": 4
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051",
"version": 6
}
},
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051",
"version": 6
"sha256": "7741aa9c38ba126329fbb075496847374a2dd8d65aadd49aa25b7f0f00e6aeb5",
"version": 7
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
@@ -2117,8 +2204,8 @@
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "54bef8370cf390fe72e2b52304b62e21884c0c7179d4c13410639871004ac20b",
"version": 3
"sha256": "d9ef79e203bf39157dce4e28b94d8ecc9a2863e1171d5003948421ce236c9a2e",
"version": 4
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
@@ -2146,9 +2233,17 @@
"version": 7
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3",
"version": 5
}
},
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3",
"version": 5
"sha256": "3d8eab60bf795ae6756c1c6058a7c1be2eb14e1c1777a7b4bda27e1906206c95",
"version": 6
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
@@ -2171,14 +2266,22 @@
"version": 8
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
"version": 5
}
},
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
"version": 5
"sha256": "72ff218857ba09e7c08970ebc6cdfcba3cd1dd4f0711dbd403b074fee911011c",
"version": 6
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "ba03ecde11ee9756cf4bc61082aacb53ef480e292542908388652d2925356984",
"version": 2
"sha256": "e02ae67b6c66cfc725340e822acb44653e568a7c1b55eb13818f26c296c0e0c2",
"version": 3
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
@@ -2300,6 +2403,11 @@
"sha256": "051717de0f6c9db9ae1ebe6405e072627948848da2868a8c0deb5e624f0cd2e5",
"version": 4
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "48033f00317b95d1da86910a9dab3762505133df9f57dbf96a0b2c8655d3a398",
"version": 1
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "7.13.0",
"rule_name": "Creation of Hidden Files and Directories",
@@ -2363,8 +2471,8 @@
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "6de3949ae76af02e913b9d9e042f0c9be3954889ba3313023c533e1976fa86cf",
"version": 1
"sha256": "18faa21bc0f6c818f73f17476196b45b9c3f95e45e55141708245a7f21667c2e",
"version": 2
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
@@ -2398,8 +2506,8 @@
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "12a78ccad8ab58509933133ec1744e27bf37d404718c54a47f796a7e6eb86180",
"version": 6
"sha256": "b8e01edc11020238557b88b3db52fb1b046d6704ecec3c71606e6d560684c076",
"version": 7
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
@@ -2418,8 +2526,8 @@
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "7ae7840be1d7ddc5db5b1d13b765d54ab085321f8b3b77ebda3d58548c503573",
"version": 3
"sha256": "ab6c806117ab8f06a992321c114ddfe378ad6f83439ab3b977a52868201c48aa",
"version": 4
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"rule_name": "Mshta Making Network Connections",
@@ -2428,8 +2536,8 @@
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "4a65754dacdcffe2c3607c8b561183da367f3fd7bd366e85fb05d301a7ae07a6",
"version": 6
"sha256": "20cc6568ccfe584a934546ca41589195cc38d5c9c159424b793f04f55910382e",
"version": 7
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"rule_name": "Persistence via BITS Job Notify Cmdline",
@@ -2554,8 +2662,8 @@
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "4bbe86d4477f58024b62e8f44eeea5e38812e479cbde03a5c0c0490faffd3362",
"version": 6
"sha256": "0a3aa3ec4774795554e8be4d9db16b5aa97c1afe8673071bc15ecad2042067df",
"version": 7
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
@@ -2568,9 +2676,17 @@
"version": 1
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747",
"version": 6
}
},
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747",
"version": 6
"sha256": "de718fed93c2314061daddd300ddb5e01064210ddc42d687fcdd988aa2595d5a",
"version": 7
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
@@ -2638,9 +2754,17 @@
"version": 6
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef",
"version": 5
}
},
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef",
"version": 5
"sha256": "734ba85eb72a8c8167a1247c75d48bbd9abb0a9954f8a357a20017258da978de",
"version": 6
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"rule_name": "Execution from Unusual Directory - Command Line",
@@ -2652,6 +2776,11 @@
"sha256": "8e0d01f097a813b149534720764b6fdbd833f36728870e242c7c1292ba2dc249",
"version": 3
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "67cfb91d3d8841c32d03177a3739af0c3715b1fd530dcb0ed114e0a0eb326dba",
"version": 1
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
@@ -2791,8 +2920,8 @@
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "50110a30804c91bf54051c533e4bb8373a0ba5e6aedc4c16effdc46ba981e7b0",
"version": 6
"sha256": "2d8957ba5a8d444bcd904025089be6e4eb710b93e029b4242316d5e95274facb",
"version": 7
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -2855,7 +2984,7 @@
"7.13.0": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf",
"version": 3
"version": 5
}
},
"rule_name": "Whitespace Padding in Process Command Line",
@@ -2920,8 +3049,8 @@
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "130151f602969550133acea2f7f0a293ceb2a61df7dd0bddab3e6b0e33f57247",
"version": 7
"sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f",
"version": 8
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
@@ -2939,9 +3068,17 @@
"version": 6
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82",
"version": 6
}
},
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82",
"version": 6
"sha256": "aea30c3bf1eb96e0c6f0c64da484ca2310b1ae26e8679030c0a30a8058982a77",
"version": 7
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
@@ -3118,6 +3255,11 @@
"sha256": "0f27489f0578b5596891555022bb25c63bfe725160ab7d93c8c02efb92a40463",
"version": 3
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "f0a670474705007080338bcdc2ff9dec4c682a56928d8d3979de42ce067eb005",
"version": 1
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "4f8fcc4f978c267b58a59c41a4e4f617ba6b8792e2aa22fb26f971279ea9f8cf",
@@ -3150,8 +3292,8 @@
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "627242cc631e03be3dd2bf3eb1450a9307dfa129ca22c999bda6e5f91f9cb8ef",
"version": 3
"sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d",
"version": 4
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
@@ -3263,6 +3405,11 @@
"sha256": "3d1669ea32950b0330c14ea0ed19dd4205c656d44f4860b304c3b103c487c717",
"version": 8
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "bb76fcc217e41bd48148eebf78438baeb8f5052ddfbce1cdd316a589d6b5d4a2",
"version": 1
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",