diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 414de5a88..d28d74a83 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -119,6 +119,13 @@
 "type": "eql",
 "version": 208
 },
+ "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Ransomware Note File Dropped via SMB",
+ "sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8",
+ "type": "eql",
+ "version": 1
+ },
 "02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
 "min_stack_version": "8.3",
 "rule_name": "Dumping Account Hashes via Built-In Commands",
@@ -322,9 +329,9 @@
 "080bc66a-5d56-4d1f-8071-817671716db9": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Browser Child Process",
- "sha256": "5b13ba56ec5300968f85a5f227c4c6b88229685601a785c495aca18463a83564",
+ "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "082e3f8c-6f80-485c-91eb-5b112cb79b28": {
 "min_stack_version": "8.3",
@@ -404,9 +411,9 @@
 "0a97b20f-4144-49ea-be32-b540ecc445de": {
 "min_stack_version": "8.3",
 "rule_name": "Malware - Detected - Elastic Endgame",
- "sha256": "1d54e7fa05f9055911fdd08afc440de0282fbecfe9baa76fdc9cf4c99b627eb9",
+ "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "0ab319ef-92b8-4c7f-989b-5de93c852e93": {
 "min_stack_version": "8.10",
@@ -622,6 +629,13 @@
 "type": "query",
 "version": 106
 },
+ "10445cf0-0748-11ef-ba75-f661ea17fbcc": {
+ "min_stack_version": "8.9",
+ "rule_name": "AWS IAM Login Profile Added to User",
+ "sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9",
+ "type": "query",
+ "version": 1
+ },
 "10754992-28c7-4472-be5b-f3770fd04f2d": {
 "rule_name": "Linux Restricted Shell Breakout via awk Commands",
 "sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
@@ -629,11 +643,20 @@
 "version": 100
 },
 "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.7",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "WebProxy Settings Modification",
+ "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "WebProxy Settings Modification",
- "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a",
+ "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af",
 "type": "query",
- "version": 106
+ "version": 206
 },
 "11013227-0301-4a8c-b150-4db924484475": {
 "min_stack_version": "8.3",
@@ -803,6 +826,13 @@
 "type": "machine_learning",
 "version": 104
 },
+ "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
+ "sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73",
+ "type": "threshold",
+ "version": 1
+ },
 "139c7458-566a-410c-a5cd-f80238d6a5cd": {
 "rule_name": "SQL Traffic to the Internet",
 "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
@@ -935,9 +965,9 @@
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "min_stack_version": "8.3",
 "rule_name": "Component Object Model Hijacking",
- "sha256": "3d8695589654d6d7e54c53f1ff0699ba0c8246a2e2bb9779621fec8d881676d6",
+ "sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "16fac1a1-21ee-4ca6-b720-458e3855d046": {
 "min_stack_version": "8.3",
@@ -1329,9 +1359,9 @@
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "min_stack_version": "8.3",
 "rule_name": "Exploit - Detected - Elastic Endgame",
- "sha256": "2233e5ea218dfd0eb681e5eda22661045a5d6f2fc43bfd51a8e46a02691404ad",
+ "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "min_stack_version": "8.3",
@@ -1371,11 +1401,20 @@
 "version": 206
 },
 "20457e4f-d1de-4b92-ae69-142e27a4342a": {
- "min_stack_version": "8.3",
- "rule_name": "Access of Stored Browser Credentials",
- "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
+ "min_stack_version": "8.11",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Access of Stored Browser Credentials",
+ "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
+ "type": "eql",
+ "version": 107
+ }
+ },
+ "rule_name": "Suspicious Web Browser Sensitive File Access",
+ "sha256": "adddb3826db0faf4df285ffe2b662f510557180d3576a19d570b65606facbd90",
 "type": "eql",
- "version": 107
+ "version": 207
 },
 "205b52c4-9c28-4af4-8979-935f3278d61a": {
 "min_stack_version": "8.3",
@@ -1513,6 +1552,13 @@
 "type": "eql",
 "version": 108
 },
+ "2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential PowerShell HackTool Script by Author",
+ "sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3",
+ "type": "query",
+ "version": 1
+ },
 "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Background Process",
@@ -1661,6 +1707,13 @@
 "type": "eql",
 "version": 114
 },
+ "28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
+ "min_stack_version": "8.13",
+ "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
+ "sha256": "65f2ba3cdd922a26ebd11dc207df001dc6debc22457618e24e8b3862b80dd36e",
+ "type": "esql",
+ "version": 1
+ },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.3",
 "rule_name": "Account Discovery Command via SYSTEM Account",
@@ -1671,9 +1724,9 @@
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "min_stack_version": "8.3",
 "rule_name": "Exploit - Prevented - Elastic Endgame",
- "sha256": "4783ea1c871e136da712f699297b8bf091b1796196bd60a91f318d9118146e90",
+ "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "28738f9f-7427-4d23-bc69-756708b5f624": {
 "min_stack_version": "8.3",
@@ -2237,11 +2290,20 @@
 "version": 209
 },
 "37f638ea-909d-4f94-9248-edd21e4a9906": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.11",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Finder Sync Plugin Registered and Enabled",
+ "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
+ "type": "eql",
+ "version": 106
+ }
+ },
 "rule_name": "Finder Sync Plugin Registered and Enabled",
- "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
+ "sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916",
 "type": "eql",
- "version": 106
+ "version": 206
 },
 "3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
 "min_stack_version": "8.10",
@@ -2267,11 +2329,20 @@
 "version": 111
 },
 "38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.7",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Prompt for Credentials with OSASCRIPT",
+ "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08",
+ "type": "eql",
+ "version": 107
+ }
+ },
 "rule_name": "Prompt for Credentials with OSASCRIPT",
- "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08",
+ "sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277",
 "type": "eql",
- "version": 107
+ "version": 207
 },
 "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
 "min_stack_version": "8.3",
@@ -2361,9 +2432,9 @@
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "min_stack_version": "8.3",
 "rule_name": "Malware - Prevented - Elastic Endgame",
- "sha256": "e780bae977385affaf7a29979e4b42d96948ee5c5143d445e328977e47e0ad76",
+ "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.3",
@@ -2692,12 +2763,19 @@
 "type": "eql",
 "version": 10
 },
+ "453183fa-f903-11ee-8e88-f661ea17fbce": {
+ "min_stack_version": "8.9",
+ "rule_name": "Route53 Resolver Query Log Configuration Deleted",
+ "sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd",
+ "type": "query",
+ "version": 1
+ },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "min_stack_version": "8.3",
 "rule_name": "Permission Theft - Prevented - Elastic Endgame",
- "sha256": "9cfb02a6c3d0cf6058f5cb24d68214a4eaf071af1b155fe7bebdf74a8d64b823",
+ "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "min_stack_version": "8.3",
@@ -2908,9 +2986,9 @@
 "4b4e9c99-27ea-4621-95c8-82341bc6e512": {
 "min_stack_version": "8.8",
 "rule_name": "Container Workload Protection",
- "sha256": "7dc1df259f2559b82c60fd64135e3a8b31538897e166eb5e423a3487b860e4d7",
+ "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
 "min_stack_version": "8.3",
@@ -3294,11 +3372,20 @@
 "version": 104
 },
 "565c2b44-7a21-4818-955f-8d4737967d2e": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.11",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Potential Admin Group Account Addition",
+ "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Potential Admin Group Account Addition",
- "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
+ "sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9",
 "type": "query",
- "version": 106
+ "version": 206
 },
 "565d6ca5-75ba-4c82-9b13-add25353471c": {
 "min_stack_version": "8.3",
@@ -3356,9 +3443,9 @@
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "min_stack_version": "8.3",
 "rule_name": "Credential Dumping - Detected - Elastic Endgame",
- "sha256": "464173343b15452c0508079b2d1b419ba63394f705a0a4cd524b33d261d192db",
+ "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
 "min_stack_version": "8.3",
@@ -3684,6 +3771,13 @@
 "type": "esql",
 "version": 1
 },
+ "5f2f463e-6997-478c-8405-fb41cc283281": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential File Download via a Headless Browser",
+ "sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5",
+ "type": "eql",
+ "version": 1
+ },
 "60884af6-f553-4a6c-af13-300047455491": {
 "min_stack_version": "8.3",
 "rule_name": "Azure Command Execution on Virtual Machine",
@@ -3894,9 +3988,9 @@
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "min_stack_version": "8.3",
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "e84ba56d6d8e91ca39c85b7d46288b10add00a1a5c9fffae67a1f5212410be6b",
+ "sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "min_stack_version": "8.3",
@@ -3906,11 +4000,20 @@
 "version": 3
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.11",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Suspicious macOS MS Office Child Process",
+ "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
+ "type": "eql",
+ "version": 106
+ }
+ },
 "rule_name": "Suspicious macOS MS Office Child Process",
- "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
+ "sha256": "e420ac04ef84bb4a8ad93985e785758ffd16b4e0b44d969bc6f749df31add04b",
 "type": "eql",
- "version": 106
+ "version": 206
 },
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "min_stack_version": "8.3",
@@ -4140,6 +4243,13 @@
 "type": "query",
 "version": 206
 },
+ "6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
+ "min_stack_version": "8.9",
+ "rule_name": "EC2 AMI Shared with Another Account",
+ "sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc",
+ "type": "query",
+ "version": 1
+ },
 "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Service Host Child Process - Childless Service",
@@ -4241,11 +4351,20 @@
 "version": 106
 },
 "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.7",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Enumeration of Users or Groups via Built-in Commands",
+ "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
+ "type": "eql",
+ "version": 107
+ }
+ },
 "rule_name": "Enumeration of Users or Groups via Built-in Commands",
- "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
+ "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd",
 "type": "eql",
- "version": 107
+ "version": 207
 },
 "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
 "min_stack_version": "8.3",
@@ -4466,11 +4585,20 @@
 "version": 111
 },
 "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
- "min_stack_version": "8.3",
- "rule_name": "Modification of Environment Variable via Launchctl",
- "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
+ "min_stack_version": "8.11",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Modification of Environment Variable via Launchctl",
+ "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
+ "type": "query",
+ "version": 106
+ }
+ },
+ "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
+ "sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e",
 "type": "query",
- "version": 106
+ "version": 206
 },
 "745b0119-0560-43ba-860a-7235dd8cee8d": {
 "min_stack_version": "8.3",
@@ -4598,9 +4726,9 @@
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "min_stack_version": "8.3",
 "rule_name": "Adversary Behavior - Detected - Elastic Endgame",
- "sha256": "218a6c64a0a6ca81daa448015ce3939bf8dc52af526230c34665f979786b8e59",
+ "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "781f8746-2180-4691-890c-4c96d11ca91d": {
 "min_stack_version": "8.3",
@@ -4655,6 +4783,13 @@
 "type": "eql",
 "version": 1
 },
+ "78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious File Renamed via SMB",
+ "sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0",
+ "type": "eql",
+ "version": 1
+ },
 "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
 "min_stack_version": "8.4",
 "rule_name": "Unsigned DLL Loaded by Svchost",
@@ -4884,9 +5019,9 @@
 "80c52164-c82a-402c-9964-852533d58be1": {
 "min_stack_version": "8.3",
 "rule_name": "Process Injection - Detected - Elastic Endgame",
- "sha256": "661387b1e6ccd6656a40df519444a4dbea7f5c8fc82c4e4688368f9625bc1371",
+ "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
 "min_stack_version": "8.9",
@@ -4932,11 +5067,20 @@
 "version": 7
 },
 "827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.11",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Apple Scripting Execution with Administrator Privileges",
+ "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
+ "type": "eql",
+ "version": 107
+ }
+ },
 "rule_name": "Apple Scripting Execution with Administrator Privileges",
- "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
+ "sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a",
 "type": "eql",
- "version": 107
+ "version": 207
 },
 "835c0622-114e-40b5-a346-f843ea5d01f1": {
 "min_stack_version": "8.3",
@@ -4965,6 +5109,13 @@
 "type": "eql",
 "version": 7
 },
+ "8446517c-f789-11ee-8ad0-f661ea17fbce": {
+ "min_stack_version": "8.3",
+ "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
+ "sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a",
+ "type": "new_terms",
+ "version": 2
+ },
 "846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Transport Agent Install Script",
@@ -5299,9 +5450,9 @@
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "min_stack_version": "8.3",
 "rule_name": "Ransomware - Detected - Elastic Endgame",
- "sha256": "15476273cd0025f1ff7fa6376ac4edbcf6651d4dc99c824ddbdbb6d2918271c1",
+ "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "8cb84371-d053-4f4f-bce0-c74990e28f28": {
 "min_stack_version": "8.3",
@@ -5412,9 +5563,9 @@
 "9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
 "min_stack_version": "8.3",
 "rule_name": "Keychain Password Retrieval via Command Line",
- "sha256": "d840381331d67563c745889e2cbbd47273b7f92250ff5f51de65a7108a762efb",
+ "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "90babaa8-5216-4568-992d-d4a01a105d98": {
 "min_stack_version": "8.3",
@@ -5693,11 +5844,20 @@
 "version": 9
 },
 "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.7",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Access to Keychain Credentials Directories",
+ "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
+ "type": "eql",
+ "version": 107
+ }
+ },
 "rule_name": "Access to Keychain Credentials Directories",
- "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
+ "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63",
 "type": "eql",
- "version": 107
+ "version": 207
 },
 "97020e61-e591-4191-8a3b-2861a2b887cd": {
 "min_stack_version": "8.3",
@@ -5857,16 +6017,16 @@
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
 "min_stack_version": "8.3",
 "rule_name": "Process Injection - Prevented - Elastic Endgame",
- "sha256": "3eb61b0c1f450cb261c64e332f3b607245dcae89bf60a1b375b61b21f7173d1d",
+ "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
 "min_stack_version": "8.3",
 "rule_name": "MacOS Installer Package Spawns Network Event",
- "sha256": "3307efa82a9f01aac2ec0e12a8268b9ab1498a83ef8e3f14b82fec6bbb5855fc",
+ "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "994e40aa-8c85-43de-825e-15f665375ee8": {
 "min_stack_version": "8.9",
@@ -5901,9 +6061,9 @@
 "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
 "min_stack_version": "8.3",
 "rule_name": "Endpoint Security",
- "sha256": "8c02160e083a13d6519e4b952e3d3890879d81fb7b014cd29461f8c5e1e5dee4",
+ "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "9a3884d0-282d-45ea-86ce-b9c81100f026": {
 "min_stack_version": "8.3",
@@ -6492,9 +6652,9 @@
 "ac412404-57a5-476f-858f-4e8fbb4f48d8": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Persistence via Login Hook",
- "sha256": "c840e0e433c076d6a236cb3c1e1ae89eb1d04d77a7694aff0ef3e1a8ea113e36",
+ "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
 "min_stack_version": "8.3",
@@ -7272,9 +7432,9 @@
 "c0be5f31-e180-48ed-aa08-96b36899d48f": {
 "min_stack_version": "8.3",
 "rule_name": "Credential Manipulation - Detected - Elastic Endgame",
- "sha256": "7f80160a2380217fd12e0e78168b9e338d949cc363715f8dd70315ae2851abcd",
+ "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "c125e48f-6783-41f0-b100-c3bf1b114d16": {
 "min_stack_version": "8.5",
@@ -7332,9 +7492,9 @@
 "c292fa52-4115-408a-b897-e14f684b3cb7": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Folder Action Script",
- "sha256": "210d7d5cb38258eb525416e4eccb8c8745589c950955d3cb69cc8fe518aee6a6",
+ "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c296f888-eac6-4543-8da5-b6abb0d3304f": {
 "min_stack_version": "8.11",
@@ -7353,9 +7513,9 @@
 "c3167e1b-f73c-41be-b60b-87f4df707fe3": {
 "min_stack_version": "8.3",
 "rule_name": "Permission Theft - Detected - Elastic Endgame",
- "sha256": "9cb45ad573eafeafd9e21598e49127644f544e5cb1628581ac2754286d08b78b",
+ "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "min_stack_version": "8.3",
@@ -7533,9 +7693,9 @@
 "c81cefcb-82b9-4408-a533-3c3df549e62d": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Docker Shortcut Modification",
- "sha256": "3c6f0a24da299813261489fdb038d377f036e11f903b4fb30e3b5adac2ffc3b3",
+ "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "c82b2bd8-d701-420c-ba43-f11a155b681a": {
 "min_stack_version": "8.3",
@@ -7602,9 +7762,9 @@
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "min_stack_version": "8.3",
 "rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
- "sha256": "ebbc74d9d6ab1c4883f29df435efd99f5bc2f437b6bcb6e39be3216015224a67",
+ "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
 "min_stack_version": "8.8",
@@ -7989,9 +8149,9 @@
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "min_stack_version": "8.3",
 "rule_name": "Shell Execution via Apple Scripting",
- "sha256": "0534c21b8c262912cebae6a5c387a1b04dad425ce8b3dc73f7af5906f64cc2be",
+ "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
 "min_stack_version": "8.10",
@@ -8171,11 +8331,20 @@
 "version": 2
 },
 "d75991f2-b989-419d-b797-ac1e54ec2d61": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.7",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "SystemKey Access via Command Line",
+ "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "SystemKey Access via Command Line",
- "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d",
+ "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091",
 "type": "query",
- "version": 106
+ "version": 206
 },
 "d76b02ef-fc95-4001-9297-01cb7412232f": {
 "min_stack_version": "8.3",
@@ -8293,9 +8462,9 @@
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "min_stack_version": "8.3",
 "rule_name": "Credential Dumping - Prevented - Elastic Endgame",
- "sha256": "4ac4208ee21dfa91e465866f8ae0f0ef0c13d7290d2aed48430ab0aeb3d7bfaf",
+ "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "dc0b7782-0df0-47ff-8337-db0d678bdb66": {
 "min_stack_version": "8.3",
@@ -8673,9 +8842,9 @@
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "min_stack_version": "8.3",
 "rule_name": "Ransomware - Prevented - Elastic Endgame",
- "sha256": "0fdbe989334d90ab57d6fb689e66d0c649482dfaeba4d2ee9513172bbc186535",
+ "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "min_stack_version": "8.3",
@@ -8760,9 +8929,9 @@
 "e6c98d38-633d-4b3e-9387-42112cd5ac10": {
 "min_stack_version": "8.3",
 "rule_name": "Authorization Plugin Modification",
- "sha256": "49df6c7a2f8d17da42d1a479125a20cab0466898ffa5f51252397610194c88ad",
+ "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
 "min_stack_version": "8.10",
@@ -8838,6 +9007,13 @@
 "type": "eql",
 "version": 4
 },
+ "e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
+ "min_stack_version": "8.3",
+ "rule_name": "Unusual Execution via Microsoft Common Console File",
+ "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
+ "type": "eql",
+ "version": 1
+ },
 "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Credential Dumping via Unshadow",
@@ -9017,9 +9193,9 @@
 "eb079c62-4481-4d6e-9643-3ca499df7aaa": {
 "min_stack_version": "8.3",
 "rule_name": "External Alerts",
- "sha256": "987ec9abd74221c9ba9d74c421bc291c1a711da2030aac49cf842693483d9849",
+ "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "eb44611f-62a8-4036-a5ef-587098be6c43": {
 "min_stack_version": "8.3",
@@ -9270,10 +9446,10 @@
 },
 "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
 "min_stack_version": "8.3",
- "rule_name": "Attempt to Remove File Quarantine Attribute",
- "sha256": "d680e44d9c8fd89a36b30adc0af3cde9bb7b495ed986c92ad8be0b210c648e94",
+ "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
+ "sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "f0bc081a-2346-4744-a6a4-81514817e888": {
 "min_stack_version": "8.3",
@@ -9888,6 +10064,13 @@
 "type": "query",
 "version": 206
 },
+ "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
+ "min_stack_version": "8.3",
+ "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
+ "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
+ "type": "eql",
+ "version": 1
+ },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "min_stack_version": "8.3",
 "rule_name": "GCP Firewall Rule Deletion",