diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 7b6d7e5cc..10f2580eb 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -74,6 +74,11 @@
 "rule_name": "GCP Kubernetes Rolebindings Created or Patched",
 "stack_version": "8.3"
 },
+ "301571f3-b316-4969-8dd0-7917410030d3": {
+ "deprecation_date": "2023/12/14",
+ "rule_name": "Malicious Remote File Creation",
+ "stack_version": "8.9"
+ },
 "3605a013-6f0c-4f7d-88a5-326f5be262ec": {
 "deprecation_date": "2022/08/01",
 "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -99,6 +104,11 @@
 "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
 "stack_version": "8.6"
 },
+ "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
+ "deprecation_date": "2023/11/02",
+ "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
+ "stack_version": "8.3"
+ },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "deprecation_date": "2022/03/16",
 "rule_name": "Potential PrintNightmare File Modification",
@@ -259,6 +269,11 @@
 "rule_name": "Process Discovery via Tasklist",
 "stack_version": "7.14.0"
 },
+ "ccc55af4-9882-4c67-87b4-449a7ae8079c": {
+ "deprecation_date": "2023/12/15",
+ "rule_name": "Potential Process Herpaderping Attempt",
+ "stack_version": "8.3"
+ },
 "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
 "deprecation_date": "2021/04/15",
 "rule_name": "Socat Process Activity",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 01bdb3672..74bfb245f 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -18,7 +18,7 @@
 "00140285-b827-4aee-aa09-8113f58a08f3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e",
+ "sha256": "456e5ed43e056841aea460851e9e496aa85a9828fcb4bebade3a4f8b1d2a637e",
 "type": "eql",
 "version": 110
 },
@@ -211,9 +211,9 @@
 "0678bc9c-b71a-433b-87e6-2f664b6b3131": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Remote File Size",
- "sha256": "ad214cde675085b61786dcd969409c869ca6ea48663d0b5227356ec6b1bd906e",
+ "sha256": "9e8ce2ede438524fde20e36cf675fed67bdb8b9f33c673b0573c7ab9c8ef476d",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "06a7a03c-c735-47a6-a313-51c354aef6c3": {
 "min_stack_version": "8.3",
@@ -358,9 +358,9 @@
 "0ab319ef-92b8-4c7f-989b-5de93c852e93": {
 "min_stack_version": "8.10",
 "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
- "sha256": "0d74c78086416566df6174db2e219ff1366b37b544a388f89b465f5ca7ef7dda",
+ "sha256": "9b3055e1c359a21625fd9a6ffb3b15d6ddcc6c9cbce357e0f66d68ba9a2a4164",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
 "min_stack_version": "8.3",
@@ -623,9 +623,9 @@
 "1224da6c-0326-4b4f-8454-68cdc5ae542b": {
 "min_stack_version": "8.9",
 "rule_name": "Suspicious Windows Process Cluster Spawned by a User",
- "sha256": "dce0a6166ccdba29ec3a03d3fbd91c615057e7615daa7020e5a488304719aa3d",
+ "sha256": "3271476794a96692c0bcef81fe8cac64f7f9b72274691a91d92f0075be7a8bba",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "125417b8-d3df-479f-8418-12d7e034fee3": {
 "rule_name": "Attempt to Disable IPTables or Firewall",
@@ -718,9 +718,9 @@
 "13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
- "sha256": "2841e9117fd834df97cee4f6d7220cf2c5296a604b9e73f4477e8206eb7f78b3",
+ "sha256": "551d15b4a76aa3a0932077f553cdd60ad02d13b2aada4d46cb9d343b7d8ffcc3",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
 "min_stack_version": "8.3",
@@ -917,9 +917,9 @@
 "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
 "min_stack_version": "8.9",
 "rule_name": "Spike in Number of Connections Made to a Destination IP",
- "sha256": "92faf5914bec5a5a185f949112f5ff576d15fd69a5f405d73697602768830d77",
+ "sha256": "871f128810304fd883353470a5d1c2aac984a262de2c216b6d8b94e64fd8615c",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "min_stack_version": "8.3",
@@ -947,9 +947,9 @@
 "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
 "min_stack_version": "8.9",
 "rule_name": "Spike in Number of Processes in an RDP Session",
- "sha256": "c3869d7536ca507bf986047bad80507a729751302776f5a258810c9a9814c2de",
+ "sha256": "0eae02bca1aa24bba6aa6420f05401d4890c290ff47f2be34bbc1ed4cf55881b",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "1a289854-5b78-49fe-9440-8a8096b1ab50": {
 "min_stack_version": "8.8",
@@ -1257,6 +1257,13 @@
 "type": "eql",
 "version": 1
 },
+ "2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Reverse Shell via Child",
+ "sha256": "a000ef62eb0c4260a2c35b773be14845533597b5363d8762a9dc78b65a342149",
+ "type": "eql",
+ "version": 1
+ },
 "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
 "min_stack_version": "8.4",
 "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
@@ -1460,9 +1467,9 @@
 "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
 "min_stack_version": "8.3",
 "rule_name": "Account Password Reset Remotely",
- "sha256": "f21f7b41b32d1c07a79ab7a9be75729b18a0dff1cf744238f305d04f3a862ea6",
+ "sha256": "a3ad12d5f9099c09f319bd8673a640d823bd711b02d7db6ac84e83966963cfc2",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.3",
@@ -1561,9 +1568,9 @@
 "29f0cf93-d17c-4b12-b4f3-a433800539fa": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux SSH X11 Forwarding",
- "sha256": "8e67f5c7d845b4018e1be6a13d83ea84ba3cf8d5aa448dec49e7e3672158a0fc",
+ "sha256": "5033fd4d9756e3c485f90e5526da651406b9805f178469b7a8ae4cbd0903d60b",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "2a692072-d78d-42f3-a48a-775677d79c4e": {
 "min_stack_version": "8.3",
@@ -1891,9 +1898,9 @@
 "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
 "min_stack_version": "8.9",
 "rule_name": "Spike in Bytes Sent to an External Device",
- "sha256": "a8debadb004c9ca04fb7f3321cd45dc0ad8f93d6437be72cbbc5d09b84382fd1",
+ "sha256": "32a12fdccb57725b598715c3cf122e2068cf259b449fb15047fb9b0fc99a5fcd",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "min_stack_version": "8.3",
@@ -1932,9 +1939,9 @@
 "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
 "min_stack_version": "8.9",
 "rule_name": "High Mean of Process Arguments in an RDP Session",
- "sha256": "43e809e5064a205d0a1e107068d372415cecef22a677dc5acb3bd91b754772b5",
+ "sha256": "296e8ed0e6066e7b702fcf4311d2217ba39f5c0799f3226fad2477b5424210d1",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "3728c08d-9b70-456b-b6b8-007c7d246128": {
 "min_stack_version": "8.3",
@@ -2079,9 +2086,9 @@
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Module Loaded by LSASS",
- "sha256": "94f504dbd294572829f124578db222617f24279fa9d20443db1c7497f5f167a5",
+ "sha256": "bb7e77e182b27492c362583686a193391f56ca19f0c2663ade4d1b95e4fab26c",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
@@ -2120,9 +2127,9 @@
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.3",
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "4ff0e24875bfb35972c6017f875f3f557a82affb8d01f26b1e841de629d3f418",
+ "sha256": "aa1f6b51dfaf16ed53025b1b4cb2f73647fb4e83a6da692753a3f319bf43c6e1",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "min_stack_version": "8.3",
@@ -2157,9 +2164,9 @@
 "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
 "min_stack_version": "8.9",
 "rule_name": "Spike in Number of Connections Made from a Source IP",
- "sha256": "d02ca6fa6392da7a7d8757ae5757e04feb7e340f9b58af698935f60f077e5b80",
+ "sha256": "1d9b0dc7353a9d3f8bfc169a53aed8e05d122ae303c184d2ef1de2baf411c76b",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.3",
@@ -2229,9 +2236,9 @@
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "cb2bfaf035ed8f6cda1b9f14af8ef78a36f0984d1f3d5baaf375ba1bdfd833f2",
+ "sha256": "096a86b65506d41f82036e1d4ea0151a295eefc548fe5ba3f7c38995c83f088b",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "min_stack_version": "8.3",
@@ -2250,16 +2257,16 @@
 "3f4e2dba-828a-452a-af35-fe29c5e78969": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Time or Day for an RDP Session",
- "sha256": "649d4962dc3c27de65026dd648d4e7b0e8285a58920fe69e4994449af66eac61",
+ "sha256": "9b471f8864eedbbad89dffb8d15a22628f08b9e1a67dd5221d1766d6eba59e57",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Spawned by a User",
- "sha256": "76ae6142111e83c98205115ae9df5b7be5f1c79187429dbf5dba2f51c0cdb4d6",
+ "sha256": "b50af272ff3b6b7eb7b333f0c8d267b51bfdd83586ee5b0691748862fd2c3923",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.3",
@@ -2280,9 +2287,9 @@
 }
 },
 "rule_name": "Suspicious Modprobe File Event",
- "sha256": "adfdf5e7e2b042ce698eaca7b4100de49ad0b439725a5ae9ed2da41b4164de0c",
+ "sha256": "e2563182898cd53fd297c35504ad76579440cfef8eabe9d2cfe715150dce74eb",
 "type": "new_terms",
- "version": 104
+ "version": 105
 },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
 "min_stack_version": "8.3",
@@ -2401,9 +2408,9 @@
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Event Logs Cleared",
- "sha256": "841e18ac7c1e4cc6d98cdc33d34094f042f009d80854bb649f2de577141ba843",
+ "sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.3",
@@ -2484,9 +2491,9 @@
 "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell",
- "sha256": "63175dac732fef15d41d1dc2201b78948d69e4bb32c1409f60fb541ac7831b56",
+ "sha256": "89cb7506c40c363e3a341bf80a940b915a41f7abbf4c1e2889967a5a1c18b485",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.3",
@@ -2605,16 +2612,16 @@
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
 "min_stack_version": "8.3",
 "rule_name": "ProxyChains Activity",
- "sha256": "afdf629d5be941e88364f49c8fdd9ad2f02b342950996749d59123c3e24ba71e",
+ "sha256": "b6d4b380b3738c08ae7418cf9bf2094fea2128d43315465e741e17fb6bf6c361",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "4b95ecea-7225-4690-9938-2a2c0bad9c99": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Writing Data to an External Device",
- "sha256": "89378fe5870a5d6d2e956d464c722bdba8845495639f22082cb218dfe9c4fbf0",
+ "sha256": "b86e21f533a8abbe681d8e714d35bff6b31ec9354bf3751ee7d5f488940e6bd3",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "min_stack_version": "8.3",
@@ -2670,9 +2677,9 @@
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.3",
 "rule_name": "Multiple Logon Failure Followed by Logon Success",
- "sha256": "1c8451ec310e430b6d2658e6aa679415e4b0556d560352b9d484325e46721c23",
+ "sha256": "5fc006866645843af182ca61acac0199ac14da30181a0da5371c2bde0902ec72",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "min_stack_version": "8.3",
@@ -2691,9 +2698,9 @@
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Script Object Execution",
- "sha256": "41b132e87127770048e08a8d65fb63fd3180ee0d52ad69f666c0abe1ab20afd2",
+ "sha256": "8db69fc49940b524199c4fc60605ef12797755543bf966dcb698d7ea10ce6ade",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
 "min_stack_version": "8.10",
@@ -2847,9 +2854,9 @@
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "min_stack_version": "8.6",
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "a4ae81b9425df791d01fc8bf3060f56f1f40fc0dbdeeb4756b36b8f1562aead5",
+ "sha256": "0ca4553577a276a0afb0bbee5fc06fa283385f41dc413ebf23ecd2e4eb1b6e6a",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "min_stack_version": "8.9",
@@ -2877,9 +2884,9 @@
 "5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
 "min_stack_version": "8.10",
 "rule_name": "Statistical Model Detected C2 Beaconing Activity",
- "sha256": "852b52290a8f1d6864befff3b58e40a57c50f4a30a58d4415118a26871b6c013",
+ "sha256": "7b3107911e8c741b9ec3094b7c7a52e543860a937b4ed244eece2b4aa8e5e3e7",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "min_stack_version": "8.3",
@@ -2905,16 +2912,16 @@
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "min_stack_version": "8.3",
 "rule_name": "Exchange Mailbox Export via PowerShell",
- "sha256": "b7e3322f384197eb6eef899fcd0dab3032f80e4707f62046e423fe51756f2e9a",
+ "sha256": "8b8b47b60cf612754dc318d5963e5f915e3a9a6cc52152d9e3211eeb0155b2c2",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "min_stack_version": "8.3",
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "576b851afcf1857641d4f721b18a5617a334cc07ab3d60220ac1a8c5fc5ecd46",
+ "sha256": "7181c9bb9bcebc8e25b18d6dabbedd9cbf39592c805512606e418ec028f4003b",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
 "min_stack_version": "8.3",
@@ -2940,9 +2947,9 @@
 "56004189-4e69-4a39-b4a9-195329d226e9": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Spawned by a Host",
- "sha256": "79250afad59e7a34a28a1fc9474da4c16612e73c23032855389f019fa153add8",
+ "sha256": "096b9a5a676e3ff07deaf9518e90a65b1b738c50f20cd0599281e782282da58f",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "5610b192-7f18-11ee-825b-f661ea17fbcd": {
 "min_stack_version": "8.10",
@@ -3119,9 +3126,9 @@
 "5a3d5447-31c9-409a-aed1-72f9921594fd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Java",
- "sha256": "9aed8f99e318764fbd5eddbb31ec2b2f68e3d1f169f6b441ab560dd2a7a9e36f",
+ "sha256": "101fe62af1dde7632ea69d604f837f167ce9c392ec275f41f97edbf9d32bb888",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "min_stack_version": "8.3",
@@ -3240,9 +3247,9 @@
 "5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via PowerShell profile",
- "sha256": "421c30d4787b7da4cf4496d67084325210732a4aa854db2cac54429840f044c7",
+ "sha256": "bcad25e05d53aa35c64eed0d265c87d015b8da21345be33534265a037330e687",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
 "min_stack_version": "8.3",
@@ -3373,9 +3380,9 @@
 "62b68eb2-1e47-4da7-85b6-8f478db5b272": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
- "sha256": "77726aab9988d9e9be93a479e9eddf63e8d156e072e00526fc0df153555e4d58",
+ "sha256": "89ccb4bcf9974d7efeab3cd8f2c79c351f07bbe779369d826e8946ee6ef084fb",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "min_stack_version": "8.4",
@@ -3717,9 +3724,9 @@
 "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Utility Launched via ProxyChains",
- "sha256": "f455bea3a4c14a782b77a9cdb3ec5213825e368ccbdf1c2a55bf0522cd28dca1",
+ "sha256": "fd2f406746a1331d05c1e2bf2940f233dfaaa7ab24732e3e56902a388363e65f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "min_stack_version": "8.6",
@@ -3823,9 +3830,9 @@
 "6ee947e9-de7e-4281-a55d-09289bdf947e": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Tunneling and/or Port Forwarding",
- "sha256": "466d37f1b0c5665f804109f5ba5eeb6e361102da2c027522a5cc3ddec2a83be5",
+ "sha256": "58ce00446ecb88689b8d1b9f52c81a45a77fd09bd0553ddaff0cf1cf19685342",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
 "rule_name": "SSH (Secure Shell) to the Internet",
@@ -4028,9 +4035,9 @@
 }
 },
 "rule_name": "Suspicious Sysctl File Event",
- "sha256": "c8fa3c2ccaa18f3f2c9e8646cd67af9b2878616c81a2bc734f64af0e6f293d9d",
+ "sha256": "bfc9a20f20463b90faf15152ce6289f0f6144771298c87568ef2133798040a07",
 "type": "new_terms",
- "version": 104
+ "version": 105
 },
 "75dcb176-a575-4e33-a020-4a52aaa1b593": {
 "min_stack_version": "8.3",
@@ -4093,9 +4100,9 @@
 "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Suspicious Child Process",
- "sha256": "2f44d242c4986efb3033aea6b16548ece740afab086c732a010c52b375b323ec",
+ "sha256": "551061d1ad90acc7d6514094b3e49c26ca4410c8372871f868166f8e386e17a3",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
 "min_stack_version": "8.3",
@@ -4209,9 +4216,9 @@
 "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
 "min_stack_version": "8.3",
 "rule_name": "Potential File Transfer via Certreq",
- "sha256": "a74b9849420ed6b7c23bfb51caa8aad585cf535af48bfd4c11d1d7a16c8560f8",
+ "sha256": "c33e5d3c93fbcee2f5e36fa7cabf7b38e81c6acc0d71b2fd57c13d5f3946887b",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
 "min_stack_version": "8.3",
@@ -4407,9 +4414,9 @@
 "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Remote File Extension",
- "sha256": "1eaf7e432793ec71e4a6924b5d8e2f95b30b4b8042f8aaeee43aed4a24050610",
+ "sha256": "b84983a46efbfefb9fee7a305208a049944240b75335512e43271f5a7c3efebd",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "818e23e6-2094-4f0e-8c01-22d30f3506c6": {
 "min_stack_version": "8.3",
@@ -5061,16 +5068,16 @@
 "947827c6-9ed6-4dec-903e-c856c86e72f3": {
 "min_stack_version": "8.3",
 "rule_name": "Creation of Kernel Module",
- "sha256": "bc11b02e437e764264346f0fbf206b73fc696e806b497b4465f6df6841315099",
+ "sha256": "fa5ba6a7b2e6d152888b0d7092c06b5ede38ccd92aafe335279b3db465ec2076",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
 "min_stack_version": "8.3",
 "rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
- "sha256": "3eeb11e2e94049e8d1119a4cafd05b0fe2188371b6cfa8a38d62535f57df784f",
+ "sha256": "2bacdc3988548986c2dd070cd0e1df419868ab248ce0c6cb0a2749f274c044c2",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "9510add4-3392-11ed-bd01-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -5293,9 +5300,9 @@
 "994e40aa-8c85-43de-825e-15f665375ee8": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
- "sha256": "58480532047dc1a5936dce3ece1b30e3643a68fe8d7e2343553008f2a0deab18",
+ "sha256": "e793c278c3154d2a7eb15afce2d4936fa72a471bdcdf6df479c3166fcaa95e48",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "9960432d-9b26-409f-972b-839a959e79e2": {
 "min_stack_version": "8.8",
@@ -5387,10 +5394,10 @@
 },
 "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
 "min_stack_version": "8.3",
- "rule_name": "Remote Logon followed by Scheduled Task Creation",
- "sha256": "4e0993f31425ff82fe3e63aadcaf70f37978105fffef6e3988effbe42e8e2e2f",
+ "rule_name": "Remote Scheduled Task Creation via RPC",
+ "sha256": "22e8e1bb2a6a9366178e012e1811993b0ce5f79b27afc154f93ed760c6489f1e",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
 "min_stack_version": "8.3",
@@ -5498,9 +5505,9 @@
 "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
- "sha256": "374e0e8d1e934d5f1bfea0c8256c5ea2425f5bd9be8374f7728ce60d1545baa4",
+ "sha256": "fe83625174ae62ca10465c0894c0d81aa59d398c6afe266c565f6f6e18c6d027",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "min_stack_version": "8.3",
@@ -5743,9 +5750,9 @@
 "a74c60cb-70ee-4629-a127-608ead14ebf1": {
 "min_stack_version": "8.9",
 "rule_name": "High Mean of RDP Session Duration",
- "sha256": "da4ddd46272515e372d09fc4efb2d394cba8e054b0ce9bd555adef5a46d91034",
+ "sha256": "b5ff9202f928ffea90be6b05e0a028c6b37da1aeb007eeba5fb6a7f5f75c92b3",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "min_stack_version": "8.3",
@@ -5778,9 +5785,9 @@
 "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
 "min_stack_version": "8.9",
 "rule_name": "High Variance in RDP Session Duration",
- "sha256": "c0f263fa0ff7d4e7f059e58dd7c707af412cdea311f76703517ce73844a1267a",
+ "sha256": "ae52791c8f4a7d0173fa12bfe257b0386155b7776abe2fe91e4598c465460409",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "a9198571-b135-4a76-b055-e3e5a476fd83": {
 "rule_name": "Hex Encoding/Decoding Activity",
@@ -5900,9 +5907,9 @@
 "ac8805f6-1e08-406c-962e-3937057fa86f": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Protocol Tunneling via Chisel Server",
- "sha256": "be83fd066d79be0ffae0c129953fb19a321244c86fd3c8fc46fa0f89905e3ac0",
+ "sha256": "8c1fcd1ccc01b7c092eac3e49fb246f3f883093d07485ca2528b0212e66d1421",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
 "min_stack_version": "8.3",
@@ -5944,9 +5951,9 @@
 "acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Managed Code Hosting Process",
- "sha256": "7a665dd484eabb4ea95433a9fc76aa6c2f6a5e88e3bf2aa3586eb8624521f396",
+ "sha256": "0a533f32c8d5462d986ae942d838d8fba2be5f9d9d777acbf61864a1fda4b275",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "ad0d2742-9a49-11ec-8d6b-acde48001122": {
 "min_stack_version": "8.3",
@@ -6043,9 +6050,9 @@
 "afd04601-12fc-4149-9b78-9c3f8fe45d39": {
 "min_stack_version": "8.3",
 "rule_name": "Network Activity Detected via cat",
- "sha256": "bc5df61663e521c91606721992cd7a8151188b39742d369c2537dabd15b0937d",
+ "sha256": "d8ce7ce1d50539e7b9b135a7463c03309cee47dba07797c4c9a4198edb10e223",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "afe6b0eb-dd9d-4922-b08a-1910124d524d": {
 "min_stack_version": "8.3",
@@ -6460,9 +6467,9 @@
 "bcaa15ce-2d41-44d7-a322-918f9db77766": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
- "sha256": "d63cfc91fa9b1bb91389ee64591686beafffd9f84982f78f22bcb437826e0180",
+ "sha256": "f5220068a8eeba34ffc00f96b7aa3a8eebafc48bce2354524c3079da13b3e96a",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "bd2c86a0-8b61-4457-ab38-96943984e889": {
 "min_stack_version": "8.3",
@@ -6502,16 +6509,16 @@
 "bdfebe11-e169-42e3-b344-c5d2015533d3": {
 "min_stack_version": "8.9",
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
- "sha256": "5ae04a57c1b38d7e0492041cf77dd21a4f39bbab4665de39b2fa755166cf1faa",
+ "sha256": "bfa8f71657fbb8749cf4f5f600a359722956bfa318207c2220ea634fc7403c4e",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Remote File Directory",
- "sha256": "4ed65ee17e5e6a2e754823609612583d0e717cead35636b67da9903546d4f880",
+ "sha256": "679d1d5d3c635ce79753315c3c3081a592f215406e10e246e3a3fe9e4a2f7c9f",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "min_stack_version": "8.3",
@@ -6546,9 +6553,9 @@
 "bfba5158-1fd6-4937-a205-77d96213b341": {
 "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
- "sha256": "5b26c01b0dbc43669ecd86f7d517896559de73bb5322add585302163804f23fc",
+ "sha256": "63fa5830b9e441e960726196461abda7310d4b52b798a96b68b8cb2c717616ce",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "min_stack_version": "8.3",
@@ -6725,16 +6732,16 @@
 "c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
- "sha256": "98c498d667d0e19468ae624112a73bcd2a85d40b0caff39529b93ce06206aaaa",
+ "sha256": "7ae96f1df833b14af7547f0e08d6b5b00c9e944fbac39dbceb641ce799daf5e7",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
 "min_stack_version": "8.3",
 "rule_name": "Installation of Custom Shim Databases",
- "sha256": "180f35496a5277ea5829782e66057c78d10f5cf1a375c0de5b836548f2236bed",
+ "sha256": "b7d3d0eac47540ae843fe1289c5c3b34a1f89e1f292b2990b68cb241983c52aa",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "min_stack_version": "8.3",
@@ -6849,9 +6856,9 @@
 "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
 "min_stack_version": "8.3",
 "rule_name": "Direct Outbound SMB Connection",
- "sha256": "276fda09a4647e0a3d729f05859857312616bc6c9355cbe2717d2c32fd0cc4fc",
+ "sha256": "60e36bac49806489006bf776593fb6782d3af26d927558c032d5c6cc16be7340",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "c85eb82c-d2c8-485c-a36f-534f914b7663": {
 "min_stack_version": "8.3",
@@ -6990,9 +6997,9 @@
 "cc653d77-ddd2-45b1-9197-c75ad19df66c": {
 "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
- "sha256": "6be5434c46b81e00bf29a5b3c08506bb5fefe291cfffe9666594851bd81d5007",
+ "sha256": "b5449914c57f3b158b22d6929e85c95b29763e3eb6af772e343f1f4d907efe24",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -7094,10 +7101,10 @@
 "version": 106
 }
 },
- "rule_name": "Attempt to Deactivate MFA for an Okta User Account",
- "sha256": "21e5d78749220436e967eeeb044dd1f1f605e2586c03e609b54561405c40cccf",
- "type": "query",
- "version": 206
+ "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
+ "sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5",
+ "type": "eql",
+ "version": 207
 },
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
 "min_stack_version": "8.10",
@@ -7118,9 +7125,9 @@
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
- "sha256": "fb56f30729c9d160477b06f02df315c4d6c9387007b670146b4c0060f556afce",
+ "sha256": "2eb8c5c3eeddd0af42ec3046f59499ed54cf8d1fda03bf20e935a69f2bcfd306",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "min_stack_version": "8.3",
@@ -7490,9 +7497,9 @@
 "da7f5803-1cd4-42fd-a890-0173ae80ac69": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
- "sha256": "fd0e143d1c3b97e0d0f5faf7c2574e3a80509905c6d6564cc15eadb49661058d",
+ "sha256": "6e01111d746a2621fba51d683e3b21a475878fb95b0da75efef8c54f665fb13d",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "da87eee1-129c-4661-a7aa-57d0b9645fad": {
 "min_stack_version": "8.3",
@@ -7632,9 +7639,9 @@
 }
 },
 "rule_name": "Query Registry using Built-in Tools",
- "sha256": "1ce3bd6bd9c91187b6ee6941b8adf51a9bc72c81dd5bcc25fe03bd480f1122eb",
+ "sha256": "66c6b23d0b93c2a355ec7809c00272dad9d6ae5d8e1b8c594010f6d352504e9c",
 "type": "new_terms",
- "version": 102
+ "version": 103
 },
 "df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
 "min_stack_version": "8.6",
@@ -7793,9 +7800,9 @@
 "e1db8899-97c1-4851-8993-3a3265353601": {
 "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
- "sha256": "1ce0e6ef09a67c9f0018cebdedc41c09e0f2d980c0892d2c58f1e17af536bd70",
+ "sha256": "cc35fa122722a6fb07e287d93ad415f86567f457bfb947fb14a2273427f257f6",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "e2258f48-ba75-4248-951b-7c885edf18c2": {
 "min_stack_version": "8.3",
@@ -8141,9 +8148,9 @@
 "e92c99b6-c547-4bb6-b244-2f27394bc849": {
 "min_stack_version": "8.9",
 "rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
- "sha256": "f4946a910d3c5cf165420c1f5768200c1484fdc853e0a53756994d7993255dd4",
+ "sha256": "a15543671d4d5fe65bb33045b81836fa6b6701277fde03baed1cfa4128d58b52",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
 "min_stack_version": "8.3",
@@ -8162,9 +8169,9 @@
 "e9b0902b-c515-413b-b80b-a8dcebc81a66": {
 "min_stack_version": "8.9",
 "rule_name": "Spike in Remote File Transfers",
- "sha256": "5a680fcc21fa3a04e8559fed157bb4ad2d12ae704220ebfb794b987dd5e7f9ab",
+ "sha256": "470e8ced054f1bc59729079e22245fdd3df57ee3c76ad8d61dc913d979c69f89",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
 "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
@@ -8188,9 +8195,9 @@
 "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
 "min_stack_version": "8.9",
 "rule_name": "Unusual Process Spawned by a Parent Process",
- "sha256": "e0eb8a5cb723b6d21c3bd60ed9f2fbaa258b957aaf1c3ccb239075cb1bd9e3a2",
+ "sha256": "67bc8b9711b46b277066e6c665fb98446858a64b2fd08257cd3fbfb87dcdf4fd",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "ea248a02-bc47-4043-8e94-2885b19b2636": {
 "min_stack_version": "8.9",
@@ -8232,9 +8239,9 @@
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Kerberos Ticket Request",
- "sha256": "f2b652ded44a6da7a65d03f5aeb3b74b8f9790089a0d1c2e3346e02ff70f66af",
+ "sha256": "362b14187d99cc82260552ac8948c4169dfc7a138c656b64536dd43703b67906",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
 "min_stack_version": "8.3",
@@ -8419,9 +8426,9 @@
 "ef8cc01c-fc49-4954-a175-98569c646740": {
 "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
- "sha256": "ae2f3e60d6bf07e3ace4c7be1a9a199dc8b181ae4c472baa2f02f91eb86e6801",
+ "sha256": "56cd681da1967f0a220f930eeadbda12546363729b2fa2a955f9c59ac16086a4",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "f036953a-4615-4707-a1ca-dc53bf69dcd5": {
 "min_stack_version": "8.3",
@@ -8549,9 +8556,9 @@
 "f3403393-1fd9-4686-8f6e-596c58bc00b4": {
 "min_stack_version": "8.9",
 "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
- "sha256": "109d0c7e3887d7f898702bb931801365f78166bc37b58aa04f66b0e30101f41b",
+ "sha256": "23a660434de3455f0a6de99e5a7da5c45a05eeeffa82698844dcbab5d76c3932",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "min_stack_version": "8.3",
@@ -8653,9 +8660,9 @@
 "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
 "min_stack_version": "8.9",
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
- "sha256": "d95530ac48c152547acc046bef874063d532e0a9f5f639803e3b525025209f22",
+ "sha256": "866744b042cda9a292065f261e1a62d729b5c7aca98c990bd5be1c0dbf04bc39",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "f5fb4598-4f10-11ed-bdc3-0242ac120002": {
 "min_stack_version": "8.3",
@@ -8767,9 +8774,9 @@
 "f95972d3-c23b-463b-89a8-796b3f369b49": {
 "min_stack_version": "8.3",
 "rule_name": "Ingress Transfer via Windows BITS",
- "sha256": "2b0bea22a5bf532f9af15d9ab5ed07db310010798335f52475ceb9d0292017b0",
+ "sha256": "17194641e5b83110a15ad1ea56df6e69c2061a202fd582a587fa4581966173fa",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "f97504ac-1053-498f-aeaa-c6d01e76b379": {
 "min_stack_version": "8.3",
@@ -8941,9 +8948,9 @@
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "752821996ecca2eaeacb9d0694eea57ddf1ed278ab32ceecfa6fd0514f9a16d6",
+ "sha256": "44dd765994937208cfee2f6b3d0e125111cbe88d94a5c67e840065955d2d3ea3",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "min_stack_version": "8.3",
@@ -8990,9 +8997,9 @@
 "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
 "min_stack_version": "8.9",
 "rule_name": "Potential DGA Activity",
- "sha256": "83e50c945d95a5c87970b0f27356a28d98589040cb7698c584b7b41c832a8c24",
+ "sha256": "589696d2263aedd5164e45823daed51e955d30cab677ac76f94129cb6dba05da",
 "type": "machine_learning",
- "version": 1
+ "version": 2
 },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
 "min_stack_version": "8.6",
@@ -9004,9 +9011,9 @@
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "min_stack_version": "8.7",
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "1b7ddc7981baef1561c102347f23a1168fd3023c338e394cc8ed2956864b7ffb",
+ "sha256": "3ebb73fb1bc78e99a7321c9da744e2462cb56b7b8b3a372342993176f40608c2",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "min_stack_version": "8.3",