From f8bcfe68008c8add02a740b5eb18e32a3559d72a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 28 Nov 2022 09:15:53 -0500
Subject: [PATCH] Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2407)
Co-authored-by: terrancedejesus
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 detection_rules/etc/deprecated_rules.json | 7 +-
 detection_rules/etc/version.lock.json | 1494 ++++++++++++--------
 2 files changed, 844 insertions(+), 657 deletions(-)
diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index e6635e2ca..41c928246 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -54,6 +54,11 @@
 "rule_name": "Suspicious Process from Conhost",
 "stack_version": "7.16"
 },
+ "2f0bae2d-bf20-4465-be86-1311addebaa3": {
+ "deprecation_date": "2022/10/04",
+ "rule_name": "GCP Kubernetes Rolebindings Created or Patched",
+ "stack_version": "8.3"
+ },
 "3605a013-6f0c-4f7d-88a5-326f5be262ec": {
 "deprecation_date": "2022/08/01",
 "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -67,7 +72,7 @@
 "43303fd4-4839-4e48-b2b2-803ab060758d": {
 "deprecation_date": "2022/09/13",
 "rule_name": "Web Application Suspicious Activity: No User Agent",
- "stack_version": "8.5"
+ "stack_version": "8.5"
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "deprecation_date": "2021/03/17",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 517201541..1865e20fd 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -11,9 +11,9 @@
 }
 },
 "rule_name": "Attempt to Modify an Okta Policy Rule",
- "sha256": "89cbc0eb5b4639be3e37bb1e89b7ee51e90f6e50c76d4368e131a7e38d0cee81",
+ "sha256": "6959ea68e624648c00260b8b0f15cd196d5b8c735a992496989e2dafdaae5661",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "00140285-b827-4aee-aa09-8113f58a08f3": {
 "min_stack_version": "8.3",
@@ -27,9 +27,9 @@
 }
 },
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "d0456fb46a13a6bcab231c6a97d6a4c75cae7c3b65021b97dcc006818c58513a",
+ "sha256": "9a2bb793d703a733bf16375f282b739d08e13117005519222c89c24046a13ccd",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "min_stack_version": "8.3",
@@ -43,9 +43,9 @@
 }
 },
 "rule_name": "System Shells via Services",
- "sha256": "9030af9779777809772931456c609cfd7719e5ee42b5564bc444474d8fc2e2ff",
+ "sha256": "9054b733a6af2f4ff12723ca6a2dc7e0e6bfc139bbadd203cf305b914741934c",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "0136b315-b566-482f-866c-1d8e2477ba16": {
 "min_stack_version": "8.3",
@@ -95,6 +95,13 @@
 "type": "eql",
 "version": 100
 },
+ "02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
+ "min_stack_version": "8.4",
+ "rule_name": "Process Created with an Elevated Token",
+ "sha256": "00ad543823a9e20e0583b47c852b921826e47768d782f2772fa2bca38c11d864",
+ "type": "eql",
+ "version": 1
+ },
 "02a4576a-7480-4284-9327-548a806b5e48": {
 "min_stack_version": "8.3",
 "previous": {
@@ -107,9 +114,9 @@
 }
 },
 "rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
- "sha256": "b1de0af156bfc3f36a6e07bfd27aeeea26c2fc55324cef750b6b1795d5ec28eb",
+ "sha256": "1283b73282bbe46a1875c9015ffee0f8d0413d7af841a0d9ce0b61f688c52cc4",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
 "min_stack_version": "8.3",
@@ -155,9 +162,9 @@
 }
 },
 "rule_name": "High Number of Process and/or Service Terminations",
- "sha256": "25ec7cb90feb02124560e83d47c2051821be1d72524cbc9cd1a895072636621b",
+ "sha256": "86593b0575d879e34f78974d20acdfe253194fe63160a27a1a498a751095b6b0",
 "type": "threshold",
- "version": 101
+ "version": 102
 },
 "0415f22a-2336-45fa-ba07-618a5942e22c": {
 "min_stack_version": "8.3",
@@ -219,9 +226,9 @@
 }
 },
 "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
- "sha256": "09547c03e6129c7949f7f3416adf014489344d5f43d4090c9235bee2730437b1",
+ "sha256": "3f2a7c2b330b49b03bd3cf0f96932ab6d326462b833267ef430b735a5bad807b",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "0564fb9d-90b9-4234-a411-82a546dc1343": {
 "min_stack_version": "8.3",
@@ -235,9 +242,9 @@
 }
 },
 "rule_name": "Microsoft IIS Service Account Password Dumped",
- "sha256": "7785e6b11756f1a60bee8778c46fde373131964d9b6e39229a83b22af79647f3",
+ "sha256": "21504d9ea534dd5f08f04e60089cb6d2cd61d5190031281e41a76e514f523c43",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "05b358de-aa6d-4f6c-89e6-78f74018b43b": {
 "min_stack_version": "8.3",
@@ -251,9 +258,9 @@
 }
 },
 "rule_name": "Conhost Spawned By Suspicious Parent Process",
- "sha256": "75e8dac304fb6a8edaf7388d55d8b0f7985492c3bd323f64fa205335fdbfad62",
+ "sha256": "df93148bf6e98150d192dc57e05e6537c135ad3e3dde7b4ec449b065e17fab5a",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
 "min_stack_version": "8.3",
@@ -283,9 +290,9 @@
 }
 },
 "rule_name": "Remote System Discovery Commands",
- "sha256": "008f83688d4d6095705aaa866c08ad5e944d856490fe068ae075b3d1581f834c",
+ "sha256": "bc94ab01edc4a660805e6541bb6778d4178a2f239c7384b51a4c5958c0a9ef2f",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "min_stack_version": "8.3",
@@ -299,9 +306,9 @@
 }
 },
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "2b364897ca53769a7088a0a30b555b2a360b48dc6e0894be286b9bb7b6895b82",
+ "sha256": "531e533a1224e429224fffbb52299e373494bd2f267aa0c59a23ee842b5a5bd6",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "074464f9-f30d-4029-8c03-0ed237fffec7": {
 "min_stack_version": "8.3",
@@ -315,9 +322,16 @@
 }
 },
 "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
- "sha256": "6abac6bdb953f843131c74427b2a2d7868be53e3d1ece8e42dbd69f7bd457896",
+ "sha256": "cfbfe119b44f2b9ad11c7f246c00e16d2bd04dca836887d52daf40e9c84a365f",
 "type": "eql",
- "version": 101
+ "version": 102
+ },
+ "07b1ef73-1fde-4a49-a34a-5dd40011b076": {
+ "min_stack_version": "8.3",
+ "rule_name": "Local Account TokenFilter Policy Disabled",
+ "sha256": "34ede76da9608e91ffef1b835f3d14cab3a8d8e8f388cf072daa2d29ab62dc11",
+ "type": "eql",
+ "version": 1
 },
 "07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
 "min_stack_version": "8.3",
@@ -408,9 +422,9 @@
 }
 },
 "rule_name": "Process Termination followed by Deletion",
- "sha256": "4f300bb1693cdbbb126b71da963cbbc49b9c455dd985f590779304fcd36679ec",
+ "sha256": "f5c7852271961b94efe6c614fa439cabb2ff1c5fd1fa8f3d94ec4c3aef947388",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
 "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
@@ -478,9 +492,9 @@
 }
 },
 "rule_name": "User account exposed to Kerberoasting",
- "sha256": "ea7a49ebd480148b62e1409cf3013e7961ecc863ea0fd6739dfc7b11032b3e23",
+ "sha256": "ca0311f1e832df28714d264b43d5887d964e93af2698e7d99a9d62e7684c8f96",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
 "min_stack_version": "8.3",
@@ -494,9 +508,9 @@
 }
 },
 "rule_name": "Peripheral Device Discovery",
- "sha256": "0f131f20084bf9ff117f40fc1b93d6c6f2d317830971189536e87031bc7be75c",
+ "sha256": "ef436ce26d6527a056a3f6355c43839993ff94dcb77cc396c58dec71bcdca79a",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
 "min_stack_version": "8.3",
@@ -510,9 +524,9 @@
 }
 },
 "rule_name": "Threat Intel Indicator Match",
- "sha256": "35422331ee86bff7cba5739cf0b8e7446df3fce8ccb08451418d15163f743c6f",
+ "sha256": "1f64906c8b85f2b016f21a03e8ab4f5609fe4788594237e487696cd31c0a96ed",
 "type": "threat_match",
- "version": 101
+ "version": 102
 },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
 "min_stack_version": "8.3",
@@ -558,9 +572,9 @@
 }
 },
 "rule_name": "Execution of File Written or Modified by Microsoft Office",
- "sha256": "c655a1153df364e076474e02b7608a83c129141a06ee03a108eecec42030ad6d",
+ "sha256": "1040bdf26ce321bfb88518209a8dee3ebe9fa024f4e2d90f19eb5568371fffaa",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "0e52157a-8e96-4a95-a6e3-5faae5081a74": {
 "min_stack_version": "8.3",
@@ -590,9 +604,9 @@
 }
 },
 "rule_name": "GCP Service Account Key Creation",
- "sha256": "6afc25f81b4cad253ba69aca882700f0ba5ceedb977e7013834813cf782b7edf",
+ "sha256": "e40dbbf4fb95d007939d7dbb342fda9d8bdb333215cfff5d9b1c12eaad38dc9d",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "0e79980b-4250-4a50-a509-69294c14e84b": {
 "min_stack_version": "8.3",
@@ -628,9 +642,9 @@
 }
 },
 "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
- "sha256": "adbb844008cf9c493562c5309080461156e41dda2c575e5b11cade5ee1a4a642",
+ "sha256": "cf6da0bfe128493f824a318823bdbed765bfb5743ce150c79049a74dbd6304d0",
 "type": "threshold",
- "version": 100
+ "version": 101
 },
 "0ff84c42-873d-41a2-a4ed-08d74d352d01": {
 "min_stack_version": "8.3",
@@ -682,9 +696,9 @@
 }
 },
 "rule_name": "Abnormally Large DNS Response",
- "sha256": "71ae7239629e1327674fb90a5113c25dfe9dbe95eac8e490ee511f676f8acad4",
+ "sha256": "0d0615dd1bb23328f8d6dcdedae6c7f2144a8cce6884f8656f2db2c690262d0a",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
 "min_stack_version": "8.3",
@@ -698,9 +712,9 @@
 }
 },
 "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
- "sha256": "a15b96e8d941bb34de5bb1cb20c05f46756bd2696a7b23366a894956b4dc78d7",
+ "sha256": "33efb6d487cf7f3487f6fdeec41c0e3bd05eb88bc9d35b7d88cf8532ada2f42d",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
 "min_stack_version": "8.3",
@@ -714,9 +728,9 @@
 }
 },
 "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "sha256": "fd844ac52903a33e32c91999a760e1ec4c2f75b7b748a9cb1b63907c619853e2",
+ "sha256": "8dd48f7d54be6936af3b63376fc72a79bf997c4ef06ab7f5dd9b41d64b258570",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "119c8877-8613-416d-a98a-96b6664ee73a": {
 "min_stack_version": "8.3",
@@ -759,9 +773,9 @@
 }
 },
 "rule_name": "Third-party Backup Files Deleted via Unexpected Process",
- "sha256": "4b2fe4d5a803628fd2b662d13b09b9d05108fe3a2f4cc9554bfe79ac508835ff",
+ "sha256": "3e88ae45a65c0b081d42f4f65f5823f3b3386f0252e4e888fadb5b6e79a8dfc9",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "12051077-0124-4394-9522-8f4f4db1d674": {
 "min_stack_version": "8.3",
@@ -792,7 +806,7 @@
 "version": 100
 },
 "12a2f15d-597e-4334-88ff-38a02cb1330b": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.4",
 "previous": {
 "8.2": {
 "max_allowable_version": 99,
@@ -800,15 +814,22 @@
 "sha256": "344dd45b89887d9f6037e782a5c6e321a7e348581f1372c4180b8b5e2aad81e9",
 "type": "query",
 "version": 3
+ },
+ "8.3": {
+ "max_allowable_version": 199,
+ "rule_name": "Kubernetes Suspicious Self-Subject Review",
+ "sha256": "9849f3733be1f4f160704b38909e60354493b106e233d0fb46bbad606d4cf8c8",
+ "type": "query",
+ "version": 100
 }
 },
 "rule_name": "Kubernetes Suspicious Self-Subject Review",
- "sha256": "9849f3733be1f4f160704b38909e60354493b106e233d0fb46bbad606d4cf8c8",
+ "sha256": "1609a8bb2a0ea6820bc3460a63b651635a5e1f663ad8eedc74fd5b6957bb4bb3",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "12cbf709-69e8-4055-94f9-24314385c27e": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.4",
 "previous": {
 "8.2": {
 "max_allowable_version": 99,
@@ -816,12 +837,19 @@
 "sha256": "1944874623a3c0eb94b6c60e923f345644329467a5e2b4d450710fa23af51940",
 "type": "query",
 "version": 3
+ },
+ "8.3": {
+ "max_allowable_version": 199,
+ "rule_name": "Kubernetes Pod Created With HostNetwork",
+ "sha256": "5d921734039fe405b0c6592212c7e3019f5b13cd5364c1387b30211aebcd0f31",
+ "type": "query",
+ "version": 100
 }
 },
 "rule_name": "Kubernetes Pod Created With HostNetwork",
- "sha256": "5d921734039fe405b0c6592212c7e3019f5b13cd5364c1387b30211aebcd0f31",
+ "sha256": "5f2582765cd853ce500b325effffe0828bd5525037ed1c2b177cdc111301a967",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "12f07955-1674-44f7-86b5-c35da0a6f41a": {
 "min_stack_version": "8.3",
@@ -835,9 +863,9 @@
 }
 },
 "rule_name": "Suspicious Cmd Execution via WMI",
- "sha256": "1c66ca745212e6920c820ab7c7ef4c047dad7008230c62efd6e4ed4d9219f230",
+ "sha256": "eaf394c47a6a00f7ec67c1d0c9c1f1705cd0f722291568515a65e18bce1ffca6",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1327384f-00f3-44d5-9a8c-2373ba071e92": {
 "min_stack_version": "8.3",
@@ -910,7 +938,7 @@
 "version": 100
 },
 "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.4",
 "previous": {
 "8.2": {
 "max_allowable_version": 99,
@@ -918,12 +946,19 @@
 "sha256": "939f1dfae51e5df729029c2bf9c6cd64c211afd38624b26e0878e4e9f0623956",
 "type": "query",
 "version": 4
+ },
+ "8.3": {
+ "max_allowable_version": 199,
+ "rule_name": "Kubernetes User Exec into Pod",
+ "sha256": "a00465734be3cc8c51d1068bd7d2d6fd67cc0144a3f4b11d969411083176df00",
+ "type": "query",
+ "version": 100
 }
 },
 "rule_name": "Kubernetes User Exec into Pod",
- "sha256": "a00465734be3cc8c51d1068bd7d2d6fd67cc0144a3f4b11d969411083176df00",
+ "sha256": "6e44fbb4e1b299bca2aad647504db0a3ca2fb5636cf587b958bca2e4464f48d1",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "min_stack_version": "8.3",
@@ -953,9 +988,9 @@
 }
 },
 "rule_name": "Scheduled Task Execution at Scale via GPO",
- "sha256": "4d2b47b1d5625168b8362f28a9a266caac9cf70e0458341cd6f4cc94edb6c3df",
+ "sha256": "249b8f8a69a473df5ec809ec3851fd8cb9346e919132380e9d613a6c29d9bea5",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "min_stack_version": "8.3",
@@ -969,9 +1004,9 @@
 }
 },
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
- "sha256": "560310be6d4234b54f2f87c670b25bb4c53540a17eecd6f93a2f0c3685288a01",
+ "sha256": "196861798809377b6cc9637b827ed5dfa645fa3ddb99087940acdf3e44d7a7b6",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "15dacaa0-5b90-466b-acab-63435a59701a": {
 "min_stack_version": "8.3",
@@ -1049,9 +1084,9 @@
 }
 },
 "rule_name": "Component Object Model Hijacking",
- "sha256": "32154d783cd08ea852d6a32ef6b27f6b53cb6a74c89b5e933c1ab221e782f3c1",
+ "sha256": "3e5d123aa232fe56522306bb38847dc8dd37c6a0ee50712d030525e8aa158556",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "16fac1a1-21ee-4ca6-b720-458e3855d046": {
 "min_stack_version": "8.3",
@@ -1065,9 +1100,9 @@
 }
 },
 "rule_name": "Startup/Logon Script added to Group Policy Object",
- "sha256": "43cc58fd922e975740c567792897ede93f75cef6ec2291aa281df3dde4edb9e5",
+ "sha256": "31f0ddc26ebf2d0688757cf849a3a8fa8f29aee403b547e85c8a2fc893c5eeba",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "min_stack_version": "8.3",
@@ -1113,9 +1148,9 @@
 }
 },
 "rule_name": "Suspicious Powershell Script",
- "sha256": "62f1e3313ee3c9dbac1fa73f2238367424ff02754a4d740f973cdac6901e53a1",
+ "sha256": "3f2c7a02718fef440dc22e8f1b4f26a82a874244e78627aa709c4a62d0a6ff0f",
 "type": "machine_learning",
- "version": 100
+ "version": 101
 },
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "min_stack_version": "8.3",
@@ -1161,9 +1196,9 @@
 }
 },
 "rule_name": "Suspicious Execution - Short Program Name",
- "sha256": "dee6649f24187e9b4297bfbbf7181b27e82a6cfdf2dd7a70de1639c624a4e2ee",
+ "sha256": "ce1640584f84bdea3ebc2965c64e2dc86fbbf0c434779a099e28ff40bcb73b62",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "17e68559-b274-4948-ad0b-f8415bb31126": {
 "min_stack_version": "8.3",
@@ -1193,9 +1228,9 @@
 }
 },
 "rule_name": "GCP Logging Sink Modification",
- "sha256": "37e5db0b52f2fb6adfd3e9e6c268a8c6869f11e97fb66e0df258ce2cdf8cf23d",
+ "sha256": "4ff90adb8f0ca4bb71028c214898da08ab3b11d12e8029ba076eb1cc46a8718f",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "1859ce38-6a50-422b-a5e8-636e231ea0cd": {
 "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
@@ -1215,9 +1250,9 @@
 }
 },
 "rule_name": "Rare AWS Error Code",
- "sha256": "b35378255a816463aa6e7bb151f8fcd0457eaa0189327e7a35f3ff770fc96eed",
+ "sha256": "17578a2a8d5a427065414d9cb1f05b83536dee482279c7bf87fd038d63ef3f12",
 "type": "machine_learning",
- "version": 101
+ "version": 102
 },
 "1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
 "min_stack_version": "8.3",
@@ -1247,9 +1282,9 @@
 }
 },
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "c8621df9fdc867d538de65f67be4ff5b9bcf7cd5af96f040cfee75f2f5d3ce95",
+ "sha256": "512186ecc8ceb9b2ce443cd88b7e3a78c65609ec9f861163d9aa864bbab4817a",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
 "min_stack_version": "8.3",
@@ -1263,9 +1298,9 @@
 }
 },
 "rule_name": "AWS CloudTrail Log Suspended",
- "sha256": "05bfadde2b742216d77d68d250fe2191fdd06d02a3426e96f3287a9a1398f8bb",
+ "sha256": "942ddbbab53e5e73598cce79c29feab5655138cda8d30f9da22cd34d2acfd9c8",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "min_stack_version": "8.3",
@@ -1279,9 +1314,9 @@
 }
 },
 "rule_name": "User Account Creation",
- "sha256": "fd69451622602ebcb50b05196ed535b62c4897963c7e28660f5799f45d844e74",
+ "sha256": "72e5a67a13e117aae82582e37eb0b8613cb1f2402e60f6ea7fbcbe8150520cec",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
 "min_stack_version": "8.3",
@@ -1334,9 +1369,9 @@
 }
 },
 "rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
- "sha256": "4184599620742719a0761ffccaf0ffe2da0455e8d5a29756443c609edfb8ce47",
+ "sha256": "748830954ca072ea9c835851921ad126060d1857fe20741b7261d369bfc50746",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
 "min_stack_version": "8.3",
@@ -1350,9 +1385,9 @@
 }
 },
 "rule_name": "Suspicious File Creation in /etc for Persistence",
- "sha256": "c9f1b420b573a482228ed4337a8bac1aadde7b219789cdc2c90905d136f28b26",
+ "sha256": "02cdfac6c99432304168007a6a9818e6dcda4b6cafd648143557fc919e5b5eb2",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "1c966416-60c1-436b-bfd0-e002fddbfd89": {
 "min_stack_version": "8.3",
@@ -1398,9 +1433,9 @@
 }
 },
 "rule_name": "Remote File Download via Script Interpreter",
- "sha256": "074a0926e1c3be18d66dc109559a0af1f998d93f3c1dfeb956b9317f7bc2256f",
+ "sha256": "3a044d6e00f3fa3796eb4da3a8e6cc9ccb6d295a42afdd55b542f5ad49fe5f5a",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1d72d014-e2ab-4707-b056-9b96abe7b511": {
 "min_stack_version": "8.3",
@@ -1414,9 +1449,9 @@
 }
 },
 "rule_name": "External IP Lookup from Non-Browser Process",
- "sha256": "37661b2147a456b4ece2cf2f60f9c4364142b23d189293d30ea868dbebb3fa1a",
+ "sha256": "09d7de655b5ae44026204c472c4c6177426467dc5ffaf0a6a07f9ccc761368dc",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "min_stack_version": "8.3",
@@ -1446,9 +1481,9 @@
 }
 },
 "rule_name": "Execution of File Written or Modified by PDF Reader",
- "sha256": "6163f24c5d3aa556bd201072fa5d14346faa906d1cf09e73b6b04ace4b59bddf",
+ "sha256": "ff4c67b47088fc7d788c3fa693da529fab038597c309bfe9f69104b1ebe1fb2a",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "1e0b832e-957e-43ae-b319-db82d228c908": {
 "min_stack_version": "8.3",
@@ -1542,9 +1577,9 @@
 }
 },
 "rule_name": "Suspicious .NET Code Compilation",
- "sha256": "d26c3a9c1df6cbf594a645a9e26d16311923ca2580de70627e5c7c7fa7ef9ccf",
+ "sha256": "7a1b4c7a78bee258d3d87e7f259fc117a297ed9128a5b7c54c853bc6c0d6e459",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
 "min_stack_version": "8.3",
@@ -1558,9 +1593,9 @@
 }
 },
 "rule_name": "Creation or Modification of Root Certificate",
- "sha256": "e739a5b5e3afbf00e7a2a7af027175ed7a5e96103eb7d267d515fb232ba04712",
+ "sha256": "edb8fb44d6823f255670763c54e1c8c465cc0fc980eba5e9cef7efc852cf039f",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
 "min_stack_version": "8.3",
@@ -1606,9 +1641,9 @@
 }
 },
 "rule_name": "LSASS Memory Dump Handle Access",
- "sha256": "30dc1da92d4206f095081abe3f7ad377f2c8c996a5959f5ffb686cc15cb2a41e",
+ "sha256": "c45a1e4d736fb46e4a71bd6ab327aa44b82676ffa48e42d068a9c2951873e8e0",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "20dc4620-3b68-4269-8124-ca5091e00ea8": {
 "rule_name": "Auditd Max Login Sessions",
@@ -1651,9 +1686,9 @@
 }
 },
 "rule_name": "SUNBURST Command and Control Activity",
- "sha256": "0a489b08ad7626d3812dec3f86a795e81fcab3b92418108ad10d953b14919d29",
+ "sha256": "3ec9b5afcdd0bd2eb04af9278254cf9aeaa9204dd3c0de9a6dc6c1bba39b9582",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "227dc608-e558-43d9-b521-150772250bae": {
 "min_stack_version": "8.3",
@@ -1683,9 +1718,9 @@
 }
 },
 "rule_name": "Potential Shell via Web Server",
- "sha256": "e7e3cc4724e1f2bca5659099992b917c0e62b3d926b8cad149a447d11efe747f",
+ "sha256": "26736e03d88cdfe6bc01e28a8824639a9041fab8a1ad4d746f5efcb1cc9f80b5",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
 "min_stack_version": "8.3",
@@ -1699,9 +1734,9 @@
 }
 },
 "rule_name": "GCP Storage Bucket Permissions Modification",
- "sha256": "3a74c25c08ab6c0f9443f08ec07e9c2ffba7dc1c8becd1c506ecda3036984ab0",
+ "sha256": "99a2e12d697c64e1ffd1ec2a86da9159c5a9281c37b2691a9a2bc22c85510c7f",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "2339f03c-f53f-40fa-834b-40c5983fc41f": {
 "min_stack_version": "8.3",
@@ -1763,9 +1798,16 @@
 }
 },
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
- "sha256": "0cdca6f6faa4c636ce760aa198df61671c58e1e4e13d4bc4e539a851cdbd49c9",
+ "sha256": "2fe23b24085b84eda8e5e8c693568b1f3e92c58610db0c37b78b18ec9cc9dd0c",
 "type": "eql",
- "version": 101
+ "version": 102
+ },
+ "26b01043-4f04-4d2f-882a-5a1d2e95751b": {
+ "min_stack_version": "8.3",
+ "rule_name": "Privileges Elevation via Parent Process PID Spoofing",
+ "sha256": "095d1fad1f540b5527f8e52788041353f67b59db6bd9bae84ee0a7a6fa7ecceb",
+ "type": "eql",
+ "version": 1
 },
 "26edba02-6979-4bce-920a-70b080a7be81": {
 "min_stack_version": "8.3",
@@ -1779,9 +1821,9 @@
 }
 },
 "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
- "sha256": "e51084c7f907586bbb7ab0533c6e4224e314cd945f1f8e1aa6b47a12bf99e679",
+ "sha256": "3ce65056cb8c60506450589304cc606f22041ef5397cdca8b84444cfcfbb8ce5",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
 "min_stack_version": "8.3",
@@ -1843,9 +1885,9 @@
 }
 },
 "rule_name": "GCP Firewall Rule Modification",
- "sha256": "c46e35ee0ca1918848d5c07bb8d194b7c09f835063fedbb38ac67903d7a0e411",
+ "sha256": "3ecb269b043c21a8351338e9b181a3a9fbfbbc7c27e850a9cb2fedac86f81bd0",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
 "min_stack_version": "8.3",
@@ -1875,9 +1917,9 @@
 }
 },
 "rule_name": "Account Password Reset Remotely",
- "sha256": "366853c0df9537317d7b8251ee2c51f083128394041665377f22dd63ed7104ae",
+ "sha256": "23975de7ae07f10e29f113a18c300172f53e7397c6aa834109ef559d990d1d00",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.3",
@@ -1891,9 +1933,9 @@
 }
 },
 "rule_name": "Account Discovery Command via SYSTEM Account",
- "sha256": "332554db89e6dd413c6f1d0969db9c996129c2cf72d360eae4aa952226fad75c",
+ "sha256": "50192b1a8bb02985ea55f5eb825c5c46c392e4e3580c3d83ace82f4ec7cb8744",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "min_stack_version": "8.3",
@@ -1945,9 +1987,9 @@
 }
 },
 "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
- "sha256": "6004e014be74e9d34913da034d1bf58f6cbf698d93ad5746a320785251e0b0db",
+ "sha256": "2c78dc337edb63f0e70e22004ea039f5c23979f7c7be5b58d0a40c9eafbac35f",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2917d495-59bd-4250-b395-c29409b76086": {
 "min_stack_version": "8.3",
@@ -1961,9 +2003,9 @@
 }
 },
 "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
- "sha256": "10ff022c0a94d48841c1d572096762b66de0537940aede6dee7cb1b0df6d084a",
+ "sha256": "4519a0cdf3686ec387297352634a4e49bcd98366b3ab5d2f688adcf2f5a07f33",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "291a0de9-937a-4189-94c0-3e847c8b13e4": {
 "min_stack_version": "8.3",
@@ -1977,12 +2019,12 @@
 }
 },
 "rule_name": "Enumeration of Privileged Local Groups Membership",
- "sha256": "30f8106d967a67bd1fe88ffde5ada349cf954fd63cd3786c0d09a3fbc72e3ee4",
+ "sha256": "dfc36d9f16e194f68e96c55c2ac31c08c30ff2a166ccbfa026c07347b4189e2c",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.4",
 "previous": {
 "8.2": {
 "max_allowable_version": 99,
@@ -1990,12 +2032,19 @@
 "sha256": "c0ee6425ca26e268371a5176086ec5beb58fc8ceae2a33daf00d09b473fc448c",
 "type": "query",
 "version": 3
+ },
+ "8.3": {
+ "max_allowable_version": 199,
+ "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
+ "sha256": "178a7bac7a538fcdc72434c1e7d6d9c9f1698802fb94817047bbf1d0f39da540",
+ "type": "query",
+ "version": 100
 }
 },
 "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
- "sha256": "178a7bac7a538fcdc72434c1e7d6d9c9f1698802fb94817047bbf1d0f39da540",
+ "sha256": "d52ea103778fa8dc22e0e656f32ea22cbea9377775709a0aed73be57b2a37447",
 "type": "query",
- "version": 100
+ "version": 200
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "min_stack_version": "8.3",
@@ -2009,9 +2058,9 @@
 }
 },
 "rule_name": "Adobe Hijack Persistence",
- "sha256": "4a4801e7470ca5e5679139c2a48f580610258c91c52131a22ba1049b4f8b2bc0",
+ "sha256": "affe1c06c1e3397d61e25f647c627d12fdb6934097e7582a7e85b3850680a325",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "min_stack_version": "8.3",
@@ -2025,9 +2074,9 @@
 }
 },
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
- "sha256": "c24b4c976b089f5f2b0a718853ba336db50c32296790b4cd01b752992b076bc4",
+ "sha256": "0436c45982b85239b72290c455a9c5e629034d90385d80f6db976e7ddf0c41c5",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
 "min_stack_version": "8.3",
@@ -2041,9 +2090,9 @@
 }
 },
 "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
- "sha256": "18c0b16ed19cfc91df847e16e6d82e2f46826fb138e63ace629b67b6b85917f7",
+ "sha256": "a21ef2da6feae3d15a6571e1c9dbb4843e9f4a84a0004839a7729fbde9359d65",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "min_stack_version": "8.3",
@@ -2073,9 +2122,9 @@
 }
 },
 "rule_name": "Suspicious Process Access via Direct System Call",
- "sha256": "f02488141624acacf42e1b94daebf74a3d7b0c9b7ef28ece2c20b5fe6029a36d",
+ "sha256": "0f65417847b62a372e45a8b74e1e67cbf710d5b7ebe600b26a0c81349520c5eb",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2de10e77-c144-4e69-afb7-344e7127abd0": {
 "min_stack_version": "8.3",
@@ -2093,6 +2142,13 @@
 "type": "threshold",
 "version": 101
 },
+ "2de87d72-ee0c-43e2-b975-5f0b029ac600": {
+ "min_stack_version": "8.3",
+ "rule_name": "Wireless Credential Dumping using Netsh Command",
+ "sha256": "923d2972bad65627825f7f03ac11165a17e3a91b39570ad3d010563fc7b077c1",
+ "type": "eql",
+ "version": 1
+ },
 "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
 "min_stack_version": "8.3",
 "previous": {
@@ -2105,9 +2161,9 @@
 }
 },
 "rule_name": "Renamed AutoIt Scripts Interpreter",
- "sha256": "cd00b270fc84942b3cd8a091aebb8977c4d60d2e6d6a0f811b41b8c8680c97c8",
+ "sha256": "91adcfde561603c598699bd0d45c902fb00efff0b58eb6d1e3042019fc63c954",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "min_stack_version": "8.3",
@@ -2121,9 +2177,9 @@
 }
 },
 "rule_name": "Potential Process Injection via PowerShell",
- "sha256": "8112cc5bdb7d1e500f0cb5c55e40ad7e808f1d21b371f31390e36381851be394",
+ "sha256": "d5c6e20b87462f11e4b5835d5c4627ff7564fdf26c4473aa2c813a37f64f7f96",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "min_stack_version": "8.3",
@@ -2153,9 +2209,9 @@
 }
 },
 "rule_name": "Creation of a Hidden Local User Account",
- "sha256": "3baeed0e8f333943a7e22f8844ed4d8ed0c4b5717265fe333e76a7377140aee6",
+ "sha256": "fe732dbec24491d0106c290c6324617a79e6ec7335584eacc669fcd2e0f97310",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2f0bae2d-bf20-4465-be86-1311addebaa3": {
 "min_stack_version": "8.3",
@@ -2185,9 +2241,9 @@
 }
 },
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
- "sha256": "5b14cf100cbd708f7b50dd73ad028e7caac9de574c96a104d356cc55d37e4e1f",
+ "sha256": "60f065bfd57fdb790098f3791c8e2d2f8f858eaaf49c342b7f616491b53d213d",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "min_stack_version": "8.3",
@@ -2217,9 +2273,9 @@
 }
 },
 "rule_name": "Startup Folder Persistence via Unsigned Process",
- "sha256": "0497df6954abf2ebbd00a01e15ac07ff99a4e033c70fe71f281711bbb900ac59",
+ "sha256": "2e16af391ff63788f7160774bdef79fbbe1751b66d38b6128184e1dbe802166b",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "min_stack_version": "8.3",
@@ -2233,9 +2289,9 @@
 }
 },
 "rule_name": "Windows Defender Disabled via Registry Modification",
- "sha256": "a0ba24235ed21ce57592ae7d533e360b0ac5423127f1599b32768fcdba2eea18",
+ "sha256": "cae9e4448ed634a3543dc00b248a8ab4bcef098d898395e269ffd142a3924484",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "30562697-9859-4ae0-a8c5-dab45d664170": {
 "min_stack_version": "8.3",
@@ -2249,9 +2305,9 @@
 }
 },
 "rule_name": "GCP Firewall Rule Creation",
- "sha256": "6b22ed0dce77a88333520b488a22ee9831f3fde9e7d782c7464a81a5af7f68d1",
+ "sha256": "0cd1853858d4f3371c6cfa74a65b7ee87839134dc7658d155d4e862feb5c8f66",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
 "min_stack_version": "8.3",
@@ -2297,9 +2353,9 @@
 }
 },
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "06ca38cbb883168d3dd1793c890ed4d144537d0ba2b20552efdb56413ac78c65",
+ "sha256": "60019c2e4eaefb983bbef3c868d7de9ba14dfb8608e65059d29484fd9f39b645",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "3202e172-01b1-4738-a932-d024c514ba72": {
 "min_stack_version": "8.3",
@@ -2313,9 +2369,9 @@
 }
 },
 "rule_name": "GCP Pub/Sub Topic Deletion",
- "sha256": "a2d4932e5b9b6484d87be5d984065ff70180730d9c9165ca3c4e15e805390e62",
+ "sha256": "5dabf36750452813028395a66c743a6be256e6ec9de931117e59260476ee6d0c",
 "type": "query",
- "version": 101
+ "version": 102
 },
 "323cb487-279d-4218-bcbd-a568efe930c6": {
 "min_stack_version": "8.3",
@@ -2361,9 +2417,9 @@
 }
 },
 "rule_name": "Program Files Directory Masquerading",
- "sha256": "5385a0f0781bc406c13e7ece8fa9d16b8c126277b4b7b7e32401885937073810",
+ "sha256": "6e06ac8ffb06fa4093c71af4b37017c5b248f97ca17bdfb123b0b23880ab2d88",
 "type": "eql",
- "version": 100
+ "version": 101
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "min_stack_version": "8.3",
@@ -2377,9 +2433,9 @@
 }
 },
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "3bb573d33d39ebf8ce73ac91cd2e2c7807fcb3d06c046c5f1f84daffff8b62c3",
+ "sha256": "83741d9a472dc0cdb1d07bde1ebe46af605f35977e25d783eab52644f6dce64b",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
 "min_stack_version": "8.3",
@@ -2393,9 +2449,9 @@
 }
 },
 "rule_name": "AWS IAM User Addition to Group",
- "sha256": "187f8fc5a7b7a4da4503ede2a18051b669563e0cf85fc9e07870d177fb00a28f",
+ "sha256": "b1fe47b277fb195ff7d52c0105d9c34dd32f92a5088de0bfb12b76dccd52acbb",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "min_stack_version": "8.3",
@@ -2409,9 +2465,9 @@
 }
 },
 "rule_name": "Remote File Download via PowerShell",
- "sha256": "a9ff45fe25c9b9c0b0e5fd80bcab308f275eacc9881819b10dd758a99ca13b8e",
+ "sha256": "2186f50b71b0c103a7d459d672bb9daf78f2c0a58f3d6cc9dc62cd70bedcfc20",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "34fde489-94b0-4500-a76f-b8a157cf9269": {
 "min_stack_version": "8.3",
@@ -2431,10 +2487,10 @@ "version": 14 } }, - "rule_name": "Telnet Port Activity", - "sha256": "51ac5d0b9e729adae08b0ac327ccba30881f6e1f4f2922f64df9fb2e88c9575c", + "rule_name": "Accepted Default Telnet Port Connection", + "sha256": "587e009557c6b535109edbb0c6c96348ff82af5ccea0943b4de310a9abdcc89e", "type": "query", - "version": 100 + "version": 101 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", @@ -2464,9 +2520,9 @@ } }, "rule_name": "Port Forwarding Rule Addition", - "sha256": "30c1e029505f96f765875b8aa244b288d7d94504e3884baa67de302959c8b74f", + "sha256": "7caa68288fe7404f96ab0e4e05e59985eae00339098072f2330be4d67f625b81", "type": "eql", - "version": 101 + "version": 102 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.3", @@ -2480,9 +2536,9 @@ } }, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "d6e503fa566aa64466ca9ffcbbb2953c0c41abf12d546187141eafd323bf268a", + "sha256": "5a722bb620808a66ac7a92b5ac41db81e7f87ca2de0e30d7763bdcb257549485", "type": "eql", - "version": 101 + "version": 102 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "min_stack_version": "8.3", @@ -2518,9 +2574,9 @@ } }, "rule_name": "Process Started from Process ID (PID) File", - "sha256": "e8ea41815ee4f0e3001c542877739a0c31993fd8f340a30c227e83e1227a5b44", + "sha256": "a775f99a522c94ed2020c5535c04b1363a3a0e9ce8b3a7f2880355a1e718b56b", "type": "eql", - "version": 100 + "version": 101 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.3", @@ -2566,9 +2622,9 @@ } }, "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "348052c64f71f90dcb6ee503fc83470eacd275b679326af6f3f8e2be8cd72bed", + "sha256": "8d18507b7a72bb782e31286dcff312985ef8731ec844c1c321d06fe83ae38fa6", "type": "query", - "version": 102 + "version": 103 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", 
@@ -2588,9 +2644,9 @@ } }, "rule_name": "AWS Execution via System Manager", - "sha256": "71c37d4d5ec0f32aaededca772445a7d210706e1ebaa230b5ff6d8818bd969a6", + "sha256": "3383fab0a0ac8a02cdc6b0b2dc6b8427660bc69456c2c7e06bfe41304fc6e919", "type": "query", - "version": 102 + "version": 103 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", @@ -2620,9 +2676,9 @@ } }, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "a6d8d6da1a5504de456e60bc1a93eb5a2f01ad762adb11172dc93a08e83801dc", + "sha256": "5dc3d4b26fb6d7a5870f5b587f98ded53d043ff35b39a5d1a79e515e57488dff", "type": "query", - "version": 101 + "version": 102 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", @@ -2636,9 +2692,9 @@ } }, "rule_name": "Network Connection via Certutil", - "sha256": "691ce2d376fa45bc1e53d35c65ea8269f55e36bd45c59e7fbd218aced50fa18e", + "sha256": "6c2d2ea6965fe546cd308ec5d536796987bcc29c1e68ad40d7b4155e045a2458", "type": "eql", - "version": 101 + "version": 102 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", @@ -2716,9 +2772,9 @@ } }, "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "592752bbae091e003854d9d53e0b9d57ed82ca0288abda1349e1bf028e1e77c1", + "sha256": "7b1fa40876fc512baacf5a782bd640c9f29740c8a73b02855a25058093646132", "type": "threshold", - "version": 101 + "version": 102 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -2786,9 +2842,9 @@ } }, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "b5f0431fd230e67581f5754f4d37e0066a71255ab5a960c8e5bcff1c551d1be6", + "sha256": "62586724fbb57fc9dcdab71897e81c743b0929d310e26dbac2d9f8a4989ebb02", "type": "eql", - "version": 101 + "version": 102 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.3", 
@@ -2802,9 +2858,9 @@ } }, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "ac10f6ccc24ce82be01f6f5fedce0c17a3935821fa1d30dd886d03a66c6387c8", + "sha256": "0120ceefb1e30d90d4d8896f912ade4cf8fdf789a705eb64dfebc65cccbfe955", "type": "eql", - "version": 101 + "version": 102 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "8.3", @@ -2834,9 +2890,9 @@ } }, "rule_name": "AWS CloudTrail Log Updated", - "sha256": "ca1a335240ddaea8136fa5af17127f0a9434a1b473eac0a6c436119918dd7420", + "sha256": "220879a316da0fe8798fd41ba51176779abd4f8b865ba8d88a91b41d16f4f612", "type": "query", - "version": 102 + "version": 103 }, "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", @@ -2882,9 +2938,9 @@ } }, "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "bb92799a242c6e20d935250ea0cbe1bfa3b9572f01a497225389947c74fb6af3", + "sha256": "75db34663063ebe23ffb55b28b966cb858052d07a4cc0512b1482f9c93fe6748", "type": "eql", - "version": 101 + "version": 102 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "min_stack_version": "8.3", @@ -2930,9 +2986,9 @@ } }, "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "4067a8e393f6e03857fee7e7fda027859affe06da2e0069a5a88d4abe6b15bc0", + "sha256": "122156da328be196d97b2db921f3d570baad7868cc3cd8ef3599a5a7deaa5d5d", "type": "eql", - "version": 100 + "version": 101 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.3", @@ -2962,9 +3018,9 @@ } }, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "66873bb69829d5951b8cebb2a33be10cec1e6a31b1090bc9a2d52a8d47c4c2d0", + "sha256": "c989d6134a24a06b070ddd752d9f4aaa06618885bcd339102c367f0e48ca5dea", "type": "eql", - "version": 101 + "version": 102 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "min_stack_version": "8.3", 
@@ -3010,16 +3066,16 @@ } }, "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "9507019dcb04b4ca591e79a6563cc6a7293cc6b2922a1247faa399bff3ce4ccd", + "sha256": "20c32ae0449654c229d96f32b7577f83c6e1990b578aa631578de9a5d8c5d0c1", "type": "threshold", - "version": 101 + "version": 102 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.3", "rule_name": "Process Creation via Secondary Logon", - "sha256": "03a4685c7fd2543943d9d3ea3d1a70d7972c016c7068d40da5bdd8235512b7ed", + "sha256": "d66ece9c05efcd17043455802947a0ef771c694e655135e8bbb795a54cf950a9", "type": "eql", - "version": 1 + "version": 2 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "8.3", @@ -3065,9 +3121,9 @@ } }, "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "3f7b7c353a183f954267934638a1e7cc9efd033fad2616b6472aff4e617b294f", + "sha256": "e26d7fa177b938293cf4f72ec678160ccf23648e550f4bb9609fd48fd2035d6d", "type": "eql", - "version": 101 + "version": 102 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.3", @@ -3088,9 +3144,9 @@ "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "min_stack_version": "8.3", "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "3beb0463626eee5c772571787bdf1668ca12c57883640d11f08b0e033c5cfb77", + "sha256": "26b17f8432d2b521c5fce9e5c0493ed525442e6c84494384b1c1255e7a6d4681", "type": "eql", - "version": 1 + "version": 2 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "min_stack_version": "8.3", @@ -3120,9 +3176,9 @@ } }, "rule_name": "Windows Event Logs Cleared", - "sha256": "c5f7cc0dcab227c127f10d25c051d81baf3375a047fa63166bde9e264f5308d8", + "sha256": "386c67997470664714f275dcb76a1e5c151f1343127e0014fb37d0ff31951b1f", "type": "query", - "version": 101 + "version": 102 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "min_stack_version": "8.3", 
@@ -3136,9 +3192,9 @@ } }, "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "06a9107f4b386e10196ecbc083b1ebaf6e427ba7e94fc12ee66df5bcd3875db1", + "sha256": "02cd4a644f9e9a8b943b8facf37e97285c7b937b23f1c17a707133d0d37d26b1", "type": "eql", - "version": 101 + "version": 102 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.3", @@ -3159,9 +3215,9 @@ } }, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "12d812b856650bca6e0369916820dfba4a0d23d6696756a0451d062d4d2386e4", + "sha256": "0525dd2fbd2dfc14caa23e060d62dd39f55ae2f038d4bbc2d4c916de969ca9c3", "type": "eql", - "version": 101 + "version": 102 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.3", @@ -3175,9 +3231,9 @@ } }, "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "3b7e28b4b12f84229519564c2686aebd08a9fc1364688b7d4381342f4a212ec9", + "sha256": "b93dfb8b3a515575351cb9f913663605ab0d6a2db9757824371d81fd32cb1327", "type": "eql", - "version": 101 + "version": 102 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "8.3", @@ -3207,9 +3263,9 @@ } }, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "554a22cb45f8eb9175a243358970d02e9ededc8bca227a4e8b8c33828888e27f", + "sha256": "584b912e98f760e2dc9fa67e60ec12efdadb4de30b857b22faba5eb817eda955", "type": "eql", - "version": 101 + "version": 102 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", @@ -3339,9 +3395,9 @@ } }, "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "3be0908e8ea93d381fdd04df00875de60f82aa51321b0e5fcc6d23e5518477ef", + "sha256": "af2c9b4cc8d65f070569b00e23d6bb76b9d88508a40f852ead49a5089bfeaff9", "type": "eql", - "version": 101 + "version": 102 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.3", 
@@ -3355,16 +3411,16 @@ } }, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "ebc1e9be7060855bb004538d48a77dc3f757edda38e56820190dea71ded529da", + "sha256": "570ef3808b84183fe9e71dfb7065365ec84eae8737d8f04abd629d725184076e", "type": "eql", - "version": 100 + "version": 101 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", - "sha256": "41d4a587e6396df429d6411f91540c4484859715070a8b1b531437706bc9a04e", + "sha256": "f91d5e32c45523bf3b626165b2685cc04e75c7fe14145b08fff92a7d679b1fa2", "type": "query", - "version": 1 + "version": 2 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", @@ -3410,9 +3466,9 @@ } }, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "b31e30c9dc25e40da985cd39f3861186666b4d5d5adfa319eabebc591cc16760", + "sha256": "bc5376543b8c61af96f26822568b4b0c34172b2fc6ccdfb56f97c0da355a03de", "type": "eql", - "version": 101 + "version": 102 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "min_stack_version": "8.3", @@ -3433,9 +3489,9 @@ } }, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "24d70031983bf8892fa1f62c964d58c44131b44a22e09c19591212fcfeefd762", + "sha256": "8685f684dcc7eae537c0a90e6eb072e2137bf7a86ee2a28e39310dc9fca16125", "type": "eql", - "version": 101 + "version": 102 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "min_stack_version": "8.3", @@ -3465,9 +3521,9 @@ } }, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "91937ce85079314b002d9db667305679fa7defb86a978d5565009df30815d8d1", + "sha256": "b3b118ad1059195cca5ad6345c2480031da54ca94602e5e88c8446dbf90c793f", "type": "query", - "version": 101 + "version": 102 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.3", 
@@ -3529,9 +3585,9 @@ } }, "rule_name": "GCP Logging Sink Deletion", - "sha256": "f04f86ca61f586621773775c3d833043ecc41f01875ed7a6754bc0d388299811", + "sha256": "f9dbf652d2a93e2123d4f8eeabeb30b9f67f8073e9e446c605bb560618ba8db5", "type": "query", - "version": 101 + "version": 102 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.3", @@ -3593,9 +3649,9 @@ } }, "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "6b6d553224dee6183191b7a780ca1da9a276134b5568711c360831fca73bd6a6", + "sha256": "930eaa51108e3a5ea3b0148c395dbaf4776bb96279b0b8e82f356dc2a76d1690", "type": "eql", - "version": 101 + "version": 102 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "min_stack_version": "8.3", @@ -3685,9 +3741,9 @@ } }, "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "8f4a15c80a5f7d11a176a31ca9ad4563335e833b2087e0a602f73c508ae80151", + "sha256": "11f69e54fd69b3d1c73318bc1b670ca762a709e7aee4f68323b388d8361475f0", "type": "eql", - "version": 101 + "version": 102 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.3", @@ -3724,9 +3780,9 @@ } }, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "1762a35e44d0c99be8dd9123b515a8d30fe75580f5dff0ec13401bfdcf3caad8", + "sha256": "d4118b8122cf4c735d7fb891f1d5372f1d2d5a94cd3a1f7b13c2a4d9d6d4e8f0", "type": "eql", - "version": 100 + "version": 101 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.3", @@ -3756,9 +3812,9 @@ } }, "rule_name": "PsExec Network Connection", - "sha256": "e21cf432ec27b99fa0cf830c93ad21d7eb822ee25315db431a4ad52452f1bfe5", + "sha256": "a64e355763ec36a7d0ee00311ceb44b807e5926dcf048449ed2ff40dbf2a922f", "type": "eql", - "version": 101 + "version": 102 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.3", 
@@ -3820,9 +3876,9 @@ } }, "rule_name": "GCP Logging Bucket Deletion", - "sha256": "36d1f7974b7afefde6314e3bed440da6c6784c0f110c1fbc1293aed89c635d13", + "sha256": "282a179a621aa51ff8a275643d155c980068398a81af68563529bcd2dbef5473", "type": "query", - "version": 101 + "version": 102 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.3", @@ -3836,9 +3892,9 @@ } }, "rule_name": "PowerShell PSReflect Script", - "sha256": "c72390355e0a04ec708a61acc3ddce3ec8d4db4f6c9d44cfcc631181eebacc81", + "sha256": "11793e939f586d89b235b88b2f5b40c23ec6b12c4896a0a0d166ab888296bb43", "type": "query", - "version": 101 + "version": 102 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", @@ -3900,9 +3956,9 @@ } }, "rule_name": "PowerShell MiniDump Script", - "sha256": "7ec5d73fae487dddb7e642cdd58c4652e6e616abbd11af3a8ab7d77e80b78dd0", + "sha256": "7d2512bebbdec3a46780132e894bd27888dfd3b20758b94180f6da92114ffb18", "type": "query", - "version": 101 + "version": 102 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.3", @@ -3916,9 +3972,9 @@ } }, "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "c37b854a6c3c01a4bcf07845daa8a68e58d2736ad09f03dc99144778fd6f0913", + "sha256": "1ea6584098c2efba98cbe684877ffae68be822ecfecc1833e7947c849d09a416", "type": "eql", - "version": 101 + "version": 102 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.3", @@ -3932,9 +3988,9 @@ } }, "rule_name": "RDP Enabled via Registry", - "sha256": "a6eb4c3ed852cc3c411daa991ef869b3cb925e69ec723e5e661ed3ec5efeb7ad", + "sha256": "567ce82bdbcaecc481d576875c33c029a369ac904e36e0ac3efc4d2fb1cedfb7", "type": "eql", - "version": 101 + "version": 102 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "min_stack_version": "8.3", 
@@ -3964,9 +4020,9 @@ } }, "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "7037d376e1a6fb9a7dacd01ce947e02c9456897d0464354b95736d1979e9201c", + "sha256": "5a292304d9e8e307da4b3620cf91c33f574b8a4ff3831769c43b56228cc45388", "type": "eql", - "version": 101 + "version": 102 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "min_stack_version": "8.3", @@ -3980,9 +4036,9 @@ } }, "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "d7b00e3725166f61eefc3ecac25da8babe0ad5e46894cc4d0682f1188e6f181b", + "sha256": "01d0be254b4afd06e914ee4bcc1650b928ec950d893477db65e11ec2a13a011e", "type": "eql", - "version": 101 + "version": 102 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "min_stack_version": "8.3", @@ -4044,9 +4100,9 @@ } }, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "82cb59512014ab0e01173d569e396665f29f1872f19658346dd205b1c20c2795", + "sha256": "39f2ca629f5de57923b1533ba1b129d07648486b402c1fd066478be5013c7e37", "type": "eql", - "version": 100 + "version": 101 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "min_stack_version": "8.3", @@ -4076,9 +4132,9 @@ } }, "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "29f7f0a29bc15d489a5dd0c181f2a35e41dd3a52f958e9c17556ddb5324eed71", + "sha256": "12990c6f65d061247e1e4ec474b326ba0b452effe26cda755ecd4be8d023c911", "type": "eql", - "version": 100 + "version": 101 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "min_stack_version": "8.3", 
@@ -4171,10 +4227,17 @@ "version": 8 } }, - "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "9e42d09c9e604b81ce6d51f0584da1b500697b26f5a6edfc75834f0b911a62d0", + "rule_name": "User Added to Privileged Group", + "sha256": "ca4ef74cd89a0f83d2a0906b69f045a87c985eeded4b5471b7096d0107e00b39", "type": "eql", - "version": 101 + "version": 102 + }, + "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { + "min_stack_version": "8.3", + "rule_name": "Persistence via PowerShell profile", + "sha256": "21d7fc9ff63af877276cf335445a7f459888051b52107ec92ce63648fd3025b2", + "type": "eql", + "version": 1 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "min_stack_version": "8.3", @@ -4281,9 +4344,9 @@ } }, "rule_name": "Azure Service Principal Addition", - "sha256": "24b0f7575e69c3da0576076406bc354a01b3885bf902debc9d613c3a9e94c71f", + "sha256": "4c82fdffed6b1a65768f3bc3f45d5cbf50a315d153dc1c20f1458dc016e204d2", "type": "query", - "version": 102 + "version": 103 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "min_stack_version": "8.3", @@ -4313,9 +4376,9 @@ } }, "rule_name": "Unusual Process Network Connection", - "sha256": "97cfbd941b88485756921679da5f9f0414a9e43d7b3d92d149bd22a01352d08d", + "sha256": "59170d29e533284bdedeff0329685b145c16dfdf80da895c2dcabd66cd2654e1", "type": "eql", - "version": 101 + "version": 102 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.3", @@ -4329,9 +4392,9 @@ } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "b294c5544f88b00704acf417a7a05d62ae93bd1936e3562977f97d767df558e6", + "sha256": "50f41c1e4183330111d06d4ef74c04fc24f19a7fcb76fa60ab5be766ba93fdb4", "type": "query", - "version": 101 + "version": 102 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", 
@@ -4351,9 +4414,9 @@ } }, "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "960ce8bcbdb17af9ebb21f2e0552ca016366ac012d98141a6cf9f1c01a17cd44", + "sha256": "b413d4eea7c0c11eb393ca157d9fad743293d043703609b2f4d7f8724ebb1f0d", "type": "eql", - "version": 101 + "version": 102 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.3", @@ -4383,16 +4446,16 @@ } }, "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "5bc3884f85cb23ef9dcb68da3accd2c174e888f14003dd0120889a9e973072ed", + "sha256": "7cf05e67ec76000aae309051fd95fa7015fccc9d6bca402fb56910022cfc17f8", "type": "query", - "version": 101 + "version": 102 }, "63c05204-339a-11ed-a261-0242ac120002": { "min_stack_version": "8.4", "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", - "sha256": "b26e2d87c35842443778574939ecc5d426b960a505ada7acb42bcdc372e86d9e", + "sha256": "2e76f0b4789dd25073d770025b98f2cf054276674ecc3e13c14537b6fc13e899", "type": "query", - "version": 2 + "version": 3 }, "63c056a0-339a-11ed-a261-0242ac120002": { "min_stack_version": "8.4", @@ -4404,9 +4467,9 @@ "63c057cc-339a-11ed-a261-0242ac120002": { "min_stack_version": "8.4", "rule_name": "Kubernetes Anonymous Request Authorized", - "sha256": "a2254efd45c81509a0821dfe2637b59d41176b00bcf5e992e9667ec09a5053d0", + "sha256": "5ec06e31f791fe00ded59b09c91b78cfa0cf71a7ae5ee82ec3f629a2799c2262", "type": "query", - "version": 1 + "version": 2 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.3", @@ -4463,7 +4526,7 @@ "version": 100 }, "65f9bccd-510b-40df-8263-334f03174fed": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "8.2": { "max_allowable_version": 99, 
@@ -4471,12 +4534,19 @@ "sha256": "013298b6842e5c3da39c9653179dd8e9b62b3dfd4227f34256471cf64bcfe2ee", "type": "query", "version": 3 + }, + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Exposed Service Created With Type NodePort", + "sha256": "7bdb29beee19d63add116b929b7806d41ae36881ef9d37390be3331c731bcf28", + "type": "query", + "version": 100 } }, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "7bdb29beee19d63add116b929b7806d41ae36881ef9d37390be3331c731bcf28", + "sha256": "93da03ba0cf464e1f2b4e31b9d58e500b834a3b53c3cd329dd8118fe90949fdf", "type": "query", - "version": 100 + "version": 200 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "min_stack_version": "8.3", @@ -4522,9 +4592,9 @@ } }, "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "e44a6471cd9f3cb9f4ff2ff71b707d4b895e7111d26caf035fb73a7a649a74a6", + "sha256": "637a5af49121b368d922f1ce8beaaa9abc999817c2585dd1eefe9fe6c4f7e262", "type": "eql", - "version": 101 + "version": 102 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.3", @@ -4542,6 +4612,13 @@ "type": "eql", "version": 100 }, + "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { + "min_stack_version": "8.3", + "rule_name": "Modification of the msPKIAccountCredentials", + "sha256": "95186261be0ecacd8060f27fcbd33649f3e86c40d53f73a50c1d52d4e53e9c6b", + "type": "query", + "version": 1 + }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.3", "previous": { @@ -4554,9 +4631,9 @@ } }, "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "3dc9daa76e62e8c631c9303e09468d98447d71290ddfd2d926d570bf2f580d66", + "sha256": "920fbba08c958b8664071c20d1ba637d146ed67edef7e8cf792e6b24155ab831", "type": "query", - "version": 101 + "version": 102 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "min_stack_version": "8.3", 
@@ -4586,9 +4663,9 @@ } }, "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "12a8d39f94e8286e76e2461d978b636448c471180d04134c11d2b06fc623e504", + "sha256": "89eb0d585dbafbd7f1ed391a4b5ba76bc2f8adffa69f5c6d9206537fd862d777", "type": "query", - "version": 101 + "version": 102 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -4608,9 +4685,9 @@ } }, "rule_name": "High Number of Process Terminations", - "sha256": "572bcc01029f280970b61a6a247c698227edb788c0f7a7a879001d76c5769030", + "sha256": "55e14e8b904c0b8813efea03b783b3a5f18ab3242e63ed7c52df85e9bb3d97dc", "type": "threshold", - "version": 101 + "version": 102 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", @@ -4662,9 +4739,9 @@ } }, "rule_name": "Threat Detected by Okta ThreatInsight", - "sha256": "265eccee9014d25d76ba6c13ef37b75fe4b585694f0ad3aa47ae0690669d4d9b", + "sha256": "6b3365514534840a4ded646f7e1a3e0cb9eefa5c2f9a6442524d9cb7b4f1abe9", "type": "query", - "version": 101 + "version": 102 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.3", @@ -4733,9 +4810,9 @@ } }, "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "83270dc39fbfd745efa730454cdf9fe041bc1b5913aceb61ccde29d37aed5da9", + "sha256": "d3b09801cc468b446717931f1a1a91ebc43be554b239ef8f1b54b3ef3f8657df", "type": "query", - "version": 102 + "version": 103 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.3", @@ -4753,6 +4830,13 @@ "type": "eql", "version": 101 }, + "6951f15e-533c-4a60-8014-a3c3ab851a1b": { + "min_stack_version": "8.3", + "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "sha256": "2b67895f213f344c0727d912a9536936ca3c72c0af1b9ce24070f5ff8ff76582", + "type": "query", + "version": 1 + }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.3", "previous": { 
@@ -4765,9 +4849,9 @@ } }, "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "c3c9c7bd57d452b175e97c8fd10e3e5521fc159489800d7fcd7ec70b6131f5f9", + "sha256": "4b26d2664f78d79d8d1cdffbd789a282d60745f4072df033221487990581f5a6", "type": "threat_match", - "version": 101 + "version": 102 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.3", @@ -4781,9 +4865,9 @@ } }, "rule_name": "Modification of Boot Configuration", - "sha256": "d47046dd3c6d7b2d81857cdb59c12e30632f4cb338bdee6d77017eeb7d905572", + "sha256": "426646a36cef865beff67c020d631e42826e2ccd4d9f9b3a59e7ff70bde193e2", "type": "eql", - "version": 101 + "version": 102 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "min_stack_version": "8.3", @@ -4829,9 +4913,9 @@ } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "15d304ca4610d3bdcdd5ccbf59f4557b33f5dcb4586d4f7aa0a9e0b02ceabde8", + "sha256": "6a884d882ddcaaf8c9b8e0b5fdeab96b50e80019035e3ce5037d946c77e65175", "type": "eql", - "version": 101 + "version": 102 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "min_stack_version": "8.3", @@ -4861,9 +4945,9 @@ } }, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "6023b238c4eefc97b6a59ca0a23a1985dd52daf852fcbb1d338f183812588e5d", + "sha256": "1494fa3950917de3e55d255fcbf2a26c464f2699dc866ffdea50c4b9f4754554", "type": "eql", - "version": 100 + "version": 101 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.3", @@ -4893,9 +4977,9 @@ } }, "rule_name": "Unusual Process For a Windows Host", - "sha256": "c511cda4aa28a9b42656c38d2ca0b72f1a2a1867cebbac11e496ac7ff737ae06", + "sha256": "791ab8700a52039f24e5816979494fbae818c52ba20be375d733e9fa730af444", "type": "machine_learning", - "version": 101 + "version": 102 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.3", 
@@ -4973,9 +5057,9 @@ } }, "rule_name": "Security Software Discovery using WMIC", - "sha256": "405fe7f8c2a23925e7d2fe92930f1cdc3be8bf444e8eae0b1c1c123b6a8cf69a", + "sha256": "2814c765dc4cb7edc0634ee7cd7c996bcbdb5afea9d9939e58d07775aed3505d", "type": "eql", - "version": 101 + "version": 102 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -5030,9 +5114,9 @@ } }, "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "b39ba2fb57dbf938e72f9acbe9a64c4d65ca5123539a40e67b80060ac3b1966f", + "sha256": "8c3be0de4870c41a26ed37671e231c864b6b53dda7ad827e6c9624ac334fda32", "type": "query", - "version": 102 + "version": 103 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "min_stack_version": "8.3", @@ -5046,9 +5130,9 @@ } }, "rule_name": "AWS Config Resource Deletion", - "sha256": "90cb1cfb2ad7ed8caee073392761b2e26ee4c706c9561a7216e1613be85b4d86", + "sha256": "fb393cd34a55fdcc34044a5a848e3f6373ac8250b885f24bb2a16408650d679c", "type": "query", - "version": 102 + "version": 103 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", @@ -5062,9 +5146,9 @@ } }, "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "b0afbf06b864f7794e0a2be2de337c03e68e9a31fa7b42ea61e11a0de36e4459", + "sha256": "610ab8e827cd3016cf5667ab7c06dd4b512b7be7f658a7aa790d41769d75d6bb", "type": "eql", - "version": 100 + "version": 101 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "min_stack_version": "8.3", @@ -5082,6 +5166,13 @@ "type": "query", "version": 100 }, + "7164081a-3930-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", + "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", + "sha256": "6a6ead81d529cf013aa8fff27c048ecfe8bb0ccba9a6dbf0add1b22dd3dc76db", + "type": "query", + "version": 1 + }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "min_stack_version": "8.3", "previous": { 
@@ -5110,9 +5201,9 @@ } }, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "b00e5a4d5d5c6d8d59504b96c3a00540fb27adbd513b6dcfe224ae36f1b1af54", + "sha256": "adc6ebe7661f128754e8f1ce980ed1bfffe78fa300675b0691605eeb853fb385", "type": "eql", - "version": 101 + "version": 102 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", @@ -5158,9 +5249,9 @@ } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "1e794e11cf17f126dd248557655736d7e16036585bdcda44a847ee1c5ae1fcad", + "sha256": "605f9a888e2693ecfd1f05ee530a9d7e986088669abf71629dcbcbbcd91c025d", "type": "query", - "version": 101 + "version": 102 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -5180,9 +5271,9 @@ } }, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "35c5171eaa6db62c999679b4f31b0ef290254247a4cbba5d704249d73bebe16d", + "sha256": "254bd969289b313da55d1505cf74d76bea71f9301fe389c8bd22ec03bc7818b6", "type": "eql", - "version": 101 + "version": 102 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.3", @@ -5265,7 +5356,7 @@ "version": 100 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "8.2": { "max_allowable_version": 99, 
@@ -5273,12 +5364,26 @@ "sha256": "8845c5c341a499cd38d65de796f7a5a18d12bb9527efd90d7c1f1b89c36c02e5", "type": "query", "version": 3 + }, + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod Created With HostIPC", + "sha256": "9a9a9b859d5aa0b1260420d9cf0d17cf615400af097106fd35f5b1d6af863196", + "type": "query", + "version": 100 } }, "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "9a9a9b859d5aa0b1260420d9cf0d17cf615400af097106fd35f5b1d6af863196", + "sha256": "ab34844f2c83bab32d70239415845cc1733a4f0cff1e728da1bb823553b185ef", "type": "query", - "version": 100 + "version": 200 + }, + "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { + "min_stack_version": "8.3", + "rule_name": "Access to a Sensitive LDAP Attribute", + "sha256": "d5f0572716f839e7a857f25b7ec93b971114eab6e9d369bb3ee285a0cb3c7a4b", + "type": "eql", + "version": 1 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", @@ -5308,9 +5413,9 @@ } }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "edaa42397d413323802f1ef7f9875f5de10bed34577f53a332289a143cbc001c", + "sha256": "25993ab5d4bea4f35bbbea0a25741dee934eae9e2f1f4877ac73d807ec0b9782", "type": "eql", - "version": 100 + "version": 101 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", @@ -5324,9 +5429,9 @@ } }, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "00524f4fded82a3b045e070c9a691744774e363de232d396267a2a9cc0b9d652", + "sha256": "f614000d4c9945aeed3b03723b7d7d1dbf6c946498fca97ee48bafcbc7a5a947", "type": "eql", - "version": 101 + "version": 102 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", 
@@ -5340,9 +5445,9 @@ } }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "cf0976bea81b63409156eee359694480a9e7019b64e9934982721d5a033d64ac", + "sha256": "4ae9d0a86e7e7c0e0129ba04035fd7b11db34eabddd480108295f674473ae295", "type": "eql", - "version": 101 + "version": 102 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", @@ -5372,9 +5477,9 @@ } }, "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "0072ff59ca4feee94e2d1c15d48244bba7d6706c23b5fa838b2d80f112d5d3ac", + "sha256": "915716860c1f135cec8ba36dd5ee26b28cde838556f277fe9bfcb874ab78f8e3", "type": "query", - "version": 100 + "version": 101 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.3", @@ -5411,9 +5516,9 @@ } }, "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "b97ff66b9f974c5948d1cd101ce1d612c1172848e28f936f9004aaacfbec8189", + "sha256": "9d50bc1519b0c8215bb4ab109270a1004862e42d02b9e4942343369ae531964f", "type": "query", - "version": 102 + "version": 103 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "min_stack_version": "8.3", @@ -5427,9 +5532,9 @@ } }, "rule_name": "Spike in AWS Error Messages", - "sha256": "8183eb5101841cac57269a1c57fd4742f08bf5abcef72f96e6941a714aa27fc7", + "sha256": "018861ff98848594a8ade137beebe13ea029fbefeb0c3b80426360169ce7c7c6", "type": "machine_learning", - "version": 101 + "version": 102 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "min_stack_version": "8.3", @@ -5443,9 +5548,9 @@ } }, "rule_name": "Azure Key Vault Modified", - "sha256": "cc11cad36b109a308b000d4ffef2cee07ed8515a3efaa31a6f87699596a763e3", + "sha256": "4e3adeb6c003172b64e7a0159d691edd03b0b1732440043433a32593315ee0d2", "type": "query", - "version": 101 + "version": 102 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", 
@@ -5459,9 +5564,9 @@ } }, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "7e3d14629cfafc91401f89e4897f7c7c3af8fd54751dd0047922f11e48777896", + "sha256": "b6d48e257dcf97edbdeb87d0d53fbb2168ce839bacd20bfa341c3fe973df2c85", "type": "query", - "version": 100 + "version": 101 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", @@ -5503,9 +5608,9 @@ } }, "rule_name": "Windows Network Enumeration", - "sha256": "a9e25b25ba0cbbde73e38ee1a6c437b908c2512e5bdee9fa417c536dd41923c6", + "sha256": "64dfb6b9f24b91efe94e55270fbf2354054a45cc35b4e1dc5b5ad62549df51aa", "type": "eql", - "version": 101 + "version": 102 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.3", @@ -5519,9 +5624,9 @@ } }, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "776bdc7d055bc880558ce25ef540c01f38557435a19f04cf3e6aad5190dafa54", + "sha256": "67ef6987a1c26528568dffe812dec248441f5f35b4b4d04978fcf2f7499539ab", "type": "eql", - "version": 100 + "version": 101 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "min_stack_version": "8.3", @@ -5558,9 +5663,9 @@ } }, "rule_name": "GCP Service Account Creation", - "sha256": "bfc9ca414ec24b008728120433fe6adbc82be9ee524bfa2d2e435d619ec3dd06", + "sha256": "49fc3c9ded84d779ac8c5ca91ab119e47c70543da16192e6ce24a5c1ae167347", "type": "query", - "version": 101 + "version": 102 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", @@ -5596,9 +5701,9 @@ } }, "rule_name": "Unusual City For an AWS Command", - "sha256": "e09731c2def2470615462990e4622174d41f4c999332453785b2e9040591e1a5", + "sha256": "b5a6b34745e354eb73fbd3587842dbf3afdfe52bbef6af1037aacefefa22d717", "type": "machine_learning", - "version": 101 + "version": 102 }, "80c52164-c82a-402c-9964-852533d58be1": { "min_stack_version": "8.3", 
@@ -5628,9 +5733,9 @@ } }, "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "601184a8d1153cc7ad2141aecd6d54cb94c1cadd7e38ae38fd1b45ec9859f072", + "sha256": "aab40be9338df10bd429b31720683a089f4517fac95b022ed084126b3c332c56", "type": "eql", - "version": 101 + "version": 102 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -5650,9 +5755,9 @@ } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "1d665fbc50175609d066a06a5a9dd7e8826288fd4321053ad1c07dd51ea6f727", + "sha256": "80860b10a14648b1a39816e9d25154f1814f70f482e673a00203ed52345fb0da", "type": "query", - "version": 101 + "version": 102 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", @@ -5711,9 +5816,9 @@ } }, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "e5bd4f551066f92ee4691cf324270878cd316318962eacb6caa6703787f73d6c", + "sha256": "a5f3cfb3426c8e395bc6bec94d5fa0e64b01d8cd1b1887714b359694de795fce", "type": "eql", - "version": 101 + "version": 102 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", @@ -5727,9 +5832,9 @@ } }, "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "65a765121cb562a2a0f0a3710e9da97ee5b5ca380d7833a925397e1e6b25f76e", + "sha256": "c7ba4b2996ef1d44dccbbb2edaab4bb103a696503e626f3f1dba9811a6670751", "type": "eql", - "version": 101 + "version": 102 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "8.3", @@ -5743,9 +5848,9 @@ } }, "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "45b564c5a63cf1b5814b9a4e60d3c91b93c97d12d5fbf31cec8539d9ae3edd6b", + "sha256": "0004176ff395773096ee165c7009b84b06596799c27aaf3fafe7299374422434", "type": "eql", - "version": 101 + "version": 102 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "min_stack_version": "8.3", 
@@ -5807,9 +5912,9 @@ } }, "rule_name": "Security Software Discovery via Grep", - "sha256": "75714943f8e2740e1926b35f09b67526a88b790d1958d66a60343dea55e4943e", + "sha256": "3eb98175e7cc1e2f8a3e4a584524d2b69b97ff51e5daa547e4255a0507c09b1a", "type": "eql", - "version": 101 + "version": 102 }, "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", @@ -5823,9 +5928,9 @@ } }, "rule_name": "Enumeration of Administrator Accounts", - "sha256": "b9eac6c72b12f8052297685e41942df07d41aa4754fa29d9d82b413a469aaffd", + "sha256": "cfe24f2db392548ec9bfee03fa359916333c1eb871cf2995cca2eaa26ff0e9a7", "type": "eql", - "version": 101 + "version": 102 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "min_stack_version": "8.3", @@ -5893,9 +5998,9 @@ } }, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "a3ff7380f0b662c46ffcecab91e7b40b2ce4e9a74f19ea3aea29841af035b55c", + "sha256": "69ca050174c52ad424523fbd850b7f4092ca3096e561289de7e141dcf438e76b", "type": "eql", - "version": 100 + "version": 101 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", @@ -5915,9 +6020,9 @@ } }, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "0d4ba175dff6933984e07a17b7cc6ff2aff80204a84ae8b0593e183c10a5668e", + "sha256": "16d7742fc2dcb046e497d96f1bc3372ba89d3853f2169523ec24813dc4166d72", "type": "eql", - "version": 101 + "version": 102 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.3", @@ -5995,9 +6100,9 @@ } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "045434b736375d19dd5c2261b23dbdaee593cd818afa3d68de289052817c3eb2", + "sha256": "e612843f8f71a01687c6f3336181dc7b0c3ecab0c355105ec92ebafabaee95c5", "type": "query", - "version": 101 + "version": 102 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "min_stack_version": "8.3", 
@@ -6011,9 +6116,9 @@ } }, "rule_name": "Suspicious JAVA Child Process", - "sha256": "76091e6b4e844985dac48f608eae91eeee9cd02b29101c525f64dbf31495b434", + "sha256": "7f801bfd425aabfb1453211c45c7d35992d4920454935dea0b9cc1f05a10dbce", "type": "eql", - "version": 101 + "version": 102 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", @@ -6027,9 +6132,9 @@ } }, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "d28a3ed999a5ef5a95a6710b2f118f6bfbeb31aee477de537ec2854e09560190", + "sha256": "3e6e734029b9ba5cd86e982d5debc795bdc7d88e57fc832b61fe5b20c6fde9ca", "type": "eql", - "version": 100 + "version": 101 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.3", @@ -6043,9 +6148,9 @@ } }, "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "45c314dbc1f863265cb06cdd60beb43bcc0ae9285325891e29f2278a01eb1d80", + "sha256": "79462be273249a5aa530dfe2ccc203540ea77d4eebbe92f8f094342f253c9299", "type": "eql", - "version": 101 + "version": 102 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "min_stack_version": "8.3", @@ -6098,9 +6203,9 @@ } }, "rule_name": "Unusual Child Process of dns.exe", - "sha256": "d025edd2a2669cd9ab0f5b0c2f9bbad26d0996dd63ae42861b0db07a3658ae4c", + "sha256": "ebc869469616c0df58e5e9dd229afad22aa454aaf3d4f80b47aec1e86aa20363", "type": "eql", - "version": 101 + "version": 102 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", @@ -6217,9 +6322,9 @@ } }, "rule_name": "GCP Service Account Deletion", - "sha256": "dc106358a8faa9b73188f48185804a769735e4e84da828db49b812e29cc5b522", + "sha256": "b9be0632bf3604570fe1351a591ba3a70dcda3be7ec0f027e58dc34c3ad7c382", "type": "query", - "version": 101 + "version": 102 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -6293,9 +6398,9 @@ } }, "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "83db654be4ce09b09ea2f5fc1979aa9970b6a65b8325061138faff6de8405f7f", + "sha256": "c524a31fb3babd9583c570f4119294357ff4bda43eca7a0dcf6f7f1e51962d7c", "type": "query", - "version": 101 + "version": 102 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "min_stack_version": "8.3", @@ -6364,9 +6469,9 @@ "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.3", "rule_name": "A scheduled task was created", - "sha256": "596dee8b33992208e34dd60551f9b3334558b5aa1fb5ac9cb115224e7e990ab7", + "sha256": "848cb3cd04f062dbb6422eb538fceadd5fe83ad78981674a62fae7741538f92c", "type": "eql", - "version": 1 + "version": 2 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "min_stack_version": "8.3", @@ -6412,9 +6517,9 @@ } }, "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "1a802576b2f53f4b109418073778dbb9ab316488a42b15571652d43c1664cece", + "sha256": "a38f238af788b7d5c7ddb53e9e992cbb460b39e1a3278dc80944cf5a9c19cfd6", "type": "query", - "version": 102 + "version": 103 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", @@ -6428,9 +6533,9 @@ } }, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "7961c889acee341e70dd9f9c28f9572742af84a397858b392bda127aa49fbd71", + "sha256": "6884679ec68508237604431d123b7d3d6dfe5f45c7e515f5757dd324e152a40c", "type": "eql", - "version": 101 + "version": 102 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.3", @@ -6444,9 +6549,9 @@ } }, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "e4e3fbfe5541801f14ee027a2cc2e56362676fee8a2785c86d5c7b1c0ed7f083", + "sha256": "1675151b163b944850d988608a42a4d826132927985b739b843d3f71093770a6", "type": "eql", - "version": 100 + "version": 101 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "min_stack_version": "8.3", 
@@ -6506,9 +6611,9 @@ } }, "rule_name": "Remote Scheduled Task Creation", - "sha256": "62a9b9484177cb6bfb51bfea972dae4bd75d8c3dc5f67d99db5b3de16fa3ba65", + "sha256": "37f5ad20773f4e421d037187b0e00e0f7614224b4017349316603effd6e34ca0", "type": "eql", - "version": 101 + "version": 102 }, "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.3", @@ -6522,9 +6627,9 @@ } }, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "7c9b4104991762830205300b3dae2864ba35f69eda6c41709be4d83a0259ed86", + "sha256": "d8de00179b91e4b3f52be1d15718c56f4de205d7117625858cba3e68040a13ac", "type": "query", - "version": 101 + "version": 102 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", @@ -6554,9 +6659,9 @@ } }, "rule_name": "Attempt to Create Okta API Token", - "sha256": "e422d6ae568c6176ce467e84cff66e388e6aebd1a08ecd0975170f85d062755e", + "sha256": "ae0253993e1eaf34f0186cf3d7d0f136791d0ca732c546fb7a21b737c650f6c7", "type": "query", - "version": 101 + "version": 102 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", @@ -6574,6 +6679,13 @@ "type": "eql", "version": 100 }, + "97020e61-e591-4191-8a3b-2861a2b887cd": { + "min_stack_version": "8.3", + "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", + "sha256": "f9b5563fe00d7f811a53e5c4f8b64a7fa1e92b17655a67bd0c30c6a447f6d431", + "type": "eql", + "version": 1 + }, "97314185-2568-4561-ae81-f3e480e5e695": { "min_stack_version": "8.3", "previous": { @@ -6602,9 +6714,9 @@ } }, "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "23227ba904aeacc1007e1bc763fd3b47c14446815d11d7e94c9b551250ca8a8f", + "sha256": "b5d7f59e9c5704eff3cc4ba5dec2442e830314023bb5b527d96bdffe13d2b64e", "type": "query", - "version": 101 + "version": 102 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "min_stack_version": "8.3", 
@@ -6634,9 +6746,9 @@ } }, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "144ced09d087c3f09d76bfab1e7d3c1f57bdabdd49aa7ba0fe91571060a904e4", + "sha256": "0c99c47c86b7ae409358e4703c4571d70e52ff54917ca3592ac7cf77b5af8436", "type": "eql", - "version": 100 + "version": 101 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", @@ -6650,9 +6762,9 @@ } }, "rule_name": "Suspicious Zoom Child Process", - "sha256": "8203c88e34f43822aaf2d8ad3b6c6fe5c52e76cbe368b4b98701ac7ad5d2144f", + "sha256": "b6d9bc2a4ae487553d64843041fa9ae57de97471161ccfae59194391f4576f5b", "type": "eql", - "version": 101 + "version": 102 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -6685,9 +6797,9 @@ } }, "rule_name": "Startup or Run Key Registry Modification", - "sha256": "04ce9c1ed9afadef4b0595b0431aca7655094d11398dd6e4341b9c30c0a31f7c", + "sha256": "6617b8857b734d9c472e0c5ff47d46dc6ab3113f0eb83303ad196abe18e752c5", "type": "eql", - "version": 101 + "version": 102 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "min_stack_version": "8.3", @@ -6701,9 +6813,9 @@ } }, "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "1414d88d46470984e304f7aeff112cdd344d67618601150c1774758132123eb3", + "sha256": "970e1d438ecb681a25da6551a2468604dac0a6e9a7c6d0579b345d383f487dfb", "type": "query", - "version": 101 + "version": 102 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "min_stack_version": "8.3", @@ -6733,9 +6845,9 @@ } }, "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "10e3ca8d573e44ad91cce09df1598249420c0a30e2853bc649329dbb0f460819", + "sha256": "603a3f53fb4dfac70ab8fcf6d3a642bebe8028c86f41f4c0aae4865dd266bd3a", "type": "query", - "version": 102 + "version": 103 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "min_stack_version": "8.3", 
@@ -6781,9 +6893,9 @@ } }, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "88d2c5f308cc28bcc031d965e8b50aa986c141f50bc673ba4f13d1ecdcfd9758", + "sha256": "9a6d337946e9ad29db4475d40027343e1de72f4c6e81103af2c68dcc224695ac", "type": "eql", - "version": 100 + "version": 101 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", @@ -6819,10 +6931,10 @@ }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "min_stack_version": "8.3", - "rule_name": "Shadow File Read via Command Line Utilities", - "sha256": "b2da0bd8ae98077c7c58ab6ed35ab10547da51ec3fb5c452532877988ba83929", + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "a080c4579434fb0c657f0b2774cdd988d3c6b3686522c1010f608ff3b5d4a369", "type": "eql", - "version": 1 + "version": 2 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", @@ -6852,9 +6964,9 @@ } }, "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "ef6c8c55cdc8943049e6041daeb1fc99ac07f953f19b551643253e8fbf8135c5", + "sha256": "5a137eee9f8052741c8b6e6f3eba0ae3888aa76ef0b3f0ebe01f8bb3423c3902", "type": "eql", - "version": 100 + "version": 101 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", @@ -6868,9 +6980,9 @@ } }, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "b22024a681301cb72c382198d4546bfc233d9b5392c38e14397426f16aea7296", + "sha256": "6b505deadf24dfecd63b01bb047a56a452a75a7b29d3ed86cc9de53e70eb490f", "type": "eql", - "version": 101 + "version": 102 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.3", @@ -6891,9 +7003,9 @@ } }, "rule_name": "Hosts File Modified", - "sha256": "4d4d77432df7611cf1f79fda2d438ec5604ed06612fc271723c6c702e2621c94", + "sha256": "ae566e2b24b5826126b48579010af6e0641702a58c1db22f4429f616d429b2f0", "type": "eql", - "version": 101 + "version": 102 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.3", 
@@ -6914,9 +7026,9 @@ } }, "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "781600e7729464fbe081f95645735a242176d063824f68bf455d85d748d47d59", + "sha256": "e84a39a971bf6f7b883174cf89e7fcca790baafb4ffd976ff31ac21701d432e0", "type": "eql", - "version": 100 + "version": 101 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "min_stack_version": "8.3", @@ -6943,9 +7055,9 @@ } }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "471cc585d9f8ced69466e297ae4f61b9e58ee967a30e25221d97cacf9aa50d3b", + "sha256": "e55add1d0269fe40e3495c283b4eca89e1d5227b00c473e1320dab844c5d1a22", "type": "eql", - "version": 100 + "version": 101 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", @@ -6959,9 +7071,9 @@ } }, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "26e33b0b951808fa5005787a9ee751d260a9be450966665c0837f3b3aa633909", + "sha256": "4f80e0931cdf43b31de77f438963fc21ee800f8c3fbaad2a8d083a2ac9d38fcc", "type": "eql", - "version": 101 + "version": 102 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", @@ -6975,9 +7087,9 @@ } }, "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "1e72085f77b8cde2b42fcfaf6209360250d22a2153cc6d71f0645b84087eabe9", + "sha256": "2bb1b82a8eb893d316f2655f3e3795254a09e025dd29f23b1610d9813a4ac4e3", "type": "eql", - "version": 101 + "version": 102 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", @@ -6991,9 +7103,9 @@ } }, "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "cd2c120213f2b09304c817743849cc93280f176e34fb8d484cf594cd4b878848", + "sha256": "c47e4cd305a3171973479232acebfa81875fa3d4fec05a0f8a4d464780ff371f", "type": "eql", - "version": 101 + "version": 102 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.3", 
@@ -7007,9 +7119,9 @@ } }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "8f9348d8d0b125fe39fce9baf30cc3b171c5557ac0ef57e22dd50195d6745d16", + "sha256": "03a13bce7128b27d01060c070623b662c412d33c9acf3bbdb2073a2cc48762ae", "type": "eql", - "version": 101 + "version": 102 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", @@ -7023,9 +7135,9 @@ } }, "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "bb5a421f93153184544c9cb9f4a30cd1131cf22ec8a8c86860b37ac1a0246faf", + "sha256": "0531ffb647ff071e41dce39ea94ade87c60f5463eb203277dfd2e949f9bfe5cd", "type": "query", - "version": 100 + "version": 101 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "min_stack_version": "8.3", @@ -7087,9 +7199,9 @@ } }, "rule_name": "Potential Credential Access via DCSync", - "sha256": "98cc2ca9221f99fe9a3dbb8953a161bfae03bdbfbd31c3098fdf4d5120fad61f", + "sha256": "768866e70059d1853da308d71a205d4a2a3d825492116a7fe25992ad5baceac1", "type": "eql", - "version": 101 + "version": 102 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "min_stack_version": "8.3", @@ -7119,16 +7231,16 @@ } }, "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "8e7c4969b3d2c116adb3fb616c87882c97515b919b1b9e1d1ff80fc52f95b77e", + "sha256": "a69d582cf6e0e55870311c1dbb42fa45819bde91341256f2419a92ceb3661e87", "type": "query", - "version": 102 + "version": 103 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", - "sha256": "661af71e6e6189c9d45f1b0d951521586c952bf6bcc8ff4f779f1c65f8f7b3b4", + "sha256": "c69f56036f2a41cecb4b44276c7a6afebcc1669a6a88a286b4bf83ab57ef8359", "type": "eql", - "version": 1 + "version": 2 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", 
@@ -7142,9 +7254,9 @@ } }, "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "6973822bda7a7ae138c5f65f145efe14c0a4c1bcf6f730567586454f158bd88d", + "sha256": "96698ba5f4e7ff1d6d7c7f4749c944237d36fd13f49dd6c6fa1cfc80889e7c34", "type": "query", - "version": 101 + "version": 102 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.3", @@ -7190,9 +7302,9 @@ } }, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "cecd8b378d90ff1e7057c45ccaf832fc9744bc8f3776deb97f2c47f3570688a3", + "sha256": "6d9f43c2018496c0af2e0f90311ea2876e1a4eeb5e29066471dbc7d358d748cb", "type": "eql", - "version": 100 + "version": 101 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "min_stack_version": "8.3", @@ -7206,9 +7318,16 @@ } }, "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "eb71b74468071bfd8d4f2dc0e3362ed1f387d348115ca17e441cf96cecf51ac0", + "sha256": "fcd5cbdabbc7af153dc5192f69e2da0c7fc2a02aedfa86746db1eb2e8dcce2b6", "type": "query", - "version": 101 + "version": 102 + }, + "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { + "min_stack_version": "8.6", + "rule_name": "My First Alert", + "sha256": "9551a719de75983639802d3145fc8fcb4585e896adb24c1ef887bcbcfc59a08e", + "type": "threshold", + "version": 1 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", @@ -7222,9 +7341,9 @@ } }, "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "dedb7372116ccf840ea4ca242e1949e286843f01f82669e49c6515dc6ee18cb1", + "sha256": "8b1e3f910bccfcbe4434e5c28042c976d372cd15cdda0fded421e99a03f1b3e0", "type": "eql", - "version": 101 + "version": 102 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", 
@@ -7238,9 +7357,9 @@ } }, "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "bb8d136a1a37fe63e46a4b01dad61dfe6aa7a432add04d5ce631c8e76d26aa14", + "sha256": "f0f3ebccf1efd3f9f1280e07428ad659f7cd90c40b8c5cc80fc55dc11164d16a", "type": "eql", - "version": 100 + "version": 101 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "min_stack_version": "8.3", @@ -7261,9 +7380,9 @@ } }, "rule_name": "Execution via local SxS Shared Module", - "sha256": "a4ffef52c49a8018f8c68b0bec5c62af6349a374edc32872c7f6b70907732002", + "sha256": "5b5233ded54819e76301c6442e5135971245549c0f1afa6f552648be98ade2bb", "type": "eql", - "version": 100 + "version": 101 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "min_stack_version": "8.3", @@ -7277,9 +7396,9 @@ } }, "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "3f2a1afd12a88576cb5efea0e12de4f485b8906310b60d1cf44fc74c2e5fceab", + "sha256": "57ca3ec7a253676f948f283229efffe45f67034f01086efe4acf9897788edd30", "type": "eql", - "version": 101 + "version": 102 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -7306,9 +7425,9 @@ } }, "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "b5b57526e2a7404d7757088dce163fd98f8ee1cd777d093cdab4e2e415bb3629", + "sha256": "4f999b21412be799a88eee2e818938ef07fa10579c83384c8f71fff8b3b49ef6", "type": "query", - "version": 102 + "version": 103 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "min_stack_version": "8.3", @@ -7322,9 +7441,9 @@ } }, "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "6d5eb363ba49b4f22a3d6b82e3e8eea02ef8d63778b70b61097b0c4652595025", + "sha256": "7594e283436e5c535f5185aafafac33e47811e6949c07356d115fe7d8d22a694", "type": "query", - "version": 102 + "version": 103 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", 
@@ -7338,9 +7457,9 @@ } }, "rule_name": "Suspicious MS Office Child Process", - "sha256": "211342c0c1c3b84d608152b9f15ecd6372eb6bfdb9327ffcaeb7b5f1da485379", + "sha256": "91ce6b47545595a2137eff08988b3e09a6843d8a71e6809acb7edade96027a8c", "type": "eql", - "version": 101 + "version": 102 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", @@ -7370,9 +7489,9 @@ } }, "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "ac3e386ec53fff6d7a73804bac0aa697c3c4661edaf048b84972733211b6ca40", + "sha256": "c58bd5faad6a27bd4d27ab5eedd585f2517329f8d2f8bac6db04a2d380384365", "type": "eql", - "version": 101 + "version": 102 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.3", @@ -7386,9 +7505,9 @@ } }, "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "49b7b99d15de4db37df8a43545a2476768e7edebb347fbab117689283c0fcd86", + "sha256": "27d0a6f41de1cc8b396bde7ca98acef7750e73a19159ddc4c5de195afce270bb", "type": "eql", - "version": 101 + "version": 102 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "min_stack_version": "8.3", @@ -7495,9 +7614,9 @@ } }, "rule_name": "GCP IAM Custom Role Creation", - "sha256": "da0623509f7796f22ca62b96242ea504f076263186a5b77099f970be2ebd74b6", + "sha256": "9f752228a317a2a789cdd726eee2ea32258ec954d76e1e967d18b561faa063d4", "type": "query", - "version": 101 + "version": 102 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", @@ -7511,9 +7630,9 @@ } }, "rule_name": "System Log File Deletion", - "sha256": "46917edee13ce1920e16d4abca0860805c2905e081f95a13acdc961ccb31bd70", + "sha256": "44da4fccf68245941a36ce2ea6769573f31449a13345d27283f7dcc8e9fb2356", "type": "eql", - "version": 100 + "version": 101 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", 
@@ -7527,9 +7646,9 @@ } }, "rule_name": "Remotely Started Services via RPC", - "sha256": "100ddcd44032ba4d6075c4239354f24d10f38ed508e73257caec620d522a4d58", + "sha256": "62b43a5588f610b2b398b35cd1e1ccc789d0b64bdbc25094a605879f35a1a254", "type": "eql", - "version": 101 + "version": 102 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", @@ -7543,9 +7662,9 @@ } }, "rule_name": "Remote Execution via File Shares", - "sha256": "e4eef1d2a84e89af9d2bd0a303700da937d723243f410994f3b0f410318e95ee", + "sha256": "780914a87680988b043b2652aed266587f1ccf25f64d3a7b4e485a26aae6f669", "type": "eql", - "version": 101 + "version": 102 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", @@ -7575,9 +7694,9 @@ } }, "rule_name": "Potential Persistence via Login Hook", - "sha256": "21c5c05e597fe02f130b9a0af8bbaa4669e45f5159f1a272e3b79187f5ba3347", + "sha256": "d5ad89f1184078f225a708b7b9c6e056dac1b82a616cffa4375da1141f7bb40f", "type": "query", - "version": 100 + "version": 101 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", @@ -7591,9 +7710,9 @@ } }, "rule_name": "Suspicious WerFault Child Process", - "sha256": "5f09d7f3510d3f1c8609d214837a3c4d34463951f4cece2e7927a7bc69875d21", + "sha256": "94fa0922059e45a20b47115bdd0ee7299478a0bd8862e1541638a8e5902c8c84", "type": "eql", - "version": 101 + "version": 102 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.3", @@ -7607,9 +7726,9 @@ } }, "rule_name": "Unusual AWS Command for a User", - "sha256": "1b85d3a4b1a0ed8a45f322de57273dcd5df8f4cd4f3afb6de7c94350a3a23db2", + "sha256": "ed1ed310e8cd112d3677699e23bedeafb31f54a9267a254312ed66089eee5be8", "type": "machine_learning", - "version": 101 + "version": 102 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", 
@@ -7623,9 +7742,9 @@ } }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "11690a470d6dd85080c882c084aa20680fd6c458ff2d47c6c3ee8eff18ccf078", + "sha256": "59b4eb370173a24670b181e9677e4aa5b145836fd97c3b7c4da84b53bd08aee8", "type": "query", - "version": 101 + "version": 102 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "min_stack_version": "8.3", @@ -7710,9 +7829,9 @@ } }, "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "0481358387cd42bd165bf22af89774374541c9839126637ea92ee9a2b9b5e9dc", + "sha256": "1d78d5b6d0d751957746e02e6ae61662aef442fe2344cbdf21c6fca13239f957", "type": "eql", - "version": 101 + "version": 102 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", @@ -7755,9 +7874,9 @@ } }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "befdefeb885fae0bcc5c56f857572949cbe820be6a9fe14b6ac6d8543a082ecc", + "sha256": "dd3bc5fe5e5a33261113281e5c22415d614a16cf946705510c5905a162b9bc5e", "type": "query", - "version": 101 + "version": 102 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", @@ -7786,10 +7905,10 @@ "version": 9 } }, - "rule_name": "Netcat Network Activity", - "sha256": "34627e6ab4f68c58c9a4165983ccfd4382b395ee4ab1e87f207b934692de1c8d", + "rule_name": "File Transfer or Listener Established via Netcat", + "sha256": "5850d11aca245001d24d7d825b1117850763f6a4d2ce483a8c1a4aeed6aaa50c", "type": "eql", - "version": 101 + "version": 102 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", @@ -7803,9 +7922,9 @@ } }, "rule_name": "Local Scheduled Task Creation", - "sha256": "d412e663786e8446c8b21ca4436eca75890995e2f9ba2af309afc077e1b63ef5", + "sha256": "da1e77e9fd2e8d8ee1411d69f4643ea5b67d88977558f3353a068201ef22fc3f", "type": "eql", - "version": 100 + "version": 101 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", 
@@ -7873,9 +7992,9 @@ } }, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "a281be4634c4e1517cb4e7e54ce8c773ccfa7b841cdb3db16833630712164bc3", + "sha256": "d4ce1a51fa3b832dab306a8dad06f043c013e22d103172ed3b777f42c35e7d12", "type": "eql", - "version": 101 + "version": 102 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "min_stack_version": "8.3", @@ -7937,9 +8056,9 @@ } }, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "4a155a2fa22017fe0404d4c080c39239c8e19f766abc880cabb80b641efe618a", + "sha256": "1d155f6c9935c3f224c5b17a93e7a0f1f3353d384c6a535e89ca66a0690db77c", "type": "eql", - "version": 101 + "version": 102 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "min_stack_version": "8.3", @@ -7985,9 +8104,9 @@ } }, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "e529946936f72fa7d42c8d61570a67b8e12512acf6459dfa6f5d52a6e88075e1", + "sha256": "28b42be958d0bf8a397306dc7f0cb14cfdbe0f0eaccb5755c9de565c0880d356", "type": "query", - "version": 101 + "version": 102 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", @@ -8001,9 +8120,9 @@ } }, "rule_name": "Clearing Windows Console History", - "sha256": "f1a5ea62c6721026ca7e18caaf4bf33d454a30da95a5e51de871b44822d66354", + "sha256": "5ceee87c1b548f37bdc327285bebdaa3a1cb1d06bf9713eb611b3ce161782d4d", "type": "eql", - "version": 101 + "version": 102 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", @@ -8017,9 +8136,9 @@ } }, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "779f0a086342fa564299a8d21300ae7e4065e39fffbc4d09ee4f60b9bfd402cc", + "sha256": "602c968933d1f1f39134290e8f13136e46ae677a4704639820cdac364753421c", "type": "eql", - "version": 101 + "version": 102 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", 
@@ -8081,9 +8200,9 @@ } }, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "300ef1cf29b48608ef4a16d56d027217689f6c7b50e0cbe93fa9affc2e384f53", + "sha256": "e80ff50996cd7da0cca7153e82a4a23ac280c4f59a61b07d8502cd37ea7573c6", "type": "query", - "version": 101 + "version": 102 }, "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.3", @@ -8097,9 +8216,9 @@ } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "6f375a897c5b8d7a5a23e2b35ca57c0891a7c2058fbc9c5d9463c036a0a32039", + "sha256": "232980a0baea2530b71daf1953c4957e214ab632c7911fbdbf3ff40ceda34c98", "type": "query", - "version": 101 + "version": 102 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.3", @@ -8113,9 +8232,9 @@ } }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "434c624c1d4ddbd26abf31b01797279cd3eb29a00e4e07455d3188ac512fe7d7", + "sha256": "8c3469e69ba0660bc0b636c9af6ec9ed9975f429405f07e05b878844f61849c4", "type": "eql", - "version": 100 + "version": 101 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.3", @@ -8165,6 +8284,13 @@ "type": "eql", "version": 100 }, + "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { + "min_stack_version": "8.3", + "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", + "sha256": "f21896688e943b2bdedd452b6169411cb9b02f5997f21450a6d639bcfb67f0b5", + "type": "threshold", + "version": 1 + }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.3", "previous": { @@ -8177,9 +8303,9 @@ } }, "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "fb8217f660f7f363d93046d01024c84e2b2418063e682cfd8e8bd6b1c9355fe2", + "sha256": "84df79aba4e32f5588aae45d5d339b379fda9bb54607c01920917a11f61a8e58", "type": "query", - "version": 101 + "version": 102 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", 
@@ -8209,9 +8335,9 @@ } }, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "9c46b2102e5e8fe2f5628ea58b100c07e32fd347df708a90b4a6735485090aaa", + "sha256": "2e236d0525207b6d6353d5ecab5d1e5dfaa91572d71f51a7a8ecb54ff16df642", "type": "eql", - "version": 100 + "version": 101 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", @@ -8321,9 +8447,9 @@ } }, "rule_name": "AWS Root Login Without MFA", - "sha256": "940a45911a3b2b5b13e9c9b41b429d1c008def777b0186403f35a218bb9c16f2", + "sha256": "2347ecbb807f1900595aab3aeab6d5889701ec450add0c836762f5173d54586c", "type": "query", - "version": 102 + "version": 103 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "min_stack_version": "8.3", @@ -8337,9 +8463,9 @@ } }, "rule_name": "GCP Storage Bucket Deletion", - "sha256": "a026881049df47e46236c24763c0d0b70c2e7f81d0dfabc4f3f95c1867586572", + "sha256": "134d12ef938ed48704eb9729c1a3e34f211490ec5dbb9e5d5cf458cdee36cb6c", "type": "query", - "version": 101 + "version": 102 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "min_stack_version": "8.3", @@ -8373,6 +8499,13 @@ "type": "query", "version": 101 }, + "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { + "min_stack_version": "8.3", + "rule_name": "Potential Non-Standard Port SSH connection", + "sha256": "96df3e3b42243bbd41ca38b0e51e414c1f2e327620ffc6b7b0901c301e9e724a", + "type": "eql", + "version": 1 + }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "min_stack_version": "8.3", "previous": { @@ -8385,9 +8518,9 @@ } }, "rule_name": "GCP Service Account Disabled", - "sha256": "792b95b26dd07af5573402da08b2cc0c0b9bd500bea0be9c89237fec48f5904f", + "sha256": "e81d904e9ea39fca420643d85f858b8a0f52f2d7fc45be1523fae2dcb4f3ed94", "type": "query", - "version": 101 + "version": 102 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.3", 
@@ -8401,9 +8534,9 @@ } }, "rule_name": "PowerShell Keylogging Script", - "sha256": "dfdedc468067ef0624f4a3f8a138534b98e8b6ba5b07b56c2f2d4837d08175a8", + "sha256": "6b2cf5c328cc39f2acf19d607c7ab1484325e920545589c991b8ef9b675752e3", "type": "query", - "version": 101 + "version": 102 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", @@ -8449,9 +8582,9 @@ } }, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "63907c72742a3d7977c30a7371746c8db93f522c559150ceb254ca8980d9ea1b", + "sha256": "7050c7806e6422d201dffef3dbeee4d12350f7d38b886eb5e6170d2b334ee2f7", "type": "eql", - "version": 101 + "version": 102 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.3", @@ -8481,9 +8614,9 @@ } }, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "bf9d87e0b134b5f59de31962493afb8906fb964fc1ca6cea6432661018e81096", + "sha256": "c8c91286a081838505d9ad847989134d28f2243c2dbf220c40db0221487704df", "type": "eql", - "version": 101 + "version": 102 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", @@ -8561,9 +8694,9 @@ } }, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "832490bfded743aadabb9dbe32ca35a032e3f19e38fe8845baa443ae13521af9", + "sha256": "3d15aec8ba207aea375b6108a1380a36e7bb8d4acea95b91ef6ddfad3ca1e5f9", "type": "eql", - "version": 101 + "version": 102 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "8.3", @@ -8657,9 +8790,9 @@ } }, "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "0e20c1d9c7505bac6f968e50499da0d632e80699fa86b8d5f80681f960853bbe", + "sha256": "2a4f8b7cf6b327d7d9f00d709572020d408f9c01bdada1886f0db2049febc07c", "type": "eql", - "version": 100 + "version": 101 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.3", 
@@ -8673,9 +8806,9 @@ } }, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "39f726e84952213e8553aaef9a7cddb0d03fd68943b9e3d2a65eb95bd2bfdaff", + "sha256": "e6c4f2956a447cbb57b8fde4d9fe8edde091423a665136d6965bd9d0236ced6e", "type": "eql", - "version": 101 + "version": 102 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.3", @@ -8721,9 +8854,9 @@ } }, "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "aa4803b001bcee2d8402978d64d08d524e6feab40959002f098b8af22d80b979", + "sha256": "0a9032ef1c30200f1cc3ad3389897e916b69c06204af2f225c04e61f54f8bf90", "type": "query", - "version": 101 + "version": 102 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.3", @@ -8737,9 +8870,9 @@ } }, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "5693c66099391127c7952f8bb15cd31dbd3a0310486de295ae5fc0448a2c263c", + "sha256": "24718e94e9fc84f8fae4c1ae1592b6df96654953955646620aabf1ee62d15055", "type": "eql", - "version": 100 + "version": 101 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.3", @@ -8769,9 +8902,9 @@ } }, "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "e597971b64b1606fbd9c68467b49c62f75f4c1c3e606dc6a9d4fff6ed2b479cd", + "sha256": "3ca32de65d7dba5c24309bdad828cbcb026f208169beee674128d5675ad6e126", "type": "eql", - "version": 101 + "version": 102 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "8.3", @@ -8801,9 +8934,9 @@ } }, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "52bc9584ceccacdf761581eae348ae4110cc6fe813d1835d932e35e953882d58", + "sha256": "1cdd5eb7d83247c18f6240b8abb31fe921f85a85dfec614dda820a8246932d9c", "type": "eql", - "version": 101 + "version": 102 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", 
@@ -8823,9 +8956,9 @@ } }, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "265a1e94f2acf57c93587850a7f20003ede2ef0d082f278d593d2ecba108c99b", + "sha256": "ca0f503e8fae0469ced007730bbddcb8f7ccb18fbbf43730792333ca1a09aa73", "type": "query", - "version": 101 + "version": 102 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.3", @@ -8839,9 +8972,9 @@ } }, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "a9a92aef56cb434f718d6d750452f4d66b7ec61a56fda772da9d216ff74df177", + "sha256": "82ecca8efc10bc1cc58ea10d5ac7df12452174a2eb96738f54e5d4c36bcf3854", "type": "query", - "version": 101 + "version": 102 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.3", @@ -8860,7 +8993,7 @@ "version": 101 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "8.2": { "max_allowable_version": 99, @@ -8868,12 +9001,19 @@ "sha256": "01bac327794401a552f635ee0b3a0bcc5ae37d9ca094baaf92b7f233dbcbef0b", "type": "query", "version": 3 + }, + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Privileged Pod Created", + "sha256": "490d52d841dfa80ed829303bdf0106213c05928b84203e29adca6b9ee93ffc98", + "type": "query", + "version": 100 } }, "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "490d52d841dfa80ed829303bdf0106213c05928b84203e29adca6b9ee93ffc98", + "sha256": "3dda67cc0c038b74335d55fa212102efb2e28513d780d1c058abe68229b02346", "type": "query", - "version": 100 + "version": 200 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", @@ -8887,9 +9027,9 @@ } }, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "f2595eda244fd4babde332e6b734f668a97ab1f7e128e4753c8ee5c8d3c56904", + "sha256": "53b93b250fad5fe81f7f1f5d8c160462812fd9f4fcaba129f09ecd595b50339b", "type": "eql", - "version": 100 + "version": 101 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", 
@@ -8951,9 +9091,9 @@ } }, "rule_name": "Direct Outbound SMB Connection", - "sha256": "9a176ff1112962f8f4b72d0ae6cdc1753d1764de5baf488a063f3e424191b234", + "sha256": "7cf9e832a83dff6b0c662af86cdee5bca55413aa760050b56ddf48045f6b398d", "type": "eql", - "version": 101 + "version": 102 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "min_stack_version": "8.3", @@ -9005,9 +9145,9 @@ } }, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "aa11813ffece76619556de611ca09031ce4bb2c374f37f412b0900abbb33171d", + "sha256": "d5a05748e667ae93db64bc48c7ef6e4ce8a948ded02b9c3653458ed11ae91482", "type": "eql", - "version": 101 + "version": 102 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.3", @@ -9021,9 +9161,9 @@ } }, "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "739b25b61ce3a222fbada6ef424ae076ca2f717296479eca4a6e7bdf75600f87", + "sha256": "eafc614cc6ff81754278616718139ec217ece38e32363a5eb06cf484c4671f41", "type": "eql", - "version": 101 + "version": 102 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "min_stack_version": "8.3", @@ -9075,9 +9215,9 @@ } }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "6333383e5cf8385b51e754164c06b8ea8626e376636adbcbd98369cf13314896", + "sha256": "dda4f232c44f2d23171d706d22905b4d54610db3b00edd35a2fa79c4363f89c9", "type": "eql", - "version": 101 + "version": 102 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.3", @@ -9098,9 +9238,9 @@ } }, "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "05fd75dac5209f44aeb77e65b0b73b52449dd5da76d606e36520fe03365021f7", + "sha256": "ae092f56126eca884a0794f491024c780354da3cdf52670bdf2ddc95208eb7b5", "type": "query", - "version": 102 + "version": 103 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "min_stack_version": "8.3", 
@@ -9159,9 +9299,9 @@ } }, "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "98f7bcc1acadcab0ac4d987de027955a2adb2c973f540f044c7c031e6b412813", + "sha256": "502bd12f4e8b045a85e3b60e96f365d676ee1b23bdb48ac6192572a63a476162", "type": "query", - "version": 101 + "version": 102 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.3", @@ -9175,9 +9315,9 @@ } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "5d999367838b2c6c6c851f6638262dfdd1ae807364a2836b89f2670ff192397d", + "sha256": "96d42c07c11ea1e66f37d0fe71463b4bc8ff9f7dba1c7aa62a2a77482af2d478", "type": "query", - "version": 101 + "version": 102 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "min_stack_version": "8.3", @@ -9191,9 +9331,9 @@ } }, "rule_name": "Potential Process Herpaderping Attempt", - "sha256": "d3d51648e56786364ca0f5e181a5e8cf20b152c6edc443c8748cab4de6a5fa33", + "sha256": "fab9d3f8db851000f5fe8debc49a7336c9e23c03450b158ec250adeaa0589414", "type": "eql", - "version": 100 + "version": 101 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.3", @@ -9207,9 +9347,9 @@ } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "000c3451ea82378a6246a9f6f0ba19547411b2cd485bd18f88c57a51f1914ac4", + "sha256": "f62ce3d63c7514a1b1e3485043746bff4cbd29215e3532662de3da9a45385c48", "type": "query", - "version": 101 + "version": 102 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -9261,9 +9401,9 @@ } }, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "fee48d682975fbd154aa3d57b38b63d2f5b6ad9ffe5facb8a01ec97467fc61e5", + "sha256": "18737d6849af63f0300dab6e931af5464f8c15f68f31f5bf7bdbd6b3ccb1cdbf", "type": "query", - "version": 101 + "version": 102 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.3", 
@@ -9277,9 +9417,9 @@ } }, "rule_name": "Okta User Session Impersonation", - "sha256": "ca6216971f6482493b9d7ed49dc36a984892a3a066c4667255763427bcde1c4c", + "sha256": "b839129d515b067cff4aac735b1c9dc12f24f90fe301eb0b9fbc9bbbf4a4f19d", "type": "query", - "version": 101 + "version": 102 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", @@ -9309,9 +9449,9 @@ } }, "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", + "sha256": "cffe277a143e742352935cbad8cf22d3f85f173a37c643195b21a9d22095ac11", "type": "query", - "version": 100 + "version": 101 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "min_stack_version": "8.3", @@ -9348,9 +9488,9 @@ } }, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "e21d8fcca7b44f63c903d7f887b5bac54e0fc9f699a8023540fae7ac4338f38a", + "sha256": "81cbbcbf7c64254ccfb966cd96ebb320807c192dc6dc3fde873211fcc4fd2568", "type": "eql", - "version": 101 + "version": 102 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "min_stack_version": "8.3", @@ -9387,9 +9527,9 @@ } }, "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "f8d09d0f4eed118f42e827f0455ccde96d1e13fb736bb8e5b464a3fa1d2b0a8b", + "sha256": "f97d05c1feafd2556f568abbdc47045cca9e37120e295b9d7654fe1359263316", "type": "eql", - "version": 101 + "version": 102 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -9425,9 +9565,9 @@ } }, "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "3e9df58020cfccaaa28bd6db826ca997df8524f105956af44d17604491ff5597", + "sha256": "a99de43d815eee8fe71df7ef937c7ab3fafe8bd0d195d2ad3d7d8b0fb9c1cf90", "type": "eql", - "version": 101 + "version": 102 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.3", 
@@ -9441,9 +9581,16 @@ } }, "rule_name": "Clearing Windows Event Logs", - "sha256": "91c61dfda2eccdb8c59f38eb1379711e7846e9698a82d38e3cd08441cb450742", + "sha256": "80eb18a5cc8999d4e0465e89da2335eb835e0009bd5ecaa06732e30bf38dfd68", "type": "eql", - "version": 101 + "version": 102 + }, + "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { + "min_stack_version": "8.3", + "rule_name": "Remote Windows Service Installed", + "sha256": "3545eb890f9ebe56bdfb570d41bdb031805a91eefb681b5419f521054eb072ce", + "type": "eql", + "version": 1 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", @@ -9473,9 +9620,9 @@ } }, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "0282c021304f537f3b7f79410e3cb51189f8fd9ac73d9170c8cad2ef25179626", + "sha256": "58adba1c923a8ce76e1a1764dc5cac882ab8ea93f2778dcf32c9c397a3aae8be", "type": "query", - "version": 101 + "version": 102 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "min_stack_version": "8.3", @@ -9553,9 +9700,9 @@ } }, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "2eceff2f08e547b98b4a4fd273ebc5ff1002b5ea012653e10cafb5400c0d0750", + "sha256": "a734fea0dd23b59bccb99dbb39f55007140181853044b5bfacd32e882f62f49f", "type": "query", - "version": 101 + "version": 102 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.3", @@ -9585,9 +9732,9 @@ } }, "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "c8974712024f97ac7f5da1ae93f1c55d8aacd77df8244aaf05968503a0bbab27", + "sha256": "e93839d1fa0ad3b30a87027cfc1a0c51d8008c86ae5891f0ca2bf8cdcce1172d", "type": "query", - "version": 102 + "version": 103 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "min_stack_version": "8.3", 
@@ -9601,9 +9748,9 @@ } }, "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "82b6769fa6453b254624c5e78eb7879b4a85c11d5e645d3d59e93b2ed496617e", + "sha256": "92ed811067c71e649fbbc628a2a61e03c1d21a86f68da8aae9ed2529cd527123", "type": "query", - "version": 101 + "version": 102 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", @@ -9611,6 +9758,13 @@ "type": "query", "version": 100 }, + "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { + "min_stack_version": "8.3", + "rule_name": "System Information Discovery via Windows Command Shell", + "sha256": "0bb95eb3226ad0e60c098e8138b7e713948fcdf4ab8b5e3ed11ad365090e8c5e", + "type": "eql", + "version": 1 + }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", "previous": { @@ -9639,9 +9793,9 @@ } }, "rule_name": "Modification of WDigest Security Provider", - "sha256": "d9ecb8a5b46bb59c75d61c08cc9e805df478434893f9d18060606aa2cdd469d3", + "sha256": "299587e9c0b5a7fb82cae54651b8add80ec18fd4116c73d37c62c59ee4a8e78d", "type": "eql", - "version": 101 + "version": 102 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.3", @@ -9655,9 +9809,9 @@ } }, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "d5faba44073d65f08ebc2beb461ed5204fe47b5403698210637f957944333164", + "sha256": "8a4f280aa94b3ad7d25e1a762b698206bfd019f237850e932d35cfffea8c0870", "type": "eql", - "version": 101 + "version": 102 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", @@ -9774,9 +9928,9 @@ } }, "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "bf26336bfd7923642699c1afeef4e3883c311418a401723897117581fe882e16", + "sha256": "3d04ec568d333ede23b4fd635946bee450190e15d6c7df00eb984cf3a8055108", "type": "query", - "version": 102 + "version": 103 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", 
@@ -9790,9 +9944,16 @@ } }, "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "6c07e056b78194d8babb4e07d5f498e1b2405c3a24763655ffa394e5cf4d23d1", + "sha256": "fe22999297006569d3da7b919f04e63688de0d9e3f0c04307ab3410de0cb868b", "type": "eql", - "version": 101 + "version": 102 + }, + "da87eee1-129c-4661-a7aa-57d0b9645fad": { + "min_stack_version": "8.3", + "rule_name": "Suspicious service was installed in the system", + "sha256": "cc57f9589894b66173e79bcf9beb04116ea17f116f2117e8a10311ed52c55730", + "type": "eql", + "version": 1 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -9812,9 +9973,9 @@ } }, "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "a9ea3b79a78beefb62ab8a2e7c3c743a0c2c2060c565d603d0988b78b74fa249", + "sha256": "58e37f75298f02342ce358c28f62bf60ccc43c83ca4dbecc51f1e417f8825336", "type": "query", - "version": 102 + "version": 103 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "min_stack_version": "8.3", @@ -9850,9 +10011,9 @@ } }, "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "d4eaf0bc1a742c8af3f1dc3c393a9f41d5fd3c892913755592408e9207c115c6", + "sha256": "c61762d2240bb79d813250ac2192f2fecccb26fd9680b19f1cf5d9f878eba2a7", "type": "eql", - "version": 101 + "version": 102 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "min_stack_version": "8.3", 
@@ -9866,9 +10027,16 @@ } }, "rule_name": "Unusual Country For an AWS Command", - "sha256": "48e2412881f42c63b399c71e7f3ab3b8c832aa2b170e5ced8ed0304247ca28e8", + "sha256": "8d05ba56d88cd404de0c0b88e55262013a807a20b7c0c834781d4aad7c801829", "type": "machine_learning", - "version": 101 + "version": 102 + }, + "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { + "min_stack_version": "8.3", + "rule_name": "Reverse Shell Created via Named Pipe", + "sha256": "3faece6db2f1c72fe1d5778d208c78215ef28e8d4d67b73f2da62980efe8874c", + "type": "eql", + "version": 1 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.3", @@ -9882,9 +10050,9 @@ } }, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "3c571a1dd8be7ebd5a8a34f2c143d1ec0405ca997f9b91ddfda5df8707b3d122", + "sha256": "47f461351757f45e50cfdbadc787a96e798a6ce087899005559c7c758913dacc", "type": "eql", - "version": 100 + "version": 101 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.3", @@ -9898,9 +10066,9 @@ } }, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "66cc57811e58cc3b6b63b37ef65a7ac823ac2fa1827e6612cd5d33d282bdd3eb", + "sha256": "96e7e3fff5e33338c70c04d90e1f3d8c71df77ecb7ea85ea65312c41b82057c4", "type": "eql", - "version": 101 + "version": 102 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", @@ -9967,7 +10135,7 @@ "version": 100 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "8.2": { "max_allowable_version": 99, 
@@ -9975,12 +10143,19 @@ "sha256": "5f82d1552eab33089166bf4b52136d5755de62953bde404fa8922d5d4b39ac0d", "type": "query", "version": 3 + }, + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod Created With HostPID", + "sha256": "1812535ee0bdc44f1edbc5e9801928f2712abc4984e8a97fc4f641b2b6c2ea7a", + "type": "query", + "version": 100 } }, "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "1812535ee0bdc44f1edbc5e9801928f2712abc4984e8a97fc4f641b2b6c2ea7a", + "sha256": "09ff236a22f07a8a06af1137318993021d853570508b56f80d3582afc6851646", "type": "query", - "version": 100 + "version": 200 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", @@ -10032,9 +10207,9 @@ } }, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "8dc167f9c34553aac49e9c99d5f221c55b7fc4214f922437fcb90476a82719f4", + "sha256": "23bb5841739565c44acd0f0bd8f596eea3cd2a7450d383d72e0f5c73d983857c", "type": "threshold", - "version": 101 + "version": 102 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", @@ -10144,9 +10319,9 @@ } }, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "e847c81e73d2e9e5eeb45c14ea50f9fb3326d945aed7ccb47ae090cba86e0635", + "sha256": "523cfb5805f13ece1f81e25c30c523c95c3f899e0492cfc883db1d16e0b1d4cb", "type": "query", - "version": 101 + "version": 102 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.3", @@ -10160,9 +10335,9 @@ } }, "rule_name": "AWS Management Console Root Login", - "sha256": "9df7d5838d0c4e559ca85a90db69833ac5d9cbebbdc5307b1c041066e02503d3", + "sha256": "b22d47e3db00b13d01872f061c55cba091a0c2f838d20c0311ffcd999310609a", "type": "query", - "version": 102 + "version": 103 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", 
@@ -10176,9 +10351,9 @@ } }, "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "05e6ba7ef86cf6c9c220639969457cc4d246a4dd0489a9759bb39d2283d92dc0", + "sha256": "cb1a1e483fa9c80cd3d9d4249d2e7119f20b1740fbfa5172c24f3acf92de9ed5", "type": "eql", - "version": 101 + "version": 102 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", @@ -10192,9 +10367,9 @@ } }, "rule_name": "GCP IAM Role Deletion", - "sha256": "a261c12a2575b204a26239d99fdedd6621ebd1e74766d317d83e32e4f4d880b6", + "sha256": "017514f1e7b158a68ee2e227a2a1973c2bb7495b15f4e2774d90b0e1e479d8fd", "type": "query", - "version": 101 + "version": 102 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.3", @@ -10208,9 +10383,9 @@ } }, "rule_name": "Process Activity via Compiled HTML File", - "sha256": "98ae02a925474a4a9e78d0d0d8dbeabfdaf445f52521a8a9b959966ce82d5033", + "sha256": "3454ccbaa588bfe2fd59b9c06b4bc8fbc171115c06236e6bc371ec135edb5414", "type": "eql", - "version": 101 + "version": 102 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "min_stack_version": "8.3", @@ -10288,9 +10463,9 @@ } }, "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "602a542c8e9959c09c63a8848909e01c8998f2bd603dce697bcad5cf54a8ee41", + "sha256": "6daa40545ae110d23965c10cdd3b97559c76c2a36f9fc79abe0e93316a8d36ed", "type": "query", - "version": 101 + "version": 102 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.3", @@ -10320,9 +10495,9 @@ } }, "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "18b0b4765885e3927ff10194d174b56855207f7c39a8464625fd11ef9c666687", + "sha256": "68a7868d48a65f8e4e1e56826f2e37fe31cdc29523d6475d34d42f1bc9fe6fd8", "type": "query", - "version": 101 + "version": 102 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.3", 
@@ -10397,9 +10572,9 @@ } }, "rule_name": "Possible Okta DoS Attack", - "sha256": "3f076094b7534befc4760d78bea1055a65093435dc039640983afca7242cd674", + "sha256": "d79bf4f3a31c9f68d62437e3fc948da164cba7efb2dc53ccb82e3e44b85d75c9", "type": "query", - "version": 101 + "version": 102 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", @@ -10429,9 +10604,9 @@ } }, "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "def78e2a7f58ea9d6e4fe790d93765a71427715d5b30ac836d9328fc5afaaa2a", + "sha256": "83d36eebd5a1c5bd9b9284e4426de2874072c56ca9900883c3e40498d94926dd", "type": "query", - "version": 100 + "version": 101 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", @@ -10509,9 +10684,9 @@ } }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "5299c6e6ef8986d22caff9b0986512d01639fed9249c8fbc90c20ae3e980ac44", + "sha256": "ae574796583503daf7ee6688cbb92eba2472a7b294a56a091ec363cc4778cb13", "type": "threshold", - "version": 101 + "version": 102 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "min_stack_version": "8.3", @@ -10541,9 +10716,9 @@ } }, "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "72f3f24ab46905e067205b77360a5c5c72e64884a0444fecd2db93e731b2c7e2", + "sha256": "29bfd3f48b6df76e70779f91cfa1f8b759c2fa76fcaf9d68c0d83ecdcebeff0e", "type": "eql", - "version": 101 + "version": 102 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "min_stack_version": "8.3", @@ -10601,9 +10776,9 @@ } }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "b286d4dfcdc26c17c56d83d6370caac04c33f1cdec24e753ddce5eac2b43996b", + "sha256": "eb0986b65abd09f1b9b6f2a39768ef170acc5e1c555a31f5c1b0160b671980f2", "type": "threshold", - "version": 102 + "version": 103 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", 
@@ -10649,9 +10824,9 @@ } }, "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "54b7438d1013123460a2dc32513e815767625fe085c4107d10267f1c2d755f96", + "sha256": "eaaef4d43ff65f29d60201562572a38156ed486f23b570a0c83f39a8b29a6b86", "type": "query", - "version": 101 + "version": 102 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3", @@ -10697,9 +10872,9 @@ } }, "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "aa24f4bc7aa8b848fd0d816f4e6c1eccf73256d4925c363778bd93f5ff9f2109", + "sha256": "0ef6309d0af8ab9ed399840ec33e7798c78f5b624991b8d1b1f6647d49bb6baf", "type": "eql", - "version": 101 + "version": 102 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "min_stack_version": "8.3", @@ -10713,9 +10888,9 @@ } }, "rule_name": "IIS HTTP Logging Disabled", - "sha256": "6aded695b37e4a22fde5daf044109f558869e0ecd37bf8223b824f3cfbcc151a", + "sha256": "65fd8fa75cb0637224d0b3700443ce3c480fdcc6537d41108a7e7b67dfcb64bf", "type": "eql", - "version": 101 + "version": 102 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "min_stack_version": "8.3", @@ -10729,9 +10904,9 @@ } }, "rule_name": "Process Execution from an Unusual Directory", - "sha256": "51ee0462088e6eb9cbf1226f8e4a3f38ec3ebf7149e59e6111e8bf24d15c62d8", + "sha256": "b9bd02d84e2d8bc7cac8174aaf3f381455cfdaf0a0d2a66eb3015c6759194273", "type": "eql", - "version": 101 + "version": 102 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "min_stack_version": "8.3", @@ -10793,9 +10968,9 @@ } }, "rule_name": "AdFind Command Activity", - "sha256": "2485fbb2689a72ff253a67de943f22d4fb1f1b2f03f8048d7fb617c607811429", + "sha256": "1d62ea417a0695a5ddd6a2694d4720e4e744f9726124b6dd84edabac9518cba4", "type": "eql", - "version": 101 + "version": 102 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.3", 
@@ -10809,9 +10984,9 @@ } }, "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "840d13b54f7cb11a9f7a9b1051045be50c63876aa56316af95d6c9ac6a2ca649", + "sha256": "6dc4ff7b0ca3ce5144945a41508e56d1514037be901492a1a07c1baad5e0cc53", "type": "query", - "version": 101 + "version": 102 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", @@ -10832,9 +11007,9 @@ } }, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "353d5f8e6423023ff04c05d5581ee88d8b69ed680e3391194e5cacb86c03b7dc", + "sha256": "530382d7b01b3cda349bef2a36ac432bd9e0927c01ae0613325b0ffa70147a23", "type": "eql", - "version": 101 + "version": 102 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.3", @@ -10902,9 +11077,9 @@ } }, "rule_name": "Whoami Process Activity", - "sha256": "fe656a11589118be5a50bf03e4143873c92567396a8cb53a7d86a10f3d1bf880", + "sha256": "3a3e3caca16f7d42b8a0fd7ca791724215ce053bb5c1ce08d2124dc06726d5cd", "type": "eql", - "version": 101 + "version": 102 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", @@ -10950,9 +11125,9 @@ } }, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "0e2011ae1168527217c41532a9809aca51fe9d23b35546e80a05feee4cb00f20", + "sha256": "1702f9d302ca3492bc215a85a0ab94b7db183f3f162e2419ecf3119b1fe07848", "type": "query", - "version": 101 + "version": 102 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", @@ -11014,9 +11189,9 @@ } }, "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "69f6e9352509b644c95ad43357cb6f9d3c39cb13a3a793ba5844232554883eda", + "sha256": "be9d456972ff4ca0b7790db2070a4fa76a3ab69c2a63278b586586187e6f461c", "type": "eql", - "version": 100 + "version": 101 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", 
@@ -11046,9 +11221,9 @@ } }, "rule_name": "SIP Provider Modification", - "sha256": "5262a4e6073b071fc281f6e7520b0fd5d2dc72fe5ee12be03ff920741797cf9b", + "sha256": "8e282a32c0a3d0ac5323eb344d3835fd1cc0188d2895c75c53c32ea0ccdfd481", "type": "eql", - "version": 100 + "version": 101 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.3", @@ -11069,9 +11244,9 @@ } }, "rule_name": "LSASS Memory Dump Creation", - "sha256": "d5ea7927774ec7e899aabbe5ff76bbf6320747fab152f3060a53f0ffa131d1a0", + "sha256": "d69789ff23168cfa1cd77c566506b2dd8d42e1b091ca65a8fdb71695fd8601b9", "type": "eql", - "version": 100 + "version": 101 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "min_stack_version": "8.3", @@ -11149,9 +11324,9 @@ } }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "ad13c2d8f098b883bc6bf5c27f0678c10bcafc193fca62b85e1de1c4ef2f91ed", + "sha256": "1daa2d1aca1f89c4dea17834b8d4cb7c4e26542e2fcea9f36dd20b25b4a0374a", "type": "query", - "version": 101 + "version": 102 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", @@ -11171,9 +11346,16 @@ } }, "rule_name": "Windows Script Executing PowerShell", - "sha256": "fedc5ef0d246547918a65e267279fadbe346167eb50cae863f0f315138254dc1", + "sha256": "5941ad11744bd291b7d284877b37dbe61796e829d69eeab6f3d08121b1e152dc", "type": "eql", - "version": 101 + "version": 102 + }, + "f5fb4598-4f10-11ed-bdc3-0242ac120002": { + "min_stack_version": "8.3", + "rule_name": "Masquerading Space After Filename", + "sha256": "d08be051a0928e3e5e95c19cac5e06d4d4302bb489a20cd9e88b4191bf2956db", + "type": "eql", + "version": 1 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.3", 
@@ -11187,9 +11369,9 @@ } }, "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "13fcde72d8e87ca78eb4d8a245eada3ac99571d940c829c7aba1d199809e860b", + "sha256": "b832b358dba011c1161ed80e69f3b9fb97555b3257860df5116508c7b979a0dc", "type": "eql", - "version": 101 + "version": 102 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.3", @@ -11203,9 +11385,9 @@ } }, "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "baa9393bddaf7959dc8490b5d81c880e6b15612abe689a688ea96b31921089a7", + "sha256": "b93a1918988dff0813351479965b3ad2488fec624d9ffa3ec192c944821f2023", "type": "eql", - "version": 101 + "version": 102 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "min_stack_version": "8.3", @@ -11251,9 +11433,9 @@ } }, "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "9cdd636f05cb4a050455706f0fcecbbda409b1ba3899ef4ef6baae77a96512bd", + "sha256": "fdf3ea4c69919a47d87fe269b9c147190327f9b4b257d36f9167b408082983a8", "type": "query", - "version": 102 + "version": 103 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.3", @@ -11267,9 +11449,9 @@ } }, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "ef5b71159e79ab55f581e66fe5b663f3dc4a2795f704dcf0e1be011d7c9253d7", + "sha256": "9bd593d93ab8018bd8213a5f7518e1c19ec8ec2684a5189d89546bd50ed06861", "type": "eql", - "version": 101 + "version": 102 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", @@ -11315,9 +11497,9 @@ } }, "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "149280220e16078cf0db0061bad940797ea17586a2d93324b30954457c888f89", + "sha256": "fca472ba727b985d4a44dfa6adf2fdf250aeb2f5c9edd0f019589d4e08fb7d93", "type": "eql", - "version": 101 + "version": 102 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "8.3", 
@@ -11354,9 +11536,9 @@ } }, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "f764fb4f4b6247567b46c2d8518615e943ad68fc8a4a3700b508ed1eee602c32", + "sha256": "f6bd7eceac3a9f5c358384b9eb45ceb6fe554256572255ed542f2f087252080d", "type": "query", - "version": 101 + "version": 102 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.3", @@ -11446,9 +11628,9 @@ } }, "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "1e024da5a55e3d1a8548dadb4c8b31139245ab531e780b68bb7e8ed8c16bf40a", + "sha256": "314c1a1c84407ea2bb271101c74921506fdb0c0c25d8d453d9891cf24b1c5cd1", "type": "eql", - "version": 101 + "version": 102 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "min_stack_version": "8.3", @@ -11469,9 +11651,9 @@ } }, "rule_name": "Suspicious CertUtil Commands", - "sha256": "7aafa80bd5d1755dd6faec5fd986c4dd331ab5c5139ef457c089cec992e6dd21", + "sha256": "934e4c8fb459a82e8f5a900989dbdaee889c42a8278b50f34c90f6a6c6b1af94", "type": "eql", - "version": 100 + "version": 101 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "min_stack_version": "8.3", @@ -11492,9 +11674,9 @@ } }, "rule_name": "Svchost spawning Cmd", - "sha256": "93c84da926504eee9f65932035b6ade982942e28bdc0bc0fd8a38bfd2bada827", + "sha256": "509470be42d36ed810fee8e7dff5816022b949e9ee4efeff63562ce795cd09a5", "type": "eql", - "version": 101 + "version": 102 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "min_stack_version": "8.3", @@ -11508,9 +11690,9 @@ } }, "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "94f7275eb748e77098ae1c4fd5e6b4a5c44376568274ac16fb9655e0dd7de6a2", + "sha256": "d073bbe38bfa52a90c3933ac4d05d66ddf074174b3d4e59c88d7492edc206f6b", "type": "eql", - "version": 101 + "version": 102 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "min_stack_version": "8.3", 
@@ -11524,9 +11706,9 @@ } }, "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "fd091af378672eb6a4d54cc67946b050400121579f1eae8d4a82063cafb21fd3", + "sha256": "a965a93045100c7f2d8fab35458272d76bef2737a777464f641b314e133fd1bb", "type": "eql", - "version": 101 + "version": 102 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "min_stack_version": "8.3", @@ -11572,8 +11754,8 @@ } }, "rule_name": "GCP Firewall Rule Deletion", - "sha256": "c5df9d509835d64ca44b34326499be978473ccd56aae84026f6b7d1acb3e3edd", + "sha256": "7c5d449d6c60389c14e240553ff0cb6515b0851c294f68f04fffbdfd4e89e297", "type": "query", - "version": 101 + "version": 102 } } \ No newline at end of file