From f2291e0261d966bac3e0dccc0c72153b694f19db Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 1 Sep 2025 23:19:12 +0530 Subject: [PATCH] Lock versions for releases: 8.18,8.19,9.0,9.1 (#5049) --- detection_rules/etc/version.lock.json | 616 ++++++++++++++++---------- docs-dev/ATT&CK-coverage.md | 6 + pyproject.toml | 2 +- 3 files changed, 388 insertions(+), 236 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 06f9b6532..f690cbba2 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -143,11 +143,17 @@ "type": "threshold", "version": 6 }, + "03d856c2-7f74-4540-a530-e20af5e39789": { + "rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location", + "sha256": "85f6ccd81f36a92f7718a52d0838520307a344ee3c5d3b2cd65ce190375f97ab", + "type": "eql", + "version": 1 + }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { - "rule_name": "First Time AWS Cloudformation Stack Creation by User", - "sha256": "07114abfce80c7aa9a9f8cb39ad2415dd0cae3778839c72e41829c6f097c12f2", + "rule_name": "First Time AWS CloudFormation Stack Creation", + "sha256": "c14f634ac8d501f56487a54ce3e10ac740ec26bf38940489dbec0b47239e883a", "type": "new_terms", - "version": 4 + "version": 5 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", @@ -181,9 +187,9 @@ }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "84d5531bdbf795107ecae61736bf7b63596d94893801151c749ee0c8f4e084b0", + "sha256": "30d23f6e345652ddecf8a6ccafdc4a3f18af50c9a8ecef16578e14094e8d3d55", "type": "eql", - "version": 214 + "version": 215 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", 
@@ -253,9 +259,9 @@ }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", - "sha256": "949a6bb4b164236463f95b2e101167c0be11c0d5be963eb728236f41699f3484", + "sha256": "6ca7734eae8382f1a540c93eb25ee68b216e6cafef14039079486562079a8960", "type": "eql", - "version": 217 + "version": 218 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Prevented- Elastic Defend", @@ -283,9 +289,9 @@ }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "229c0112fc3dcc1af967f9b118e40ca8535f64878b204c8a2bc9a6e12bb8d6c1", + "sha256": "0ac96c06799e64900c4d1cc6dc9d7375c5be2979e8aa15d398cefbd5a2eb8f08", "type": "eql", - "version": 316 + "version": 317 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", @@ -511,9 +517,9 @@ }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Microsoft Entra ID Suspicious Session Reuse to Graph Access", - "sha256": "5d51cd77e355a15effce25681d7c34951a0d647ed54067f8a00cecb2d06c3894", + "sha256": "b32f370c015bc87d3327691efb6c5857e5df2ea848afca06a613dea840949d2c", "type": "esql", - "version": 4 + "version": 5 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", @@ -655,9 +661,9 @@ }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "dcc2089c76b526dda1a6a6eba845429ae0b03d49758084f7bf47b81196fb4d22", + "sha256": "2f9c6ebcc168fd73263677e3306698c105ac5996bf07026b2d5b29808c561a63", "type": "eql", - "version": 215 + "version": 216 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", 
@@ -685,9 +691,9 @@ }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "c675b428cb1b5e8315898c4e8c81f1c75fc231bce329e171d1c9627bb26b3ab5", + "sha256": "064c4ddec156a1b2ea065455a460a17c81974239e07c623f01ea2d4f20bba2d5", "type": "eql", - "version": 215 + "version": 216 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", @@ -739,9 +745,9 @@ }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "d203097f58b8e168bcc093a670446920cb532d84655f7900920c31ab3a2e2681", + "sha256": "505e0b601d7587cbd3f1b7ee9245a75299117258243f44320f661a6adb73c77f", "type": "eql", - "version": 208 + "version": 209 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", @@ -805,9 +811,9 @@ }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", - "sha256": "72e2d00d033be843d021b8bb2c9920a168036a2fc2fcf132cdbbe88886ddeefc", + "sha256": "1f2420c1ad0345dcb66852c413a62f765e3499a3c4dbb67f3b14a010ae460a3f", "type": "eql", - "version": 106 + "version": 107 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", @@ -817,9 +823,9 @@ }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "bdb4c9f8d8a8ac1a86aff12628c863543653b5d6411c5238aad5b1497d764179", + "sha256": "233001ab1d4e9b16df6638802a83a9ccf377e3ef2380ef7d548ee980f5dcaee6", "type": "eql", - "version": 314 + "version": 315 }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Microsoft Entra ID OAuth Phishing via Visual Studio Code Client", 
@@ -979,9 +985,9 @@ }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "6c0b709419e710b9953271ff0aa4b3e8b65f2d986d5c626cd89a69f0d43d4fba", + "sha256": "6a4e0d226a0e94d9c32967bd9845977a3fafe731a2a258747c1b249a55c4b049", "type": "eql", - "version": 214 + "version": 215 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", @@ -991,9 +997,9 @@ }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "8e9050616bc785d696c0a88bef0934bebc593c6d8d175e23e21d7e9021e4a63b", + "sha256": "132e35479cdc72c87bced9eb39159645e0dac333bed9e051208ed8838a8863bc", "type": "eql", - "version": 206 + "version": 207 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", @@ -1073,11 +1079,17 @@ "type": "query", "version": 105 }, + "1a3f2a4c-12d0-4b88-961a-2711ee295637": { + "rule_name": "Potential System Tampering via File Modification", + "sha256": "7c83bc5eaa2a069cb0d447c66e1c513d530dd45bc557a9d026acd112fe4dc407", + "type": "eql", + "version": 1 + }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", - "sha256": "1a3e8476d4f29cc1926353b07c1fdd031fdbb1f8b96af2e5d52b171b37919c51", + "sha256": "0755b62a96de7d1a62ad93b17b76d05e799c2288c120223dc3afbfaece5d8c4c", "type": "eql", - "version": 316 + "version": 317 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", @@ -1147,9 +1159,9 @@ }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "921f844de42402e057a22237ec95b488f34123e89ca610c7e7ea344ef489406e", + "sha256": "6acfd449e15d1064ff19e9f8a3ed2f814e77e39a7baa5be696eb049d192e2fe6", "type": "eql", - "version": 212 + "version": 213 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", 
@@ -1189,9 +1201,9 @@ }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "85c47614e49fdd4cc5e906d6689c5bba31ef6955b8deea8762efdeca71bd3a36", + "sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b", "type": "eql", - "version": 315 + "version": 316 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", @@ -1279,9 +1291,9 @@ }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "38724353e2d175e82b9c7c4753a791e19c86f84761694f541d34bdee579710e2", + "sha256": "4464c8de4f4905d81bb1c5f492987ef4c8032d9738d50bf6d5b533da1da754a2", "type": "eql", - "version": 217 + "version": 218 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", @@ -1321,9 +1333,9 @@ }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "89d7847a3db1044dc8f26c9801b942c6a1f47e95d22d2f7efbe3fe29b1ec8b13", + "sha256": "5268893db28ba2b8355e2703a825d92212770bc7a639a48c747da8fe62a6814c", "type": "eql", - "version": 205 + "version": 206 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", @@ -1427,6 +1439,13 @@ "type": "eql", "version": 2 }, + "23e5407a-b696-4433-9297-087645f2726c": { + "min_stack_version": "8.18", + "rule_name": "Potential NTLM Relay Attack against a Computer Account", + "sha256": "49224a1d4f9dd6793aaf01e3e60bbd0e26b0c0efa3fdd05e7a58bac235c0d5f0", + "type": "eql", + "version": 1 + }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "7bd6191d375f8df11be8e1f01eb80fe5ccf783a1431539a5f1a404e9b571a5f6", 
@@ -1482,10 +1501,10 @@ "version": 10 }, "263481c8-1e9b-492e-912d-d1760707f810": { - "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "17d89e56d6719312b3e23d3e490ba96ba592165822f93f400684d9ce19d1151b", + "rule_name": "Potential Computer Account Relay Activity", + "sha256": "7af6eb523b372859247ef0451c75064ef4ca7565d53c8411bf0e615e646bc87a", "type": "eql", - "version": 107 + "version": 108 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", @@ -1567,9 +1586,9 @@ }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "26034bdbca84819d08621e81f45335b6b0a5a4b72080897d89583cfad64df74d", + "sha256": "0b92fa2b539cd8298139f4fc871d9deaf90e1cfeee5e16fdca9e0246f72e12f3", "type": "eql", - "version": 213 + "version": 214 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", @@ -1723,9 +1742,9 @@ }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Adobe Hijack Persistence", - "sha256": "d20b930d0698bcfde127293a8d380235b942f25939ffd596b4d87e38d458783c", + "sha256": "5cabd557042d3452a4bd6b95008843d8d496d4c913bc33f5c9109c6df32a7080", "type": "eql", - "version": 417 + "version": 418 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", @@ -1735,9 +1754,9 @@ }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "1b2f902bc0a8a236c2c2b108edff984f97860387104c74f5adff4df977b1268b", + "sha256": "94590de540b69a69312f51d1f069adec57f1c9744166166497c75c55d812574e", "type": "eql", - "version": 213 + "version": 214 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", 
@@ -1751,11 +1770,18 @@ "type": "new_terms", "version": 1 }, + "2d58f67c-156e-480a-a6eb-a698fd8197ff": { + "min_stack_version": "8.18", + "rule_name": "Potential Kerberos Relay Attack against a Computer Account", + "sha256": "f447ca71b251486b3b8cedd1c5d1c3fd8ef2cc2d6d7fff0d4869dbe86bd982df", + "type": "eql", + "version": 1 + }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "a8452b808ef5b2d08e80de2855c7e515669631992be43640d6a9180a9e02c7d6", + "sha256": "02ff68c3e74a02dd1c10175b332be482843ce4eccac1fb124a8ca96b399b8705", "type": "eql", - "version": 205 + "version": 206 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected", @@ -1795,15 +1821,15 @@ }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "rule_name": "Potential File Transfer via Curl for Windows", - "sha256": "3d473967a6e3fcdccd67003f1811a136991bcf4f2b4607d126f17bf6fc6a17b5", + "sha256": "24a5a79f109f05bf21d2f754c52ffc6b254ada0f09dc5a17a35dc19a34885963", "type": "eql", - "version": 4 + "version": 5 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "346cfb86eb74a1e77bd73e70d038d603a95b362a252c0cdbe98266cdeee937f9", + "rule_name": "Renamed Automation Script Interpreter", + "sha256": "6a560a6ffcbba02c197efbaa1459015a7ee1a9f0dc30546961d0c558b4c86638", "type": "eql", - "version": 215 + "version": 216 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", 
@@ -1831,9 +1857,9 @@ }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", - "sha256": "b0040f38df0acd85061a162fd169552246f048373fcd3905d357f07fc127a73f", + "sha256": "fa987929fc52327c1216c3eb0cdeb12ad53aec394acd16dff1a1e3ade053edb0", "type": "eql", - "version": 313 + "version": 314 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", @@ -1907,11 +1933,17 @@ "type": "eql", "version": 7 }, + "30f9d940-7d55-4fff-a8b9-4715d20eb204": { + "rule_name": "Windows Script Execution from Archive", + "sha256": "9aa5c9aced2b2c00f42c467774366d05a2b8edd0dd84dcb6df6ffbac36efbebe", + "type": "eql", + "version": 1 + }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": "1e189d3fcfca63a6954d1c40800925fde0ad17a519c40b5597d485549a7eba69", + "sha256": "d0a538eca3e53a0b766d51bc2e1cfd3c7c34e55419b44ff625875fe71b156609", "type": "new_terms", - "version": 6 + "version": 7 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Agent Spoofing - Mismatched Agent ID", @@ -1927,9 +1959,9 @@ }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "500112ebb5a353695212139f9c2760832e232aa188e2881236150702af2b0931", + "sha256": "22a7b42cd7db90c18eec4376c4b459b6c966d9abf31f08e91303adf90d243eee", "type": "eql", - "version": 319 + "version": 320 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", 
@@ -1975,15 +2007,15 @@ }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "7470d9183ce2433624a34e3d26ef66ef89f44a88977db1b7cc0d60171ae98b2a", + "sha256": "a03ccf37c802b63d09323758b889879448364d3ce1787e95db677ef788265161", "type": "eql", - "version": 317 + "version": 318 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { - "rule_name": "Microsoft 365 Portal Login from Rare Location", - "sha256": "35696542d8565de72f72a07f8a3a81fc2761810088644fc2747203faf9780641", + "rule_name": "M365 Portal Login (Atypical Travel)", + "sha256": "cd8506a92089084d040969a20d1ccc5b2fb5736e176ba3fb3e6339a0ea066f53", "type": "new_terms", - "version": 5 + "version": 6 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", @@ -2053,9 +2085,9 @@ }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", - "sha256": "4b113b58bce04a2270ce67f7fbac427613ef2d026106531156a6faf540ba1041", + "sha256": "1cfa7770bfca864df1b18fd84d7c054c4f56be21ec171828d78e7b892f66e45d", "type": "eql", - "version": 415 + "version": 416 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "rule_name": "Spike in Bytes Sent to an External Device", @@ -2107,9 +2139,9 @@ }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "bca658ce7637c35a01605a65f695b375dbcf56589332a3c26fca2e34a6ee1f21", + "sha256": "8490f06845e72c6453d237d605f6cf7d0ad70db3477dc1eae14b87f8fb9dc42c", "type": "eql", - "version": 312 + "version": 313 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", 
@@ -2155,9 +2187,9 @@ }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", - "sha256": "da16b682e3af6a8ba8b753f079facc33cfc6e4632d6cc699a30659325a41d493", + "sha256": "bcda7d22eba2491baa39d158b4381eec6d1df82b9d2b4c534e474a7f7c384b0b", "type": "eql", - "version": 1 + "version": 2 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { "rule_name": "Spike in User Account Management Events", @@ -2190,10 +2222,10 @@ "version": 213 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { - "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations", - "sha256": "33d6a0523227e9bb8e19454e1c8d2e7e330d45eb4dbce157314f6cad2b3ac50f", + "rule_name": "M365 Portal Login (Impossible Travel)", + "sha256": "c0b3fdff344187ba74e33c839e4148dff4b058f036d74c25ecf27ff52d71bedd", "type": "threshold", - "version": 5 + "version": 6 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", @@ -2227,9 +2259,9 @@ }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "7a32a8e2700cb4587a3cc51702ac6a764cc0441c391b6ae55d99490f243f2b59", + "sha256": "faeda0ecc334d9a83831ab6154315aeb7c2686fd6f4cd6f8244eefe72f46dd30", "type": "eql", - "version": 310 + "version": 311 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", @@ -2263,9 +2295,9 @@ }, "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": { "rule_name": "WDAC Policy File by an Unusual Process", - "sha256": "4439ecd338f9a33cce80c2f71b0422c5156ebb8eee0403018a944aa8e8291670", + "sha256": "2f64969093014bc671fc8724aeb9018b2690f30500934734c6a4a0b25bc995f3", "type": "eql", - "version": 3 + "version": 4 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", 
@@ -2669,6 +2701,12 @@ "type": "eql", "version": 315 }, + "46b01bb5-cff2-4a00-9f87-c041d9eab554": { + "rule_name": "Browser Process Spawned from an Unusual Parent", + "sha256": "7a34269b905c935b622166cefde9ec843b43f40a4c1f33fea3cf3b297c84d4bc", + "type": "eql", + "version": 1 + }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", "sha256": "6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8", @@ -2713,9 +2751,9 @@ }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "e0a081f5e6e5c677861f9b0f317aa19891c2e334c139bef664dced713e46cc81", + "sha256": "efe13789f0e114a22962a031a630587a9068815b16a6fecfd9212043b5c8e175", "type": "eql", - "version": 315 + "version": 316 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "Suspicious Microsoft 365 Mail Access by Unusual ClientAppId", @@ -2741,6 +2779,12 @@ "type": "eql", "version": 111 }, + "48e60a73-08e8-42aa-8f51-4ed92c64dbea": { + "rule_name": "Suspicious Microsoft HTML Application Child Process", + "sha256": "ca1b5ca19262980e5766116e70f08a65f1eed7775f88a4c285ba663ed4106a12", + "type": "eql", + "version": 1 + }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5", @@ -2807,6 +2851,12 @@ "type": "eql", "version": 2 }, + "4ae94fc1-f08f-419f-b692-053d28219380": { + "rule_name": "Connection to Common Large Language Model Endpoints", + "sha256": "c76a051731982498c30d4de759dd360f9f9dd6617102e0143a3ed622b1280d5c", + "type": "eql", + "version": 1 + }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", 
@@ -2875,9 +2925,9 @@ }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { "rule_name": "Potential NetNTLMv1 Downgrade Attack", - "sha256": "b4d688bb17f571660796ae95fb0496f32e1a568a228a67a2f4c97a8e0307cf84", + "sha256": "8dc9a67886d1c45cb259c5bc2ca6d2a2b56e44b4afdaae58c692f7b3a58b3d6a", "type": "eql", - "version": 2 + "version": 3 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "rule_name": "Kernel Load or Unload via Kexec Detected", @@ -2983,9 +3033,9 @@ }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "abfe30615e82bd0b98663fa6ebdd49e33b40784ae35bf5d0879bb0734d92fe97", + "sha256": "1210bd635a5f10b91c32ed2675bbce9dd1590f829d331d1646fc29bef344b08f", "type": "eql", - "version": 415 + "version": 416 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", @@ -3043,9 +3093,9 @@ }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "9a11f66a5f52ddf8e32658df86dc2ad920a342a4f635228e92331ddee8942239", + "sha256": "90812c1c9901f3f69bc370a453a057fbf7475807091099873d900dc451e7c486", "type": "eql", - "version": 212 + "version": 213 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", @@ -3139,9 +3189,9 @@ }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", - "sha256": "8f693b1858ded9952036f70acff24f2c72cf5f32deb5ea99809a7b452fe61b74", + "sha256": "e668e79265b55406cd93383522749d6bce039b43589478b9a489a0a5b77b8b67", "type": "eql", - "version": 211 + "version": 212 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "rule_name": "Windows Installer with Suspicious Properties", 
@@ -3149,6 +3199,12 @@ "type": "eql", "version": 4 }, + "55f711c1-6b4d-4787-930d-c9317a885adf": { + "rule_name": "Suspicious Execution with NodeJS", + "sha256": "703c739baa06c65f081e0a6f4d49107b415aef292f2d9e69d0ee75fe9768e379", + "type": "eql", + "version": 1 + }, "56004189-4e69-4a39-b4a9-195329d226e9": { "rule_name": "Unusual Process Spawned by a Host", "sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f", @@ -3241,9 +3297,9 @@ }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "29c100fa0b406a91db128be6392d1b8e72d502078241b52d1354693613bf1735", + "sha256": "45f445274735262eed52517014047be86ee5efa40278bfde4ec07e09ad01577a", "type": "eql", - "version": 206 + "version": 207 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Backup Deletion with Wbadmin", @@ -3259,9 +3315,9 @@ }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", - "sha256": "8d8c264f3c828e6bbfef2b4d20ae146ff9be9f011e3755c642210ed001c6c1a8", + "sha256": "572350cc1b7ee9eb743fe3f4cfba0c9b6316477ce99490cc1ccffdf8a74bb4ab", "type": "eql", - "version": 314 + "version": 315 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", @@ -3319,9 +3375,9 @@ }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "e651c47059e3d5740aa4794b0763000aa1ba400b356c14c01cb6f4459f0a1bdb", + "sha256": "af550c49b54fdde4f457b46291419fcce1a52c87f48f17702fea4f9f646df8a7", "type": "eql", - "version": 312 + "version": 313 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", 
@@ -3355,9 +3411,9 @@ }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "1fab57a66d2a22bdfd3a4915e08b00ff237b7b81889c82c04c44856595197042", + "sha256": "52e50adab24a9c98ab490445823f19da1c977fbb1095aa36f198857a03f478f5", "type": "eql", - "version": 311 + "version": 312 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", @@ -3487,9 +3543,9 @@ }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", - "sha256": "e62863ee2e1a09791d8e7cd28006350131ba2e295dbff49be51cb22b856ca839", + "sha256": "1de4421d5b5299213d99591da32512ca3a1acf592d3d8a5e9f9f512812cf976d", "type": "eql", - "version": 212 + "version": 213 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", @@ -3499,9 +3555,9 @@ }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "bf01bdf03f06bbfd9d8b5107e6467d382300ca71f5ed5bbcd15bd5577881d4a4", + "sha256": "fa2a33e6373f41cd2d51778ba3915f14895dec9843ce9e39e1d6f507a3f383d8", "type": "eql", - "version": 213 + "version": 214 }, "5d676480-9655-4507-adc6-4eec311efff8": { "rule_name": "Unsigned DLL loaded by DNS Service", @@ -3569,6 +3625,12 @@ "type": "eql", "version": 4 }, + "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": { + "rule_name": "NetSupport Manager Execution from an Unusual Path", + "sha256": "c80b105dcd79c80989bff9ac24cf5177de43e229e7d10b6401345ba38e066596", + "type": "eql", + "version": 1 + }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "220ed9f1c624434cc370940d6cee814b44493918f6d6ac305b251398fc63ff58", 
@@ -3581,6 +3643,12 @@ "type": "query", "version": 108 }, + "60c814fc-7d06-11f0-b326-f661ea17fbcd": { + "rule_name": "M365 Threat Intelligence Signal", + "sha256": "aff5572a6b6ac9bb499203df4a6dd207f564d69215adcf84c625763e0ff03e7c", + "type": "query", + "version": 1 + }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "ce9ed4361e91b450cd43a5fbe9083995234c321108418dda2702a5239066b816", @@ -3589,9 +3657,9 @@ }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", - "sha256": "fa18b1a5f47edc2407e0810ed087e38658b7e37ad77f1f9e76da5a7169e7d712", + "sha256": "eedf094a7798099e64d10398f58d50331624cf7b56aa5b1d6cf30a6ac7ee5c40", "type": "eql", - "version": 210 + "version": 211 }, "61336fe6-c043-4743-ab6e-41292f439603": { "rule_name": "New User Added To GitHub Organization", @@ -3691,9 +3759,9 @@ }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", - "sha256": "30e54bc7048db8d32d33a0c88b73115941f31ffe303c5e6b3c437d6c881f02c1", + "sha256": "9dc44d0287d85742433a237643de326b02cb67b5850c7c1cb67d39e39ff29d97", "type": "eql", - "version": 211 + "version": 212 }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation or Modification", @@ -3701,6 +3769,12 @@ "type": "eql", "version": 6 }, + "642ce354-4252-4d43-80c9-6603f16571c1": { + "rule_name": "System Public IP Discovery via DNS Query", + "sha256": "5eed6d39b3ff549f9fad07deb25f6b9f17ef4b11d01d6291bea126940dfea36e", + "type": "eql", + "version": 1 + }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", "sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217", 
@@ -3739,9 +3813,9 @@ }, "65432f4a-e716-4cc1-ab11-931c4966da2d": { "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "e1ec85539db13ab9489ec04ef9e0af48873633b8531bc0eb6bd188fb01f47356", + "sha256": "f57dea79c94f721b7f8cbc38f822f95a03a7020cbcef7591ff7b6834bf00038e", "type": "eql", - "version": 204 + "version": 205 }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", @@ -3859,9 +3933,9 @@ }, "6839c821-011d-43bd-bd5b-acff00257226": { "rule_name": "Image File Execution Options Injection", - "sha256": "ea1779558654cec44f1fc3b4e1b1843dbcb5c025cef9e487e434358fc58ac682", + "sha256": "c27202eab20774ab1eb8e25fda99113ea2cdb28f9e3dc0dbc5cea32eff56ace4", "type": "eql", - "version": 312 + "version": 313 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", @@ -4073,6 +4147,12 @@ "type": "machine_learning", "version": 211 }, + "6e4f6446-67ca-11f0-a148-f661ea17fbcd": { + "rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)", + "sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9", + "type": "query", + "version": 1 + }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", "sha256": "49503ed912d9968186dd5b4b47de003255aa7ca2b4311d8cd8d0102e65ac3e56", @@ -4567,10 +4647,10 @@ "version": 100 }, "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { - "rule_name": "First Occurrence of STS GetFederationToken Request by User", - "sha256": "3dc2caebb922a0decc83d1a09fc3d9f0c0fda3c921f16025db6dc292d015e00d", + "rule_name": "AWS First Occurrence of STS GetFederationToken Request by User", + "sha256": "c1ad2b67bc76a44043c0d9cc9a233a0291e39e29cb490fbe01115d9b9d342503", "type": "new_terms", - "version": 4 + "version": 5 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", 
@@ -4656,6 +4736,12 @@ "type": "query", "version": 100 }, + "7dc45430-7407-4790-b89e-c857c3f6bf23": { + "rule_name": "Potential Execution via FileFix Phishing Attack", + "sha256": "3a1b732e8be3a1cf4952a67727c6163f1f442150dc53f09939833ae406ce4ab2", + "type": "eql", + "version": 1 + }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { "rule_name": "SSH Key Generated via ssh-keygen", "sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843", @@ -4670,9 +4756,9 @@ }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "907b1064906824a13db895c523dbef4d97c481746813c0fd74ce91d7e659d087", + "sha256": "8bd90f260cdbeb5d6567c41d2954e4ee3d028c6594291717fab5917b67d1358f", "type": "eql", - "version": 311 + "version": 312 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", @@ -4680,6 +4766,12 @@ "type": "eql", "version": 3 }, + "7eb54028-ca72-4eb7-8185-b6864572347db": { + "rule_name": "System File Onwership Change", + "sha256": "81a9e544cead76ee7b81192939ed74e86ec20a6e1ace52d27147aaaa2aa0cc93", + "type": "eql", + "version": 1 + }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", "sha256": "629e259fc95453f3de0e1fa2134039f0371043cc2b4fa9703296a46ef7d8dc69", @@ -4778,9 +4870,9 @@ }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "c21246a4390e985fe639c73d06b845ffd8a86744834565cfb9a614a61ebc0a22", + "sha256": "cfe3053df0db70d67a72023180094f2722668f0335e1ad4d7a844576c4da0d23", "type": "eql", - "version": 313 + "version": 314 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -4838,9 +4930,9 @@ }, "83bf249e-4348-47ba-9741-1202a09556ad": { "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "d735d2babf46df807a11f9b74d63af45871886e7e814b0ebdcc72455f852dd6d", + "sha256": "8cde4f0e13db1dfbeaf85432fcc0c28798349173efe32eb81bfd38c946484bf4", "type": "eql", - "version": 207 + "version": 208 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", @@ -5024,9 +5116,9 @@ }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Command Prompt Network Connection", - "sha256": "b56f0706a429be4247b946fd3e3ce51307208562762d199e3f192a923920d389", + "sha256": "49bfbc43dd89ec3bafeff899df67ba47d7277ba6fe766a6d712ab996f5e26918", "type": "eql", - "version": 211 + "version": 212 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", @@ -5096,9 +5188,9 @@ }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "0270aa0ec7e5ce0a73aa1de6c8d405300747d98d7f9455e3f7cf7b20cc7ee4ae", + "sha256": "795dc8b265d22118111f0d5222bd9a7cd27f3afa85be0ed6cf1a82ebeeeff7b5", "type": "eql", - "version": 312 + "version": 313 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", @@ -5154,6 +5246,12 @@ "type": "new_terms", "version": 5 }, + "8cd49fbc-a35a-4418-8688-133cc3a1e548": { + "rule_name": "Proxy Execution via Windows OpenSSH", + "sha256": "b2cbea79be7cb1bdd6745a9aa091c6bab2f473f2dbbb56db20f761cb3b44584d", + "type": "eql", + "version": 1 + }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", "sha256": "f9b8f99ec26b989e24f1152d9ad42ab9af8e41d40acd404ef8667b07cb6f0ac4", 
@@ -5384,9 +5482,9 @@ }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "c077fd358e34c58739a837e5a1fcf8aa23aff5df6e8e0fddd08e05fafc3d9869", + "sha256": "28e1eea911bb6da17c9e7545b44f86927de6020e8e4ea22af960a2610cd011e3", "type": "eql", - "version": 414 + "version": 415 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", @@ -5444,9 +5542,9 @@ }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", - "sha256": "65a3953f3ee8c584dd03b7d6350f9917e9e7f8ffc7fcd0b7c5a2d482a974ed9d", + "sha256": "8cd15104409a97fd4438abc212c1c0ff0707de6458eeb1e1d8f7420e40c241c2", "type": "eql", - "version": 212 + "version": 213 }, "9563dace-5822-11f0-b1d3-f661ea17fbcd": { "rule_name": "Suspicious Entra ID OAuth User Impersonation Scope Detected", @@ -5682,6 +5780,12 @@ "type": "eql", "version": 105 }, + "99c9af5a-67cf-11f0-b69e-f661ea17fbcd": { + "rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS", + "sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28", + "type": "query", + "version": 1 + }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", "sha256": "f86fdfd7f9e5f3789e9063903170f36e24b74691d8e3c80a274cb3ad7158f35e", @@ -5720,9 +5824,9 @@ }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "4b91494419375f075074641d265c9472249db37ae1bd4883afff77746fac5ae9", + "sha256": "a18589e10e7f28f4117607f6677da79ad0fff040ad5c9d28e93f837471c51963", "type": "eql", - "version": 313 + "version": 314 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", 
@@ -5811,9 +5915,9 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "10b96f4738dafa6bded0fab598bd190860ba5bad82262b599f9db0e32d0effec", + "sha256": "f6ac7fc8d32860bef59151f6f6bd9f35f7f4a0d8c9b4030c1f4ece5e3958cfaf", "type": "eql", - "version": 217 + "version": 218 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Potential Credential Access via Trusted Developer Utility", @@ -5895,9 +5999,9 @@ }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "78cf85d6536b19e741c62becfacd4370da9fdab104f8ddd0a84e50c7898f9fa7", + "sha256": "5acc1b7578cb1c9aa94b918567c2c4f457ec1f3f9e675ad3f8a027688bb51ed3", "type": "new_terms", - "version": 315 + "version": 316 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "Unusual Scheduled Task Update", @@ -5919,9 +6023,9 @@ }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "086dc4807cbf1f48caca0445d974b5a37b7cec9d9d3a9846285ffdb5d8201bc1", + "sha256": "422c5f78e61e61a60f06cc1a38e9759242687246cda0c59c36ef24db0cbd5359", "type": "eql", - "version": 210 + "version": 211 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", @@ -5937,9 +6041,9 @@ }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "4fe6bdaf69ba585df7b896751085ecb0c7b1688f21b8cfee2adbef2d723cf71d", + "sha256": "12fb13bd4b276eee68b30f7ce5743d3f6da9f2da1f47d5c77aee0fb852f1eab0", "type": "eql", - "version": 211 + "version": 212 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", 
@@ -5967,9 +6071,9 @@ }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "3ec206923a9a0c92c2d1194d072f0615f9d8081e8e4a70000eff0c8d0f6b6828", + "sha256": "f5f6233b37a46200c93eabea190aaca9549c10deb5f9d832bc8cbff7479e5302", "type": "eql", - "version": 314 + "version": 315 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", @@ -5979,9 +6083,9 @@ }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", - "sha256": "98a780b0582321ca0e2af48aa11a7bf9ebda24e2fcb7704240517bb44ffceac3", + "sha256": "9d63088e2b97717ca7c8c9b31b18c2ff3c6c8828c47e29e07b65de8806351bf0", "type": "new_terms", - "version": 4 + "version": 5 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", @@ -6009,9 +6113,9 @@ }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", - "sha256": "be27eb9ce31990ab750298238c182e7525e554dcd7e2cc6e8f4df99b787e93e0", + "sha256": "15ce53d9971d69e0cce8aa48ed7d5d0e8f07262067920ed25643ff74947439cd", "type": "eql", - "version": 311 + "version": 312 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", @@ -6172,9 +6276,9 @@ }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "415ba0865fbed68118f60f0d62fae9749bf5d8eab1cd8dabc18942be248f84ba", + "sha256": "544161a59a89370ab4438a8bd397acb36f3567b1c2af131d5856d084531ea717", "type": "eql", - "version": 212 + "version": 213 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", 
@@ -6262,9 +6366,9 @@ }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", - "sha256": "6a545cb482f00a99599a606fd89ec0320635566a5f5c7cbc39245111e68d2c2e", + "sha256": "e9af0100dd5e405bec735bd4a058de9c52e7f4715ba7f3d5594024939f5744ae", "type": "eql", - "version": 205 + "version": 206 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", @@ -6316,9 +6420,9 @@ }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "0df9fe5aae220286f3a078f34f6732a4e8e91b150ebc98859ceba01f917e6f62", + "sha256": "08722f5e5dd94f6aa3a6b9f961dc93e655489cf429a7bcc8d18387cad4c6ff0d", "type": "eql", - "version": 313 + "version": 314 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", @@ -6370,9 +6474,9 @@ }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "4dd926efe49fd806e22c5d0294e28655370604c5b7d73e7499fba2a4d567406a", + "sha256": "2e3d15a9795d39424cf69ef915f4bfee102eb97d82de899b1efb894591a4b11f", "type": "eql", - "version": 10 + "version": 11 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", 
@@ -6455,15 +6559,15 @@ }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", - "sha256": "8658cbded3bfbcd50d0505b70fda58de04f8037859cd8807b64b329d7a21da7e", + "sha256": "a50c04fdc476c71125eea0ba039cb89bf18e557653c7d2c893bd62b964d5d703", "type": "eql", - "version": 205 + "version": 206 }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", - "sha256": "94e123836c688e9ca2dc1cade245ceeb9445053f786e74efc0fa28cdefc7bf7a", + "sha256": "fc7f704d5dcc9301e09f1db4409626544ca1a2e150ffe2ee6a7a384bc67bd015", "type": "new_terms", - "version": 3 + "version": 4 }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", @@ -6521,9 +6625,9 @@ }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", - "sha256": "f3a4935d073ab0277be480a86f2e9477d530022133c21b58983135ca8227edb8", + "sha256": "5ae46136e4a5238cfa794a88f7f0b05e83998ae1b1211edf89c69ad05cf6b4d0", "type": "eql", - "version": 211 + "version": 212 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", @@ -6623,9 +6727,9 @@ }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "c42fc62c166c6edcdbec578558ee9fd7bafee2cc285988816b1afd11c66184b6", + "sha256": "eccf507bc8d95b170c3c8fe97c0d64f5c18cbd98f12ad13d52942d956fd7fd65", "type": "eql", - "version": 105 + "version": 106 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", 
@@ -6671,9 +6775,9 @@ }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", - "sha256": "b5c31154e4f9ca841f4cff4ee16d54a4e720ad7a53d13934aa477b8db12b89ef", + "sha256": "bcdd20128f5b5f6c161154d5df0b9bd8f96456e094845f30e33f1b159aad6694", "type": "eql", - "version": 209 + "version": 210 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", @@ -6719,9 +6823,9 @@ }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "b8e66af487be6c7321eeb3190b3b36a66fc78fe1ecf416e32b23d6635f193174", + "sha256": "6c98718e177cba9e677d5be51571ab9cd59f1a48d6a9d7d1f9e6267b56b26095", "type": "eql", - "version": 314 + "version": 315 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", @@ -6875,9 +6979,9 @@ }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "b247c53050c8bddc99af9a4493fb2981eb2c343ff730674bb3aab6fcaee788e3", + "sha256": "86aa1bc737f26987d86809d8f763aff7982e416bef5dc2bbd44444cf72678bf3", "type": "eql", - "version": 211 + "version": 212 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Potential Pspy Process Monitoring Detected", @@ -6893,9 +6997,9 @@ }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "6fd7fa052007bc92b0bda3696e42796c69f9137576829cbea0252e6b29224919", + "sha256": "5f00835a9adee4dd9a68ab262fb2d6cd7b32fbbd1331cc6a295e623d98be5d8e", "type": "eql", - "version": 107 + "version": 108 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "rule_name": "Host Detected with Suspicious Windows Process(es)", 
@@ -6941,9 +7045,9 @@ }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "daa3134d44070e9b2e92a5b1b3b54adc512807adddf724617180b23c4c8ad666", + "sha256": "40a67d2ab241cbd5ebfe99c7aa5d275edd57de9dfe029fe46a3b3fc90c202e26", "type": "eql", - "version": 217 + "version": 218 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", @@ -7019,9 +7123,9 @@ }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "ed69a0aa73e3375f24b9ec86bacc6ff5e538e05119616cf5514057696690e747", + "sha256": "90f4cf252faaaac2dc8deed5c5717b0be78711928ecc299a039b6460196f7be4", "type": "eql", - "version": 105 + "version": 106 }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", @@ -7061,9 +7165,9 @@ }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", - "sha256": "94bfb7d9a5d1586ff7b4054cc750b57beb571baf108461ee3e416b6f659573ca", + "sha256": "6f3c1e9edde89e9c1fa7f4cec717c23b7fd08815ed56edde594db70cebd5207c", "type": "eql", - "version": 211 + "version": 212 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", @@ -7151,9 +7255,9 @@ }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", - "sha256": "256450331ca286a1357c0bbc23eee2f9061a55893598b9092ce47672e3145363", + "sha256": "2c5071fe46db0c491dbbe580964a42198e0d9e80cf5e02cb790b52b95aa3346b", "type": "eql", - "version": 312 + "version": 313 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", 
@@ -7229,9 +7333,9 @@ }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", - "sha256": "6d8ea7a3be99e8dc423a861e8a98507d463ddd8f5035cf99218ab1d854007d2e", + "sha256": "3048fb1cb33c9d61e64c57c88bc310c6f76330a531c1a04fc2cbf5fa9a962e53", "type": "eql", - "version": 210 + "version": 211 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", @@ -7295,9 +7399,9 @@ }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "fca308ed6f058a71cd6b78103e5eee6a34d2bf71d691d3e755f4b871b63b781e", + "sha256": "d8df42b3b1ae015ff855bf033f6d9c5600ea1e6fc0a453067fd1db55845d46eb", "type": "eql", - "version": 316 + "version": 317 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", @@ -7307,9 +7411,15 @@ }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "23228fc4c56544cbca69f1ef27c24aa3f0f936b8efc3ef9cda8e2a21e324185e", + "sha256": "e121b0d971bf1150d175b424f345d7bb227f5ecc94ecf2b77c8090e60871fa76", "type": "eql", - "version": 10 + "version": 11 + }, + "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { + "rule_name": "Potential Remote Install via MsiExec", + "sha256": "3ea4b2750fc23762da8a0f57f1cbbb92a984c24550de5eacd33590b75b809f69", + "type": "eql", + "version": 1 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", 
@@ -7331,9 +7441,9 @@ }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "450f3d520b866abfd27610f1c45d9cf2cc29f0a81d0a16e658c0974032285355", + "sha256": "62c7199540ac150e45c1a00f4151cb763f421b6664f72d0d6c05eed2593e63b0", "type": "eql", - "version": 12 + "version": 13 }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Microsoft Entra ID User Reported Suspicious Activity", @@ -7554,9 +7664,9 @@ }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "6cbcf01bb3458b6000435a2ecea083a1c9dfde643c56aae79dab1e13e3a30e06", + "sha256": "2c64f99b095d83c721adcf4da78d8dbb39c650eff71ecaf8b311d50c750be7ae", "type": "eql", - "version": 314 + "version": 315 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", @@ -7614,9 +7724,9 @@ }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "2c79861e96db0d9c585c157bb02525ce6af7a5357f8771196dedc88a00f4df25", + "sha256": "4afd57a339d41912ae7ad833a7198061d9c2c8b8d84ef2755fe3994daabfa5c3", "type": "eql", - "version": 314 + "version": 315 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", @@ -7705,9 +7815,9 @@ }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "28bc09946d2b6132d3e5e98773782cb227094f7699ffa2ce263542e556fde471", + "sha256": "7494f21c1a6239837a702192482b3b6e108643fa3a163d51904e903ef6c1a780", "type": "eql", - "version": 311 + "version": 312 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", 
@@ -7829,6 +7939,12 @@ "type": "eql", "version": 12 }, + "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": { + "rule_name": "Potential REMCOS Trojan Execution", + "sha256": "5edbe0cfcce77f5741297489ab7cd3d0b6fbc30eff4c47b9695617e90a279504", + "type": "eql", + "version": 1 + }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "e3aa8dd0f5cf3941fcbd532ba48689e04c30276c78f3c8eb76b4a025c1f0ed4a", @@ -7855,9 +7971,9 @@ }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "62022718b483616657be41e5147c1d967dcc106316a29b4d5ecf401ef65966c2", + "sha256": "aff7d38b73a0e95e989acef5b99c298a4ee9a1cb09ef6eb7a3eda510ac03edcd", "type": "eql", - "version": 205 + "version": 206 }, "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": { "rule_name": "Microsoft Entra ID Protection - Risk Detections", @@ -7867,9 +7983,9 @@ }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "4465a0b284dd1be9c6a5f56ece22af068c8a61e9af4e7a72e9fc3f614980fd77", + "sha256": "de90093e93bac48091417fa26435ce13733ef66d348b2ee5fcbe5c2ca5699a20", "type": "eql", - "version": 214 + "version": 215 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", 
@@ -7896,22 +8012,22 @@ "version": 110 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { - "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "0fc801c721b322f2fc95a38ebb88926fda4b19b3f0ae2d0673e32cc00122ce1d", + "rule_name": "Entra ID MFA Disabled for User", + "sha256": "d9319ceb9da40cec88c21a7d267fdb0cb63da883fbf7f093b124f8ccb2566f39", "type": "query", - "version": 107 + "version": 108 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "8b48df7f491d5d594729db6f0bd279a6e725e80636d6e9a773ee15f6deb01c4e", + "sha256": "e8a375d2c92b79dbedd319eb4d79fe9a66efc3263210f4b629ec811cb642db64", "type": "eql", - "version": 206 + "version": 207 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "5dffb6c3e6267b2c7e7ccd8e2209fa27105015ba460f6d999e81d82c0a437ac7", + "sha256": "ed9f706184fc5034e51bb0a6bee7ee427e2f4a69479c5d6d7a813a3e26977c55", "type": "eql", - "version": 212 + "version": 213 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", @@ -7963,15 +8079,15 @@ }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", - "sha256": "aad3f2edfeab00967b91f256a1ef81c35d59ea0b2eb9d105805634dff69c010d", + "sha256": "9d191d331a016f26d74e6a8ff918ea6da71312840a3f8c9a1bcad323ad7cfcd8", "type": "eql", - "version": 208 + "version": 209 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "ad6641c2979809ae9b25092358af973336691aabe040d8e64085590c5ef506c0", + "sha256": "ab7d16c803fc15c77dc6801a94c2476e64591720f62dd9bcc56d4896f4b14a6e", "type": "eql", - "version": 213 + "version": 214 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", 
@@ -7993,9 +8109,9 @@ }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", - "sha256": "b49690c6d0cd84759eb0f4fcc892028261761446f3ac9a03d31d0d4acbc0ceaa", + "sha256": "1216996a5132262ba297122d42364ea18a50edcf869b1069489c8a412c0adb3d", "type": "eql", - "version": 313 + "version": 314 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", @@ -8077,9 +8193,9 @@ }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "5a9d7d6d9f7c066df0fcdf16f6b3e03a439acd386c8d490925db0bf6ef5fce2a", + "sha256": "28291ea5acbadc2b2f130aa01a4f9e6aa7a20a78a50c745da103073bf77febd3", "type": "eql", - "version": 206 + "version": 207 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", @@ -8203,9 +8319,9 @@ }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "6c61c69e5a43bcb87d6fc65f9582b72bb95f5ee8f4dd63f417ee7989e276ebe8", + "sha256": "c5dd1640be638638d42328b63e8b36a12443ad1dead6923ba13d075ad7d13001", "type": "eql", - "version": 215 + "version": 216 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", @@ -8292,6 +8408,12 @@ "type": "eql", "version": 217 }, + "e516bf56-d51b-43e8-91ec-9e276331f433": { + "rule_name": "Network Activity to a Suspicious Top Level Domain", + "sha256": "80233c232a063297a6d2d98af570a6f67133069809ce4ac8b5bb2d49e1ff9b59", + "type": "eql", + "version": 1 + }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "8d84f71e1bd9d53371b05b590f59d4d7625f35ddc50596b9e85358d04a9ea3d6", 
@@ -8396,9 +8518,9 @@ }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", - "sha256": "9ae24d03709feee8090747609ba8e099a8b5b1a9589e7f66525543b5568614fa", + "sha256": "8f41ce2cba95e21cdd0446de79cfee143daa1fac5ca9af0a52476dc70dda83e4", "type": "eql", - "version": 312 + "version": 313 }, "e882e934-2aaa-11f0-8272-f661ea17fbcc": { "rule_name": "Suspicious Email Access by First-Party Application via Microsoft Graph", @@ -8408,9 +8530,9 @@ }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "1e96b9c195bd7e985d54a7ebce9b7d3769f220cf8075ff16bc5572bae23b6fa7", + "sha256": "570f50040e4c5830eda8d9d4d63e5472233a96b0aac24dcd32a887779944a110", "type": "eql", - "version": 110 + "version": 111 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", @@ -8456,9 +8578,9 @@ }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "3d63ab76c06af9336734264f46d43ce5e6e9f6b17a0511816fe79aaa15c4fb5e", + "sha256": "d0d79e029dbc2c30f3d6e94335597e07feda824c2751b442c658b9aa9867d635", "type": "eql", - "version": 314 + "version": 315 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", @@ -8552,9 +8674,9 @@ }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "4ac1434045431edb914fee89119060e5c04b0167329f8438adec6d3b61936209", + "sha256": "15a0fd7044827c36f60417515284afb4f6fe23e1dbae54a45a6b44e8ae0887fd", "type": "eql", - "version": 414 + "version": 415 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", 
@@ -8648,9 +8770,9 @@ }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", - "sha256": "0ab6c4d5e507ec4a4855c152b4f4877c174c9e3d598ea7eea243a0783c1ef999", + "sha256": "94421dbaf4b818996b818ce7add2fff5f19b3361bc746e84bf7b001c6f22a107", "type": "eql", - "version": 213 + "version": 214 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", @@ -8664,6 +8786,12 @@ "type": "eql", "version": 100 }, + "ee7726cc-babc-4885-988c-f915173ac0c0": { + "rule_name": "Suspicious Execution from a WebDav Share", + "sha256": "c5748ea3783ef8a9981c04d76db7206edabc9aeec804a0174f7827ef1b46c95b", + "type": "eql", + "version": 1 + }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "ea81b8be42aac46fe858037a08802a107f542b90f33471e6fc3a43c0b3467395", @@ -8714,9 +8842,9 @@ }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "b38b45cb340ce26c11c6845525f90bf3f24d61b736af9798d56249d3ab3547bd", + "sha256": "73689aac5e6dab00ff9d9e0b6cb0a4cf94ded423187205e46947d23a6b8fe7af", "type": "eql", - "version": 212 + "version": 213 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", @@ -8816,9 +8944,9 @@ }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", - "sha256": "ca8cea7c5e28ef020ab6ef1d43f0807ffa09c0edf8a7e0f068d152a00af6010d", + "sha256": "47389d060af838e9b3ab54a6aa1da8ef352339436cef82bf5ad8b528326c1857", "type": "eql", - "version": 313 + "version": 314 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", 
@@ -8882,9 +9010,9 @@ }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { "rule_name": "Remote Desktop File Opened from Suspicious Path", - "sha256": "dd624c8915f63e9d39e7d1afa5cf7d6809f56765a2c82be549cca6ad834ec8d0", + "sha256": "26f9f4f5c8a08b36972822b6f7cb3ab8523673772d71d9c8284730bf427c7345", "type": "eql", - "version": 5 + "version": 6 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Potential curl CVE-2023-38545 Exploitation", @@ -8894,9 +9022,9 @@ }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "8d81c6dd9a34b1fd2cd1be47a36319507ad5345eef75533b9dda3b04e5b4c1eb", + "sha256": "cba4b95ced426d90a06aeb6a7c29ed69852042fa8e4104dfcd4ba0c44c6ed44b", "type": "eql", - "version": 311 + "version": 312 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", @@ -9117,9 +9245,9 @@ }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "63505ce859860281882c80c0bb83dcb09905c0eac4278f1d8709b591eeac82f4", + "sha256": "3d21669e611960932ce8953bc186daa36ad6fa5e5de719f84cc5ea2bbf58bdf6", "type": "eql", - "version": 314 + "version": 315 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Prevented - Elastic Defend", @@ -9207,9 +9335,9 @@ }, "fa488440-04cc-41d7-9279-539387bf2a17": { "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "81e3b29bed0ef07c810cc38dc585d1364d27e82d36f56beb75829bab7bdfd7ed", + "sha256": "0cd027bc2a6c875c929dcf7cc81896925357907008c382104fa069cdb024cb9a", "type": "eql", - "version": 318 + "version": 319 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", 
@@ -9219,9 +9347,9 @@ }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "627186aa4c8cd46c699f0dfa1e7aac501e8b503fa2fb1224a6c09fcfe8769fc9", + "sha256": "43e8b63eb9570e74bea2bd40c0278bb6bd6689e146817245638379783aeb1e04", "type": "eql", - "version": 108 + "version": 109 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", @@ -9253,6 +9381,12 @@ "type": "query", "version": 100 }, + "fbad57ec-4442-48db-a34f-5ee907b44a22": { + "rule_name": "Potential Fake CAPTCHA Phishing Attack", + "sha256": "8e3289b4539e63e0d4bbe85963ed47f490894e78c1b8e45d5b57da403063d53f", + "type": "eql", + "version": 1 + }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", "sha256": "f1169e957a20125ed74336cc3fa63c1c0f4d95f9affb1dff7262a2ab43453162", @@ -9283,6 +9417,12 @@ "type": "new_terms", "version": 206 }, + "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": { + "rule_name": "Proxy Execution via Console Window Host", + "sha256": "71c27f7195ec6a29dadac01c5679565bdbb368f049b138fb1a4ea088756ec63a", + "type": "eql", + "version": 1 + }, "fcd2e4be-6ec4-482f-9222-6245367cd738": { "rule_name": "Microsoft 365 OAuth Redirect to Device Registration for User Principal", "sha256": "1d02af55b664c31f3cc24f4d2d7dd45c93c876b21c5782043ca1b237fbd4ff9e", @@ -9363,9 +9503,9 @@ }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "f87a7a993f500dfcee7a84bcb6fddc4fa63da13ca2bf621a5d2e53491e10ec09", + "sha256": "90aa76c4f7daef4acec489e280a63032de791c9a2a5fe91e3474bb593165a881", "type": "eql", - "version": 316 + "version": 317 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "rule_name": "Spike in host-based traffic", 
@@ -9375,9 +9515,9 @@ }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", - "sha256": "41ec550b3078839de7f19bf83a042b3438322accc41dc05b6cb5c9d2f2e18d8e", + "sha256": "3320b98061416b20df553034b2646b78bd829976cada58d78368d3de8d58d807", "type": "eql", - "version": 8 + "version": 9 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", @@ -9387,9 +9527,9 @@ }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "8de3ae4f247ac65b48ad2e27d928f11a9804bbfdd79432652296d618f84340fd", + "sha256": "0ff563e99da750acf3e694ad34679010f0fa64883c84a72877f2fcefe7b762c6", "type": "eql", - "version": 310 + "version": 311 }, "fef62ecf-0260-4b71-848b-a8624b304828": { "rule_name": "Potential Process Name Stomping with Prctl", @@ -9427,6 +9567,12 @@ "type": "eql", "version": 13 }, + "ff46eb26-0684-4da3-9dd6-21032c9878e1": { + "rule_name": "Active Directory Discovery using AdExplorer", + "sha256": "5498c911565a0f24b7ec48e5e494dd62b58ee7efebfd30ae802acb1a12829893", + "type": "eql", + "version": 1 + }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "4de818584a14719ee372d29a3d4d9e6cbbd31ba9e20ab6d702cd75ce35f29336", diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md index 64bc99fe3..9fcbd1a88 100644 --- a/docs-dev/ATT&CK-coverage.md +++ b/docs-dev/ATT&CK-coverage.md 
@@ -95,6 +95,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-c2-beaconing-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-c2-beaconing-detection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-cloud-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cloud-threat-detection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-cloud](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cloud.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-cloudformation](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cloudformation.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-cobalt-strike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cobalt-strike.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-collection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-collection.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-command-and-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-command-and-control.json&leave_site_dialog=false&tabs=false)| 
@@ -116,6 +117,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-execution](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-execution.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-exfiltration](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exfiltration.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-exploit-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exploit-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-file-integrity-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-file-integrity-monitoring.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-gcp](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-github.json&leave_site_dialog=false&tabs=false)| 
@@ -142,6 +144,8 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-microsoft-365-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365-audit-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-defender-for-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-endpoint.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-microsoft-defender-threat-intelligence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-threat-intelligence.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-microsoft-defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-audit-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id-protection-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)|
@@ -151,6 +155,8 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-ml](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ml.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-network-security-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-security-monitoring.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-network-traffic-http-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-traffic-http-logs.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-network-traffic](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-traffic.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-network](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-okta.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-onedrive](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-onedrive.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 88543297b..969005a71 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.27"
+version = "1.3.28"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"