security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3358)

Browse Source 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2024-01-02 12:25:33 -05:00
committed by GitHub
parent 5a96f4d51a
commit f37d13f29b
2 changed files with 168 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/deprecated_rules.json
+15
View File
@@ -74,6 +74,11 @@
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"stack_version": "8.3"
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"deprecation_date": "2023/12/14",
"rule_name": "Malicious Remote File Creation",
"stack_version": "8.9"
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"deprecation_date": "2022/08/01",
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -99,6 +104,11 @@
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"stack_version": "8.6"
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"deprecation_date": "2023/11/02",
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"stack_version": "8.3"
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"deprecation_date": "2022/03/16",
"rule_name": "Potential PrintNightmare File Modification",
@@ -259,6 +269,11 @@
"rule_name": "Process Discovery via Tasklist",
"stack_version": "7.14.0"
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"deprecation_date": "2023/12/15",
"rule_name": "Potential Process Herpaderping Attempt",
"stack_version": "8.3"
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"deprecation_date": "2021/04/15",
"rule_name": "Socat Process Activity",
detection_rules/etc/version.lock.json
+153 -146
View File
@@ -18,7 +18,7 @@
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e",
"sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e",
"type": "eql",
"version": 110
},
@@ -211,9 +211,9 @@
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Size",
"sha256": "ad214cde675085b61786dcd969409c869ca6ea48663d0b5227356ec6b1bd906e",
"sha256": "9e8ce2ede438524fde20e36cf675fed67bdb8b9f33c673b0573c7ab9c8ef476d",
"type": "machine_learning",
"version": 1
"version": 2
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
@@ -358,9 +358,9 @@
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "0d74c78086416566df6174db2e219ff1366b37b544a388f89b465f5ca7ef7dda",
"sha256": "9b3055e1c359a21625fd9a6ffb3b15d6ddcc6c9cbce357e0f66d68ba9a2a4164",
"type": "query",
"version": 1
"version": 2
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.3",
@@ -623,9 +623,9 @@
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "dce0a6166ccdba29ec3a03d3fbd91c615057e7615daa7020e5a488304719aa3d",
"sha256": "3271476794a96692c0bcef81fe8cac64f7f9b72274691a91d92f0075be7a8bba",
"type": "machine_learning",
"version": 1
"version": 2
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
@@ -718,9 +718,9 @@
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "2841e9117fd834df97cee4f6d7220cf2c5296a604b9e73f4477e8206eb7f78b3",
"sha256": "551d15b4a76aa3a0932077f553cdd60ad02d13b2aada4d46cb9d343b7d8ffcc3",
"type": "eql",
"version": 1
"version": 2
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"min_stack_version": "8.3",
@@ -917,9 +917,9 @@
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "92faf5914bec5a5a185f949112f5ff576d15fd69a5f405d73697602768830d77",
"sha256": "871f128810304fd883353470a5d1c2aac984a262de2c216b6d8b94e64fd8615c",
"type": "machine_learning",
"version": 1
"version": 2
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
@@ -947,9 +947,9 @@
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "c3869d7536ca507bf986047bad80507a729751302776f5a258810c9a9814c2de",
"sha256": "0eae02bca1aa24bba6aa6420f05401d4890c290ff47f2be34bbc1ed4cf55881b",
"type": "machine_learning",
"version": 1
"version": 2
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "8.8",
@@ -1257,6 +1257,13 @@
"type": "eql",
"version": 1
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Child",
"sha256": "a000ef62eb0c4260a2c35b773be14845533597b5363d8762a9dc78b65a342149",
"type": "eql",
"version": 1
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
@@ -1460,9 +1467,9 @@
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"rule_name": "Account Password Reset Remotely",
"sha256": "f21f7b41b32d1c07a79ab7a9be75729b18a0dff1cf744238f305d04f3a862ea6",
"sha256": "a3ad12d5f9099c09f319bd8673a640d823bd711b02d7db6ac84e83966963cfc2",
"type": "eql",
"version": 107
"version": 108
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
@@ -1561,9 +1568,9 @@
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux SSH X11 Forwarding",
"sha256": "8e67f5c7d845b4018e1be6a13d83ea84ba3cf8d5aa448dec49e7e3672158a0fc",
"sha256": "5033fd4d9756e3c485f90e5526da651406b9805f178469b7a8ae4cbd0903d60b",
"type": "eql",
"version": 1
"version": 2
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
@@ -1891,9 +1898,9 @@
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "a8debadb004c9ca04fb7f3321cd45dc0ad8f93d6437be72cbbc5d09b84382fd1",
"sha256": "32a12fdccb57725b598715c3cf122e2068cf259b449fb15047fb9b0fc99a5fcd",
"type": "machine_learning",
"version": 1
"version": 2
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
@@ -1932,9 +1939,9 @@
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.9",
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "43e809e5064a205d0a1e107068d372415cecef22a677dc5acb3bd91b754772b5",
"sha256": "296e8ed0e6066e7b702fcf4311d2217ba39f5c0799f3226fad2477b5424210d1",
"type": "machine_learning",
"version": 1
"version": 2
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.3",
@@ -2079,9 +2086,9 @@
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "94f504dbd294572829f124578db222617f24279fa9d20443db1c7497f5f167a5",
"sha256": "bb7e77e182b27492c362583686a193391f56ca19f0c2663ade4d1b95e4fab26c",
"type": "eql",
"version": 5
"version": 6
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
@@ -2120,9 +2127,9 @@
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "4ff0e24875bfb35972c6017f875f3f557a82affb8d01f26b1e841de629d3f418",
"sha256": "aa1f6b51dfaf16ed53025b1b4cb2f73647fb4e83a6da692753a3f319bf43c6e1",
"type": "eql",
"version": 108
"version": 109
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
@@ -2157,9 +2164,9 @@
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "d02ca6fa6392da7a7d8757ae5757e04feb7e340f9b58af698935f60f077e5b80",
"sha256": "1d9b0dc7353a9d3f8bfc169a53aed8e05d122ae303c184d2ef1de2baf411c76b",
"type": "machine_learning",
"version": 1
"version": 2
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
@@ -2229,9 +2236,9 @@
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "cb2bfaf035ed8f6cda1b9f14af8ef78a36f0984d1f3d5baaf375ba1bdfd833f2",
"sha256": "096a86b65506d41f82036e1d4ea0151a295eefc548fe5ba3f7c38995c83f088b",
"type": "eql",
"version": 3
"version": 4
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"min_stack_version": "8.3",
@@ -2250,16 +2257,16 @@
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "8.9",
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "649d4962dc3c27de65026dd648d4e7b0e8285a58920fe69e4994449af66eac61",
"sha256": "9b471f8864eedbbad89dffb8d15a22628f08b9e1a67dd5221d1766d6eba59e57",
"type": "machine_learning",
"version": 1
"version": 2
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a User",
"sha256": "76ae6142111e83c98205115ae9df5b7be5f1c79187429dbf5dba2f51c0cdb4d6",
"sha256": "b50af272ff3b6b7eb7b333f0c8d267b51bfdd83586ee5b0691748862fd2c3923",
"type": "machine_learning",
"version": 1
"version": 2
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
@@ -2280,9 +2287,9 @@
}
},
"rule_name": "Suspicious Modprobe File Event",
"sha256": "adfdf5e7e2b042ce698eaca7b4100de49ad0b439725a5ae9ed2da41b4164de0c",
"sha256": "e2563182898cd53fd297c35504ad76579440cfef8eabe9d2cfe715150dce74eb",
"type": "new_terms",
"version": 104
"version": 105
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.3",
@@ -2401,9 +2408,9 @@
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.3",
"rule_name": "Windows Event Logs Cleared",
"sha256": "841e18ac7c1e4cc6d98cdc33d34094f042f009d80854bb649f2de577141ba843",
"sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd",
"type": "query",
"version": 107
"version": 108
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
@@ -2484,9 +2491,9 @@
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "63175dac732fef15d41d1dc2201b78948d69e4bb32c1409f60fb541ac7831b56",
"sha256": "89cb7506c40c363e3a341bf80a940b915a41f7abbf4c1e2889967a5a1c18b485",
"type": "eql",
"version": 6
"version": 7
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
@@ -2605,16 +2612,16 @@
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"min_stack_version": "8.3",
"rule_name": "ProxyChains Activity",
"sha256": "afdf629d5be941e88364f49c8fdd9ad2f02b342950996749d59123c3e24ba71e",
"sha256": "b6d4b380b3738c08ae7418cf9bf2094fea2128d43315465e741e17fb6bf6c361",
"type": "eql",
"version": 1
"version": 2
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "89378fe5870a5d6d2e956d464c722bdba8845495639f22082cb218dfe9c4fbf0",
"sha256": "b86e21f533a8abbe681d8e714d35bff6b31ec9354bf3751ee7d5f488940e6bd3",
"type": "machine_learning",
"version": 1
"version": 2
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
@@ -2670,9 +2677,9 @@
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "1c8451ec310e430b6d2658e6aa679415e4b0556d560352b9d484325e46721c23",
"sha256": "5fc006866645843af182ca61acac0199ac14da30181a0da5371c2bde0902ec72",
"type": "eql",
"version": 8
"version": 9
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.3",
@@ -2691,9 +2698,9 @@
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Script Object Execution",
"sha256": "41b132e87127770048e08a8d65fb63fd3180ee0d52ad69f666c0abe1ab20afd2",
"sha256": "8db69fc49940b524199c4fc60605ef12797755543bf966dcb698d7ea10ce6ade",
"type": "eql",
"version": 105
"version": 106
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.10",
@@ -2847,9 +2854,9 @@
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "a4ae81b9425df791d01fc8bf3060f56f1f40fc0dbdeeb4756b36b8f1562aead5",
"sha256": "0ca4553577a276a0afb0bbee5fc06fa283385f41dc413ebf23ecd2e4eb1b6e6a",
"type": "new_terms",
"version": 5
"version": 6
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.9",
@@ -2877,9 +2884,9 @@
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "852b52290a8f1d6864befff3b58e40a57c50f4a30a58d4415118a26871b6c013",
"sha256": "7b3107911e8c741b9ec3094b7c7a52e543860a937b4ed244eece2b4aa8e5e3e7",
"type": "query",
"version": 1
"version": 2
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
@@ -2905,16 +2912,16 @@
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.3",
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "b7e3322f384197eb6eef899fcd0dab3032f80e4707f62046e423fe51756f2e9a",
"sha256": "8b8b47b60cf612754dc318d5963e5f915e3a9a6cc52152d9e3211eeb0155b2c2",
"type": "query",
"version": 6
"version": 7
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.3",
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "576b851afcf1857641d4f721b18a5617a334cc07ab3d60220ac1a8c5fc5ecd46",
"sha256": "7181c9bb9bcebc8e25b18d6dabbedd9cbf39592c805512606e418ec028f4003b",
"type": "eql",
"version": 106
"version": 107
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.3",
@@ -2940,9 +2947,9 @@
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "79250afad59e7a34a28a1fc9474da4c16612e73c23032855389f019fa153add8",
"sha256": "096b9a5a676e3ff07deaf9518e90a65b1b738c50f20cd0599281e782282da58f",
"type": "machine_learning",
"version": 1
"version": 2
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -3119,9 +3126,9 @@
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "9aed8f99e318764fbd5eddbb31ec2b2f68e3d1f169f6b441ab560dd2a7a9e36f",
"sha256": "101fe62af1dde7632ea69d604f837f167ce9c392ec275f41f97edbf9d32bb888",
"type": "eql",
"version": 5
"version": 6
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
@@ -3240,9 +3247,9 @@
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
"rule_name": "Persistence via PowerShell profile",
"sha256": "421c30d4787b7da4cf4496d67084325210732a4aa854db2cac54429840f044c7",
"sha256": "bcad25e05d53aa35c64eed0d265c87d015b8da21345be33534265a037330e687",
"type": "eql",
"version": 6
"version": 7
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
@@ -3373,9 +3380,9 @@
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"min_stack_version": "8.3",
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "77726aab9988d9e9be93a479e9eddf63e8d156e072e00526fc0df153555e4d58",
"sha256": "89ccb4bcf9974d7efeab3cd8f2c79c351f07bbe779369d826e8946ee6ef084fb",
"type": "eql",
"version": 2
"version": 3
},
"63c05204-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
@@ -3717,9 +3724,9 @@
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "f455bea3a4c14a782b77a9cdb3ec5213825e368ccbdf1c2a55bf0522cd28dca1",
"sha256": "fd2f406746a1331d05c1e2bf2940f233dfaaa7ab24732e3e56902a388363e65f",
"type": "eql",
"version": 3
"version": 4
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.6",
@@ -3823,9 +3830,9 @@
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "466d37f1b0c5665f804109f5ba5eeb6e361102da2c027522a5cc3ddec2a83be5",
"sha256": "58ce00446ecb88689b8d1b9f52c81a45a77fd09bd0553ddaff0cf1cf19685342",
"type": "eql",
"version": 3
"version": 4
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
@@ -4028,9 +4035,9 @@
}
},
"rule_name": "Suspicious Sysctl File Event",
"sha256": "c8fa3c2ccaa18f3f2c9e8646cd67af9b2878616c81a2bc734f64af0e6f293d9d",
"sha256": "bfc9a20f20463b90faf15152ce6289f0f6144771298c87568ef2133798040a07",
"type": "new_terms",
"version": 104
"version": 105
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
@@ -4093,9 +4100,9 @@
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "2f44d242c4986efb3033aea6b16548ece740afab086c732a010c52b375b323ec",
"sha256": "551061d1ad90acc7d6514094b3e49c26ca4410c8372871f868166f8e386e17a3",
"type": "eql",
"version": 6
"version": 7
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
@@ -4209,9 +4216,9 @@
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential File Transfer via Certreq",
"sha256": "a74b9849420ed6b7c23bfb51caa8aad585cf535af48bfd4c11d1d7a16c8560f8",
"sha256": "c33e5d3c93fbcee2f5e36fa7cabf7b38e81c6acc0d71b2fd57c13d5f3946887b",
"type": "eql",
"version": 5
"version": 6
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
@@ -4407,9 +4414,9 @@
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Extension",
"sha256": "1eaf7e432793ec71e4a6924b5d8e2f95b30b4b8042f8aaeee43aed4a24050610",
"sha256": "b84983a46efbfefb9fee7a305208a049944240b75335512e43271f5a7c3efebd",
"type": "machine_learning",
"version": 1
"version": 2
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
@@ -5061,16 +5068,16 @@
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"min_stack_version": "8.3",
"rule_name": "Creation of Kernel Module",
"sha256": "bc11b02e437e764264346f0fbf206b73fc696e806b497b4465f6df6841315099",
"sha256": "fa5ba6a7b2e6d152888b0d7092c06b5ede38ccd92aafe335279b3db465ec2076",
"type": "eql",
"version": 1
"version": 2
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "3eeb11e2e94049e8d1119a4cafd05b0fe2188371b6cfa8a38d62535f57df784f",
"sha256": "2bacdc3988548986c2dd070cd0e1df419868ab248ce0c6cb0a2749f274c044c2",
"type": "eql",
"version": 5
"version": 6
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5293,9 +5300,9 @@
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "58480532047dc1a5936dce3ece1b30e3643a68fe8d7e2343553008f2a0deab18",
"sha256": "e793c278c3154d2a7eb15afce2d4936fa72a471bdcdf6df479c3166fcaa95e48",
"type": "eql",
"version": 1
"version": 2
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.8",
@@ -5387,10 +5394,10 @@
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote Logon followed by Scheduled Task Creation",
"sha256": "4e0993f31425ff82fe3e63aadcaf70f37978105fffef6e3988effbe42e8e2e2f",
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "22e8e1bb2a6a9366178e012e1811993b0ce5f79b27afc154f93ed760c6489f1e",
"type": "eql",
"version": 6
"version": 7
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
@@ -5498,9 +5505,9 @@
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "374e0e8d1e934d5f1bfea0c8256c5ea2425f5bd9be8374f7728ce60d1545baa4",
"sha256": "fe83625174ae62ca10465c0894c0d81aa59d398c6afe266c565f6f6e18c6d027",
"type": "eql",
"version": 108
"version": 109
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
@@ -5743,9 +5750,9 @@
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
"rule_name": "High Mean of RDP Session Duration",
"sha256": "da4ddd46272515e372d09fc4efb2d394cba8e054b0ce9bd555adef5a46d91034",
"sha256": "b5ff9202f928ffea90be6b05e0a028c6b37da1aeb007eeba5fb6a7f5f75c92b3",
"type": "machine_learning",
"version": 1
"version": 2
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
@@ -5778,9 +5785,9 @@
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.9",
"rule_name": "High Variance in RDP Session Duration",
"sha256": "c0f263fa0ff7d4e7f059e58dd7c707af412cdea311f76703517ce73844a1267a",
"sha256": "ae52791c8f4a7d0173fa12bfe257b0386155b7776abe2fe91e4598c465460409",
"type": "machine_learning",
"version": 1
"version": 2
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
@@ -5900,9 +5907,9 @@
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "be83fd066d79be0ffae0c129953fb19a321244c86fd3c8fc46fa0f89905e3ac0",
"sha256": "8c1fcd1ccc01b7c092eac3e49fb246f3f883093d07485ca2528b0212e66d1421",
"type": "eql",
"version": 3
"version": 4
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
@@ -5944,9 +5951,9 @@
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "7a665dd484eabb4ea95433a9fc76aa6c2f6a5e88e3bf2aa3586eb8624521f396",
"sha256": "0a533f32c8d5462d986ae942d838d8fba2be5f9d9d777acbf61864a1fda4b275",
"type": "eql",
"version": 106
"version": 107
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
@@ -6043,9 +6050,9 @@
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
"rule_name": "Network Activity Detected via cat",
"sha256": "bc5df61663e521c91606721992cd7a8151188b39742d369c2537dabd15b0937d",
"sha256": "d8ce7ce1d50539e7b9b135a7463c03309cee47dba07797c4c9a4198edb10e223",
"type": "eql",
"version": 3
"version": 4
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
@@ -6460,9 +6467,9 @@
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "d63cfc91fa9b1bb91389ee64591686beafffd9f84982f78f22bcb437826e0180",
"sha256": "f5220068a8eeba34ffc00f96b7aa3a8eebafc48bce2354524c3079da13b3e96a",
"type": "query",
"version": 1
"version": 2
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.3",
@@ -6502,16 +6509,16 @@
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "5ae04a57c1b38d7e0492041cf77dd21a4f39bbab4665de39b2fa755166cf1faa",
"sha256": "bfa8f71657fbb8749cf4f5f600a359722956bfa318207c2220ea634fc7403c4e",
"type": "machine_learning",
"version": 1
"version": 2
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Directory",
"sha256": "4ed65ee17e5e6a2e754823609612583d0e717cead35636b67da9903546d4f880",
"sha256": "679d1d5d3c635ce79753315c3c3081a592f215406e10e246e3a3fe9e4a2f7c9f",
"type": "machine_learning",
"version": 1
"version": 2
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
@@ -6546,9 +6553,9 @@
"bfba5158-1fd6-4937-a205-77d96213b341": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "5b26c01b0dbc43669ecd86f7d517896559de73bb5322add585302163804f23fc",
"sha256": "63fa5830b9e441e960726196461abda7310d4b52b798a96b68b8cb2c717616ce",
"type": "machine_learning",
"version": 1
"version": 2
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
@@ -6725,16 +6732,16 @@
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "98c498d667d0e19468ae624112a73bcd2a85d40b0caff39529b93ce06206aaaa",
"sha256": "7ae96f1df833b14af7547f0e08d6b5b00c9e944fbac39dbceb641ce799daf5e7",
"type": "eql",
"version": 106
"version": 107
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.3",
"rule_name": "Installation of Custom Shim Databases",
"sha256": "180f35496a5277ea5829782e66057c78d10f5cf1a375c0de5b836548f2236bed",
"sha256": "b7d3d0eac47540ae843fe1289c5c3b34a1f89e1f292b2990b68cb241983c52aa",
"type": "eql",
"version": 105
"version": 106
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
@@ -6849,9 +6856,9 @@
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"min_stack_version": "8.3",
"rule_name": "Direct Outbound SMB Connection",
"sha256": "276fda09a4647e0a3d729f05859857312616bc6c9355cbe2717d2c32fd0cc4fc",
"sha256": "60e36bac49806489006bf776593fb6782d3af26d927558c032d5c6cc16be7340",
"type": "eql",
"version": 107
"version": 108
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
@@ -6990,9 +6997,9 @@
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "6be5434c46b81e00bf29a5b3c08506bb5fefe291cfffe9666594851bd81d5007",
"sha256": "b5449914c57f3b158b22d6929e85c95b29763e3eb6af772e343f1f4d907efe24",
"type": "machine_learning",
"version": 1
"version": 2
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -7094,10 +7101,10 @@
"version": 106
}
},
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "21e5d78749220436e967eeeb044dd1f1f605e2586c03e609b54561405c40cccf",
"type": "query",
"version": 206
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5",
"type": "eql",
"version": 207
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.10",
@@ -7118,9 +7125,9 @@
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "fb56f30729c9d160477b06f02df315c4d6c9387007b670146b4c0060f556afce",
"sha256": "2eb8c5c3eeddd0af42ec3046f59499ed54cf8d1fda03bf20e935a69f2bcfd306",
"type": "query",
"version": 7
"version": 8
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
@@ -7490,9 +7497,9 @@
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "fd0e143d1c3b97e0d0f5faf7c2574e3a80509905c6d6564cc15eadb49661058d",
"sha256": "6e01111d746a2621fba51d683e3b21a475878fb95b0da75efef8c54f665fb13d",
"type": "query",
"version": 1
"version": 2
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.3",
@@ -7632,9 +7639,9 @@
}
},
"rule_name": "Query Registry using Built-in Tools",
"sha256": "1ce3bd6bd9c91187b6ee6941b8adf51a9bc72c81dd5bcc25fe03bd480f1122eb",
"sha256": "66c6b23d0b93c2a355ec7809c00272dad9d6ae5d8e1b8c594010f6d352504e9c",
"type": "new_terms",
"version": 102
"version": 103
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
@@ -7793,9 +7800,9 @@
"e1db8899-97c1-4851-8993-3a3265353601": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "1ce0e6ef09a67c9f0018cebdedc41c09e0f2d980c0892d2c58f1e17af536bd70",
"sha256": "cc35fa122722a6fb07e287d93ad415f86567f457bfb947fb14a2273427f257f6",
"type": "machine_learning",
"version": 1
"version": 2
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"min_stack_version": "8.3",
@@ -8141,9 +8148,9 @@
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "f4946a910d3c5cf165420c1f5768200c1484fdc853e0a53756994d7993255dd4",
"sha256": "a15543671d4d5fe65bb33045b81836fa6b6701277fde03baed1cfa4128d58b52",
"type": "machine_learning",
"version": 1
"version": 2
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.3",
@@ -8162,9 +8169,9 @@
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.9",
"rule_name": "Spike in Remote File Transfers",
"sha256": "5a680fcc21fa3a04e8559fed157bb4ad2d12ae704220ebfb794b987dd5e7f9ab",
"sha256": "470e8ced054f1bc59729079e22245fdd3df57ee3c76ad8d61dc913d979c69f89",
"type": "machine_learning",
"version": 1
"version": 2
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
@@ -8188,9 +8195,9 @@
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "e0eb8a5cb723b6d21c3bd60ed9f2fbaa258b957aaf1c3ccb239075cb1bd9e3a2",
"sha256": "67bc8b9711b46b277066e6c665fb98446858a64b2fd08257cd3fbfb87dcdf4fd",
"type": "machine_learning",
"version": 1
"version": 2
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"min_stack_version": "8.9",
@@ -8232,9 +8239,9 @@
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "f2b652ded44a6da7a65d03f5aeb3b74b8f9790089a0d1c2e3346e02ff70f66af",
"sha256": "362b14187d99cc82260552ac8948c4169dfc7a138c656b64536dd43703b67906",
"type": "query",
"version": 109
"version": 110
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
@@ -8419,9 +8426,9 @@
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "ae2f3e60d6bf07e3ace4c7be1a9a199dc8b181ae4c472baa2f02f91eb86e6801",
"sha256": "56cd681da1967f0a220f930eeadbda12546363729b2fa2a955f9c59ac16086a4",
"type": "machine_learning",
"version": 1
"version": 2
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
@@ -8549,9 +8556,9 @@
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "109d0c7e3887d7f898702bb931801365f78166bc37b58aa04f66b0e30101f41b",
"sha256": "23a660434de3455f0a6de99e5a7da5c45a05eeeffa82698844dcbab5d76c3932",
"type": "query",
"version": 1
"version": 2
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
@@ -8653,9 +8660,9 @@
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "d95530ac48c152547acc046bef874063d532e0a9f5f639803e3b525025209f22",
"sha256": "866744b042cda9a292065f261e1a62d729b5c7aca98c990bd5be1c0dbf04bc39",
"type": "machine_learning",
"version": 1
"version": 2
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"min_stack_version": "8.3",
@@ -8767,9 +8774,9 @@
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "2b0bea22a5bf532f9af15d9ab5ed07db310010798335f52475ceb9d0292017b0",
"sha256": "17194641e5b83110a15ad1ea56df6e69c2061a202fd582a587fa4581966173fa",
"type": "eql",
"version": 5
"version": 6
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.3",
@@ -8941,9 +8948,9 @@
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "752821996ecca2eaeacb9d0694eea57ddf1ed278ab32ceecfa6fd0514f9a16d6",
"sha256": "44dd765994937208cfee2f6b3d0e125111cbe88d94a5c67e840065955d2d3ea3",
"type": "query",
"version": 2
"version": 3
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.3",
@@ -8990,9 +8997,9 @@
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"min_stack_version": "8.9",
"rule_name": "Potential DGA Activity",
"sha256": "83e50c945d95a5c87970b0f27356a28d98589040cb7698c584b7b41c832a8c24",
"sha256": "589696d2263aedd5164e45823daed51e955d30cab677ac76f94129cb6dba05da",
"type": "machine_learning",
"version": 1
"version": 2
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
@@ -9004,9 +9011,9 @@
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "1b7ddc7981baef1561c102347f23a1168fd3023c338e394cc8ed2956864b7ffb",
"sha256": "3ebb73fb1bc78e99a7321c9da744e2462cb56b7b8b3a372342993176f40608c2",
"type": "eql",
"version": 5
"version": 6
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.3",