security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676)

Browse Source
This commit is contained in:
github-actions[bot]
2024-05-15 17:04:22 +05:30
committed by GitHub
parent 50a8b52cd5
commit f3585da503
1 changed files with 277 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+277 -94
View File
@@ -119,6 +119,13 @@
"type": "eql",
"version": 208
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8",
"type": "eql",
"version": 1
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
"rule_name": "Dumping Account Hashes via Built-In Commands",
@@ -322,9 +329,9 @@
"080bc66a-5d56-4d1f-8071-817671716db9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Browser Child Process",
"sha256": "5b13ba56ec5300968f85a5f227c4c6b88229685601a785c495aca18463a83564",
"sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
"type": "eql",
"version": 106
"version": 107
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"min_stack_version": "8.3",
@@ -404,9 +411,9 @@
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"min_stack_version": "8.3",
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "1d54e7fa05f9055911fdd08afc440de0282fbecfe9baa76fdc9cf4c99b627eb9",
"sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2",
"type": "query",
"version": 102
"version": 103
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"min_stack_version": "8.10",
@@ -622,6 +629,13 @@
"type": "query",
"version": 106
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9",
"type": "query",
"version": 1
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
@@ -629,11 +643,20 @@
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"min_stack_version": "8.3",
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "WebProxy Settings Modification",
"sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a",
"type": "query",
"version": 106
}
},
"rule_name": "WebProxy Settings Modification",
"sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a",
"sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af",
"type": "query",
"version": 106
"version": 206
},
"11013227-0301-4a8c-b150-4db924484475": {
"min_stack_version": "8.3",
@@ -803,6 +826,13 @@
"type": "machine_learning",
"version": 104
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73",
"type": "threshold",
"version": 1
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
@@ -935,9 +965,9 @@
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "3d8695589654d6d7e54c53f1ff0699ba0c8246a2e2bb9779621fec8d881676d6",
"sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08",
"type": "eql",
"version": 112
"version": 113
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
@@ -1329,9 +1359,9 @@
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "2233e5ea218dfd0eb681e5eda22661045a5d6f2fc43bfd51a8e46a02691404ad",
"sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2",
"type": "query",
"version": 102
"version": 103
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
@@ -1371,11 +1401,20 @@
"version": 206
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.3",
"rule_name": "Access of Stored Browser Credentials",
"sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Access of Stored Browser Credentials",
"sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
"type": "eql",
"version": 107
}
},
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "adddb3826db0faf4df285ffe2b662f510557180d3576a19d570b65606facbd90",
"type": "eql",
"version": 107
"version": 207
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
@@ -1513,6 +1552,13 @@
"type": "eql",
"version": 108
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3",
"type": "query",
"version": 1
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Background Process",
@@ -1661,6 +1707,13 @@
"type": "eql",
"version": 114
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"min_stack_version": "8.13",
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "65f2ba3cdd922a26ebd11dc207df001dc6debc22457618e24e8b3862b80dd36e",
"type": "esql",
"version": 1
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
@@ -1671,9 +1724,9 @@
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "4783ea1c871e136da712f699297b8bf091b1796196bd60a91f318d9118146e90",
"sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d",
"type": "query",
"version": 102
"version": 103
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
@@ -2237,11 +2290,20 @@
"version": 209
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
"type": "eql",
"version": 106
}
},
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
"sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916",
"type": "eql",
"version": 106
"version": 206
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.10",
@@ -2267,11 +2329,20 @@
"version": 111
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08",
"type": "eql",
"version": 107
}
},
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08",
"sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277",
"type": "eql",
"version": 107
"version": 207
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
@@ -2361,9 +2432,9 @@
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"min_stack_version": "8.3",
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "e780bae977385affaf7a29979e4b42d96948ee5c5143d445e328977e47e0ad76",
"sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442",
"type": "query",
"version": 102
"version": 103
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
@@ -2692,12 +2763,19 @@
"type": "eql",
"version": 10
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd",
"type": "query",
"version": 1
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "9cfb02a6c3d0cf6058f5cb24d68214a4eaf071af1b155fe7bebdf74a8d64b823",
"sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a",
"type": "query",
"version": 102
"version": 103
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.3",
@@ -2908,9 +2986,9 @@
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "8.8",
"rule_name": "Container Workload Protection",
"sha256": "7dc1df259f2559b82c60fd64135e3a8b31538897e166eb5e423a3487b860e4d7",
"sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24",
"type": "query",
"version": 3
"version": 4
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"min_stack_version": "8.3",
@@ -3294,11 +3372,20 @@
"version": 104
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.3",
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Admin Group Account Addition",
"sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
"type": "query",
"version": 106
}
},
"rule_name": "Potential Admin Group Account Addition",
"sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
"sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9",
"type": "query",
"version": 106
"version": 206
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"min_stack_version": "8.3",
@@ -3356,9 +3443,9 @@
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "464173343b15452c0508079b2d1b419ba63394f705a0a4cd524b33d261d192db",
"sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234",
"type": "query",
"version": 102
"version": 103
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"min_stack_version": "8.3",
@@ -3684,6 +3771,13 @@
"type": "esql",
"version": 1
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"min_stack_version": "8.3",
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5",
"type": "eql",
"version": 1
},
"60884af6-f553-4a6c-af13-300047455491": {
"min_stack_version": "8.3",
"rule_name": "Azure Command Execution on Virtual Machine",
@@ -3894,9 +3988,9 @@
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "e84ba56d6d8e91ca39c85b7d46288b10add00a1a5c9fffae67a1f5212410be6b",
"sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18",
"type": "eql",
"version": 112
"version": 113
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
@@ -3906,11 +4000,20 @@
"version": 3
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.3",
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
"type": "eql",
"version": 106
}
},
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
"sha256": "e420ac04ef84bb4a8ad93985e785758ffd16b4e0b44d969bc6f749df31add04b",
"type": "eql",
"version": 106
"version": 206
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
@@ -4140,6 +4243,13 @@
"type": "query",
"version": 206
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc",
"type": "query",
"version": 1
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
@@ -4241,11 +4351,20 @@
"version": 106
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.3",
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
"type": "eql",
"version": 107
}
},
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
"sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd",
"type": "eql",
"version": 107
"version": 207
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
@@ -4466,11 +4585,20 @@
"version": 111
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.3",
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
"type": "query",
"version": 106
}
},
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e",
"type": "query",
"version": 106
"version": 206
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "8.3",
@@ -4598,9 +4726,9 @@
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"min_stack_version": "8.3",
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "218a6c64a0a6ca81daa448015ce3939bf8dc52af526230c34665f979786b8e59",
"sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d",
"type": "query",
"version": 103
"version": 104
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
@@ -4655,6 +4783,13 @@
"type": "eql",
"version": 1
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0",
"type": "eql",
"version": 1
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Loaded by Svchost",
@@ -4884,9 +5019,9 @@
"80c52164-c82a-402c-9964-852533d58be1": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "661387b1e6ccd6656a40df519444a4dbea7f5c8fc82c4e4688368f9625bc1371",
"sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be",
"type": "query",
"version": 102
"version": 103
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.9",
@@ -4932,11 +5067,20 @@
"version": 7
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
"type": "eql",
"version": 107
}
},
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
"sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a",
"type": "eql",
"version": 107
"version": 207
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
@@ -4965,6 +5109,13 @@
"type": "eql",
"version": 7
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a",
"type": "new_terms",
"version": 2
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Transport Agent Install Script",
@@ -5299,9 +5450,9 @@
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "15476273cd0025f1ff7fa6376ac4edbcf6651d4dc99c824ddbdbb6d2918271c1",
"sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2",
"type": "query",
"version": 102
"version": 103
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
@@ -5412,9 +5563,9 @@
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "d840381331d67563c745889e2cbbd47273b7f92250ff5f51de65a7108a762efb",
"sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3",
"type": "eql",
"version": 107
"version": 108
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
@@ -5693,11 +5844,20 @@
"version": 9
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
"type": "eql",
"version": 107
}
},
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
"sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63",
"type": "eql",
"version": 107
"version": 207
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
@@ -5857,16 +6017,16 @@
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "3eb61b0c1f450cb261c64e332f3b607245dcae89bf60a1b375b61b21f7173d1d",
"sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa",
"type": "query",
"version": 102
"version": 103
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "3307efa82a9f01aac2ec0e12a8268b9ab1498a83ef8e3f14b82fec6bbb5855fc",
"sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584",
"type": "eql",
"version": 106
"version": 107
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
@@ -5901,9 +6061,9 @@
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"min_stack_version": "8.3",
"rule_name": "Endpoint Security",
"sha256": "8c02160e083a13d6519e4b952e3d3890879d81fb7b014cd29461f8c5e1e5dee4",
"sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d",
"type": "query",
"version": 102
"version": 103
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"min_stack_version": "8.3",
@@ -6492,9 +6652,9 @@
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Login Hook",
"sha256": "c840e0e433c076d6a236cb3c1e1ae89eb1d04d77a7694aff0ef3e1a8ea113e36",
"sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9",
"type": "query",
"version": 107
"version": 108
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
@@ -7272,9 +7432,9 @@
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "7f80160a2380217fd12e0e78168b9e338d949cc363715f8dd70315ae2851abcd",
"sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3",
"type": "query",
"version": 102
"version": 103
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"min_stack_version": "8.5",
@@ -7332,9 +7492,9 @@
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Folder Action Script",
"sha256": "210d7d5cb38258eb525416e4eccb8c8745589c950955d3cb69cc8fe518aee6a6",
"sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa",
"type": "eql",
"version": 106
"version": 107
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"min_stack_version": "8.11",
@@ -7353,9 +7513,9 @@
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "9cb45ad573eafeafd9e21598e49127644f544e5cb1628581ac2754286d08b78b",
"sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5",
"type": "query",
"version": 102
"version": 103
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.3",
@@ -7533,9 +7693,9 @@
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "3c6f0a24da299813261489fdb038d377f036e11f903b4fb30e3b5adac2ffc3b3",
"sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37",
"type": "query",
"version": 106
"version": 107
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"min_stack_version": "8.3",
@@ -7602,9 +7762,9 @@
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "ebbc74d9d6ab1c4883f29df435efd99f5bc2f437b6bcb6e39be3216015224a67",
"sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3",
"type": "query",
"version": 102
"version": 103
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"min_stack_version": "8.8",
@@ -7989,9 +8149,9 @@
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "0534c21b8c262912cebae6a5c387a1b04dad425ce8b3dc73f7af5906f64cc2be",
"sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd",
"type": "eql",
"version": 106
"version": 107
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.10",
@@ -8171,11 +8331,20 @@
"version": 2
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"min_stack_version": "8.3",
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "SystemKey Access via Command Line",
"sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d",
"type": "query",
"version": 106
}
},
"rule_name": "SystemKey Access via Command Line",
"sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d",
"sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091",
"type": "query",
"version": 106
"version": 206
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
@@ -8293,9 +8462,9 @@
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "4ac4208ee21dfa91e465866f8ae0f0ef0c13d7290d2aed48430ab0aeb3d7bfaf",
"sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65",
"type": "query",
"version": 102
"version": 103
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
@@ -8673,9 +8842,9 @@
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "0fdbe989334d90ab57d6fb689e66d0c649482dfaeba4d2ee9513172bbc186535",
"sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462",
"type": "query",
"version": 102
"version": 103
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.3",
@@ -8760,9 +8929,9 @@
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"min_stack_version": "8.3",
"rule_name": "Authorization Plugin Modification",
"sha256": "49df6c7a2f8d17da42d1a479125a20cab0466898ffa5f51252397610194c88ad",
"sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e",
"type": "query",
"version": 106
"version": 107
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.10",
@@ -8838,6 +9007,13 @@
"type": "eql",
"version": 4
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"min_stack_version": "8.3",
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
"type": "eql",
"version": 1
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Unshadow",
@@ -9017,9 +9193,9 @@
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"min_stack_version": "8.3",
"rule_name": "External Alerts",
"sha256": "987ec9abd74221c9ba9d74c421bc291c1a711da2030aac49cf842693483d9849",
"sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6",
"type": "query",
"version": 102
"version": 103
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.3",
@@ -9270,10 +9446,10 @@
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Remove File Quarantine Attribute",
"sha256": "d680e44d9c8fd89a36b30adc0af3cde9bb7b495ed986c92ad8be0b210c648e94",
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c",
"type": "eql",
"version": 107
"version": 108
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
@@ -9888,6 +10064,13 @@
"type": "query",
"version": 206
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"min_stack_version": "8.3",
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
"type": "eql",
"version": 1
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Deletion",