{ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "cac0db4aff1d1ded02c07501baa3bbe6f5e27d707c93ffd2eeca27d36820a20a", "version": 4 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "aaa1e170fca28a38d31be457bde9aa519117096184eb0b7c03edd32b49031827", "version": 2 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", "sha256": "04fd329eb92cb9d357f7940cfa62cb8984f44cd5e65884330006e4d5415ed578", "version": 7 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "5bc652138aa627b6d8867f2f9023691c90cf89eae1e8b41f15c5a39a3e45c2f3", "version": 2 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", "sha256": "675294fdab8938639d7813f80e9ed17a038d03d3d20b16462738ed18c86c0811", "version": 1 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Potential DNS Tunneling via Iodine", "sha256": "7599799ca4a0a55c535334c454d59cb689f6378970a445147023453e12dc936f", "version": 6 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "75f947671148de3e29e3264168da66ac71eca6cbce3fa91d085393f5100a56b4", "version": 3 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "e1d0ef7d698458198b86b38759592dfc86d48b04a8f229b80ec4b0235193928e", "version": 2 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "6dca378cf44291bfc85f995e2ef8dcdf0df44407d0b042cb72e33d49dee5a7c0", "version": 5 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", "sha256": "8ad286887e1e52dd9b5572836b215991274b766495448de4fe2f9b6042ac1a93", "version": 2 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", "sha256": "d2ce426a165fcaee593fab6a509528869efcd2f9e61a1c4c17719037b6fd0b82", "version": 5 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall", "sha256": "a3035c5ca2734a10cc9657fa0c2c23fef1195b83d4c1316e932898537ebc27d6", "version": 2 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Agent Creation or Modification and Immediate Loading", "sha256": "e528a87ea96507db3839017216ed364081e638391209af086b126d1de534f30c", "version": 1 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", "sha256": "fbafa9f4206bcfcd63c1a74767a930ee9e96f0a6f437e6252afd83cc73df2eb8", "version": 7 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Process Termination followed by Deletion", "sha256": "c5f205ff54c1d0e79f4b4750bf6a7a410a4c6541e53a51be0d8cb5e8cc8e67c6", "version": 1 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Endpoint Security", "sha256": "adcd895329cc4d1c41bc4bf8b75404c838823731713fa11f3d3b671dd24cc31d", "version": 4 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "rule_name": "Anomalous Windows Process Creation", "sha256": "2c0ef448095688b59b12cdf6eaa8b1cf916845b1b9ca33e47412f87f855d493d", "version": 3 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", "sha256": "b3d195f66eff7d2a1c2cc3733f699db9279b137852ec73c44268c9aaf61204e3", "version": 2 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", "sha256": "3df1266e8438c9787af97aff38a331b1f2a35d27d8a7541b45c39179cdd7b500", "version": 6 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "1c2093218988bd5075f751f889f33bf5951acd5b6eed596e7b16356c713992b4", "version": 2 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", "sha256": "265e657ed950612b93a122cdac4616aaf53c63454deaa484c2d4b8e0ffac2e55", "version": 3 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", "sha256": "49f28f634ed84feabea9a0466856d470b32de0629543625a47b810c023bf3f7d", "version": 6 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", "sha256": "7e3863b9c9ebca7bc1bd8454cc06df45111aad839afa00701d01deb17557e769", "version": 7 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", "sha256": "fcd1f8db60952639ad3ee7ab8c7a16bd2b1c60369d4719c852994200e39bf9cb", "version": 2 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", "sha256": "1887a28078d2b00c9d7c5c5fd8f13a55ada9cf7953c5e3f444d6839a32c97bc3", "version": 3 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "87399b0ff196ae92920f9aa67e0535ec5a2ef85ce12cbb1fd7d0fe37d8508dc9", "version": 2 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", "sha256": "a2594bb7b6f814bc779c6bc489a1ad7882ce299cf5fb2c000b040dfa748cf6ac", "version": 6 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "480b24cf11930aac2d017bb6d050f1ba82f830d9381cf0fecf7071d988562260", "version": 6 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "8c53068d8e5b4053fea6daf84a565f31c405759b2852bf641fe25806ca78e742", "version": 2 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", "sha256": "863d0e7eb8b2e8c96e020329bb332e6d0cc0b06c3770ef6607a3e3739e1dcca3", "version": 7 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", "sha256": "43627cd1ed624daac407d02e6c9158da91824c99ab406d7538610d732c60e384", "version": 3 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "24559b065307470c045f9ade897b021cf83019c6d03a716450fdc57b67ecd52e", "version": 7 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "a484099235a7b474f53d5e801f77684ede6321d71c3403301d60f0b644597fe1", "version": 3 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "6f46ddb42d6b1ea82574dd1727b36cfb32d2662d5c3d787ba3321af0ed3f8a12", "version": 3 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", "sha256": "5dd2b107e0fc701668b8e697a5823207fc80d49607e6e8b5178f2f412443d8bc", "version": 4 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", "sha256": "2ce6fa72ac9194f3d8f1dd2883f9b17eb00ae9c438a97b92b314e10cefa513cb", "version": 2 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "rule_name": "Unusual Windows Username", "sha256": "e3bc57714f47a0836cc1c6b7290a3872c953fc3320da7c95d0a8cb6a9ed7f3d7", "version": 3 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "rule_name": "Unusual Windows Service", "sha256": "522b54696d2442ac05611c60b30f7d3ff6979437525632c8ca29ba3244c7dc1e", "version": 3 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "rule_name": "Suspicious Powershell Script", "sha256": "93b050224f92e0f3e5a043d6d2598a105fea78aebd8815f32e6932920731c7be", "version": 3 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "b8604ca4da00ed753c2528b252b3a70dc27e923442b8d3cb9b6efe70b0733069", "version": 3 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "rule_name": "Unusual Windows Remote User", "sha256": "9b5521dffd2429f28febd39b2e0c6854439e3020f4ea36dae83899321f987f80", "version": 3 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Suspicious Execution - Short Program Name", "sha256": "6e89d71c59daded6ae826a8621232f987a054465337646e10ee7e1d284bc1ac2", "version": 2 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", "sha256": "6e872b23e100ee779531cb816953fbf9c13e475e07b3ab4e52ecdef1e474e124", "version": 3 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", "sha256": "58f943ff669854f623265eda509ef58e601bbd39af5f9ce82985e65d0817d796", "version": 3 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", "sha256": "ba1f3d9db01dd4ecac10bceae27c1686745f53fc59c9164cdda820d1ff955667", "version": 2 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Azure Application Credential Modification", "sha256": "f82e7c30280b4862032aa17c77a377dc129dcaf495468cc532d736845a9af8ee", "version": 2 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", "sha256": "8dad953d062015582e4e66a69bebdcb081d7e8504e3a8450486012cbef959148", "version": 4 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", "sha256": "b104414747b46066388a40c0010698e2fadef3a589cd1863923ae97805f2d37c", "version": 6 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", "sha256": "a0c3903438a1efe0c78f19773f9405b91c94f92239c59e63d1ec89073afb78cd", "version": 4 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "a6190376ebfd842ab3228b6713b5d75029b3516c8ec74b6e4ab43c83cba3eeb1", "version": 3 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "b6932e27a95974385f586931c228695347bfd04535e89f328976ff0db921235a", "version": 1 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", "sha256": "4abb8480e4397d41ccad67d9f2aea6c629a9a089247d426bc92135e3073f83a7", "version": 1 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "Public IP Reconnaissance Activity", "sha256": "35dc7d0a375f80421e98e210eed421e7f0bc2e1902eff8e2739bcf1cfdf3e062", "version": 2 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "3f676ea1d24c02433d7e3b42c3288f59c319b51028ed2f6b5e3a4c84a1a95d9c", "version": 3 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "aa68e54b0b1dab44af2dafcbdb5c36d1b2b9e6d5363b407789b653864158e52f", "version": 2 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", "sha256": "cfee55b352159e0848f887984ef2f0124a7209cb882637f14d4280525e744e49", "version": 3 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", "sha256": "6e49f87f11fba067e6fea0b97078cf1e2d77aa0f6c259309ec67f9fecb867a7f", "version": 1 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "78a5c11812e5b1a80a2060f55840a2c19bb4f16eaf7c12ebd427d977e1579e65", "version": 1 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "1c6a98ed8c939c838cc1d87528f00eee1d6a188c9fd7c6adea39ffb08d1b737b", "version": 1 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Endpoint Security", "sha256": "83322d535ddc84dec40b7a90e9738726df2bd27ac3cdf96e7b9ebd967560bd25", "version": 4 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", "sha256": "0416d1b395d3e71f875fd844d5cfeefd2ca1de353c0595c765c7d7c60de4cfdb", "version": 3 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", "sha256": "a1f82797be5307027c2299d4e0bcd5e77d032fdef9bc6d5f5f31197a1af80c88", "version": 2 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "905b4d51fc906750f57cd87dc8d7d9df6c09909d1f891757204047d2ba50c7f0", "version": 3 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", "sha256": "7207564a7508b0604510440b1fd1d3bebdeaf1e897e503fe298aa7f783c46410", "version": 8 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "b34c9e0e5d452ba1f81e8fb67dcfd4b37fa2815b55f6167cef81ee2ae22f8435", "version": 3 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "rule_name": "Lateral Movement via Startup Folder", "sha256": "41299fef8c7f35e269c70d1e1e2924da08b1f5c726176c2d5fab5320cca82f61", "version": 2 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", "sha256": "0f878d919fd4f04a318821523e81f19f7b201cfd00ea14dbbe6caefa12085a36", "version": 3 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "f5d597657cdadf16e517169eb237df37db33d4afc77852c7fac5b42c1a6677da", "version": 3 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "1678ed5e26e08ff3c4b51dea2cee32f9fb1275bc8042634dae096429511f64c1", "version": 1 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "d0610ca7e553b3f159db6d65452c7f6a6834583c1b4e898204125c93730da1a5", "version": 2 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "57b09eec9a69ad0e38e8e43010bf9c0937e1508d050755d0a480820c02f3434f", "version": 1 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", "sha256": "0feabc81d71050379c9157c1cb287680a7c4fba732008ef9a3f17e86d6000acb", "version": 3 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "4182ae86ebceb37ef4daf7e9d714531e546f3d75917079782cba4471e3683054", "version": 2 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Net command via SYSTEM account", "sha256": "7638c2f89b64cef3e108db8da0e69fde6886c3cf8ee55888962e46a36b8cbe40", "version": 5 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Endpoint Security", "sha256": "4a04fd5b4099a19a093d301762f68352221eca036db21c9b9b2e388dc5c56a9e", "version": 4 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", "sha256": "9f775cc41219f22aeed5606b452afd1ef3492c54f2a31a159971683527bd7079", "version": 2 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "19dc06953af8af51a15fdaefb96489c18d189e4b624b72bc33877826d9cfad4d", "version": 2 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Adobe Hijack Persistence", "sha256": "8898026965d74c21585cf6aec35a7e557e9ebf11998efa5d264e0e4dc9e8bb41", "version": 7 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", "sha256": "d190d8cec6950e03d8e267dca54b372158b1bb414490ac7f6db3d676d7c5d558", "version": 5 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "53e55f065444d26397602d8833b406b630e6d6de7f8db36bdc80300cd00d20d2", "version": 3 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", "sha256": "cdc14ec4b2b923b44462eeec6cca036053f8e2f2ba9da1cdab7ae27d4aaa1885", "version": 3 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", "sha256": "741e753e168271d0ca5c5d7fbd2ae7660b81e53ce36255eec7cc428977c897a5", "version": 6 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "eddb73a664e938bfa193825a0de166c1ae4577d8e2f1ce732819db7f92bfc126", "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", "sha256": "045c646bf559d459cbad7abe6d452ac4f8fbf355523e81d5bd078230d3d1e2e0", "version": 3 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "5d3c9667ede9ba23dfa05e1ec40a147903c3d22335d29f3006e74f2b130f67ca", "version": 2 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", "sha256": "138656819a723b08184799b57c7b09266cf257c5e4842ef2e9e3e274c644a0ad", "version": 6 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "9f5f01e8c09d70086c93b58bed1b847b2536a16300f2183a79718538a3cf5a6b", "version": 3 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", "sha256": "e5b565501ae4c616fa76d99dee894d9cdd5e3b0d803aaf00f2e4d9a9141ef3b0", "version": 3 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "2b5c0f40d332c98bc432ae688248f8f2ef44589a43052b3aecca94b61df3e360", "version": 7 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", "sha256": "ce3f8ded0fa72d256144440ac0bca99298283a465bf53d3d52b5a38f5fe0351f", "version": 2 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", "sha256": "5275750f21477fa6da25c475d8a62428b790254415ae9f915ae9855e34cf6024", "version": 7 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", "sha256": "c2a30a4e9da87291df7a1cb5c6f0488d1dc4363c8c6e8d5852cfe90b7aef9751", "version": 4 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", "sha256": "3f7622021f11c5c2649c14842643ecee2ece082c6e00228f579757cbdf1a5261", "version": 1 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Telnet Port Activity", "sha256": "a818c7383db3a78fc06748e8f69de6d5a29265b5cd157d418395f973930b4e63", "version": 6 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", "sha256": "57c4a0ede1644dd809e968e63ffffe7c22507dc8712728997840850bcd637acf", "version": 2 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", "sha256": "96ed86ac690b1e778290ffe7c0d3a8e9917e20d6a8c8344bf5191801802ede93", "version": 7 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", "sha256": "b404ff24a631ad29d1fc24185a0254b0bbc22ac740efe4cd5a2efa5d4bc338e1", "version": 2 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", "sha256": "cd02c225183b6d5187a07bf67653afe3372de17dde89842143f115477aca31d7", "version": 2 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS Execution via System Manager", "sha256": "61dd1760bd8638bc67426d94284aa1224d97b34e9a68dc7542c9fd8f28098cc2", "version": 4 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", "sha256": "0d3f3665184ac4b21104c3fcba336c4a8e5b58984c79be68719241115cb41a72", "version": 4 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", "sha256": "def0708eb6e6a00bb2f17fb1fafee41d4e11f5e4385ca2ca08447724ff623f68", "version": 4 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with OSASCRIPT", "sha256": "7a6dcc3eea9d2ecd5b9e942e20010eb93c4d3c7ae267c151bd5e8eb74360d2f5", "version": 2 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", "sha256": "8464e66812e6b7521a8dc2abf7c67bc0f950a78949daaacc73fc293e4d663111", "version": 3 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "b10f7e2de3f5d6138871b90f41126dfb05cf2bdcafbd36b57348268e22e38be4", "version": 4 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "3ef3999620b103e14c61eed74a63ee361926ae6a6f4b8d30353aa438c2e0665e", "version": 2 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "732ac08d2d07ec76126d378233aaa6ceaad8088afaa81e456854b8a71a3db361", "version": 1 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", "version": 6 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "77fbab55e9059eb6fb6492ba30971f3d3a4df6c2e2d7e325b04d0ecd7bc26b52", "version": 7 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Endpoint Security", "sha256": "49bf69bac026013bdfd88dbb0ebbf5f2cf01d0bcc8dbdc00d760cc4c1ecf6daf", "version": 4 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "4ce1347f9fe15a5884acb582586ef9918d0709794bdb3581cbefc8cf9166e707", "version": 2 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", "sha256": "6c4b480706231207a2b53286531f84fb7497f1b136d293d0e1ad8af5b90353ce", "version": 2 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "rule_name": "Unusual Linux Network Port Activity", "sha256": "b1d42eb05bc2bb9c5ca66aab76709e4f3aa79e9293af35f760905331f4fe3d43", "version": 3 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", "sha256": "81893cb7efeaefbe69f4653b3dc5839948ec1fc43fc55f8370f3257e04f15d8c", "version": 4 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "2472409ff9fa897575ec999b050152152e127c3c8f8fba6af7a746e812c3b41f", "version": 2 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "86bd2b4c6d0bc71a1b6510262a029195221c555fc4f67f094e93dc1879d04e93", "version": 1 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", "sha256": "6522bc62d5d8d7ffc42fbb0aeac0f7da2ba74e3932da92569cfa2a871eafde1c", "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "fab4b7b457970b0ff1295a2fe4e230ca8221c8a4f5b6491512a62ae3d870d00f", "version": 3 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", "sha256": "bff9c2058c32e5568671a4de897f191a1a5fad599b2982f5f5c543d6a2dcb5df", "version": 3 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "7b2f56166e460cbf13418552df56b54023525a2eaf0df76c055f62210bc8a027", "version": 5 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Shortcut File Written or Modified for Persistence", "sha256": "cf28969a293d000e52873e97e24333b40307b6486244b54714e1b96f74aee319", "version": 2 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "rule_name": "Unusual Windows Path Activity", "sha256": "051a230879f4261f63624018cf932d319e6c4484457aa525a006d0d05facf1d3", "version": 3 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Endpoint Security", "sha256": "de91fb70ece5386bf2fe4d065f50aa219516eff015f22534b5cd1b69064fe002", "version": 4 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "f359ec8bdfe01b859d3a325ba2cd0b00cff639a80f196ea48d201e3cbae74176", "version": 2 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "b7ee618643d98c2169a1b8bc1e871d9adcc21fe9c7c438d548f54462a01b9a77", "version": 7 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", "sha256": "a0ced469a145609a24f3d0b37087aaa6923e859472645ef59120c0cb4e1ff168", "version": 3 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", "sha256": "cd4a76da7357de9b301cac5aab25aff5b3cdc7993a4da71e670c8646c08dee94", "version": 6 }, "47f76567-d58a-4fed-b32b-21f571e28910": { "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "c9c44540966b2d9592ad5f670eba6bd6ee29beba41798f2788fc66fd3c0f6c1d", "version": 1 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "d7a4094671ab3413141af350b26471c1f84f5813e2c751ab1460ade4994ee1f4", "version": 3 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "207cfd123ae87b0a770f175c9018d1e0d3ec80d82dff6d5e2c122b44c0fb09b6", "version": 7 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "f7941ff2450a8f5b2545ab32170eaf4b8ad7a2f5f86fe2f06a1b5495dd2b1f62", "version": 2 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "03e5525912390c97777265582854a101c5ec36a22ce7ac831b671bba2de39f4f", "version": 1 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "b116b6e30fcb1611da5546f1c52c12b88d5dfd9a2041e83fa34583e547860c2c", "version": 2 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "rule_name": "Windows Suspicious Script Object Execution", "sha256": "575bb0ccbaf54a34b2a4967355a6aeabd8e1e1da541113896f9de5e4d02dbc8c", "version": 2 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", "sha256": "1e2b65b762c850b45150a9e0e641e72054c9761de19ecd694cc1dfee10ea8ea7", "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "rule_name": "Registry Persistence via AppCert DLL", "sha256": "472d300c8c9ab634eca6e92d2c807265c348300e2c29f01a1dade2b5f74d73a9", "version": 2 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "c8d8d20fe7da189d29d5418c818dbcd69206b2517f805a9b0e908cc81bf55f93", "version": 2 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", "sha256": "91f9f78c852e08daa7562d9df8dbe86bb1a55e5e269c26fd014a9a7b70157f9f", "version": 3 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "5e1b6224a46c6f4bac302f5a4b217ea1aa3c52fd980bf278b667f36cd3261083", "version": 1 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "b7adc358703eb3dceb5073c695606ebc4b3f1e328477735bdb5aa1af4a1da7db", "version": 4 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "62f9a83f87a1646d277900c459415fe58eeb8c9dd0b803948689441ab0672d25", "version": 7 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", "sha256": "ef8e961af1c2c6c36321af0253da8a005674aa2c3a6ef52c8498d3d3af6f619d", "version": 3 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", "sha256": "f1509a26320aeb35879f3ed33199d5608bc2f040ea884523217a08c5e5d74eea", "version": 3 }, "52afbdc5-db15-596e-bc35-f5707f820c4b": { "rule_name": "Unusual Linux Network Service", "sha256": "1262f7693276b5913f124eba96f84d2c81408e67dfd2bad1b96a2176f0506d62", "version": 3 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deletion", "sha256": "62305e86230ba4c5c3a1003451d02a3ba84428bc352f1502845e2242cacdf686", "version": 3 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", "sha256": "dfd73583e55e557d6b6b4cd595c2d9b899a833edee7f159aa9b899d6047cf5a6", "version": 5 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", "sha256": "1c339b8b96957808c27abd4eb4b06d28917dd955b3121f4a794ec7db1d52e87d", "version": 2 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", "sha256": "135ac096e16bb4d0f7fda7f52b5fbae7cb80c49e8628cdd928800d9e3940d0e2", "version": 6 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "62b2c18b4283e72805e191b3fbff2f7ed1b2272eedc561fe049c38475b3ae34f", "version": 5 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", "sha256": "36c41e7616e6841d8e8ccc7b8cf07ac26c8bccff0fa0233db17221a20069fc99", "version": 3 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "7a98a305d038362c3fb3a83cf8bd99757e7cd97374f13a8c49583e9253abd937", "version": 7 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Endpoint Security", "sha256": "bdc750ae44da6954d429af1c78db084f915fe63db463a2e084107bd4b7725a73", "version": 4 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "8c36a1ee95f65fd57c309bdf9969add31b8f6d83c342445259834f46484dddad", "version": 7 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", "sha256": "18053d9896302f8e69ce8066403fe67c8995b0f7fd3c803e5c71a3ca9ef74279", "version": 2 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", "sha256": "00ebed2fca50a1579826be2ea418f5bee450e8a31e60680af072af3d99181292", "version": 2 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Lateral Tool Transfer", "sha256": "94039776569f68c81b2596b9811ba52331323a57b2069a1060c42d8fcf601d03", "version": 1 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", "sha256": "2af4c984cf43412d94bc2369b88c7ad65535fa95bddf98b15b81e62b3586de3b", "version": 3 }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux System Owner or User Discovery Activity", "sha256": "bcf941f7244ac82c4700aaa98b51326165d8c561e6be7ea725a0372ac568c9e6", "version": 1 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "396ab1ad60804f89853f9976fde22358716c8a6a735791f6342e110370086997", "version": 2 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "223cb3241e8bdf4291664ddd39ab5534cc523b6daf9f6b2e6ed4223f3c4f2186", "version": 2 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "8d78a38091e18b693817210f674b04535f1b66fcd042c355d8e27dc96c376d89", "version": 3 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", "sha256": "280e064ffe4b31935712b8d34e3aa1c97c586ad103f4b61b86a209c6287254f6", "version": 5 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "8f56c94d9172737c682679aa448bed9762578c30b9e69c5981432e0372761b0e", "version": 2 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "23a72fb952c8871fdf25b30af1b83513cbede2411d85e86dc6b4ee58e3a1b30c", "version": 4 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "701bb83db4ee9988f602d8483da8fd2616afd8d5182f6caba81a678824382d69", "version": 1 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "9e8ee2abd46dc1f135f981e2df161ad295f37034b2caef627a87509b42868976", "version": 1 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", "sha256": "66c623494f33deec9f9578828274d64bc626b49e0c4089feb63ed368a2527440", "version": 2 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "91f0f28d9cab78550370bdb54ae1fe045b0386b78af41080ee15ace7422fbc8c", "version": 2 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "22e55f416e232d19d6a6fdec998a0bf2c948111ce00daf4e92c92e954c442dbb", "version": 2 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "a715d519189c188c0879a60afe5823e05137845c4c782a18fbe85d92c0a8e84c", "version": 3 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Azure Service Principal Addition", "sha256": "5f69299722e8c6c6469f902b7867c74056379d15e39f74d8f557d052236cfbb1", "version": 2 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "a23fc63c1652d21efc02a07708eb3c7d173e4d734d5ea9949296486717b37c2f", "version": 2 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", "sha256": "4b4462020136392da9adc5255f937664f218535edd5602e49fe21831a795bfd4", "version": 6 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", "sha256": "3532de678b47a8b6e4b89371d69e552d7b67fae0ec5501f0f97b448ff62b6c54", "version": 6 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "bc0f34f950e9e0160d34ca918e98ecae1b5ff9c07d1a04dd1c4e37cbb87b0e97", "version": 1 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", "sha256": "5d84c2fa70575d8f1b2136ec8618d3aaba781d6844314dcf1e8e9e6f333928d0", "version": 6 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", "sha256": "906c854f64f56a381c73270b7974d2ea0285d8fc16e9f6c6121e54cef5d0e402", "version": 3 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "rule_name": "WebServer Access Logs Deleted", "sha256": "539b8de4adfa60a09feba4677439be7a0f3a32b016a5d59224234a6cba4a882b", "version": 2 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", "sha256": "9880ea66b7f0b33e6c8faa4ced81fd51dcdd75150bac98e336e103a232e9d42e", "version": 2 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", "sha256": "141a2f379cab2fa52f9fb037db0bf219e44c455a5aafa0ae23c673fd38cf7832", "version": 4 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e328e8296a29b8d680a32a4ff6e6456241ea6ae5142772d756908e9a64d9a638", "version": 4 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", "sha256": "2132ba64c0691c394c31bb8b68cfe1779c3db0a8b224d068541dee3846f01db1", "version": 7 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", "sha256": "ac76956e9e5ca1a2b9303138d7962b83239d5233cc17c1951f575a1963e7aeae", "version": 2 }, "6839c821-011d-43bd-bd5b-acff00257226": { "rule_name": "Image File Execution Options Injection", "sha256": "3b9679e6ded36023d52f4977ae939b556a66c54813c925f0a96b620bb1aaf8c8", "version": 2 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Threat Detected by Okta ThreatInsight", "sha256": "6d3c615dc61fba8e4789523d8b658467eebf55d12aaacbe78e092cf303e798d2", "version": 4 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "652f005e7dd427a0d1caa47f44c0e35987934c392b51d869c63418c68aad0867", "version": 3 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "b2b287e32e46fb4a6af0815d394d8910c5de71a2f389112f7749d8083e2ddb9e", "version": 2 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "b219c3f1ae863fc87d2555183a467eccaed16b9f09796f272c52db9db4925437", "version": 1 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "7123531c2f403e877a04a9bd9c0690242128efab72cfcb2ed4186433c305756f", "version": 4 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "dda1ee5944e9a1be0b0bbf8ce73173115593dff29fae8d530efa30b4ea675991", "version": 2 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", "sha256": "1b0e39c02798b3aec53ad0414a3d548a4ae21df79eb215ce5c193991d7b143ec", "version": 6 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", "sha256": "ed2d0e0a212e573ea92041b025fe7f636f904641c177cfefa890bedd36a4fe52", "version": 3 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "d7377f732f983bf9e4d23033681b4ba85752d775f3d284914e55434e0fc0b379", "version": 2 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "a4f4d48080543be6c84780e072b07173109723c55006b044051f67e50d5eed4a", "version": 2 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "rule_name": "Unusual Process For a Windows Host", "sha256": "74d68f9a6e585ad26b9200232e892b1d843aa6b141c91f2abf3def1aa7344bf1", "version": 3 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "rule_name": "Anomalous Process For a Windows Population", "sha256": "e65df18aefdd9bf967dcd78f887216a5c8a4a12fb34d344f64a2a8ddc17edb6f", "version": 3 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "7c9d7f37ae3388f4ce88cbabac925c158192140c5815d9bda106e88e7f9c01a5", "version": 2 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", "sha256": "7c13599b8e0d4f2c956bbe141227d03a87bb44d6e2ac0a410d4d714b98026725", "version": 2 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", "sha256": "13fedd6f05827fcd21807bf8b3ecd2923d883e0f27e3910702d7bd2254641681", "version": 7 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", "sha256": "9ffc5ec9fb514ad3fbe969537edd388d30ee0e374e73d3de589ad453aec2126a", "version": 7 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", "sha256": "c5ef241dbb8750fb177ca2e1c3bf24efd7d0c4fa072d0fa0c22c031f5bf56de8", "version": 2 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", "sha256": "cfa66db8a38fb8fc719bcfb5673e1e5835df3e77322a0e260b3bb2ccd34a7eec", "version": 4 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Service Tampering", "sha256": "027d56568c3cc971b88d2cb5166f2852d0534cf84545c99090eccd7759c6415e", "version": 4 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "356b304bedec2afa2d8ab15398ce6839d25df11453b5c1ca03310ef19dded015", "version": 2 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "2a0fc5337827134733d1b71dac658f687b492525dacae23341aa040fa35a648f", "version": 4 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "71e0b5a65c5c1c009f67c4daa7102a967665283a5b3edeae258ffbf27c40fedb", "version": 6 }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", "sha256": "fe1405fde4d6da1912b657718cc824ba375605b47642e27393d580cbde8b87e1", "version": 3 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "87fdce46aaffc8303b29aa54c725e384cb978109cc9210f64c8b4fc1b477677d", "version": 5 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "a8cbc9d75c6e4da24fa473047890575c9c70155a3b1501b0b986598ce655655c", "version": 2 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", "sha256": "15345a004d3553b592315f2b99bff617cf1e4fe51254318e687143ac5f203f8a", "version": 3 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Endpoint Security", "sha256": "60af511ccd3ed511fec254c879279d5090ca084efa9c11bc4fb01690450b7180", "version": 4 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", "sha256": "53775aedf8cb2c8a2549c947714c72e087d8f66202e04d7b71e2057676f531ee", "version": 2 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Azure Privilege Identity Management Role Modified", "sha256": "96119234498e675b911d5936a75ac414acbc6dfaf18bb0af8e748dbcaa570de9", "version": 3 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", "sha256": "f4ac999620ed766ccfeb2fca9f79490e65d8c5de4a2372a69872c5474ca4d6b3", "version": 2 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", "sha256": "395293327e180f887cbcc12dcd47cd37ad6960f6d342056c36d6503d26a0e3a6", "version": 3 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", "sha256": "5046e9d5e694a8d1cea49021ff63b18bb21ac7ce9b1b398f409d51860f779728", "version": 6 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", "sha256": "6f5328b72cc7ffc2206ff0b73647384d3bc410de54479be59278f1a3f51bd26e", "version": 2 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "rule_name": "Windows Network Enumeration", "sha256": "5ad19c982c17664ea924524285b788f821d183b40fc9b2d375b9c096b0943447", "version": 2 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Deletion of Bash Command Line History", "sha256": "481ad533c5634070546c3587f45e3f1d15e9ceefe76aef5819cdaf74951c0d47", "version": 5 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", "sha256": "eed9e26ee27ab35033cdcb30265238b416201b0d8511b20fe428c7d9c083b403", "version": 3 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", "sha256": "4a69174a17e82fee11e0402348d00579b3bb466ae795a9ffbbee8c3b0fdf8384", "version": 7 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "dd9d99cd6900e72df71b70782901c1bd17d3ea2e315b5ca80d3f1b7830746ee1", "version": 1 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", "sha256": "a72ac53d78c6de2093b247a25fc6d8a7bee0cd5cc96490e8046640ae77081b30", "version": 2 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Endpoint Security", "sha256": "126b716fe963842ff8406842f8a101953a04e7e9f167e578094712fa6b006b00", "version": 4 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", "sha256": "009b2d96598f654010970715c06ffaf13c67925d69b17952e0a4b02ff31552af", "version": 7 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "05067614056729ecd7eff01320f2dc8f93a02ea5e6817c2320554cf1e5781df8", "version": 2 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "891a050afc467a0d6c5df28ccfee056010e269e4b1aebeffe90e7f07437ff52a", "version": 4 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", "sha256": "9bc0125a9fbc1571fc776de116fdcf28d631cf42b498f7e6f1730a3f64d2c1d4", "version": 3 }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", "sha256": "185f19110127ccbdf643549658b24af18b05f743db3ae0cde77892448ef74bf9", "version": 2 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", "sha256": "b6aab90c7b2a4c83fd447e210bc554b40ac284a846025e0a3fd8e27dd14d7102", "version": 7 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "7066bc711a65e15d4b69f16a1b939ce476cac7ff8c4fcaa63f34e1907b68d1ba", "version": 2 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "a9c88449a4a2d7e3e8189db5592acfee7a0c276dbfb28e5760472c7ba302d259", "version": 2 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Command Prompt Network Connection", "sha256": "071525e0da043ae11036fb3009483b2ca19b758831b9b1d35125135bdf020e13", "version": 5 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "Setuid Bit Set via chmod", "sha256": "40d946883292446bd724e81d2f504f08012b10bbb1b6077fb6a58859ee3d398f", "version": 6 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "53367015febefe85c092f766055640626b50b1d81a0e4b0b9e88f63f188be398", "version": 2 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "ee34c803b7e56eeb6a9530b2e9d2d22de73c98befbf9a014c839bfca58de3c3f", "version": 7 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", "sha256": "7de8daa3edbdcff733f3ab86cd98ddcad27d568810adb13b99217dcf5ea3010f", "version": 3 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", "sha256": "bf5fcfd9cd7226a093ca39837bc17517c032364a947c002339b22e141ee8da1a", "version": 1 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Endpoint Security", "sha256": "afa86e4d621fd2e511406e86b4ae9c07348c4471320a9ef65b26e0643c34e133", "version": 4 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", "sha256": "5469ed934f92d74acdb435451b375e88569f8a8ae6b817a7f80e7597efd81272", "version": 3 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "39a399aa526d2d2a43153510b8e38765f3c4daafc199cddd96183cef46562b50", "version": 1 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", "sha256": "1cbd2dcf1b2d96cbb7212a41619a4d405cbf173fc7c46a327717a287d748733e", "version": 3 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", "sha256": "2898ab42516d08724766700fd52fb3cb8507f167be84ad21a09feb058835b4f3", "version": 6 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS Cluster Deletion", "sha256": "76bc8e8bf6c74f88736f29e1e9e785b7f1793903abbcf6c712d8ddad505bbb53", "version": 3 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "5a6c8bdeeb597c962675d57f5d6406069f6a3610504f7094c135a80e5ab40e6c", "version": 3 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", "sha256": "bc973ae5e108630170d8b951afdd2ccb368369aad786910e1af3319bc5c853ac", "version": 4 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", "sha256": "b288acb521629bc9ebf5f0510ac30a1d10543df3c2ccb568fa213bc2a4b34599", "version": 3 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", "sha256": "679984488067c3386d68012ce558514f534f412c64560d6f5251ddb5c199e28d", "version": 3 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", "sha256": "a79e4b9ab06f30eea5e33bfd2d9882e77234155f80f10aaeb6339bb4723fcd4e", "version": 3 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", "sha256": "b7d9b32d4686296b39e9e61ef5a22be54164eee16a131558263798087949fba6", "version": 6 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS EC2 Flow Log Deletion", "sha256": "664d4cfc75d2168cc75de2346474279ff7154d5c62b91c031551599cd05c9d37", "version": 4 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", "sha256": "77107778375a7e1ba5489740bf3f6d6a3804c0deebed41ea92c45d7f3e8c38d7", "version": 2 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Encoded Executable Stored in the Registry", "sha256": "5e12243b0ec527ff06ea2777feab9bba680f46bee79544f4ab9a00f345ee2416", "version": 2 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", "sha256": "7c4aa48afbcff9d26841e06c45fc16e265cb936ec5bc43430547f28b4acdd13e", "version": 2 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", "sha256": "dd83a9d7e1d24d5351b3c80bf0a9824ca7d1e07a85a3ff6a403f00351d22aff8", "version": 1 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", "sha256": "28af4eeb1308afe6f25c74e224066f5513dce33e97bf4a09a5855bb374f6b676", "version": 4 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Compression of Keychain Credentials Directories", "sha256": "f6e3756ec4603100b249d30c832c61cafd051a7f88a01cdb3a868d0dc0359be8", "version": 3 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "3543269df878167d62af261483dfaab9182b57f22357842aae285209210eac43", "version": 2 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "4084b7e08cfeb780ed4c7cb54982cd624dc5e53508ed5bc106fb09a6ed3ac71a", "version": 3 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", "sha256": "a728e2fa804205b19155f106b3c04a3742568741c1c495ddcfd49946639e7020", "version": 3 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", "sha256": "607a50450204331d7ee50891c8d790ac24379743352267581e82a534f774373c", "version": 6 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", "sha256": "8625de5d51b237ac097b4b8485235b1064b1c902df7d77c63ab8f138562b89eb", "version": 2 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "65c712fdbadb4ec666674061d68226b9e3c102b03f2106cdebd0621ea19db63a", "version": 3 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "115be7db3d64c5aaf7e87d245495ffd3fd38f1c3fe67533d108f2a7ac20286af", "version": 2 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", "sha256": "4ac0360beafc4c079799365d1d9d1accbd7074d369cc6740f5a5f960dd33bf01", "version": 3 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "rule_name": "Process Injection - Prevented - Endpoint Security", "sha256": "92c674029d3c058f18ec3fafbf91a3c2443023a6a18db9c3118cbf6d4138388d", "version": 4 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security", "sha256": "8ec7416fc13c3cdde052cb4ffa8d26b6b2ac42862a6aa8422c5b703e87918188", "version": 2 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", "sha256": "682638b8ee8bbd25b306a15c47695f1420a82004fc51fd415f39c164c86812e5", "version": 2 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "41829a9b79a22a1214bd1360bd10e601b851c6b18cbe9c1f09a4bdd7426fd35f", "version": 2 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", "sha256": "a613b4ee192edb46c8557966cbe7f75ded7aa0eb4c3482fbc1d7ae500178b7d4", "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "rule_name": "Hosts File Modified", "sha256": "6a473138e933cb1899ac57f4062c02c8304a8c2a8d59dc926f3af31cc658300d", "version": 3 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "ffaae603c0fa1d7436f8ea510f84ddfc50be4fd25ebbc6eeec733d39775bd65c", "version": 2 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", "sha256": "78f7858dd10d07dfdee91e3d1a872c82a75e4a714673695e81cd2ce56cd5af76", "version": 6 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "443fe4115ac4876ac13361d9c51b3f8cd3d23c324e51d08ed9bc2d7ee85292c6", "version": 6 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "d43be8b7a7e092ef11888e5b943c696e3fcba164567971e073e40bb01d80ff45", "version": 6 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "544dde4552bf1768311ae7e0c33e73d7374c2573ee1be3a7b5080d943576b45d", "version": 6 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries", "sha256": "04d52622c9febc4986cf3530223968ef7ab841d3f82858585669b82675ca9fcf", "version": 6 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "1e5b8f6922097da81e22a0e6767a0bef2145647d53ab2de2421829f6bb60c688", "version": 6 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "8145ecbefa775960be1ee4d237e886325b6bebae824f07e0540f2d67c9d6b0c5", "version": 4 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "97eb1480debfc4d14c82db4a2d76bcaf1e5b3c7e7fd04ffcfb458eb5dc804373", "version": 1 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "004f6cedd68f8a3e36c0e678f27bcd2047fadc049f48bc4fb8a4a7367e7b9211", "version": 1 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", "sha256": "9797234b80c4f7d12daac255fd4dd049080c9730c82d73e37b7e2a4714e45399", "version": 5 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "AWS Access Secret in Secrets Manager", "sha256": "37be1522c5265733d1c521a2ee4c8a39b4ea867ef3d465e447547c269bc82a90", "version": 3 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "6bfc349ca906a512e6a616a624af17727c6877327b17a555aae56fb1dcb77527", "version": 3 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", "sha256": "770756236699c90255ee512de436252e9aee5f134879f8125dbfbbdf0568d461", "version": 2 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", "sha256": "e134a599a0c31f531e1ef027d05105e91cf57dcea9bab63338081ab3379d553d", "version": 6 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "a2cf43f683742b3f0b3aaf43aadafc7dba6354013f2f48cbc7d446afad7229ca", "version": 3 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", "sha256": "99645bfec35b37000af36efc7d7fb9d738ac7087f27b56d65478e7fb90ff6b4a", "version": 2 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", "version": 4 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "655573dcfacc3a63d76ad5bfc8d631ccfe68850bd2fb66d0d20d185968fe9285", "version": 3 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Azure Active Directory PowerShell Sign-in", "sha256": "1504dd19c4d00f6fec043813c49e5383a9d0a445ea693c06a7c01a3074efd36d", "version": 2 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", "sha256": "2abff3a9f2e9bbf5479f1947bcb032d554167fc8da620100ac3a191f96dfbdd3", "version": 7 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious PrintSpooler SPL File Created", "sha256": "980fb95e206349f1bcdae9b5721538026f766a9bdddb9a105251e9deca6e914f", "version": 2 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "04dba98361fb9bdbbf82ed28d24fb693e994954a297d9d048988f30663e5ea07", "version": 2 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "b96e0e4e371be1ac1c315923d0d704df046678db261463030d33a0a925abb91d", "version": 5 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", "sha256": "381b079f59d5ee4f7685a4b792f84ab7840cf0f97a418bc404cc26e5acd7e9a0", "version": 6 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "d11f9e4122aff669f9a82f3e31c714c7e2a662467f55a71c2f23ecac63a6b8bd", "version": 2 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", "sha256": "12f14c4749a7fceef70c089a2a38b19d7c33075ecb1f3e17608891313e4b80f9", "version": 2 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "ad61204594077b7918ff7828d8f1a913b3fa87e52848462b6f15207af1bc50fb", "version": 2 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "aad1b5006e2ac2aac28fe8a07e3cad70cbb98e3823b81ba15a9f2c91d8817b5a", "version": 6 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", "sha256": "36f09d32f22926b656535eeab37abce2a55146b2efe665237596eeccfc907722", "version": 3 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", "sha256": "57dccd2cb0d159a8da2832c464b0e427c3f8ddda96824d66bb5ece7d71cf600c", "version": 2 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", "sha256": "378f8ce524eee1aef24018a4a17eb55353559cc57adecc2b6a3ee1ffe71b8f2d", "version": 1 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", "sha256": "b4742a5907688dfb96cac8284d71df61ec5430dfcce9653aa56c82bd8288a9c4", "version": 1 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "8e0b773de6395741187c17f254d0d3e6d9c33c2a8dc34067c5dd9689bd1d35f0", "version": 1 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", "sha256": "9006cec4ad27c31db36f6ed910183f2b0fd985304c19bc6e351cb734a18ab080", "version": 2 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", "sha256": "61030c4ed5783a5267a042417e8d7604e0b04eb36a6da6aaa8a630c10fcb0977", "version": 2 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "e8a4bf103723eb12e3cd69a8149ff0ac55ea66ada671751e0842d58a1cd994f5", "version": 2 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "85555d822707d421f4757e862b5cb505544cb9a451c4c2cf04fb4cec5df7d052", "version": 1 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential SSH Brute Force Detected", "sha256": "95eee06042a8070b93d08264c73c46771db9bd046e90bacfbbabe54c8d7b4934", "version": 1 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "e0437a436bd0809b9767d0771bd7f9ab554e5a269729c9888f4f0c42289c35a7", "version": 2 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", "sha256": "6daf86b7ae1e77991a8746825cddde9048b4831cd7751c3fc9657b15deadd50e", "version": 7 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "e8ce9ad3c57e19411395968326acf2a4c2089d7cfe7f6c6d39d5550ff26c278e", "version": 2 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "a32bc9518e2c0931cd2b9deff09caebba196cdf960d7534786c1002bd4e544f6", "version": 2 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "Netcat Network Activity", "sha256": "484787194ac835658ef3dc707a026b3a0f7c7fadb2fb57b29b8a156e7d213709", "version": 5 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Commands", "sha256": "1f7db99c01f9a701380826045b7cb199fdb99450481d9b72bc60e152f5353b3f", "version": 6 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", "sha256": "85a166495a48e6eebe0ffc43e959711cb77b4fbd10fa986459e46b7f4db17c6c", "version": 2 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", "sha256": "00693df432fecce30109abc71f88dbe2b04ae1aa0f8a26475a91e6ab90b0b07b", "version": 2 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", "sha256": "c745562b8799190c0796b1ea6f84e766130818f342c77b4842579ba216e29323", "version": 6 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", "sha256": "44159cc2fe3ba1252b583e05834febc367f266e66f6cefb6dc5302eab620305f", "version": 3 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "231d85fb51acbcddcdc5d41cde82d53e3069d08bce27592570c01aced7e6825f", "version": 3 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", "sha256": "bf819443073dbebcc3368bdfe074885ab4bd25693acd6cf03377c1fa41732a46", "version": 4 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deletion via VssAdmin", "sha256": "279ef5024f334a402d809055b5c1685f1082f71c0a318531516dbd540ff3ca26", "version": 7 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "45cc14e84175cd9bd73d21cddb502b11bc2d6d9984edac3fdda44920ebb1f980", "version": 1 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "ff09c99de5283ae7e2cb78e43329cd9db62c6b79be25ee481de93cc1aa09110a", "version": 3 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "9f73c4e1d01477efa8e3e1984613b6eb3362f6fc89a93888927b7426fa01a9bf", "version": 4 }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "3775382bd5260f71cb15c758f1eed47f78b5bb400bc1baa611b3d28704d79f24", "version": 4 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "3079830160ee1e9fa1439d0b3b2547e2594583051655b060e539bbe49c46953b", "version": 3 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", "sha256": "b6730853dd499a1f5bdd7adce3dd750c04b5acb1ad52c08a818be52b790016c9", "version": 5 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "a356c6b552f9b182763acfa38c451360bd70981b848afdc23c5566031f48d5ca", "version": 2 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories", "sha256": "58109147ac539d0dba93b555813d127e0ae42d5ead5a32df50b9b94ebdb87bbc", "version": 5 }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "10851b590f0ff1f675738bd36db07201a6791e08499f094ef66b960ad88dee11", "version": 2 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", "sha256": "183bc920de288c25759da14909826873e441d5f97faf2b64f82ba501db10e2c8", "version": 3 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "d27cff3d6c5751e9cfd3404e7e0ed3b97a989e0df1e15fd4439bcf5fc7c6942d", "version": 2 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", "sha256": "dc2d60e88c29a05e78f269f6facd482c456a9da301fdfd8c66f89cee0f8a4885", "version": 3 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", "sha256": "00f1e4824b1ff5a97ebaa7c117a5492decb5225904fd9fefe0d16c6b12d3d6d0", "version": 4 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "94b0fb4de4cac4e10566cb8ae4234e58cc66737f391a72915775586e0cbc57f4", "version": 2 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "AWS Root Login Without MFA", "sha256": "585d427e1865ca47021b6701ca3214a0c4c22ee154aabdff05a378c9c9a66ef7", "version": 3 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", "sha256": "7a809a16bb94956512c514a8fb8f7927700d307537cabcac128600dd9c8632e8", "version": 3 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Azure Conditional Access Policy Modified", "sha256": "46c90a2ba9b55dc072b15e9d564f941ad603cff49519bde6ee7c79e7ff66b079", "version": 3 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", "sha256": "1abc4c8b1f73bd28b79d4b0ab488c95ce1a44f513ade1c5d831519ec2afe813f", "version": 3 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "cecd7d93e882686b0f78176c259b17b6b02185cb39a2df6b9d2307f25c0e91b5", "version": 1 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "a15dc8b9b0d2b27835ebdebc808f5e0849c535d2802be1ae44ab900b29a565ae", "version": 3 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Endpoint Security", "sha256": "3e27a7e7fda1be83a083f51ec320e2c49e41a3048660137a7d551e30b8c997c3", "version": 4 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "79a3b7715efb86fab78e72e5536f6c355077da76471e08e17e16956dbb06abdd", "version": 3 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "505c5b266419774eaf329af4f0f25e9009c93211214858e730bb637bb665f62c", "version": 1 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", "sha256": "c3098f9a8ff4dbe6ddae14bf87cc3ae0dc3b2000ed09029b7b73ab7d3ae2c85b", "version": 1 }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", "sha256": "27507954b3e3d4d61214f223d6afd52cc306b2726af409fdf5448619131f7aac", "version": 2 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Endpoint Security", "sha256": "7b185258dbbaa2a9837362d5bb5f7551cfdf689ccbd0119140c1155c581dd80c", "version": 4 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "b84179def6e28b59ba5234ee8fbdfee37306718e1c7a33cda3451d2e037c90ac", "version": 2 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "4f290d0d23f951fade6f3f059a997afaeb9df4c69dcc5c8c06be74186577863e", "version": 3 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", "sha256": "6e3ffdadba05c9bab0bb5408eec0fccb6e415111cc005cee2389d35f3d87d1ee", "version": 2 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "22d5c4182a90dc3f985da71ab2a79feac45b616a49e9b40ac005ce1b58db1450", "version": 6 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", "sha256": "ec891f05657fb312a46e46a6ece87ca1e888b953de1120db6c93e0bbc339b3b1", "version": 3 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", "sha256": "54df5574036f49aa1c3b1ae83294e6d0bd2906b138bf541e4eaa6332449dc988", "version": 7 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "d33b7ddc3848881bdc5fd89eb9c3fdf127e694cb448ab4ad1f226d1ac35cd584", "version": 2 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", "sha256": "ef8f0d17bfa1893438e50436c155fb58b423d7c70d49d94b87e5143845f58890", "version": 2 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Modification by dns.exe", "sha256": "89219be0f6a8a3e0939c890ebd17ad0b316bd3328dc94ed6aecd2f91baae5c6c", "version": 3 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "f2216d6fb197d8ebe56b438b60c6c17a2c6fee1272f95b362a62f66ae9d08a26", "version": 7 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "Direct Outbound SMB Connection", "sha256": "68c9f903236999653c3561153b05cb3569b2144445be4451d4c02630559d1b57", "version": 5 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", "sha256": "f7d2316ba6acd2bce179b629a2f2d807c6621fad1e6f4a05ed2e544060baa6f9", "version": 6 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Endpoint Security", "sha256": "0734e9a063c5bbf35c5b4b73c95544f1399e648c12d6396698015de1d5d392ef", "version": 4 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "51b65fec94a20040f5983aeaabdd81528b3dab3911e7e612795171ea64cde6ce", "version": 2 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "b63844150664f0411f2d2d5c878cce77fcdb882611a2588686e1f892d5a7e9e0", "version": 2 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", "sha256": "c619b62ecb53d348c75792b948ab0b9b8b53374e1d19332bfb78f123bda8e094", "version": 5 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "e69b031746dcf8715663be0e26e468235a4fdca6a7bd0ab85ebb68984e27e028", "version": 3 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "c3d53bc1a5a55116dd350a87ae779d6b74d09897063bab5870c0e164b530fe6c", "version": 4 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", "sha256": "295e8b053ee6f7acf40105fdc9c1e9cf16689482d786246cb96eb0a9be078e8d", "version": 1 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "b423d8f1781945d1f743a5ec517fb17d039cbcecfff55dffa2199ed10fc235f7", "version": 4 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", "sha256": "800f417ab3153b956bf14740aef7bba4409913c8a18c19e4151419aacfdecc61", "version": 6 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", "sha256": "1ccdd79a3d8c423d8fe97857e1ce97a9ecd7e846405f4572bcc911a90b720f2d", "version": 1 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", "sha256": "4ff38bae1f36562b3da44c1bfba3df1bfa7357a6fc71416407ab1981dc89d1bc", "version": 6 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "Attempt to Deactivate MFA for an Okta User Account", "sha256": "bf3c8c2643d927650b978c33445092099c8f1e4ad946d638f8621d8ff2cf2e1e", "version": 4 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "cd6eedc231fe502a3bdaa324c47802176e603af08001c6f5b139a414b8baf992", "version": 2 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "22e04005795df325ce598f470c07578306c20b1e2ad4f10552dc734b53abedc9", "version": 3 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "37bf638366896b35971a2e4ba3b5b763414bb15d9a8d21e55e7cf5785f2ca1da", "version": 2 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "abbc696eef76e67c082c799b1714b9f555ce201910e4123ed3f9573f8bbcc179", "version": 2 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", "sha256": "a0785cbffecd78f1f38bfdd475f4b2cfc4393c973d799005702ef5196fa95fbc", "version": 2 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", "sha256": "692bca729434e89ffa2c06e474554cdd89568f48c24892047a1a6db742bc5934", "version": 6 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", "sha256": "5a3345b1375898e2d96937c57e97800e36e9b49f13a4180668c6f44b3e549e87", "version": 7 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", "sha256": "20cce1e74b134378da1095bbe74784c7c83419746dd9e333c3d77af405448619", "version": 1 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", "sha256": "afb64842c0a54eb3e5cfa2c2666a9af23903e8b4ebfa4dc19d0f616212d22b4f", "version": 2 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "433ffde338fefd9d64542d5dc81eb073b458a2151131e6fde0768a85fc20843a", "version": 5 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "e0e46e6ee2027def12fd17f22fae998afd8c4a85057349c80869c06bf44b3f01", "version": 1 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "99dfd643c2a36c1b6dc871d05f308a697320a34844ad3213783e8637c15808cb", "version": 2 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "84c5d892ab21a437ebac47aa1a4a817b9e11a65eb520fb910e7d72f6dd2d9164", "version": 2 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", "sha256": "e66df2e2111657b7ee9cdd483f6f9611b4d76cb8924ee9fc415a41013c4afd26", "version": 2 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "abb84201e8bfa65651ffb134c8681989181732438dcca96f5b39d2e742f4a797", "version": 4 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "5815cf026c54469194103b8a1ddebc04eb5b1ce869a3a41a7f5ac3857285803a", "version": 3 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", "sha256": "3691ba5a6ea56663b45fc80286b7c51d2dd04d0444a399c0785dc16076644078", "version": 6 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "d11854f903a47b9aa94f16222e6c5cdfd516831fd12ac3f94168476b5838fa51", "version": 2 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", "sha256": "bdb98ed41e40d6f7dce270696e535b7fa8983d0b32650807489d7d1f06e9c66c", "version": 2 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "dcd757b2c70ffc37336013571378b078e20da74eacdd9597ebd8c86919c83b08", "version": 2 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", "sha256": "56283dfe2653f43fe67949d88fd1c2e175a137c4538e7b6515f1c1c4cf023235", "version": 5 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", "sha256": "489757a06a439a07bd987a173a396ad69b90370a3e0acb82277d4ca3925b64ea", "version": 6 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "1b77a57e76ad6dfc79e7d95f7663ea4b9bfef18d0ed0069bb34182bfd2d22b11", "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Multi-Factor Authentication Disabled for an Azure User", "sha256": "1a5b13bbbc9e151aac30ea7f4473debea355892cc7a289d052ed4d8b47d6776f", "version": 3 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Endpoint Security", "sha256": "ce8fd451c2c3bc3c5f9b35f212dc0b75348bb07d1c1c4c1559e575150874345f", "version": 4 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "a78e869e4a22fbcad724e729eb1f94c711a457d9f046a3856635c2857e38660c", "version": 7 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", "sha256": "707a6d1770899a0eabedae7ba5976fcb00ea9abe77e0d9a7e712f66110d29f0a", "version": 2 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "c47e2e4e00f67549407ed0ae2d4d7db1532ff50d5293f52b8283d7d841e524bc", "version": 2 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "a682f3e59e293b99eb3d435effa228cafa3938d325275e68a82b85869d0708f0", "version": 6 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "12354ef075f45d594f81cd132ed6cd134dcd58e0e4181f55e2ca8fbab4ea1ca6", "version": 1 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", "sha256": "765cc2c11a3441564214b3fc4b49b1c1684de8da5137c2bfa74572a78ab9b96a", "version": 3 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", "sha256": "3bc74d9fd01dd0927a435386302afe89bcb60c8bb286e4e1885e06651d25b2ba", "version": 6 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", "sha256": "32b4d11ac6b6495661cab9e04fc95ef48fd51465591227b0069aae39827a9531", "version": 3 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "a3226b1f93c0daf89b90f2eab25d21a8391e9aecac05f35459ac17ed73cc48d2", "version": 2 }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", "sha256": "b99daf7d5024207be1eec7c151ff2e8cad2b7ef7c47a3d2ecd9ba372f40017ce", "version": 3 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", "sha256": "053174e8aba7ee8eef851e60c2edcb41bc14bdcdf162f9683e44b4eedbef0832", "version": 4 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", "sha256": "a41f7d4da002a598a64a0c86a8a640bcc3fb38df115244ce462b8350efa17a50", "version": 4 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", "sha256": "2d8fc8ff84ceed47bca16ef187f6e9b0feef63524eed45db0cfc4a70cb663b0e", "version": 3 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "fcc8d66a6b444e403216ec25372ef32dc19755c1adaf5a10181680cbd51fc884", "version": 3 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", "sha256": "b7cb14b9f86fbd6700de65392846e21e554b97379cba6d77b21ceaa7e1366808", "version": 3 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", "sha256": "e6c3a918a6fed641a349f992888acfddf7eb7a7f03757d94d78ed227aa364cc2", "version": 6 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Endpoint Security", "sha256": "911ba16663efb30078217f771edbd6e7356f869662483fac274b09c8097580cb", "version": 4 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "d5c1778b8b06ec9a97a83ef1ff37b90c881133028c3e73e7d954470004db83a0", "version": 2 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "eb22dec56f8a7daf9f3803523f9cceb7972c1b899c633052403b1e992c5424ad", "version": 4 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "9abfadd9fb00097a0bafbd914188789be09de30c2740922791789e3ab53c8a9d", "version": 2 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", "sha256": "27b24fb4f81b6583600cf3c68ecd4228c9b541f58ccc9180350dc493ec977b31", "version": 7 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", "sha256": "106ffd7b336d3d2f62e0c565541ef07ebe8b377a7219e678b3f2a337eb35d938", "version": 4 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "64dfead1ef9066469366e2cadb08f751171478410ad2b034593c46c7cee27bf1", "version": 2 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", "sha256": "e3dae289ce5ea3435e8c63dce8fab1b29a46b9acb14027a69f13714a35421945", "version": 1 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Local Service Commands", "sha256": "cf6d83712cc60526fd908ff8340f3babc2ba382947921e61997418e895755a62", "version": 7 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", "sha256": "ab3bfc7f12dd37194cf775c83e92a5fb8e10a77d254e80d0cbce3abef3bf9c61", "version": 2 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "0c670e28f62f7e6a59b4e8d2bfb089bdb4b6dd439db64c1946212fc3a071cdfc", "version": 2 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "46d831233fa92a30570a7bac5c80cb5772b63e6167798ae2854f6d896f63e431", "version": 2 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", "sha256": "f60eb699d29e466ef9e88ffc1c5462d2162e2b40a1e5c15a6c928040eda6c09b", "version": 3 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", "sha256": "5c9f1ae1341311001eb7c14c069f10a81ab5cfad7c8b6d9696819b6e4b996036", "version": 7 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "8e0be7cb15dcca220017e99ae2a6ae37f45b6c62427db572043644d06693d155", "version": 2 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", "sha256": "b7c6a3082304fb21fe016ceb17e61d5d0f74e9e8661feddd949c4ef71c9c3496", "version": 2 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", "sha256": "3b343539b4dc70561e233016bbafa2e521920eec985a5b18a349b91031eb98ec", "version": 6 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "b040ed5e6961427ffd09b24310f0fd7b5303573d6f770388a7f1eb181c799d1b", "version": 2 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", "sha256": "da21066645a55b63d8fecb808eecf1bd74748457263ef40dab8da1aaec3a51bd", "version": 3 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", "sha256": "64c50e1dbe97849d4f6b0b418d1206190121db260caca612646b457c804c8d3f", "version": 2 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "31ec9b4252253e348100d49100907f5db68352b72ec0e959b609a9eab4be5c0e", "version": 3 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Azure Global Administrator Role Addition to PIM User", "sha256": "181aab572cb5e16c41ef255ad97789d321122d3d0c4a865e257304d19f463298", "version": 3 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", "sha256": "773d4d374830376166856b84be6a91ca48b97e1098553fd4153bd5a5514ec128", "version": 2 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "16410686f1addb8ee1d8cc39ff4d33c8f00caf70339e98436662df5ef95e1e2b", "version": 2 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "e6052dff19b5557c53e9db1244263626ff01c9988018efbf59923b07250d09d7", "version": 2 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", "sha256": "0977bd6e10761072797280e93ff365753d0d91c6107098df12bed4963b154122", "version": 5 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "0fefec116fb90ec262136f0464b0762ea5fb9f6aa26bdfacf18f06bb9bb8ec71", "version": 2 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "f23c21708a33952012b9296311171fdb9f8986310f55c48dba0c486fa7f92083", "version": 2 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Attempt to Remove File Quarantine Attribute", "sha256": "180024780a0971d835e2a44fd9dbb0dd015fb488fbc89be89003e4685a07b538", "version": 2 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Apple Scripting", "sha256": "00f1eeeb4a4f3d2a6b1e225903d6ce431a403154f39b039a05f793128498a371", "version": 1 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", "sha256": "18df26083a6c02fcaa4e7cee8ad92e03b464dc171dcea36b543b122a2c174982", "version": 2 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", "sha256": "1f81a9ebc9304e983f56c73f0d7f3778d17df0ca9281c93b861c5ba0f76489ca", "version": 1 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "8e08c279331382bd518d79884d5d1ea71193b4eaebeee5349a1198c52fe5622b", "version": 2 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", "sha256": "59ce3a59bdb9ed1052472602725a34f56538b83c0a90bb8d2954fb07d417fe7a", "version": 7 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "d5f7787b38586f96eba4a09474b220c7eb0378acbe4ac430a7bf766239630d3d", "version": 7 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", "sha256": "061877c4b789741e0bd2d4bfba5fb30e96a628308269dbbc3b39d49ce33d58e5", "version": 4 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "cd8c249795eacd3b7a4c748a5794d3e2b48d63eb111e1a7013471e068cf49161", "version": 2 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux System Network Configuration Discovery", "sha256": "7afb429644c3e194451bd0341400e1bd62aa315f1d7477235795f0d8e060f8a7", "version": 1 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "fe4f99d829a1426cf43e16b2efff819241cd72b5dfec5144bb4ac0415fe0afb4", "version": 4 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", "sha256": "50d2efa2cce15ad7d8084bc0af8847fd0e6bbf6250234a6fd759276cfc04be15", "version": 2 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", "sha256": "3a398bca99d1e42d9d86563ea7a23796f297b26203d69c23e75288d8f5de11dc", "version": 6 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", "sha256": "89856060e32329a084c73bbdce355d720cb79aca895202cea39db79ecc704830", "version": 4 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "6067b40a4db1b3f6319eb436fd4aa338eda23b182565f1ae0c5d49da69ecd1d3", "version": 2 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "c321c182cc1a8b7ee15673433fe16f6bd0b87e67010b5128bd7e0486fe493e11", "version": 6 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Encoding or Decoding Files via CertUtil", "sha256": "b4ccf60e28786ecb6902d7a38d49265627c0acc491f7db0ceaf332f4c05586bd", "version": 6 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", "sha256": "926a6b9f74f9730557ec6eed7aa0a5a4d4c29e9506a8d7b36104e93da5af6118", "version": 6 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "3239bfe296eb7c63506903d43dcf09dabe9b83387d6d6e9840abcfea2a7d6a1a", "version": 2 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "13c44d617fe906b97d8cc74566aa68faf1d450d2813b3975fc23c3bc9ab1e658", "version": 2 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", "sha256": "0d1109d0ef4e0bb769ea14addf28c8e4e60fa5f83f8cacfa7d678ec811fa5661", "version": 3 } }