From e42fee2d843fe9dc6bb7a8a7c10212e735ec7626 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Jan 2022 13:54:18 -0900
Subject: [PATCH] Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 (#1732)
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0
Co-authored-by: brokensound77
---
 etc/deprecated_rules.json | 5 +
 etc/version.lock.json | 331 +++++++++++++++++++++++++++-----------
 2 files changed, 244 insertions(+), 92 deletions(-)
diff --git a/etc/deprecated_rules.json b/etc/deprecated_rules.json
index 305c15b92..508992bb8 100644
--- a/etc/deprecated_rules.json
+++ b/etc/deprecated_rules.json
@@ -129,6 +129,11 @@
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
 "stack_version": "7.14.0"
 },
+ "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
+ "deprecation_date": "2022/01/12",
+ "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
+ "stack_version": "8.0"
+ },
 "e56993d2-759c-4120-984c-9ec9bb940fd5": {
 "deprecation_date": "2021/04/15",
 "rule_name": "RDP (Remote Desktop Protocol) to the Internet",
diff --git a/etc/version.lock.json b/etc/version.lock.json
index 7ac5bee41..c7c0baacf 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -127,8 +127,8 @@
 },
 "0a97b20f-4144-49ea-be32-b540ecc445de": {
 "rule_name": "Malware - Detected - Elastic Endgame",
- "sha256": "3a049155b9db34c38b264d58bdfd85d877c43f3e7608b71f9faa6362afb4d0c4",
- "version": 6
+ "sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2",
+ "version": 7
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
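Review bot: The new deprecation entry records `"stack_version": "8.0"` while the neighbouring entries in this hunk use the three-component form `"stack_version": "7.14.0"`, so any consumer that compares these strings as full versions (or keys on them) may treat the two formats differently. The same mix appears in etc/version.lock.json, where the added entries carry `"min_stack_version": "8.0"` next to the existing `"min_stack_version": "7.13.0"` and the `"previous"` maps keyed by `"7.13.0"`. Since the commit is authored by the lock bot, the normalization presumably belongs in the tooling that emits these files rather than in a hand edit; either way, one canonical form such as `"stack_version": "8.0.0"` would keep string comparisons and lookups consistent.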
@@ -140,6 +140,12 @@
 "sha256": "499dcd1aa2d62a15f68fa52d95b87511f7f4e14f24ffe83babb3e72e990ff81d",
 "version": 3
 },
+ "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
+ "min_stack_version": "8.0",
+ "rule_name": "Threat Intel Indicator Match",
+ "sha256": "437c87698788e433f03dba9a4ed5ed87cdedb826faa42b8035ba301cc2e5fed4",
+ "version": 1
+ },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
 "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
 "sha256": "88ba94c428250342f829c23c844e0d491354bb5b845c5a8caf1bdc92ab3faeca",
@@ -267,6 +273,11 @@
 "sha256": "8817ddfdb38379b4031a751743514e46c8a4e608c68ea79adf13a6aa11a09b2d",
 "version": 1
 },
+ "15a8ba77-1c13-4274-88fe-6bd14133861e": {
+ "rule_name": "Scheduled Task Execution at Scale via GPO",
+ "sha256": "e1d80d9e27fd401af4a1b5d71ca3c873fb759d8583008989b4a228c6df687655",
+ "version": 1
+ },
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
 "sha256": "50ec2f5b9815c5cc153531c5a3d35d9393e03eb4c668ffd62c97b1e2efd616ff",
@@ -297,6 +308,11 @@
 "sha256": "8ca91c7053d3f30c2c76188da11648bbc94aa5c68e2288ceaee0e6d942535fcf",
 "version": 5
 },
+ "16fac1a1-21ee-4ca6-b720-458e3855d046": {
+ "rule_name": "Startup/Logon Script added to Group Policy Object",
+ "sha256": "d4ae959f9ad85bcd8081e151eaf495d1b1e6297723b6b7cfecee70697ae4d9ad",
+ "version": 1
+ },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "rule_name": "Unusual Windows Username",
 "sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4",
@@ -384,8 +400,8 @@
 },
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "rule_name": "Incoming Execution via WinRM Remote Shell",
- "sha256": "3d74f5205bbde325b86c72bf634ffba8648e208a314cff8e74be0aed2836eede",
- "version": 3
+ "sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791",
+ "version": 4
 },
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "rule_name": "Remote File Download via Script Interpreter",
@@ -429,8 +445,8 @@
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "rule_name": "Exploit - Detected - Elastic Endgame",
- "sha256": "756f8e566860406a290ee07a4ac7b9b2481347bf2d2ec4f6a524d3c65fcb86cb",
- "version": 6
+ "sha256": "f2122f6b1acdab49ad7f6bfc06655f446578271776fd3cf5b24413d055341f10",
+ "version": 7
 },
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "rule_name": "Suspicious .NET Code Compilation",
@@ -514,8 +530,8 @@
 },
 "2772264c-6fb9-4d9d-9014-b416eed21254": {
 "rule_name": "Incoming Execution via PowerShell Remoting",
- "sha256": "39f270dbc3e0b1d4c31b5bec7ee74a66f9bf12b4d37023562cf649f4e232e779",
- "version": 3
+ "sha256": "25e969879796bbb0d8b68a24c97e5ec6505eced63d6971bc75ee9454d104b3d4",
+ "version": 4
 },
 "2783d84f-5091-4d7d-9319-9fceda8fa71b": {
 "rule_name": "GCP Firewall Rule Modification",
@@ -539,8 +555,8 @@
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Elastic Endgame",
- "sha256": "9edd40f31e655a0aecf8ed56d1b078ab5d082338fbe220bcc463b64d0d384ac3",
- "version": 6
+ "sha256": "148f9ae24ebe6ecc8e536ef7c3a01267783438c802cd162447623fe2a303902e",
+ "version": 7
 },
 "28896382-7d4f-4d50-9b72-67091901fd26": {
 "rule_name": "Suspicious Process from Conhost",
@@ -589,8 +605,8 @@
 },
 "2de10e77-c144-4e69-afb7-344e7127abd0": {
 "rule_name": "O365 Excessive Single Sign-On Logon Errors",
- "sha256": "4bc52c3a4d918cc293e0ac2f21ad95122031ace364c0445d22a4f6b3279dadab",
- "version": 2
+ "sha256": "4e5ff52ed8fdbabd1d8fc01191105a74215d848b0181d0c588b5ace7bb0dbf46",
+ "version": 3
 },
 "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
 "rule_name": "Renamed AutoIt Scripts Interpreter",
@@ -599,8 +615,8 @@
 },
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "rule_name": "Potential Process Injection via PowerShell",
- "sha256": "138fe1b7a99e1fd40f2db4ca5086754aa15d9dadff790a9a0a03cc783b71f003",
- "version": 1
+ "sha256": "5ca7f98d19a4d9431200fdb6eba8a591bb202717b60a130137f203d98c24cf21",
+ "version": 2
 },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "rule_name": "Halfbaked Command and Control Beacon",
@@ -613,14 +629,14 @@
 "version": 2
 },
 "2f0bae2d-bf20-4465-be86-1311addebaa3": {
- "rule_name": "GCP Kubernetes Rolebindings Created or Patched ",
+ "rule_name": "GCP Kubernetes Rolebindings Created or Patched",
 "sha256": "7610e908f43c07edb189e630d82850923bd31af83e007f3db90a5d6bd62e4536",
 "version": 1
 },
 "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
- "sha256": "fc6e63e3e6c873bd2ccac6ea93c2965d107641d4c739c682f6ad19f74d4eeb40",
- "version": 2
+ "sha256": "877044d765d5091e0cefc0b0db367a269916db834ea839d61af7965d888d5611",
+ "version": 3
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
@@ -800,8 +816,8 @@
 },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "rule_name": "Malware - Prevented - Elastic Endgame",
- "sha256": "1e6bcd8c9bc347e916e73bbf5adc8c3bc7b5951a8bd471197b2bd3ef22e72921",
- "version": 6
+ "sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c",
+ "version": 7
 },
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "rule_name": "Unusual Parent Process for cmd.exe",
@@ -896,8 +912,8 @@
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "rule_name": "Permission Theft - Prevented - Elastic Endgame",
- "sha256": "be37d4430c577f95dcc6955d7df5454d2ce79665a551e5d27afa5b483049ccb1",
- "version": 6
+ "sha256": "ca60e2e85601f7d1db4c009cc581db67e2f3e9ecae3df43a4713b067f9c9a6fb",
+ "version": 7
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "rule_name": "Windows Event Logs Cleared",
@@ -1017,8 +1033,8 @@
 },
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "7630fc43d6168922d8fd4af707b3c7778f38e7800a563e631c6d332e7022d42a",
- "version": 4
+ "sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4",
+ "version": 5
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "rule_name": "AWS GuardDuty Detector Deletion",
@@ -1095,6 +1111,11 @@
 "sha256": "57391425e8c8e4d0c0c905061d6a9cf78cc26d40e4ff5aaf1afc44d6d4c2761f",
 "version": 5
 },
+ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
+ "rule_name": "PowerShell PSReflect Script",
+ "sha256": "86329a97344d57daff770fd9195eb9f6991826eb7630f321cdc1631692abebca",
+ "version": 1
+ },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "rule_name": "VNC (Virtual Network Computing) from the Internet",
 "sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab",
@@ -1102,8 +1123,8 @@
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "rule_name": "Credential Dumping - Detected - Elastic Endgame",
- "sha256": "adb1c5873c29391a82b5763b8006396d122797154d046175018644669e6855c8",
- "version": 6
+ "sha256": "16a81e4dd634888d573b513f92f341b62b0dd86237883db37a35e77ebf1fde1f",
+ "version": 7
 },
 "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
 "rule_name": "Azure Virtual Network Device Modified or Deleted",
@@ -1112,8 +1133,8 @@
 },
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "rule_name": "PowerShell MiniDump Script",
- "sha256": "b999bfa6dc8a8d8f14e743eb6e0302ca11572bd4796276fd7435bb8053c8a539",
- "version": 2
+ "sha256": "39d651294ad23b72fb2617d6b7b25da704b7ebf8b705c19798e2e326d8eda681",
+ "version": 3
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1132,8 +1153,13 @@
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "rule_name": "Lateral Tool Transfer",
- "sha256": "837e80276905c148e4debb9b11b169a1b05bfc70fd046da13a7bb9ae8b2ea042",
- "version": 3
+ "sha256": "3879f384221103f101d7c1c2cc0d549e9b6fb16338e554b2fefaa36d2581debb",
+ "version": 4
+ },
+ "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
+ "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
+ "sha256": "c4966675fed8b27f672aca65ba0bac58e7c0b6d3f47cfc4805b4d1b9a95e4bba",
+ "version": 1
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
@@ -1237,8 +1263,8 @@
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "45ec69750e919eff495ec3f4ce1f96597c51759b9130ed238b82dcdc5888ed6a",
- "version": 2
+ "sha256": "00b90b0ba27de6d77f053e3242f675290c5e1ed3b05fafe8db72007267abd075",
+ "version": 3
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -1247,8 +1273,8 @@
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "76323de0ef3251b57c93619ffbeb7dfd3363e839a589f393ff44c2f9d86cd92c",
- "version": 4
+ "sha256": "3203c65eec92dee9e1303d21081ea604077f14bd31a3c941ae581c791d450c18",
+ "version": 5
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
@@ -1282,8 +1308,8 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "4e71078c218cc670c114032d04b1a3631cdf38e7c5225829a6268c569fce9bf6",
- "version": 5
+ "sha256": "75262fa3fdb8bf3a911f98cd5eaaa2ba57b2d538692b1b002372f00a8534219b",
+ "version": 6
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
 "rule_name": "Suspicious macOS MS Office Child Process",
@@ -1295,6 +1321,11 @@
 "sha256": "d93bdd2f8eda2395c9b8ab7c737460f2201732e3176d605b489d38221cd18bfb",
 "version": 6
 },
+ "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
+ "rule_name": "O365 Mailbox Audit Logging Bypass",
+ "sha256": "4c45673d1e1ee1af8cfda15ceaafcad3f4571383ebfdce45289fa32c4c915d73",
+ "version": 1
+ },
 "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
 "rule_name": "Attempt to Revoke Okta API Token",
 "sha256": "d6726a1a5d3a598df105d959b2d8d7b02e10a98c4e8c5f0f47e124bb5d1fab62",
@@ -1332,9 +1363,17 @@
 "version": 6
 },
 "68994a6c-c7ba-4e82-b476-26a26877adf6": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace Admin Role Assigned to a User",
+ "sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22",
+ "version": 5
+ }
+ },
 "rule_name": "Google Workspace Admin Role Assigned to a User",
- "sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22",
- "version": 5
+ "sha256": "afd34ab4f1d7e038c874333fd83de248c0b54d625f489e74359f3ce4ec9ac71b",
+ "version": 6
 },
 "689b9d57-e4d5-4357-ad17-9c334609d79a": {
 "rule_name": "Scheduled Task Created by a Windows Script",
@@ -1351,6 +1390,12 @@
 "sha256": "b5812117895d475376f16cb41ebfb385fdbec5034340b59f60e3dcdf71bc0a6d",
 "version": 4
 },
+ "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
+ "min_stack_version": "8.0",
+ "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
+ "sha256": "f919b1cd06b017360565a34377bada8062d0bf8828ae7faa981a34c5acda69e4",
+ "version": 1
+ },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
 "sha256": "22d2bd68a5cc0620132227498ac239156162cfc2774f84b41d0ed7c5733f71fe",
@@ -1417,9 +1462,17 @@
 "version": 8
 },
 "6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace Role Modified",
+ "sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1",
+ "version": 5
+ }
+ },
 "rule_name": "Google Workspace Role Modified",
- "sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1",
- "version": 5
+ "sha256": "33a6f2e64d79ebfed4fe0f1b4e5c4a7968b9b4941e11fa0cf720ef3810e38a15",
+ "version": 6
 },
 "7024e2a0-315d-4334-bb1a-441c593e16ab": {
 "rule_name": "AWS CloudTrail Log Deleted",
@@ -1519,13 +1572,21 @@
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "rule_name": "Adversary Behavior - Detected - Elastic Endgame",
- "sha256": "19409ce1476a107a8db2f50aa91ed8c037a8bbe6ee70d0977c3fc8292ccf8116",
- "version": 6
+ "sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3",
+ "version": 7
 },
 "785a404b-75aa-4ffd-8be5-3334a5a544dd": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Application Added to Google Workspace Domain",
+ "sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9",
+ "version": 5
+ }
+ },
 "rule_name": "Application Added to Google Workspace Domain",
- "sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9",
- "version": 5
+ "sha256": "ab5ac05b1f57b0e9a197d51506441eee921132528fde66e99b64021454556e71",
+ "version": 6
 },
 "7882cebf-6cf1-4de3-9662-213aa13e8b80": {
 "rule_name": "Azure Privilege Identity Management Role Modified",
@@ -1589,14 +1650,19 @@
 },
 "80c52164-c82a-402c-9964-852533d58be1": {
 "rule_name": "Process Injection - Detected - Elastic Endgame",
- "sha256": "9797df2e79190ab1940fe7d8adba5122b86c7a24ca42aea3da9e38cff1e60c9c",
- "version": 6
+ "sha256": "1664db594a454af4890a7ec808978fdd268088b8b9f21f3956900c607de66cd3",
+ "version": 7
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
 "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
 "version": 8
 },
+ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
+ "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
+ "sha256": "93fb092a27b030f89e8c30342d19c565a157fd830768461905c8aaade93a24ce",
+ "version": 1
+ },
 "827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
 "rule_name": "Apple Scripting Execution with Administrator Privileges",
 "sha256": "f77cf6a6f9ef86b2152b36bf3811485d39bf9c62dcaa02fb0df6c2233cdc8019",
@@ -1721,13 +1787,13 @@
 },
 "8c81e506-6e82-4884-9b9a-75d3d252f967": {
 "rule_name": "Potential SharpRDP Behavior",
- "sha256": "cab3788fbfcefb5b2d4e6f079053f5ba19197d35730d9544a8bd0dce2ef4a1bb",
- "version": 4
+ "sha256": "314d9edaa3b6514c606e7542ce9913e3b0dde35897bb2a42cd4dde5e4629188b",
+ "version": 5
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "rule_name": "Ransomware - Detected - Elastic Endgame",
- "sha256": "33de74bdefea7d1b2dad684d309c2eb9374ad0936d168a1b3fbb74680c12c7c4",
- "version": 7
+ "sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001",
+ "version": 8
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "rule_name": "Azure Automation Runbook Deleted",
@@ -1741,8 +1807,8 @@
 },
 "8f919d4b-a5af-47ca-a594-6be59cd924a4": {
 "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
- "sha256": "0ca71ba980d30920612bc3871064629dccd38832867566b7c179934bb0bf1803",
- "version": 4
+ "sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d",
+ "version": 5
 },
 "8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
 "rule_name": "GCP Service Account Deletion",
@@ -1820,9 +1886,17 @@
 "version": 4
 },
 "93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace Admin Role Deletion",
+ "sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b",
+ "version": 5
+ }
+ },
 "rule_name": "Google Workspace Admin Role Deletion",
- "sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b",
- "version": 5
+ "sha256": "7f3e1672e2c15b1f4386242655493bbd483c0c30d377b65c94cadf17d5dbb100",
+ "version": 6
 },
 "93f47b6f-5728-4004-ba00-625083b3dcb0": {
 "rule_name": "Modification of Standard Authentication Module or Configuration",
@@ -1831,8 +1905,13 @@
 },
 "954ee7c8-5437-49ae-b2d6-2960883898e9": {
 "rule_name": "Remote Scheduled Task Creation",
- "sha256": "e26d4edde4870c10ccebc081c4ee7c5fc5606da903cb53da92b76f355be04871",
- "version": 5
+ "sha256": "403e3baaa2cb611b3b2f78ea9736c8cccf88fe56344b692f47e537258fdf1c83",
+ "version": 6
+ },
+ "959a7353-1129-4aa7-9084-30746b256a70": {
+ "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
+ "sha256": "73d69ad8db402c30d7757ba2ed5bd2a7c3aa182a2bdf601f3a6c968bfb8d0f3a",
+ "version": 1
 },
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "rule_name": "Attempt to Create Okta API Token",
@@ -1891,8 +1970,8 @@
 },
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
 "rule_name": "Process Injection - Prevented - Elastic Endgame",
- "sha256": "6c9b748e3f01290624bc50f190eed75daed4f30b7e43c92e8259cbeeb8436d60",
- "version": 6
+ "sha256": "c8e41a6bd406b08af3b150d25058d4cd83f887d58e6e7b13f25c6a8cbfe3dba5",
+ "version": 7
 },
 "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
 "rule_name": "macOS Installer Spawns Network Event",
@@ -1977,8 +2056,8 @@
 },
 "9d19ece6-c20e-481a-90c5-ccca596537de": {
 "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
- "sha256": "57a21909bc81e2d66277f26faab338f1b36d8a88c1b74f785409bc935b3533ca",
- "version": 2
+ "sha256": "85c51be85ab3d5663e311b2549849c31b9da10cb4e8c76762efa8ef23aa601fe",
+ "version": 3
 },
 "9d302377-d226-4e12-b54c-1906b5aec4f6": {
 "rule_name": "Unusual Linux Process Calling the Metadata Service",
@@ -2091,9 +2170,17 @@
 "version": 4
 },
 "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace Password Policy Modified",
+ "sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051",
+ "version": 6
+ }
+ },
 "rule_name": "Google Workspace Password Policy Modified",
- "sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051",
- "version": 6
+ "sha256": "7741aa9c38ba126329fbb075496847374a2dd8d65aadd49aa25b7f0f00e6aeb5",
+ "version": 7
 },
 "a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
 "rule_name": "Persistence via Hidden Run Key Detected",
@@ -2117,8 +2204,8 @@
 },
 "aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
 "rule_name": "Remotely Started Services via RPC",
- "sha256": "54bef8370cf390fe72e2b52304b62e21884c0c7179d4c13410639871004ac20b",
- "version": 3
+ "sha256": "d9ef79e203bf39157dce4e28b94d8ecc9a2863e1171d5003948421ce236c9a2e",
+ "version": 4
 },
 "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
 "rule_name": "Remote Execution via File Shares",
@@ -2146,9 +2233,17 @@
 "version": 7
 },
 "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
+ "sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3",
+ "version": 5
+ }
+ },
 "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
- "sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3",
- "version": 5
+ "sha256": "3d8eab60bf795ae6756c1c6058a7c1be2eb14e1c1777a7b4bda27e1906206c95",
+ "version": 6
 },
 "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
 "rule_name": "Potential Command and Control via Internet Explorer",
@@ -2171,14 +2266,22 @@
 "version": 8
 },
 "ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace Custom Admin Role Created",
+ "sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
+ "version": 5
+ }
+ },
 "rule_name": "Google Workspace Custom Admin Role Created",
- "sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
- "version": 5
+ "sha256": "72ff218857ba09e7c08970ebc6cdfcba3cd1dd4f0711dbd403b074fee911011c",
+ "version": 6
 },
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
- "sha256": "ba03ecde11ee9756cf4bc61082aacb53ef480e292542908388652d2925356984",
- "version": 2
+ "sha256": "e02ae67b6c66cfc725340e822acb44653e568a7c1b55eb13818f26c296c0e0c2",
+ "version": 3
 },
 "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
 "rule_name": "Kerberos Cached Credentials Dumping",
@@ -2300,6 +2403,11 @@
 "sha256": "051717de0f6c9db9ae1ebe6405e072627948848da2868a8c0deb5e624f0cd2e5",
 "version": 4
 },
+ "b9554892-5e0e-424b-83a0-5aef95aa43bf": {
+ "rule_name": "Group Policy Abuse for Privilege Addition",
+ "sha256": "48033f00317b95d1da86910a9dab3762505133df9f57dbf96a0b2c8655d3a398",
+ "version": 1
+ },
 "b9666521-4742-49ce-9ddc-b8e84c35acae": {
 "min_stack_version": "7.13.0",
 "rule_name": "Creation of Hidden Files and Directories",
@@ -2363,8 +2471,8 @@
 },
 "bd2c86a0-8b61-4457-ab38-96943984e889": {
 "rule_name": "PowerShell Keylogging Script",
- "sha256": "6de3949ae76af02e913b9d9e042f0c9be3954889ba3313023c533e1976fa86cf",
- "version": 1
+ "sha256": "18faa21bc0f6c818f73f17476196b45b9c3f95e45e55141708245a7f21667c2e",
+ "version": 2
 },
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
@@ -2398,8 +2506,8 @@
 },
 "c0be5f31-e180-48ed-aa08-96b36899d48f": {
 "rule_name": "Credential Manipulation - Detected - Elastic Endgame",
- "sha256": "12a78ccad8ab58509933133ec1744e27bf37d404718c54a47f796a7e6eb86180",
- "version": 6
+ "sha256": "b8e01edc11020238557b88b3db52fb1b046d6704ecec3c71606e6d560684c076",
+ "version": 7
 },
 "c1812764-0788-470f-8e74-eb4a14d47573": {
 "rule_name": "AWS EC2 Full Network Packet Capture Detected",
@@ -2418,8 +2526,8 @@
 },
 "c292fa52-4115-408a-b897-e14f684b3cb7": {
 "rule_name": "Persistence via Folder Action Script",
- "sha256": "7ae7840be1d7ddc5db5b1d13b765d54ab085321f8b3b77ebda3d58548c503573",
- "version": 3
+ "sha256": "ab6c806117ab8f06a992321c114ddfe378ad6f83439ab3b977a52868201c48aa",
+ "version": 4
 },
 "c2d90150-0133-451c-a783-533e736c12d7": {
 "rule_name": "Mshta Making Network Connections",
@@ -2428,8 +2536,8 @@
 },
 "c3167e1b-f73c-41be-b60b-87f4df707fe3": {
 "rule_name": "Permission Theft - Detected - Elastic Endgame",
- "sha256": "4a65754dacdcffe2c3607c8b561183da367f3fd7bd366e85fb05d301a7ae07a6",
- "version": 6
+ "sha256": "20cc6568ccfe584a934546ca41589195cc38d5c9c159424b793f04f55910382e",
+ "version": 7
 },
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "rule_name": "Persistence via BITS Job Notify Cmdline",
@@ -2554,8 +2662,8 @@
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
- "sha256": "4bbe86d4477f58024b62e8f44eeea5e38812e479cbde03a5c0c0490faffd3362",
- "version": 6
+ "sha256": "0a3aa3ec4774795554e8be4d9db16b5aa97c1afe8673071bc15ecad2042067df",
+ "version": 7
 },
 "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
@@ -2568,9 +2676,17 @@
 "version": 1
 },
 "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Google Workspace MFA Enforcement Disabled",
+ "sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747",
+ "version": 6
+ }
+ },
 "rule_name": "Google Workspace MFA Enforcement Disabled",
- "sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747",
- "version": 6
+ "sha256": "de718fed93c2314061daddd300ddb5e01064210ddc42d687fcdd988aa2595d5a",
+ "version": 7
 },
 "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
 "rule_name": "Suspicious Calendar File Modification",
@@ -2638,9 +2754,17 @@
 "version": 6
 },
 "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "Domain Added to Google Workspace Trusted Domains",
+ "sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef",
+ "version": 5
+ }
+ },
 "rule_name": "Domain Added to Google Workspace Trusted Domains",
- "sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef",
- "version": 5
+ "sha256": "734ba85eb72a8c8167a1247c75d48bbd9abb0a9954f8a357a20017258da978de",
+ "version": 6
 },
 "cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
 "rule_name": "Execution from Unusual Directory - Command Line",
@@ -2652,6 +2776,11 @@
 "sha256": "8e0d01f097a813b149534720764b6fdbd833f36728870e242c7c1292ba2dc249",
 "version": 3
 },
+ "d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
+ "rule_name": "Symbolic Link to Shadow Copy Created",
+ "sha256": "67cfb91d3d8841c32d03177a3739af0c3715b1fd530dcb0ed114e0a0eb326dba",
+ "version": 1
+ },
 "d2053495-8fe7-4168-b3df-dad844046be3": {
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
 "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
@@ -2791,8 +2920,8 @@
 },
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "rule_name": "Credential Dumping - Prevented - Elastic Endgame",
- "sha256": "50110a30804c91bf54051c533e4bb8373a0ba5e6aedc4c16effdc46ba981e7b0",
- "version": 6
+ "sha256": "2d8957ba5a8d444bcd904025089be6e4eb710b93e029b4242316d5e95274facb",
+ "version": 7
 },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
 "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -2855,7 +2984,7 @@
 "7.13.0": {
 "rule_name": "Whitespace Padding in Process Command Line",
 "sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf",
- "version": 3
+ "version": 5
 }
 },
 "rule_name": "Whitespace Padding in Process Command Line",
@@ -2920,8 +3049,8 @@
 },
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "rule_name": "Ransomware - Prevented - Elastic Endgame",
- "sha256": "130151f602969550133acea2f7f0a293ceb2a61df7dd0bddab3e6b0e33f57247",
- "version": 7
+ "sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f",
+ "version": 8
 },
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
@@ -2939,9 +3068,17 @@
 "version": 6
 },
 "e555105c-ba6d-481f-82bb-9b633e7b4827": {
+ "min_stack_version": "8.0",
+ "previous": {
+ "7.13.0": {
+ "rule_name": "MFA Disabled for Google Workspace Organization",
+ "sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82",
+ "version": 6
+ }
+ },
 "rule_name": "MFA Disabled for Google Workspace Organization",
- "sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82",
- "version": 6
+ "sha256": "aea30c3bf1eb96e0c6f0c64da484ca2310b1ae26e8679030c0a30a8058982a77",
+ "version": 7
 },
 "e56993d2-759c-4120-984c-9ec9bb940fd5": {
 "rule_name": "RDP (Remote Desktop Protocol) to the Internet",
@@ -3118,6 +3255,11 @@
 "sha256": "0f27489f0578b5596891555022bb25c63bfe725160ab7d93c8c02efb92a40463",
 "version": 3
 },
+ "f0bc081a-2346-4744-a6a4-81514817e888": {
+ "rule_name": "Azure Alert Suppression Rule Created or Modified",
+ "sha256": "f0a670474705007080338bcdc2ff9dec4c682a56928d8d3979de42ce067eb005",
+ "version": 1
+ },
 "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
 "rule_name": "Execution with Explicit Credentials via Scripting",
 "sha256": "4f8fcc4f978c267b58a59c41a4e4f617ba6b8792e2aa22fb26f971279ea9f8cf",
@@ -3150,8 +3292,8 @@
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "rule_name": "WMI Incoming Lateral Movement",
- "sha256": "627242cc631e03be3dd2bf3eb1450a9307dfa129ca22c999bda6e5f91f9cb8ef",
- "version": 3
+ "sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d",
+ "version": 4
 },
 "f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
 "rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
@@ -3263,6 +3405,11 @@
 "sha256": "3d1669ea32950b0330c14ea0ed19dd4205c656d44f4860b304c3b103c487c717",
 "version": 8
 },
+ "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
+ "rule_name": "Microsoft Windows Defender Tampering",
+ "sha256": "bb76fcc217e41bd48148eebf78438baeb8f5052ddfbce1cdd316a589d6b5d4a2",
+ "version": 1
+ },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
 "sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",