diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 3fe707238..10839115c 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -4,11 +4,21 @@
 "rule_name": "TCP Port 8000 Activity to the Internet",
 "stack_version": "7.14.0"
 },
+ "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
+ "stack_version": "7.16"
+ },
 "0f616aee-8161-4120-857e-742366f5eeb3": {
 "deprecation_date": "2021/04/15",
 "rule_name": "PowerShell spawning Cmd",
 "stack_version": "7.14.0"
 },
+ "10754992-28c7-4472-be5b-f3770fd04f2d": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via awk Commands",
+ "stack_version": "7.16"
+ },
 "119c8877-8613-416d-a98a-96b6664ee73a5": {
 "deprecation_date": "2021/08/02",
 "rule_name": "AWS RDS Snapshot Export",
@@ -24,6 +34,11 @@
 "rule_name": "SQL Traffic to the Internet",
 "stack_version": "7.14.0"
 },
+ "1859ce38-6a50-422b-a5e8-636e231ea0cd": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
+ "stack_version": "7.16"
+ },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "deprecation_date": "2021/03/03",
 "rule_name": "Setgid Bit Set via chmod",
@@ -64,6 +79,16 @@
 "rule_name": "SSH (Secure Shell) to the Internet",
 "stack_version": "7.14.0"
 },
+ "6f683345-bb10-47a7-86a7-71e9c24fb358": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via the find command",
+ "stack_version": "7.16"
+ },
+ "72d33577-f155-457d-aad3-379f9b750c97": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
+ "stack_version": "7.16"
+ },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "deprecation_date": "2021/04/15",
 "rule_name": "Network Sniffing via Tcpdump",
@@ -79,11 +104,31 @@
 "rule_name": "Persistence via Kernel Module Modification",
 "stack_version": "7.14.0"
 },
+ "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via the mysql command",
+ "stack_version": "7.16"
+ },
 "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
 "deprecation_date": "2021/04/15",
 "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
 "stack_version": "7.14.0"
 },
+ "89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via the vi command",
+ "stack_version": "7.16"
+ },
+ "8fed8450-847e-43bd-874c-3bbf0cd425f3": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
+ "stack_version": "7.16"
+ },
+ "97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via the SSH command",
+ "stack_version": "7.16"
+ },
 "97f22dab-84e8-409d-955e-dacd1d31670b": {
 "deprecation_date": "2021/04/15",
 "rule_name": "Base64 Encoding/Decoding Activity",
@@ -139,6 +184,11 @@
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
 "stack_version": "7.14.0"
 },
+ "da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via the gcc command",
+ "stack_version": "7.16"
+ },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
 "deprecation_date": "2022/01/12",
 "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -149,9 +199,29 @@
 "rule_name": "RDP (Remote Desktop Protocol) to the Internet",
 "stack_version": "7.14.0"
 },
+ "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
+ "stack_version": "7.16"
+ },
 "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
 "deprecation_date": "2021/04/15",
 "rule_name": "SSH (Secure Shell) from the Internet",
 "stack_version": "7.14.0"
+ },
+ "ee619805-54d7-4c56-ba6f-7717282ddd73": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
+ "stack_version": "7.16"
+ },
+ "f52362cd-baf1-4b6d-84be-064efc826461": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
+ "stack_version": "7.16"
+ },
+ "fd3fc25e-7c7c-4613-8209-97942ac609f6": {
+ "deprecation_date": "2022/05/09",
+ "rule_name": "Linux Restricted Shell Breakout via the expect command",
+ "stack_version": "7.16"
 }
-}
+}
\ No newline at end of file
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 450f3b5c3..06841ccdf 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -6,7 +6,7 @@
 "version": 6
 },
 "00140285-b827-4aee-aa09-8113f58a08f3": {
- "min_stack_version": "7.13",
+ "min_stack_version": "7.16",
 "rule_name": "Potential Credential Access via Windows Utilities",
 "sha256": "6bd8502bc40bd03620c90d9b566806eabce8546ce2a94ee8b2a6afba2bfd8d9a",
 "type": "eql",
@@ -14,9 +14,9 @@
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "rule_name": "System Shells via Services",
- "sha256": "161e4e8728fd276829af91860fecf7fc25b01143476115bb2a19d1637201c439",
+ "sha256": "48c130a4cc7d3fd34f76519d5e62d293629ee285d092ef4850400464786572ac",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "0136b315-b566-482f-866c-1d8e2477ba16": {
 "rule_name": "Microsoft 365 User Restricted from Sending Email",
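Review bot: The rewritten deprecated_rules.json loses its trailing newline (`\ No newline at end of file` on the final `+}`), a regression from the old file that will make the closing brace show as changed in every later diff; have whatever serializes this file emit a terminating newline. The fourteen new entries record `"stack_version": "7.16"` while every pre-existing entry uses the three-part `"7.14.0"`, so if this field is ever compared as a version rather than as an opaque string the two shapes should be normalized, e.g. `"stack_version": "7.16.0"`, or the format convention stated once in the repo docs. Nothing in these entries says what supersedes the fourteen per-binary "Linux Restricted Shell Breakout" rules; version.lock.json in the same commit adds `Linux Restricted Shell Breakout via Linux Binary(s)` (52376a86-…), which looks like the consolidated replacement, and the commit description is the place to say so and to confirm that every binary named here (awk, find, vi, expect, busybox, apt, gcc, mysql, ssh, …) is still matched by the new rule so the deprecation does not silently shrink Linux shell-escape coverage.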
@@ -24,6 +24,12 @@ "type": "query", "version": 2 }, + "015cca13-8832-49ac-a01b-a396114809f6": { + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "0f9f2e6b27d7fc8e499195aea802559ebfc86c27bca6c9e14b3a0c9ca688c89c", + "type": "query", + "version": 1 + }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "d1d8134c952b55fa1b0bee04fa68195ff7ae87787222ae233a9002be2a19f94a", @@ -50,9 +56,9 @@ }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "e76bd3f199ab4185aef6e1a682ff57da01ec324c9c7a86a0e74442073e84fe64", + "sha256": "502568bda8a45463938048cbebfd2f4b7ebdc9c42d21fb2f5909d98b4b9e8de0", "type": "threshold", - "version": 4 + "version": 5 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", @@ -86,9 +92,9 @@ }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "aea05dc73b1d06b72db4f0e6bce404d9f254959414d0e3af6dc5eff2175d7d9e", + "sha256": "03e2c849f488b4255582dc556738350c682785e1db0c8716435248bd3d26337b", "type": "eql", - "version": 5 + "version": 6 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", @@ -98,9 +104,9 @@ }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", - "sha256": "c122c98b1ce32b6a4b1c6f6cd8e773c9d312bab7e7b32508fa3f5ed205e26d4c", + "sha256": "97d7e293810d547dbf62a8870db00621434ca316153fea733c6b23839fe8942f", "type": "eql", - "version": 4 + "version": 5 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", 
@@ -110,9 +116,9 @@ }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "2c90826212589d2f58baa3e279088cf89a517073ca5736395558610b68f3facb", + "sha256": "b7aac4ac25a00672dd28ff2c7b8295335ed04f4040eb355166fbd9e0e346bf40", "type": "eql", - "version": 5 + "version": 6 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", @@ -169,22 +175,31 @@ "version": 7 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Anomalous Windows Process Creation", + "sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Anomalous Windows Process Creation", - "sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1", + "sha256": "4016b72789d6fc2eccdcc5ab3c1edca49249e6204f8bf791ba691994eda2bb02", "type": "machine_learning", - "version": 5 + "version": 6 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", - "sha256": "530be151c7380d77b392bb69a3927091b95505dabe5e215d7498dfac9a70be19", + "sha256": "3c70d874ab15cb6c3bcaf45af91a2da0480abff53380a63ddacf190479d1d20b", "type": "query", - "version": 1 + "version": 2 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", - "sha256": "f25cff103d26d356f2e7eb55da5889925ebdbf670af9f4fc8ff2073bc72799dc", + "sha256": "50c49407c691bb3554e8b8032e3e4d690e0a5628e04714428da86dd536b0143b", "type": "eql", - "version": 4 + "version": 5 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.0", 
@@ -207,9 +222,9 @@ }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "0f9353d514e91fcd914ee39f1c8abb89094025670de8bb9ddac6a07baf25365a", + "sha256": "e58851a94750450c6adccec2d211decb5601ef6c8fb04337f7179621fd807e28", "type": "eql", - "version": 5 + "version": 6 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", @@ -236,7 +251,7 @@ "version": 8 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "7d16ee5358944e8f1ffcc6a1c546c3bf938b26bcce752e118aaa63d1b5ae3633", "type": "threshold", @@ -292,9 +307,9 @@ }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "8dc4111ee11147f0444e2f5184ce8e6b6e93638804f7f8a86600299dfb094ecb", + "sha256": "afa57fcef927a0013d38733fd287cd98a22f439dcacf84a243dfea19eb9c13e7", "type": "eql", - "version": 3 + "version": 4 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", @@ -327,7 +342,7 @@ "version": 3 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Rare User Logon", "sha256": "f9e949d45ac4dc51bd454d12b2bd60ec23f8fe3d5ee9a15595a4663248317d73", "type": "machine_learning", @@ -351,6 +366,13 @@ "type": "query", "version": 11 }, + "14de811c-d60f-11ec-9fd7-f661ea17fbce": { + "min_stack_version": "8.2", + "rule_name": "Kubernetes User Exec into Pod", + "sha256": "f8545df65e0a8bdd40a22f65868a004d6ad603694bc26f6e92b53ed7bcf8b345", + "type": "query", + "version": 1 + }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "babbc6287d174b837d32ddc45d7233af2a2325136cdd66ffb0cae01ff942611d", 
@@ -359,15 +381,15 @@ }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "70660c0b8ec658ef3dee87e50fb1f9043df125fa38e8641a7a6ff9c12bff9157", + "sha256": "37feef3c443830a3d928b7da63899f44ed20a7f945f63bb6cfc0d01b28234b50", "type": "query", - "version": 3 + "version": 4 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "fc062d3bf4deba66d48c981710e41ccdca742c8be817aad00a87fbff74f5d4df", + "sha256": "e04dda94d308a00ea97e8f11881100e8b2be7301428d07415a022c25cd5d1c5b", "type": "eql", - "version": 6 + "version": 7 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", 
@@ -395,46 +417,91 @@ }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", - "sha256": "975fcc9572e8117b283322c180c833044bcd17bf6caf3fb3758f1b06c6c48351", + "sha256": "0ee9bdc342cc3d58a99e130d3659a7acda929c3b0d61733635486465999c6e76", "type": "eql", - "version": 6 + "version": 7 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "af1ffd24fd0a26c9e8ea2631e0dc2431a63d5292901f4eabdb74a96e7ce20bc5", + "sha256": "743ba4eef59cba89f8746fdb4fae26087f3ac2c969a96e7f1f072ea6618a14b5", "type": "query", - "version": 3 + "version": 4 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows Username", + "sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Unusual Windows Username", - "sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4", + "sha256": "105c5254659a1c9260cb4b1bf892b9717f7b3aacc4e4e92e84e3e1e82e0ff7ae", "type": "machine_learning", - "version": 7 + "version": 8 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows Service", + "sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Windows Service", - "sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d", - "type": "machine_learning", - "version": 4 - }, - "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "rule_name": "Suspicious Powershell Script", - "sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd", - "type": "machine_learning", - "version": 4 - }, - "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": 
"f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475", - "type": "machine_learning", - "version": 4 - }, - "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "rule_name": "Unusual Windows Remote User", - "sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841", + "sha256": "2c41319a596e55048d651a8eae2fd4978d2deef380839a9e743efaac6bf9b774", "type": "machine_learning", "version": 5 }, + "1781d055-5c66-4adf-9d60-fc0fa58337b6": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Suspicious Powershell Script", + "sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Suspicious Powershell Script", + "sha256": "0d37e6a1f9ff04f0c8199abc65da52e5641856efcf15b181b8c3fc39f6b8db5e", + "type": "machine_learning", + "version": 5 + }, + "1781d055-5c66-4adf-9d82-fc0fa58449c8": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows User Privilege Elevation Activity", + "sha256": "f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Unusual Windows User Privilege Elevation Activity", + "sha256": "5664ad8db9671b02df9d85cc1137599f55f4d866702a8b557c998d278560bb7d", + "type": "machine_learning", + "version": 5 + }, + "1781d055-5c66-4adf-9e93-fc0fa69550c9": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows Remote User", + "sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual Windows Remote User", + "sha256": "f4c5891de1f968b77020f063af4f068994f9578e6d31dd8f6bdbe6f62fecf7d3", + "type": "machine_learning", + "version": 6 + }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Suspicious Execution - Short Program Name", "sha256": 
"175f6548b5de9b9d17a9a0a1cdab3cc6acaac6de7ed04ce578c3ea023a8d891a", @@ -485,9 +552,9 @@ }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "ef9723409faac70d85d65a48be677534310d61564e4f1727b2d774522f519b9e", + "sha256": "645486ddfa80dd7712def7d98a7095ec46e5307b181819b66c70f890f32ec756", "type": "eql", - "version": 10 + "version": 11 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", @@ -521,15 +588,15 @@ }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", - "sha256": "8d1bf3800564ce39e0bf71bd0e491e273a5496b6d4ef5de26827498bedd7c2a1", + "sha256": "85ae33aa6ea9da5d75b1566ea17607b7675b777fa6a3bbea99899cee587b85e5", "type": "eql", - "version": 4 + "version": 5 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "713f215dd72eac1c0676cf847d9f30d87ba3c2ff376db9f225c99d4433c1eb02", + "sha256": "fe0775b9258ab492e0ec9b626336cb0565ace7438e7a9c9c817aed1feab9bb81", "type": "eql", - "version": 7 + "version": 8 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", @@ -539,9 +606,9 @@ }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "addced6abf8dc7f24872880d268564ecb42c37637279c57f635c19123b951d91", + "sha256": "f12a62cb3e7043b37dd8cc3bffbfdeb5a191ac0e33d733d4644b245ac3c8d252", "type": "eql", - "version": 4 + "version": 5 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", 
@@ -550,17 +617,35 @@ "version": 5 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Sudo Activity", + "sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Sudo Activity", - "sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716", - "type": "machine_learning", - "version": 2 - }, - "1faec04b-d902-4f89-8aff-92cd9043c16f": { - "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3", + "sha256": "9d82b230918f0db964b2f2e07fca49ec284c7105c28d58018a4d322e5893bca0", "type": "machine_learning", "version": 3 }, + "1faec04b-d902-4f89-8aff-92cd9043c16f": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux User Calling the Metadata Service", + "sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Unusual Linux User Calling the Metadata Service", + "sha256": "9d8ae15ea65c8d17c2ecc6ec2ec2b8a199580d92201179792f91b8e3961b9148", + "type": "machine_learning", + "version": 4 + }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "db699aa748d2368754bd1425dd417d14af479b9812bd1bd1b30fcfdaa28a8a59", @@ -599,9 +684,9 @@ }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "69e294a09630f9eb4247a56cedb9e0b8e554ec9dbab44a29636131e37fa932cf", + "sha256": "d73d4137d9648a5df1eaf5056df15b41eeb90de8072f4b35326de8d286d78330", "type": "eql", - "version": 1 + "version": 2 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
@@ -611,15 +696,15 @@ }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Modification", - "sha256": "e09b4081f8a3699114c413d133c7a1ac52dd6117fb38c45ad5a7e571ae266b0d", + "sha256": "422509485dcdfc86588db158efa6b71aa506a3a040879ef9d58ff360d9254116", "type": "query", - "version": 1 + "version": 2 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", - "sha256": "68c97c28c03ea0aebbd1ef5329bec0b99e502d344915014d772c34baa82ac1ca", + "sha256": "4f224e42287dded2b371f213fd94adea7581f4ea593ef8efe14731814f32b26e", "type": "eql", - "version": 5 + "version": 6 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", @@ -665,9 +750,9 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "b719addb4a6a57230aae3cc40562471814fa8acd231367bd19680f1898915bdc", + "sha256": "7600e66c79a7e595f82b2a9de4fe4ad3627b99577a2ddc803bea6675f6979854", "type": "threshold", - "version": 6 + "version": 7 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", @@ -710,9 +795,9 @@ } }, "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "10baf7a22ed410dd6e9322df564f73a88747df6187d923fcbb297e13f8a7e900", + "sha256": "cd977e5eda4ca92edd601f5de221d9d26603820e531f8c5670fb3014d62385fc", "type": "eql", - "version": 11 + "version": 12 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", 
@@ -722,9 +807,9 @@ }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", - "sha256": "49fcf33d915406bad89e37650162857322c5694c4c737f3d6d483354e7093ece", + "sha256": "1d856f4066095970388744bc7a5129d5bab0782175c24645216ab39908f5c34c", "type": "eql", - "version": 5 + "version": 6 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS Security Group Configuration Change Detection", @@ -746,21 +831,27 @@ }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "7c1598e9a202593653a405c7e689667f30879c9c7c5fbbaadcecd9b6b0f16703", + "sha256": "60ef1293f83074accd18d8bb8d9ec092840a776b301017bf38daca992135547b", "type": "eql", - "version": 3 + "version": 4 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Adobe Hijack Persistence", - "sha256": "c087ac82aadf7dfb2d9add79c330ae804def693824dbde17e6e2c3dabb70df72", + "sha256": "c6bbcabb66a2baaca5c8d09a361af561231f5180ca801d7f91f31e9e770b8cc9", "type": "eql", - "version": 10 + "version": 11 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "762fca2988b0f404c792d3e988b326211e555cace7a8ac733d1e8733c44ba16e", + "sha256": "d2d855c5d81207069a66dfe43aae45b4431bc671049e13b2b1c79444d9d9b2d3", "type": "eql", - "version": 7 + "version": 8 + }, + "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { + "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", + "sha256": "9cd1a4f9702a99116e02df6ad072dcad54e2340114f686fcc0e4e6cfad2b80eb", + "type": "eql", + "version": 1 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", 
@@ -788,9 +879,9 @@ }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", - "sha256": "eaab8260d69faff66f63e9bf739acc6871be99b9c66c13f390e2f5e3b04f7d63", + "sha256": "c9bfee8980152e41d3e2c0d9102a76838b7aec7da2cbce098861f35dc303bdde", "type": "query", - "version": 4 + "version": 5 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -800,9 +891,9 @@ }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", - "sha256": "f0c358aa5ce1930d3e8307463f794f93731a062290d6be7eef454fc7e6759f35", + "sha256": "6b354d3e0d2bde85f3f9059cb9b068f2ffcacdf5d19bb374e576b325e143444b", "type": "eql", - "version": 3 + "version": 4 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", @@ -812,9 +903,9 @@ }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "f8d8792fcd8ecbefccf02a8fa0725cdea1b69cf092d93b6f51a5cec9592de397", + "sha256": "defedccb891832b93199ced00f6f614d48838f61bb610b44e3f56464c7115485", "type": "query", - "version": 5 + "version": 6 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", 
@@ -824,15 +915,15 @@ }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "8688f4442a4922c7389a3f775954758dfa304c9cd53815b368df6bd184aea318", + "sha256": "146671f078cb7b638967dfe4e5f0891222dd0b9aee2dae7c5e0783145dd09e95", "type": "eql", - "version": 3 + "version": 4 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "26dc5a10698d54e01d3c36e07dd25e3628615f6731e8f0c84899d7d8e84de5d3", + "sha256": "e47f79c39c992cb1760ddcadb3faa9fe9b31980089d5509249a9632ec964c4e7", "type": "eql", - "version": 5 + "version": 6 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", @@ -841,7 +932,7 @@ "version": 5 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { - "min_stack_version": "7.15", + "min_stack_version": "7.16", "rule_name": "Agent Spoofing - Mismatched Agent ID", "sha256": "d067277b6d08d5e3fe395beecf2eb4a88a5ca6ae5691b52a1d334bae5e23661e", "type": "query", @@ -897,9 +988,9 @@ }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", - "sha256": "8679cd72bf85b67dde3dcfdaba749ed1fa6560bca5efd03ed41c76a500ce31d6", + "sha256": "ce6834d9dafd66f45445b3fb0a4245eed24500579f2af85682e5e6571a13435e", "type": "eql", - "version": 4 + "version": 5 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.2", @@ -924,9 +1015,9 @@ }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", - "sha256": "1a7637a8fac7be24840774ba8073ba9f6d41d86f869956ba529032727525f1a7", + "sha256": "74a0d255adb25d4827e203c7fa3922f546450ed3a707bdd96ce667237adfe184", "type": "eql", - "version": 6 + "version": 7 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", 
@@ -940,6 +1031,18 @@ "type": "machine_learning", "version": 2 }, + "3605a013-6f0c-4f7d-88a5-326f5be262ec": { + "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", + "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", + "type": "eql", + "version": 1 + }, + "3688577a-d196-11ec-90b0-f661ea17fbce": { + "rule_name": "Process Started from Process ID (PID) File", + "sha256": "fb229621998495e7b0380c1bc096587e6dd9344371b3f2be0cfc6c4dcca4c3d8", + "type": "eql", + "version": 1 + }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", "sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee", @@ -984,9 +1087,9 @@ }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", - "sha256": "9a4e0383a2220ac5eabe9f8e3ad9bdb4f9dc39f883852ab9325a0d1eaf5ade26", + "sha256": "502aac930269b1cc74ee8f1300a827ff81280b9d466ed2a3b56623b4c9f89749", "type": "eql", - "version": 7 + "version": 8 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with OSASCRIPT", @@ -1014,9 +1117,9 @@ }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "f0866afa0ff0c302726cbac517f57078dc6449aef9accd326db73eaa460774c4", + "sha256": "a242912740790ad096664c63b49e11e932516bbf3e5a54b0b58a023d4c426a48", "type": "threshold", - "version": 4 + "version": 5 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", 
@@ -1055,10 +1158,19 @@ "version": 6 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux Network Port Activity", + "sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Unusual Linux Network Port Activity", - "sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6", + "sha256": "1000f8d810e8053e982148bf3c89a01161b070ee8107e63e90cf68a25bb11a6f", "type": "machine_learning", - "version": 5 + "version": 6 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", @@ -1086,17 +1198,23 @@ }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "7994f8c47774c0f02a84d4fbc196bbbd74efed6cfd4cc23a0c536e81d619f36e", + "sha256": "871acb6cd0c6fd18c41a2f2c3e4aa03f34aa9136368fd7ed7a2096e62638fc5d", "type": "threshold", - "version": 5 + "version": 6 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "CyberArk Privileged Access Security Error", "sha256": "420e91f52a8fb273a099a96a3b3e8beb4c682a608f9ce67d763b32fa803a83dd", "type": "query", "version": 1 }, + "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { + "rule_name": "Binary Executed from Shared Memory Directory", + "sha256": "c61ffabbae249e561269fad5df75cc976195371c3f9e90b6a3a044a95dce6e69", + "type": "eql", + "version": 1 + }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", "sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01", 
@@ -1128,10 +1246,19 @@ "version": 5 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Login Activity", + "sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Login Activity", - "sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849", + "sha256": "eab6fce106f2399bd04eff3ebfcd91a9adec38c91c2edcd421d663be4f085033", "type": "machine_learning", - "version": 4 + "version": 5 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", @@ -1141,15 +1268,24 @@ }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "f1ff543b747d53d4b2e2b2aa5fda80f1a4d23108b488ea248435bb1a9a7c4345", + "sha256": "16e1633c1d492f6fd2fba6cb5bb83e1c8f23bb316938e3a4e4492a8a36497cf3", "type": "eql", - "version": 4 + "version": 5 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows Path Activity", + "sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Unusual Windows Path Activity", - "sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a", + "sha256": "6b7fa6eca7dbe6e2c1cab5f8f4fe85e211b7623bef22ff21fb4bc24dbe510a33", "type": "machine_learning", - "version": 5 + "version": 6 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", 
@@ -1159,15 +1295,15 @@ }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "rule_name": "Windows Event Logs Cleared", - "sha256": "f90953062d0a4c12cac51591351ec76cbd9f8a0a027530500e49e200f57a459d", + "sha256": "7485e3272dcc60566ca499afce5cf1f87ab84c039d427a4ed6a522fd0a7d1bc0", "type": "query", - "version": 3 + "version": 4 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "3021d788b698bb96799aa0a9f8380152999cb4ba9b3b5a07f3f4aadacc7b2606", + "sha256": "028d53e4e609b25d1ba9184b3d064ba5709b11efcceba3b499220feb503b07d7", "type": "eql", - "version": 5 + "version": 6 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.2", @@ -1184,17 +1320,32 @@ "type": "eql", "version": 13 }, + "4682fd2c-cfae-47ed-a543-9bed37657aa6": { + "rule_name": "Potential Local NTLM Relay via HTTP", + "sha256": "2fb5a3528f28bea1d5629229379f286d3d7b2c4dd003ee69343bb3ac9a1944b8", + "type": "eql", + "version": 1 + }, "46f804f5-b289-43d6-a881-9387cf594f75": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Process For a Linux Host", + "sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Unusual Process For a Linux Host", - "sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6", + "sha256": "e9c33face1c8c02435902a4a3477fe61fa7b2781006293be951e49167c994a8e", "type": "machine_learning", - "version": 7 + "version": 8 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "f6d5f22394af0e7a961260a093dddca1ec0c17447f038d8daeddda7612d0502d", + "sha256": "e8534be952035c9ed25a97f05c8a974e50ea1f0f9635ddbb12ecfd63b85a8445", "type": "eql", - "version": 1 + "version": 2 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", 
@@ -1227,7 +1378,7 @@ "version": 1 }, "493834ca-f861-414c-8602-150d5505b777": { - "min_stack_version": "7.15", + "min_stack_version": "7.16", "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0", "type": "threshold", @@ -1241,9 +1392,9 @@ }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "0182527c3aea40037ee645039520a3345bfdb046ba8fe73ac0e576a699fdefd4", + "sha256": "cdb824e4a9819c8e9889f065053418a5920b980702c0892282a34d584c8d6582", "type": "eql", - "version": 11 + "version": 12 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", @@ -1259,15 +1410,15 @@ }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "0ae822fec1abd33c32277f40e993668c09ec575f0f6580a760937417c7d50e32", + "sha256": "4c07864c9de0c88831a1a1b704628a56126012edebf132cb12045866c2d0f24e", "type": "query", - "version": 1 + "version": 2 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "7d0c7d18c1fde527b9d2b1db59f11692c19731d81d4ded5b1474c5157e719ced", + "sha256": "3073045e9ea5f36e53f50791af38546a458bb0c5a574df76c087c779b505365b", "type": "eql", - "version": 3 + "version": 4 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", @@ -1323,6 +1474,12 @@ "type": "query", "version": 7 }, + "52376a86-ee86-4967-97ae-1a05f55816f0": { + "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "sha256": "f6eadf53a53c859d3263ef9c0f123e255916897ab99b0451231ee9b818e772d4", + "type": "eql", + "version": 1 + }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "33e7314dd4b45b521415255a0c6fc075f77dba01dac56340b885f8befad43b9b", 
@@ -1330,10 +1487,19 @@ "version": 10 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux Network Activity", + "sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18", + "type": "machine_learning", + "version": 6 + } + }, "rule_name": "Unusual Linux Network Activity", - "sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18", + "sha256": "f5304548d6e36152f1e8a35019086b17cb71276fcf3b12fec97aebb69fe3be01", "type": "machine_learning", - "version": 6 + "version": 7 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", @@ -1347,6 +1513,12 @@ "type": "machine_learning", "version": 4 }, + "530178da-92ea-43ce-94c2-8877a826783d": { + "rule_name": "Suspicious CronTab Creation or Modification", + "sha256": "d3884fdedd271fd8ef68a5e1be9cd5b96f723566fb795594d2c41cdfd708cf0e", + "type": "eql", + "version": 1 + }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System or Mount Deleted", "sha256": "50fecd5f633def52322813c1945eafd486a657ed308f0a00c4ef1d5437850489", @@ -1361,9 +1533,9 @@ }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "3ed911267cf036188fb9ead85cd39d0a0a023803dfc7684b7c993052141d20ff", + "sha256": "7822580c4c1c4a801d5bc2d495742874654f65c943a3c8e33e7f7a9a57cc1f00", "type": "eql", - "version": 8 + "version": 9 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.2", @@ -1424,9 +1596,9 @@ }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", - "sha256": "a6ab7a4b6183e85c823652746ea2e25f7f49ac05c1d0dbdc181f9a609672be1c", + "sha256": "9e5a518c440a470859b4dfcf1a8b5d910f8941a8a872b6087ef481565340fc7e", "type": "query", - "version": 3 + "version": 4 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", 
@@ -1448,21 +1620,21 @@ }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "rule_name": "PowerShell MiniDump Script", - "sha256": "5d915a9aeca90d9de6c05bd51d0801f4acd7991e9db0e7edd0a36fb22c02e786", + "sha256": "aa62dc42194f1f23e125ab54d9142e666ca5d21e32937d12142c29a1a324b3c7", "type": "query", - "version": 6 + "version": 7 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "7df021737a6a2038f5528d4b31288d8d55b44570fdfd88d8c8dcb97a60621e53", + "sha256": "86d42e7e69469e20c0a4e192ff7b1b3b8984297bb051fe0fc0d97a257710926c", "type": "eql", - "version": 11 + "version": 12 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", - "sha256": "35a31565a9041ceb30cc429bff5ab96fb097062f669b4dc18ef7f94c1e34510c", + "sha256": "30630b7400b5f0f712f2b852253bfab1474a2ca6b9268f8a42ba5d463b335b0a", "type": "eql", - "version": 6 + "version": 7 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", @@ -1471,10 +1643,10 @@ "version": 4 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { - "rule_name": "Lateral Tool Transfer", - "sha256": "3879f384221103f101d7c1c2cc0d549e9b6fb16338e554b2fefaa36d2581debb", + "rule_name": "Potential Lateral Tool Transfer via SMB Share", + "sha256": "fccdc8cdb7b3ef92b3e30da671101575b76c05c404ebf4657415a612c2f2d490", "type": "eql", - "version": 4 + "version": 5 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "min_stack_version": "7.16", @@ -1487,9 +1659,9 @@ } }, "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "e6a62a4921fe2133f5a000cbccfb57202b3dde0fb97ad66725c6da91a8c21751", + "sha256": "60e1a724d9edbc22f6528691c7025186bdb347bfbeeb7940698260f32e9aeee2", "type": "eql", - "version": 4 + "version": 5 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "O365 Email Reported by User as Malware or Phish", 
@@ -1504,10 +1676,19 @@ "version": 6 }, "59756272-1998-4b8c-be14-e287035c4d10": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux System Owner or User Discovery Activity", + "sha256": "4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Linux System Owner or User Discovery Activity", - "sha256": "4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3", + "sha256": "e41fd4f6fee735f8f4d622091922635835073038420494f835501080da741b64", "type": "machine_learning", - "version": 2 + "version": 3 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", @@ -1546,10 +1727,19 @@ "version": 8 }, "5c983105-4681-46c3-9890-0c66d05e776b": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux Process Discovery Activity", + "sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d", + "sha256": "af77025b9a595eb66fc50d24b2dd04472ce63a9aa0ad7a240af00ce76c0c6708", "type": "machine_learning", - "version": 2 + "version": 3 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "rule_name": "Outbound Scheduled Task Activity via PowerShell", @@ -1559,9 +1749,9 @@ }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "36b3fb5179d103871eed9c7265c498b2d4b3a270689165e986807a9781a6522d", + "sha256": "ac000ad6848bf4383ec466ed3bc10b7dc7489864b7a2cda751e0036fc8434677", "type": "eql", - "version": 4 + "version": 5 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", 
@@ -1619,9 +1809,9 @@ }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "aedd7e1b3fcd50af628b1c9709e398994b3cfd6f423c0e4b19e3af03cb453f57", + "sha256": "348a40858c559125d0eec34d7212dfdeac55ba6faa8db7c6ab604fc97c9aa6d5", "type": "query", - "version": 5 + "version": 6 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -1631,9 +1821,9 @@ }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "b50f5194aabdcfbce951a9d9fde9396fa41a5dc392a8b4d23f48db9fcbca436b", + "sha256": "e4eda33820328a8ea3b438af247d210a2d27bba8ee73d91bb776965247b30b24", "type": "eql", - "version": 1 + "version": 2 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "rule_name": "Incoming DCOM Lateral Movement via MSHTA", @@ -1642,10 +1832,10 @@ "version": 6 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { - "rule_name": "Account configured with never Expiring Password", - "sha256": "231170e59c7b88093443b9be15147a4f2067521fdb2081c84ca961a107e229f5", + "rule_name": "Account Configured with Never-Expiring Password", + "sha256": "b11ea0b16c59af178aae7fc5869e311bc7e98918cedba5dcd6693398144c70d8", "type": "query", - "version": 1 + "version": 2 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", 
@@ -1654,10 +1844,19 @@ "version": 9 }, "647fc812-7996-4795-8869-9c4ea595fe88": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Anomalous Process For a Linux Population", + "sha256": "c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Anomalous Process For a Linux Population", - "sha256": "c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3", + "sha256": "f66d977c873bbbe1eccb28231f01007c50dd98592508187bda912d8b06282cd1", "type": "machine_learning", - "version": 7 + "version": 8 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", @@ -1685,9 +1884,9 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "d96aa5b8cc822b8685cde3ef233ed3f96f64628ea7e71117d8ac779f2c959c14", + "sha256": "56d77dd4079675a4b79810d1ca79ee02983c2fb5965c0676e9c831340f0a6262", "type": "eql", - "version": 8 + "version": 9 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", @@ -1726,7 +1925,7 @@ "version": 3 }, "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "7.13", + "min_stack_version": "7.16", "rule_name": "Image File Execution Options Injection", "sha256": "6f3da8f7ad3053933ead97d9f24027defb33edf3e295ff028bd18a9028833dda", "type": "eql", 
@@ -1792,15 +1991,15 @@ }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", - "sha256": "dd841408014554f88230b326f47d2cfc564d2cdd5b02b122f878f7be5495d19d", + "sha256": "dc7c016e305be812b3d2e4288822690caacc18eff343975887b642f4639d43ad", "type": "eql", - "version": 10 + "version": 11 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "1429ae42606ee0f1531dd13daed17012855d148d9e0c9c714095e01dcae486e7", + "sha256": "8ceeff23f163dec7641b8a40206c00d20925523f3b20a5d2f4e08140113fd083", "type": "query", - "version": 5 + "version": 6 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", @@ -1810,9 +2009,9 @@ }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "64d22d71f078b010888d53343adfc825d0dc2e74e9164348bc6c11455058fe02", + "sha256": "52c5cb860bad700cc9d175680b4ef985f4c2b87d545923b755c96e802e023810", "type": "eql", - "version": 7 + "version": 8 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", @@ -1820,6 +2019,12 @@ "type": "query", "version": 1 }, + "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { + "rule_name": "Remote Computer Account DnsHostName Update", + "sha256": "45706af41dd0e101a3f59b870ba870250864df9ed5c53ce61e227e1027bc6e09", + "type": "eql", + "version": 1 + }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "9a47baed80aaf38c9a8f7e85d4037d396c3a9b38097f0b8e272fffd95dceae7b", 
@@ -1827,16 +2032,34 @@ "version": 3 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Process For a Windows Host", + "sha256": "9acf5cf644f0dd40d86fe207e02999cd5ad7cb60a50cb3c648eb7def01929e9a", + "type": "machine_learning", + "version": 10 + } + }, "rule_name": "Unusual Process For a Windows Host", - "sha256": "9acf5cf644f0dd40d86fe207e02999cd5ad7cb60a50cb3c648eb7def01929e9a", + "sha256": "d1b4768478efdf6055479fffaca2f55ec0d54619814576b99b10c10ea71b829b", "type": "machine_learning", - "version": 10 + "version": 11 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Anomalous Process For a Windows Population", + "sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd", + "sha256": "21fc1de563e9b545cef035fc515694a096264e04a05671b680bbf89249f989e2", "type": "machine_learning", - "version": 7 + "version": 8 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", @@ -1858,9 +2081,9 @@ }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", - "sha256": "b9919bdd909607336ad86a5ea0346dd3acf151ca77662498136260cecd305027", + "sha256": "ab44461f57e7c5d83d961c3c2f612e62afa4180abc2bff89599028f52daa81df", "type": "eql", - "version": 5 + "version": 6 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", 
@@ -1957,9 +2180,9 @@ }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "57c45a048623d19d496d5ee98573591798ca52cb5ec071bba46c6b90c4b17cef", + "sha256": "377e5ce257eadd1dee5a301687b5b23a736ba35b1dc669781ff1b2e99b7a41a2", "type": "eql", - "version": 8 + "version": 9 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Launchctl", @@ -1968,7 +2191,7 @@ "version": 2 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Unusual Hour for a User to Logon", "sha256": "cfc6d020a4aff760e43c4f33a76f8e3f56c9aca58b2199c4c498bb3f6f966b42", "type": "machine_learning", @@ -2000,9 +2223,9 @@ }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "bc1fc688fed788cd66347d5c0eaa5a1d5d4fd1601c72d7a02c55cf368fdae795", + "sha256": "753b7a23d96a32763774e42a9ac7992bb99fd9734dfa3c25aa20caf83f352aa8", "type": "eql", - "version": 5 + "version": 6 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", @@ -2069,9 +2292,9 @@ }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", - "sha256": "fb501436e383efcf5e328aebd617b39354e50a49f0f6b3b3ab1107e0e98d4134", + "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", "type": "eql", - "version": 4 + "version": 5 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "AWS ElastiCache Security Group Created", 
@@ -2081,15 +2304,15 @@ }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "rule_name": "Windows Network Enumeration", - "sha256": "e0b9fe2ce2764508ca2276687829e1de0a3bbfe7ebda22dddb89e17c8081df19", + "sha256": "a8d8fd60cf7e270b2c2e36f2ede12840784085549953c8cb27dc721d43c9bcfe", "type": "eql", - "version": 5 + "version": 6 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Bash Command-Line History", - "sha256": "52cd42c3d4611e694abedca8df138cb0ec2596f60016a1726ddf9b0cd565ada2", + "sha256": "4d0c013b8dd99044bdf0024a186dbd9e9c0b4442245c97e3b61314ce54816f96", "type": "eql", - "version": 7 + "version": 8 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", @@ -2123,9 +2346,9 @@ }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "4b526ba418a8a67f9378e02adfe4de5aee1b3d1370986fa05d967f8561a3470a", + "sha256": "8865595e2418b8460fccf1b3090d7ec582d17939e8e26bb42b714e35f2b79d8f", "type": "eql", - "version": 2 + "version": 3 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -2135,9 +2358,9 @@ }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "2d2f233d0eac8f98bb7eaed5cd0e71104341516f9d6b45a7e0895d9ba2353502", + "sha256": "ee5b8127fbd2fb5d6fb5a1ad6b9071823bdccd69f2867ced85c3daf3470bd887", "type": "query", - "version": 3 + "version": 4 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", 
@@ -2158,18 +2381,18 @@ "version": 1 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { - "min_stack_version": "7.15", + "min_stack_version": "7.16", "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "5c9f1a93f3b025b4be0f335bb2cae5bfc853b437d7f16355b30cd65eabc4520e", + "sha256": "8685535bf9243409313814ba723d4756086bfd934685c8d4c488df2aae0f7afb", "type": "eql", - "version": 1 + "version": 2 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "min_stack_version": "7.13", + "min_stack_version": "7.16", "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "82cc2880a87f37799588a44ac43274cc655633a7c57ff138a6bbd29b7e65b254", + "sha256": "090277993fca5c0b7466a70ead493206f923df9d98dcfa4624f7d9d624135bf1", "type": "eql", - "version": 5 + "version": 6 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", @@ -2197,9 +2420,9 @@ }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", - "sha256": "99dc6a0d861583d91f2cfad5c22bff727b1f52ff001b28cacb48b7b09264a1cb", + "sha256": "94436e95522ff9b53a6319cd88739796bab4984279a26a9e6bca4509e08904dd", "type": "eql", - "version": 5 + "version": 6 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", @@ -2239,9 +2462,9 @@ }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "0bf83bae94f8428bbde22ccd5cb8ada9e697e8f614c366e56ff0123e7ab80231", + "sha256": "8a406566ef82da155db97b3a1beebb344df49359242791eede92f672f71dc074", "type": "eql", - "version": 6 + "version": 7 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Command Prompt Network Connection", 
@@ -2280,7 +2503,7 @@ "version": 4 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "7.13", + "min_stack_version": "7.16", "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "ece6617d0c710bb863cfc4efd2fe61e53bfc9df42a5584c739b063d25a49995a", "type": "eql", @@ -2288,9 +2511,9 @@ }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "fdf2016d69e887f99a56af384b5cfe9f354c3b8d6a4c50f5b96d13e1c4936074", + "sha256": "1ef638d32b8a25cfaeee7f43b7c5ec3ce34ea722e2b037241f7403db07c4e81f", "type": "eql", - "version": 3 + "version": 4 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", @@ -2369,9 +2592,9 @@ }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", - "sha256": "e95b011bb8a3aa490e0c1725dbcb086dcbe8f993b61947c9a5c274bf5de92b83", + "sha256": "b67a5ad8438ca5f03153173607bd3e2f12cf73ba352e1f3d094c85dfc7c1e7c3", "type": "query", - "version": 7 + "version": 8 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS Deletion of RDS Instance or Cluster", @@ -2441,9 +2664,9 @@ }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "6d382546346f8466280644399f00e615d3e25f460ba094afcc29da63e902a910", + "sha256": "ecc07276a30e1c2b066d22354d26535909e33b5c78f61e56ba7267a91790cc9b", "type": "eql", - "version": 4 + "version": 5 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Encoded Executable Stored in the Registry", 
@@ -2480,9 +2703,9 @@ }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "fbced4ec00849c83a12529e3b2cb735a03fd08be899628e833a920f1bb042e8a", + "sha256": "e7199b7564ddc365ce924851aae185ee10cd63b272d5c35f43c44e3f805d9b26", "type": "query", - "version": 3 + "version": 4 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", @@ -2590,7 +2813,7 @@ "version": 4 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Spike in Failed Logon Events", "sha256": "7672fb2df32a9f3da61cb0c2022f18f8bf57af080a3e29e0b647e715d887ef07", "type": "machine_learning", @@ -2690,10 +2913,19 @@ "version": 4 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux Process Calling the Metadata Service", + "sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420", + "type": "machine_learning", + "version": 3 + } + }, "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420", + "sha256": "f2adae4151faa2a64ae9ff2e67c933ae866b7ef695a46927533cb8971f55c395", "type": "machine_learning", - "version": 3 + "version": 4 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", @@ -2703,9 +2935,9 @@ }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", - "sha256": "43fe08ed07e605533a34a15977f617fbc2df8f092e0786ca9163476e5a8153e3", + "sha256": "3923833310eb6eed8cbf8fcda44d03b9f961d351e2e1e52967b4dfc4cdfe7d93", "type": "eql", - "version": 2 + "version": 3 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", 
@@ -2768,11 +3000,11 @@ "version": 5 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { - "min_stack_version": "7.15", + "min_stack_version": "7.16", "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "cc90a0587f15e6896fcc7fcdf8b94c2a6ca43a67d0fcd2a20023a79cc5da21d3", + "sha256": "80d3c23f3267aac09f575e38679ce6ab8784d74f599a8ec2897a6a4bcde48932", "type": "eql", - "version": 1 + "version": 2 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -2794,15 +3026,15 @@ }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "cebc6b72197a1e19dcd4e282b646edae5d0ce561248b867325375fcb0499af68", + "sha256": "8c4c8ab828b11155adf651f53035cdcf8fe3f554234049b374fbdfe0bf6a6a8f", "type": "eql", - "version": 10 + "version": 11 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", - "sha256": "6ca94a6a62b97c72a2074a2a01c670851905fd3244a244190411743a14d9797a", + "sha256": "c3d17caef381a5e8390cb4562f57e69687174f2022e14ffb1da0e15b8e84365e", "type": "eql", - "version": 2 + "version": 3 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious PrintSpooler SPL File Created", @@ -2812,9 +3044,9 @@ }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "46db472c6e6f0ed4f21ae620146ad473a93dd5d96e2f53541a5f40fdc9a80330", + "sha256": "0af224a5eb8a33da9642d8e48a9bebc285f01e0e81bcbda039a6de6148ac6039", "type": "eql", - "version": 5 + "version": 6 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", 
@@ -2886,10 +3118,19 @@ "version": 2 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows Process Calling the Metadata Service", + "sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728", + "type": "machine_learning", + "version": 3 + } + }, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728", + "sha256": "1c145ebc96d973eb2cb7dd091071dd3dea4869b769639ac1cfdcebb36348a6c3", "type": "machine_learning", - "version": 3 + "version": 4 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", @@ -2909,6 +3150,12 @@ "type": "machine_learning", "version": 7 }, + "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { + "rule_name": "Potential Invoke-Mimikatz PowerShell Script", + "sha256": "997ca5317573645e3d462b83b30ea09d78aa303adce6d796de2fe3be82e11cf7", + "type": "query", + "version": 1 + }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "min_stack_version": "8.0", "previous": { @@ -2943,10 +3190,10 @@ "version": 5 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "rule_name": "Signed Proxy Execution via MS WorkFolders", - "sha256": "9a4da22d2ca3a439a861ba534233154b481ece85272d40a4d5b79103465b6039", + "rule_name": "Signed Proxy Execution via MS Work Folders", + "sha256": "e254b2fad135ecabff65179dfa71ce6dd7a05eae1dca58f099f498987c2a5187", "type": "eql", - "version": 1 + "version": 2 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -2971,9 +3218,9 @@ }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "595203c7bd02d7aa640feb6640002bcc3ea2c49602a4366ddc30df6b68ce68d8", + "sha256": "bf3c9373100e7d25782f5d517203035fea52e6ed20f37e9669367bec59f4ab01", "type": "query", - "version": 5 + "version": 6 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", @@ -3028,9 +3275,9 @@ }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", - "sha256": "8a6025e8055e5afad2fa19034796fb8c6b25d53fc9e907a56082bcac019dcc09", + "sha256": "4c7e904ee42a6ff60e2d1987a4bc1be0b90e5369160fb574294a40a60ee31ec6", "type": "eql", - "version": 6 + "version": 7 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Microsoft 365 Unusual Volume of File Deletion", @@ -3045,10 +3292,19 @@ "version": 9 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux Username", + "sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Unusual Linux Username", - "sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb", + "sha256": "093dc7c42353af6d60328fd53893e9e14af849f5becdf3eb7967d069e7a58b44", "type": "machine_learning", - "version": 7 + "version": 8 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", 
@@ -3076,15 +3332,21 @@ }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", - "sha256": "b1b1242e639188790fc49c1b14998f746358dc7842e380a8cc4263bc75e91d0c", + "sha256": "2be4d09f50ef43f4f53efd5dd6e0036303eafa2fc21a20db86900d1ff4aaebf2", "type": "eql", - "version": 2 + "version": 3 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "93e3837fce54c54aa393d2afc036472d007425eaca1413fd955a684f14d9911e", + "sha256": "78cd566f7c38ddb92425d4255262993cdc7dd28e468339eeb2a65b5026f27890", "type": "eql", - "version": 12 + "version": 13 + }, + "b627cd12-dac4-11ec-9582-f661ea17fbcd": { + "rule_name": "Elastic Agent Service Terminated", + "sha256": "995e6676acb368df8d6782116f30161a65f7537ae0cc62cc30c60aa6072546f0", + "type": "eql", + "version": 1 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", @@ -3112,9 +3374,9 @@ }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "d99501faedbcbfd5604de2e284b3e817a880a71abf439135e70cf7bd9f6370ff", + "sha256": "dd582cf7684e5084ab7e12614dac33c40c7f9fb8c58200da7cbb37d7bf655664", "type": "eql", - "version": 7 + "version": 8 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", @@ -3130,12 +3392,12 @@ }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "16df9b62d513df2c32180b356aa0ef1aa20c44710b61da67fec8e70c9e04e587", + "sha256": "4f17e0fa5cebe3ae30385335149befc21b643a6a3d17554cf9225a5013a381a9", "type": "query", - "version": 3 + "version": 4 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { - "min_stack_version": "7.13", + "min_stack_version": "7.16", "rule_name": "Creation of Hidden Files and Directories", "sha256": "9515b6e94011f55aaec0a81fd8c343771c1bd922a16a699075e105558cb4be3e", "type": "eql", 
@@ -3148,10 +3410,19 @@ "version": 5 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows Network Activity", + "sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Unusual Windows Network Activity", - "sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3", + "sha256": "7b02abc336d84242dd450c5912423eaaed3a749e68d8a3f890cfdc80079a6226", "type": "machine_learning", - "version": 7 + "version": 8 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", @@ -3215,9 +3486,9 @@ }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", - "sha256": "6bc0cf9d4c533e8088498db20d276e4d852ce7b1be110fce699f99e9854897da", + "sha256": "3b664e177f2cb7ef127dc2562387c2c1ddeacc1940e67f9341b2c548bf0afd3d", "type": "query", - "version": 4 + "version": 5 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", @@ -3233,9 +3504,9 @@ }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "07df828e644721285f763fc179a56a42543204d8f075be83ace6ad790ca6d3ad", + "sha256": "cc6840aba4ea4559b570353b3df391dcb5b11a05ed0c0b141584ef294b4192c0", "type": "eql", - "version": 3 + "version": 4 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS Snapshot Restored", 
@@ -3245,15 +3516,15 @@ }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "c938dbc56d3bd5635cce18f040dd9ec53fa57aa4c5ec1465f22e0b0b5ec6252a", + "sha256": "b7af6c3dc975fe1841051e43ae8a61191cbe85cdded0f84c93c807772f48ff3d", "type": "eql", - "version": 3 + "version": 4 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "fd35291fa9dcfb77c5a0fce79b165bd99b7b86d051bf14f9d410819b87669ee5", + "sha256": "4f34a851ea5e0d5a304a4899574353546e939154981a9c0ed75767bb7be0f579", "type": "eql", - "version": 2 + "version": 3 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", @@ -3280,10 +3551,19 @@ "version": 5 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux Network Connection Discovery", + "sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0", + "sha256": "e124e0a0c8431f7cb9d2620441bbba0cd3b662770721332fa1e52b056c6c3dc2", "type": "machine_learning", - "version": 2 + "version": 3 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", @@ -3323,9 +3603,9 @@ }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "8995efdaf76a976352c15573f17b0e1ec96daf916f4d6e1faeab3f009dd299da", + "sha256": "494da2709cc0f5de102df7e3c7846c43ff969489dfa9f08fdf7aa82c241cde84", "type": "eql", - "version": 2 + "version": 3 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", 
@@ -3358,7 +3638,7 @@ "version": 10 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "0c5ec551b85d7e7e8775c4c1508a831c6019881d679e137e6f0531968d3ab03c", "type": "query", @@ -3366,9 +3646,9 @@ }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", - "sha256": "75e3e3971caefec2bf7c81e0739021f44625588a2c956cbc87373a4cb0ba6269", + "sha256": "0534f53daf22af73ee3e33bcb24223e7c54f624944059b8dcceb8b24fdbceea5", "type": "eql", - "version": 6 + "version": 7 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -3444,15 +3724,15 @@ }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "1909632e3c969f69f05e2678860ab0045baa8ed17e8b2d10fb60316d63dec7e7", + "sha256": "bf93f818a5acdc021805c2fb4f53fa56ededcdf991128dd0b0bdbbd7d3f18c8c", "type": "eql", - "version": 5 + "version": 6 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "25c95946bf344f63ac94a1fc18564d54f8ff89ba5343ee409f5574df6f06ea05", + "sha256": "f3008c2551fcd90560270ad7f389a439399cfee139bba0ae29358e5e9db2bece", "type": "eql", - "version": 3 + "version": 4 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", @@ -3472,6 +3752,12 @@ "type": "query", "version": 1 }, + "cac91072-d165-11ec-a764-f661ea17fbce": { + "rule_name": "Abnormal Process ID or Lock File Created", + "sha256": "c887c38b43b71e69ceea2c9200eaafd7804f6a83931f19b86c13bc5bc97611d2", + "type": "eql", + "version": 1 + }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.0", "previous": { 
@@ -3536,10 +3822,19 @@ "version": 7 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Anomalous Linux Compiler Activity", + "sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff", + "type": "machine_learning", + "version": 3 + } + }, "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff", + "sha256": "4ee4b5dcb56b421f4908084b64cba1d0a70d0715936b58267f12b7462b96dfbc", "type": "machine_learning", - "version": 3 + "version": 4 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", @@ -3600,9 +3895,9 @@ }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "e83e96779d7bc8c89103bf100c4bb596f9aeb387931909a39a021dbd0af35f6c", + "sha256": "92a93c83ab68d2d97a45dab6d50fa7243069c4a8231fe94c56714d38edec35e4", "type": "eql", - "version": 3 + "version": 4 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -3624,9 +3919,9 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "1f23c465db09e249755d3b09fb418edf53deca54b7445ea237f238b358b35bf7", + "sha256": "d69060f4b72ddf9a9f9b75d678b0c3847b0a8dece00b17b978ea865315c7a0ba", "type": "eql", - "version": 12 + "version": 13 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", 
@@ -3647,13 +3942,22 @@ "version": 7 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux System Information Discovery Activity", + "sha256": "e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14", + "sha256": "3d98f764fe976df253f64e01eebc8c21b6f053483109c520c47251ae353f12df", "type": "machine_learning", - "version": 2 + "version": 3 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "eaec6ceda71a7d7f2ef470443ab29248249a5782241bd0d422c6c5201dff280f", "type": "machine_learning", @@ -3691,9 +3995,9 @@ }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", - "sha256": "394e164b962405824e20fa9efd81e7a2a8b9017ec483bc0d0dec04f4bb9684d1", + "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", "type": "query", - "version": 7 + "version": 8 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", 
@@ -3703,15 +4007,15 @@ }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", - "sha256": "7d63d0abff428bf67a031e4be391caf6ec142d6044d5ec8e0c97c1835872e490", + "sha256": "e042c3c4ababcee73270ddb582bb80c6c7859ecc5f62bcc4fc7e29e1c9c6a22c", "type": "eql", - "version": 3 + "version": 4 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", - "sha256": "7b99b1f37d4afb6f85cb3358aa89d765eb877dd3c9f4354b71fa319a88ce039b", + "sha256": "ed067d19adb84d5fdb2bb9789fcc1eb9ae137325e9b41c83b035570270608cfe", "type": "eql", - "version": 4 + "version": 5 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", @@ -3747,7 +4051,7 @@ "version": 1 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Spike in Logon Events", "sha256": "f597878752cb6e91544579901584b4938249c29026da834e202622b3194aac5b", "type": "machine_learning", @@ -3767,9 +4071,9 @@ }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "388ee1ef5e4170596ff60bac0033454aee9dd9bd0b146b99f3306e7f52aef1f4", + "sha256": "2e7e33d7a4d4b5507845fa13ff50cd296f435afed71b4d7bc58c7459ff11cf08", "type": "eql", - "version": 3 + "version": 4 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -3797,9 +4101,9 @@ }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "73718af6cf5f96c1d96a0e33fc3a4dbc1295856ee436189ad912e94ac829640b", + "sha256": "7efa41860adf6873d8772c86cbb32fdbf1051b2e8f325178741c543cba9ac141", "type": "eql", - "version": 11 + "version": 12 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", 
@@ -3826,10 +4130,19 @@ "version": 7 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Windows User Calling the Metadata Service", + "sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968", + "type": "machine_learning", + "version": 3 + } + }, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968", + "sha256": "f2e71281a73e50949328cab350a1fa9f8f5cbe687da5e0e6a3d605cf140c84df", "type": "machine_learning", - "version": 3 + "version": 4 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", @@ -3839,9 +4152,9 @@ }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", - "sha256": "8d4ae843cb9c1a4ab4c415b00ed10ca09a6ff0c4911446cf5d667f379e7e2ea3", + "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", "type": "query", - "version": 7 + "version": 8 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", @@ -3872,9 +4185,9 @@ } }, "rule_name": "Whitespace Padding in Process Command Line", - "sha256": "ab5ccb25f6a2009b8ef47f280cb8c27210fe1bf06e1bff55746754b6d021a2a0", + "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", - "version": 8 + "version": 9 }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", @@ -3884,9 +4197,9 @@ }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS Route Table Created", - "sha256": "c2d3c4f677cfdfa69ef9ba32f1d771d62809253c641ffea2d75fa7b2e85f559d", + "sha256": "ced07968e26a004585120ef12658b3be4f12bfa5f601e3caaadbbb4b27529700", "type": "query", - "version": 2 + "version": 3 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", 
@@ -3901,7 +4214,7 @@ "version": 6 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { - "min_stack_version": "7.14", + "min_stack_version": "7.16", "rule_name": "Spike in Logon Events from a Source IP", "sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91", "type": "machine_learning", @@ -3909,9 +4222,9 @@ }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "cac862ac2f6933ac4a3b016aed2ec100b670ab49ab3d148e57a4f2af8f4b10bd", + "sha256": "68c33f06b1581f219147e1dd21155ea426dcd622d103e738942cfd6484cbf101", "type": "query", - "version": 2 + "version": 3 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", @@ -3967,11 +4280,17 @@ "type": "query", "version": 6 }, + "e4e31051-ee01-4307-a6ee-b21b186958f4": { + "rule_name": "Service Creation via Local Kerberos Authentication", + "sha256": "bcdd122e8566edca2f53e8e240809c4b74fe7a8351cf91d27f712b45b2848ade", + "type": "eql", + "version": 1 + }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "c8a4e7055859268ed7bd4de337af074e907e1f0201fa149b256b4b28e0dd7158", + "sha256": "abd4f1d93a531d56627582b8eef736fdc31ba0c3fe3343aa6dd9e2d4ff6efffb", "type": "query", - "version": 2 + "version": 3 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.0", @@ -4032,9 +4351,9 @@ }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "24310c50c362c030cd18b5fc424495faff6d0a8124112c0c786911fc8ae10ae6", + "sha256": "a3f47174a8ef30c46dc619170edec3eee8d924bf9c984995c73b44c58f1c4446", "type": "query", - "version": 2 + "version": 3 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Service Control Spawned via Script Interpreter", 
@@ -4110,9 +4429,15 @@ }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "12e68865764cb1f05d6ebb9353693e06d2c742cf994b547711f7fd379654ba42", + "sha256": "4e3dbed23985f9177ec4b64e9e8a39b7d134016e9f24a0511c7fa1b0ad3e5616", "type": "query", - "version": 2 + "version": 3 + }, + "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { + "rule_name": "Suspicious Network Connection Attempt by Root", + "sha256": "44ed2613b321b265aa643120f1f0f46f3c2fd6c4d7557b2ae4c9d7680e3600f8", + "type": "eql", + "version": 1 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", @@ -4122,9 +4447,9 @@ }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "a8103bcc41bedfd85a8511f7e6d3bf8b3b13ca107aba3e48a1ddd7ada099fe1a", + "sha256": "6b3c56dfa4b0f9ca84cf0a2d7eec8af1e8a0dc041776a9642ea05bdcf4905fc8", "type": "eql", - "version": 5 + "version": 6 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", @@ -4140,9 +4465,9 @@ }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "424f3ef1d9ddc7dc2705c1b02e6ef01b017795d1d812e0b10c9563a4ff232c37", + "sha256": "354d712416c35cb028b95cb1960ee6cc7db40176e030ede0068ffe2fa0d0216b", "type": "query", - "version": 3 + "version": 4 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", @@ -4158,9 +4483,9 @@ }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", - "sha256": "11c4de8ecd2064c2bc618687d9ceb19b1b8c051ac157631b679ceff497fae548", + "sha256": "e43c14d6cbccd4bb0e6ac4485ec72afa4a073da25100f4f5f31946a21765cbfd", "type": "eql", - "version": 7 + "version": 8 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", 
@@ -4194,9 +4519,9 @@ } }, "rule_name": "Unusual Print Spooler Child Process", - "sha256": "ddb1a4dc2a91661de7dcfb7b0694d46aeab631523f60a9069b45cee20a794644", + "sha256": "ac1ded91f88cd92988bdc5f20a34f790657172aae3e5a5a437641640b06091d3", "type": "eql", - "version": 5 + "version": 6 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", @@ -4212,9 +4537,9 @@ }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "319c4123b31ad2196672f2a0ff57e66a3ab8862dd8f2f7b537e2cd5fc6603068", + "sha256": "58cbffa455c5c098fd444fa2716bd4f4a4e47ea7c9ed98cb3f3df2a8e8f50314", "type": "eql", - "version": 8 + "version": 9 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", @@ -4305,9 +4630,9 @@ }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "7575644342a64ba1f288f6a10cb2e2182b305eab1ceef6170afa4c97f6ca8271", + "sha256": "f10789004ab5a0b3189568a57c3ba230dfee3b40ee91029e96db4796107b08bb", "type": "query", - "version": 2 + "version": 3 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -4317,15 +4642,15 @@ }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", - "sha256": "16bb5b4d0080ab3334bf9efb00c73a6e7ddeefc07a959db37ba971f1b12f3e17", + "sha256": "a051b45e6ebd98e14959c0987ad3b9e0a8588a46e64ce9ce4d3449c05ca513a7", "type": "eql", - "version": 10 + "version": 11 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "ec71a3ed4b21d685b3c9930d353d7916e9e5eb903d2c8cb8848b2f39e1da8098", + "sha256": "ba326ac9368b4e5d082ededa977176061cac940705885aa1dc8be2ce9eb0b926", "type": "eql", - "version": 4 + "version": 5 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", @@ -4353,9 +4678,9 @@ }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "bb1191d6f9f749c46e6b4c3e716044498d576f5349622f9806ddb108a66b76b3", + "sha256": "5d8d5e30fb647fda5e111159561585d252ba6c0dbb5fa2686948a5049413c092", "type": "eql", - "version": 4 + "version": 5 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", 
@@ -4371,15 +4696,24 @@ }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "405111199c8c503d24778b4d2fb10946691622b1eb16de257a6fc695f20d3133", + "sha256": "9b6a01fd1ebe28d49977691c2436fc4fb42558b6e5f71af4c2d264ebdb31f81a", "type": "eql", - "version": 4 + "version": 5 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { + "min_stack_version": "8.3", + "previous": { + "7.16": { + "rule_name": "Unusual Linux System Network Configuration Discovery", + "sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Linux System Network Configuration Discovery", - "sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8", + "sha256": "14d20e2e82e941edcdbd220e8a8452c2b7c3d439345f8c165c7028552891d60d", "type": "machine_learning", - "version": 2 + "version": 3 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", @@ -4470,15 +4804,15 @@ }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "ca7354db67f950fb406782499a38954ab5d8065ce2876236971f85afa96d0cb9", + "sha256": "01ee1a5a314fe80a4edfbd7802473022fa8ed3b34b017b654c6b763b8b334c55", "type": "eql", - "version": 3 + "version": 4 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "6792430fea2750424fd5efe256cbb96c69b93767b45e0fc15ba33a9732c92b76", + "sha256": "bdc3c3820099bd72e96f4e009fea0a4f1edda746435b53c0a4c1a756f6317848", "type": "eql", - "version": 2 + "version": 3 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",